MGMT access to other vlans/routing/firewall

Hey guys i'm having a few problems and i'd like to know the correct process and configuration for my MGMT access to other ports/vlans/networks

vlan_99 is my mgmt access and its untagged accross all ports

firewall zones, allows forwarding to and from other vlans

and firewall rules has unrestricted access device and forwarding all ports enabled

i still need to add routing rules correct?

If all of the networks exist on your main router, it's a matter of configuring that device's firewall to allow routing between subnets. This is done in with the forwarding rules (not port forwarding)... much like you see for lan > wan.

Post your main router's config and we'll help you with that process.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I've been very excited about my audit from you guys, so much that i've put off doing this until now lol. It means a lot to me so thank you

***I put in notes in the form of
###Example throughout the doc for all my issues that need resolving


{
	"kernel": "5.15.150",
	"hostname": "frontGATE",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Linksys MR8300 (Dallas)",
	"board_name": "linksys,mr8300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5e:0db4:baa7::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option stp '1'
	option igmp_snooping '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '##:##:##:##:##:##'

config device
	option name 'lan2'
	option macaddr '##:##:##:##:##:##'

config device
	option name 'lan3'
	option macaddr '##:##:##:##:##:##'

config device
	option name 'lan4'
	option macaddr '##:##:##:##:##:##'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ip6assign '60'
	option gateway '223.101.0.1'
	list ipaddr '223.101.0.33/24'
	list ipaddr '223.101.0.33/16'

config device
	option name 'wan'
	option macaddr '##:##:##:##:##:##'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option type 'bridge'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:u*'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '222'
	list ports 'lan4:u*'

config interface 'MGMT'
	option proto 'static'
	option device 'br-lan.99'
	option gateway '223.101.99.160'
	list ipaddr '223.101.99.168/27'
###WASN'T SURE IF I NEED TO ADD OTHER SUBNET IPS TO THIS INTERFACE TO COMMUNICATE WITH OTHER NETWORKS

config interface 'TRUNK1'
	option proto 'static'
	option device 'br-lan.222'
	list ipaddr '223.101.22.2/24'
	option gateway '223.101.22.1'
###HAVING TROUBLE GETTING A SECONDARY LINE FROM SERVER TO PASS THROUGH SWITCH VLAN 122 IP 223.102.20.122 THE PRIMARY CONNECT IS CONNECTED TO THIS ROUTER AS 223.102.10.122 VLAN 122

config device
	option type 'bridge'
	option name 'br-wifi'
	list ports 'dummy0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
###THIS DEVICE AUTO CREATED FROM MAKING GUEST WIFI WHICH ALSO IS ATTACHED TO GUEST INTERFACE I'D LIKE TO FIX THIS AS AND CHANGE GUEST INTERFACE TO VLAN_223

config interface 'guest'
	option proto 'static'
	option device 'br-wifi'
	option ipaddr '223.101.23.3'
	option netmask '255.255.255.0'
###THIS IS SUPPOSED TO BE VLAN_223 HOWEVER WILL NOT WORK WHEN I CHANGE DEVICE


config interface 'PVE_primary'
	option proto 'static'
	option device 'br-lan.121'
	option gateway '223.102.10.1'
	list ipaddr '223.102.10.33/16'
	list ipaddr '223.102.10.33/24'
###LOST COMMUNICATION WITH SERVER WHICH HAS NO MONITOR AND FORGOT WHICH SUBNET SO ADDED BOTH

config bridge-vlan
	option device 'br-lan'
	option vlan '121'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '122'
	list ports 'lan4:t'

config interface 'PVE_secondary'
	option proto 'static'
	option device 'br-lan.122'
	option ipaddr '223.102.20.33'
	option netmask '255.255.255.0'
	option gateway '223.102.20.1'

config interface 'IOT'
	option proto 'static'
	option ipaddr '223.101.44.4'
	option netmask '255.255.255.0'
	option gateway '223.101.44.1'
	option device 'br-lan.444'
###THIS IS SUPPOSED TO PASS THROUGH THE SWITCH (TRUNK VLAN_222) HOWEVER NOT WORKING CURRENTLY


config bridge-vlan
	option device 'br-lan'
	option vlan '444'
	list ports 'lan4:t'

config rule
	option in 'PVE_primary'
	option src '223.102.10.0/24'
	option out 'wan'
	option disabled '1'

config route
	option interface 'MGMT'
	option target '223.101.0.0/16'
	option gateway '0.0.0.0'

config route
	option interface 'MGMT'
	option target '223.102.10.0/16'
	option gateway '0.0.0.0'
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '100'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'MGMT'
	option mode 'ap'
	option ssid 'MGMTZone'
	option encryption 'sae-mixed'
	option key '##########'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'guest'
	option mode 'ap'
	option ssid 'GuestZone'
	option encryption 'sae-mixed'
	option multicast_to_unicast_all '1'
	option key '#########'
###NOT SURE IF MULTICAST TO UNICAST SOLVED A PROBLEM OR NOT WORKS IN BOTH MODES ON OR OFF
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/ziontek/'
	option domain 'ziontek'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option logqueries '1'
	option logdhcp '1'
	option logfacility 'LOCAL7'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'TRUNK1'
	option interface 'TRUNK1'
	option start '100'
	option limit '150'
	option leasetime '12h'
###DEDICATED TO SWITCH

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'MGMT'
	option interface 'MGMT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config domain
	option name 'GuestWIFI_smsng'
	option ip '223.101.23.134'

config domain
	option name 'FG_Trunk'
	option ip '223.101.22.2'

config domain
	option name 'FG_Guest'
	option ip '223.101.23.3'

config domain
	option name 'FG_Mgmt'
	option ip '223.101.99.9'

config domain
	option name 'Lenovo_mgmt'
	option ip '223.101.99.141'

config domain
	option name 'SWITCH'
	option ip '223.101.22.133'

config domain
	option name 'FRONTGATE'
	option ip '223.101.0.33'

config dhcp 'PVE_primary'
	option interface 'PVE_primary'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config host
	option ip '223.101.99.170'
	option mac '##:##:##:##:##:##'

config domain
	option name 'FG_PVE1'
	option ip '223.102.10.33'

config domain
	option name 'FG_PVE2'
	option ip '223.102.20.33'

config domain
	option name 'MgmtWIFI_Lenovo'
	option ip '223.101.99.170'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config domain
	option name 'PVE'
	option ip '223.102.10.122'
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'PVE_secondary'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'TRUNK1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'TRUNK1'

config zone
	option name 'GUESTzone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'MGMT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'MGMT'
	list device 'br-lan.99'
	option masq6 '1'

config rule
	option name 'Allow - GUEST - DHCP DNS'
	option src 'GUESTzone'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'

config rule
	option name 'Allow - MGMT - NoRestriction'
	option src 'MGMT'
	option target 'ACCEPT'
	option dest '*'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
	list proto 'esp'
	option dest_port '21 20 22 23 25 53 67 68 69 80 110 123 143 161 389 443 445 514 1812 1813 5060 88 993 995 1433 3306 3389 8443 500 4500 1701 1723 1194'
###RECENTLY ATTEMPTED TO RESOLVE CROSS NEXTWORK COMMUNICATION BY ADDING THIS RULE WITH THESE PORTS



config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'GUESTzone'
	option dest 'wan'

config forwarding
	option src 'MGMT'
	option dest 'lan'

config forwarding
	option src 'TRUNK1'
	option dest 'lan'

config forwarding
	option src 'TRUNK1'
	option dest 'wan'

config forwarding
	option src 'MGMT'
	option dest 'wan'

config forwarding
	option src 'MGMT'
	option dest 'GUESTzone'

config forwarding
	option src 'MGMT'
	option dest 'TRUNK1'

config rule
	option name 'Deny - GUEST - WebGUI'
	option src 'GUESTzone'
	option target 'REJECT'
	option dest_port '80 443 213'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
###STILL WORKING ON TRYING TO DISCOVER HOW TO MAKE THE ROUTER USEABLE BUT NOT DISCOVERABLE TO ALL VLANS EXCEPT MGMT

config zone
	option name 'PVE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PVE_primary'
	list network 'PVE_secondary'
	list device 'br-lan.121'

config forwarding
	option src 'PVE'
	option dest 'wan'

config forwarding
	option src 'MGMT'
	option dest 'PVE'

config forwarding
	option src 'TRUNK1'
	option dest 'PVE'

config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'IOT'

config forwarding
	option src 'MGMT'
	option dest 'IOT'

config rule
	option name 'Allow - IOT - DNS DHCP'
	option src 'IOT'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow - PVE - DNS DHCP'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
	option src 'PVE'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow - MGMT - PVE'
	list proto 'all'
	option src 'MGMT'
	option dest 'PVE'
	option target 'ACCEPT'
	option enabled '0'

config forwarding
	option src 'GUESTzone'
	option dest 'MGMT'

config forwarding
	option src 'IOT'
	option dest 'MGMT'

config forwarding
	option src 'lan'
	option dest 'MGMT'

config forwarding
	option src 'PVE'
	option dest 'MGMT'

config forwarding
	option src 'TRUNK1'
	option dest 'MGMT'

config forwarding
	option src 'PVE'
	option dest 'TRUNK1'

Quite honestly, I've gone through your config and it is a mess. You should really start over from scratch and setup just one additional network, get it working and then use that recipe to build the others.

That said, I had already started going through your config... so comments below -- probably not exhaustive of the issues, but what I saw as I quickly went through. Like I said, start over from scratch as this is seriously messed up and the time it will take to fix will be greater than that required to start fresh and rebuild.

This raises some questions:

Normally, your lan should be in the RFC1918 address range. This violates that. Further, it's not clear why you have the same address listed twice with two different subnet sizes. (pro-tip: stick to /24 unless there is a reason to go larger).

The gateway should be removed in most cases -- assuming that there is a wan connection.

Remove the bridge line from the wan interfaces:

The VLAN configs are wrong...

If not specified, the VLAN will appear untagged on the ports. You should explicitly specify the untagged ports by adding :u*to the respective ports. Tagged ports will use :t, while ports that are not members of a VLAN should be removed from the bridge-vlan stanza for a given VLAN ID.
Only one network is allowed to be untagged on a port.

Remove the gateway from this:

The RFC1918 address discussion applies here, too. And /24's are the typical recommended size unless you have a reason to make it bigger or smaller.

It's worth noting that the /16 you have defined for the lan will overlap this and therefore it won't work properly.

Same things apply to this -- RFC1918, remove gateway. Also, while "Trunk" is not a reserved word at a technical level, you should be careful because this has a meaning already assigned (a trunk is a port/cable that carries more than one network). So it's recommended to have a name that describes the purpose of the network.

This must be deleted. Ports can only be in a single bridge. In this case, they're defined already in br-lan. Further, don't add ports that don't actually exist ("dummy0")

The same stuff applies (RFC1918), but this also will need to be setup against br-lan if ethernet is going to be involved (remeber, you need to delete br-wifi):

Same problems here:

Delete all of this:

All of your mappings here are going to need to be updated once you have RFC1918 addresses setup properly:

Undo these changes:

Delete thses:

PVE_secondary is defined in 2 zones. A network must only be in a single zone. Further, that device doesn't belong in the zone config:

so how would i make a mgmt access to see and edit or access resources on other vlans? and thank you im starting over and reading RFC1918

This is purely about forwards and the firewall zone configurations.

So, for example, if the mgmt network is in the mgmt zone and the lan network is in the lan zone, it would look like this:

config forwarding
	option src 'mgmt'
	option dest 'lan'

okay one more question

port4 is my trunk to my switch

which has

IOT
a secondary server connection
smart TV
a device im turning into a network monitoring and logging machine

so 4 different vlans
and the trunk

so trunk = vlan_222 untagged primary vlan
vlan 223 tagged
vlan 224 tagged
vlan 225 tagged
??

and the same on the switch
vlan_222 port1 untagged primary
vlan_223 port 2 tagged
vlan_224 port 3 tagged
vlan_225 port 4 tagged

I don't understand the "and the trunk" here... can you clarify?

The point is that you don't need to create a trunk VLAN/interface.. the port is a trunk by nature of carrying multiple networks. I'm not sure what the TRUNK1 VLAN/interface is intended to do, which is why I recommend making this more descriptive of its purpose. For example, calling your networks lan, guest, iot, and so on make it very clear what they're for.

This next discussion is confusing.... try to be very precise with your words because we don't know if the switch you're referring to is internal to this router or an external managed switch.

My recommendation is to define the desired behavior of each port of the built-in switch... for example (just making this up):

  • Port 1: untagged VLAN 222
  • Port 2: untagged VLAN 223
  • Port 3: untagged VLAN 224
  • Port 4: untagged VLAN 222 + tagged VLANs 223, 224, 225.

so yes i know what a trunk port is

i can't tuck the other networks (vlans) properly into the trunk port without creating a vlan for the trunk unless you have a better suggestion?

so i did that and actually wrote that out your example you just did it cleaner thank you for that i'll adopt that

either way i can't seem to grab the vlans outside of the primary port vlan like you showed with the tagged vlans i can't connect to those at all

Like I've been saying, you don't need a trunk "network" to create a trunk. You just simply assign the VLANs to the port, and that becomes a trunk.

Did you start from scratch? And then add just one network?

Let's see the configuration.

Also, what is connected downstream of the trunk port?