Okay, so progress is slow: with this config, local traffic works on VLANs 2 and 3 with static settings and I can access LuCI, but there is still no DHCP and no internet.
For some reason, local traffic only works with the following explicit rule:
# Traffic rule with a 'src' but no 'dest'. In the OpenWrt firewall a rule
# without 'dest' matches traffic addressed to the router itself (the source
# zone's input chain), not traffic forwarded through the router. This rule
# therefore accepts TCP 80/443 from the vlan2 zone to the router, which is
# exactly what LuCI access needs because the vlan2 zone is configured with
# input REJECT. The zone-to-zone 'config forwarding' entry only covers
# vlan2 -> wan forwarded traffic and never grants access to the router.
config rule
option name 'Allow-vlan2-browsing'
option src 'vlan2'
# TCP only; both ports are services on the router side (e.g. uhttpd/LuCI).
option proto 'tcp'
list dest_port '80'
list dest_port '443'
option family 'ipv4'
option target 'ACCEPT'
I don't understand why, since it should already be covered by the forwarding rule.
By the way, after sorting out the kernel issue I'm on v24.10.1 r28597-0425664679 with kernel 6.6.86.
Current config:
/etc/config/network
# /etc/config/network as pasted (indentation was lost in the forum paste).
# Loopback interface: standard static 127.0.0.1/8.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
# Single bridge 'br-lan' over all four LAN ports; VLAN filtering is done by
# the bridge-vlan sections below. IPv6 is disabled on the bridge device.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'
# VLAN 1: no member ports are listed here, so in this version of the file
# br-lan.1 (the 'lan' interface below, 192.168.1.1) has no physical port.
# NOTE(review): the second network listing further down the post gives VLAN 1
# 'lan1:u*' instead -- confirm which of the two files is actually live.
config bridge-vlan
option device 'br-lan'
option vlan '1'
option ipv6 '0'
# VLAN 2: lan1 untagged + PVID ('u*'), lan2 tagged ('t', trunk port).
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan1:u*'
list ports 'lan2:t'
option ipv6 '0'
# VLAN 3: lan2 tagged (trunk), lan3 and lan4 untagged.
# NOTE(review): ':u' without '*' only untags egress; without the PVID marker
# ('u*') untagged frames arriving on lan3/lan4 are not assigned to VLAN 3.
# The second listing below uses 'lan3:u*' / 'lan4:u*' -- verify which is live.
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan2:t'
list ports 'lan3:u'
list ports 'lan4:u'
option ipv6 '0'
# WAN: DHCP client on the 'wan' device, IPv4 only, no prefix delegation.
# This interface is what the firewall zone 'wan' (with masquerading) covers.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option delegate '0'
option ipv6 '0'
# Router addresses on each VLAN. The firewall zones reference these logical
# interfaces ('lan', 'vlan2', 'vlan3'); the firewall log lines show the
# underlying device name because the packet filter matches on the kernel
# device (e.g. 'IN=br-lan.2' for the 'vlan2' interface).
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option ipv6 '0'
config interface 'vlan2'
option device 'br-lan.2'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option delegate '0'
option ipv6 '0'
config interface 'vlan3'
option device 'br-lan.3'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option delegate '0'
option ipv6 '0'
/etc/config/firewall
# /etc/config/firewall as pasted (indentation lost in the forum paste).
# Global defaults: deny-by-default for traffic to the router (input) and
# through the router (forward); SYN-flood protection and dropping of
# conntrack-INVALID packets are on, and rejected packets are logged.
config default
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option family 'ipv4'
option log '1'
# Zone 'lan' (br-lan.1): fully open towards the router and for forwarding.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option family 'ipv4'
option log '1'
# Zones 'vlan2' and 'vlan3': input REJECT means only the explicit 'config rule'
# entries below may reach the router; forward REJECT plus the absence of any
# forwarding between lan/vlan2/vlan3 keeps the three segments isolated from
# each other. 'log 1' logs every rejected packet -- useful while debugging,
# noisy in production (fw4 zones support 'log_limit' to rate-limit it).
config zone
option name 'vlan2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan2'
option family 'ipv4'
option log '1'
config zone
option name 'vlan3'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan3'
option family 'ipv4'
option log '1'
# Zone 'wan': input/forward rejected, source NAT ('masq') for traffic leaving
# towards the WAN. NOTE(review): the stock 'Allow-DHCP-Renew' (udp dest_port
# 68 from wan) and 'Allow-Ping' rules are not present in this file; if the WAN
# DHCP client's replies are not matched as related traffic, lease renewal
# could fail silently -- the firewall log would show the rejects.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wan'
option masq '1'
option family 'ipv4'
option log '1'
# All 'Allow-vlanN-*' rules below have a 'src' but no 'dest', so they match
# traffic addressed to the router itself (the zone's input chain), not
# forwarded traffic. Forwarded traffic is governed solely by the
# 'config forwarding' entries at the end of the file.
# DHCP: udp/67 to the router (DISCOVER/REQUEST). The rule only opens the
# port; dnsmasq still needs a 'config dhcp' section for the 'vlan2'
# interface, which the pasted /etc/config/dhcp listing does not show.
config rule
option name 'Allow-vlan2-dhcp'
option src 'vlan2'
option proto 'udp'
option dest_port '67'
option family 'ipv4'
option target 'ACCEPT'
# DNS: no 'proto' given, so the firewall's default (tcp and udp) applies.
config rule
option name 'Allow-vlan2-dns'
option src 'vlan2'
option dest_port '53'
option family 'ipv4'
option target 'ACCEPT'
# NetBIOS name/datagram service to the router.
# NOTE(review): fw4's documented port-list separator is a space ('137 138');
# if the comma form is not accepted, the whole rule is skipped with a warning
# (visible via 'fw4 check' / 'fw4 print'), which would explain the rejected
# udp 137 -> 137 broadcast in the log at the end of the post. Same for the
# 'Allow-vlan3-netbios' rule below.
config rule
option name 'Allow-vlan2-netbios'
option src 'vlan2'
option proto 'udp'
option dest_port '137,138'
option family 'ipv4'
option target 'ACCEPT'
# 'Browsing': despite the name this permits TCP 80/443 *to the router* (LuCI
# or anything else listening there), which is why LuCI only works with this
# rule present. It is not needed for internet browsing from vlan2; that is
# already covered by the vlan2 -> wan forwarding below.
config rule
option name 'Allow-vlan2-browsing'
option src 'vlan2'
option proto 'tcp'
list dest_port '80'
list dest_port '443'
option family 'ipv4'
option target 'ACCEPT'
# Same four rules for vlan3 (see the comments on the vlan2 rules above).
config rule
option name 'Allow-vlan3-dhcp'
option src 'vlan3'
option proto 'udp'
option dest_port '67'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-vlan3-dns'
option src 'vlan3'
option dest_port '53'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-vlan3-netbios'
option src 'vlan3'
option proto 'udp'
option dest_port '137,138'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-vlan3-browsing'
option src 'vlan3'
option proto 'tcp'
list dest_port '80'
list dest_port '443'
option family 'ipv4'
option target 'ACCEPT'
# Rejects every ICMP type from the WAN aimed at the router (no 'dest', so
# forwarded ICMP is untouched and already covered by forward REJECT).
# NOTE(review): blocking all ICMP, including destination-unreachable /
# fragmentation-needed (type 3 code 4), can break path-MTU discovery for the
# router's own connections; limiting this to echo-request is the usual
# compromise. REJECT also answers the remote sender, where DROP stays silent.
# Unlike the other rules this one sets no 'family'.
config rule
option name 'Restrict-ICMP'
option src 'wan'
option proto 'icmp'
option target 'REJECT'
# Zone-to-zone forwarding: each internal zone may reach 'wan' only; there is
# deliberately no lan <-> vlan2 <-> vlan3 forwarding.
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'vlan2'
option dest 'wan'
config forwarding
option src 'vlan3'
option dest 'wan'
/etc/config/dhcp
# NOTE(review): this listing is headed /etc/config/dhcp but its contents are
# network configuration (interfaces, bridge-vlans), not 'config dnsmasq' /
# 'config dhcp' sections. The first line also appears to have lost its
# leading 'config' keyword in the paste. Whether DHCP pools exist for the
# 'vlan2' and 'vlan3' interfaces therefore cannot be checked from this post.
# It also differs from the first network listing in the bridge-vlan port
# assignments (see comments below), so one of the two is stale.
interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'
# VLAN 1: lan1 untagged + PVID here (the first listing had no ports at all).
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
option ipv6 '0'
# VLAN 2: lan2 untagged + PVID here (the first listing had lan1:u* + lan2:t).
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan2:u*'
option ipv6 '0'
# VLAN 3: lan3/lan4 untagged + PVID ('u*'), so untagged ingress frames on
# these ports are assigned to VLAN 3 (the first listing used plain ':u').
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan3:u*'
list ports 'lan4:u*'
option ipv6 '0'
# Interface sections are identical to the first listing.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option delegate '0'
option ipv6 '0'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option ipv6 '0'
config interface 'vlan2'
option device 'br-lan.2'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option delegate '0'
option ipv6 '0'
config interface 'vlan3'
option device 'br-lan.3'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option delegate '0'
option ipv6 '0'
I do have one odd firewall log entry; I don't understand why it reports br-lan.2 as the input interface rather than vlan2. Aren't forwarding rules supposed to be applied to interfaces rather than devices?
reject vlan2 in: IN=br-lan.2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.2.151 DST=192.168.2.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=109 PROTO=UDP SPT=137 DPT=137 LEN=76