My first VLAN and the Lingering Question of Why lan2 Clients Can't Ping Each Other

So I bought a shiny wrt1900acs router and I'm enjoying it. The lan ports are Gigabit and support VLANs. I finally made it to the 21st century.

I also use a VPN service and wanted to forward all traffic from one vlan (lan1 192.168.1.1) through the VPN whereas the second vlan (lan2 192.168.0.1) would go straight through to the internet.

This was achieved through hours upon hours of searching the internet. One lingering doubt remains though. For some reason, none of the clients on lan2 can ping anything in their own network. Not that it's particularly necessary right now. I don't have any services on lan2 and they can connect to lan1 just fine. It's just I don't understand and it's bothering me.

Here are my configs:
/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:6a1f:a70e::/48'

config interface 'lan1'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan2'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '5t 3 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5t 1 0'
	option vid '3'

config interface 'PIA_VPN'
	option proto 'none'
	option ifname 'tun0'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

config rule
	option src '192.168.0.0/24'
	option lookup '2'

Notice I made another routing table (table 2) so that lan2 can access the internet when the vpn is on. That's mostly what's confusing me.

And the /etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan1'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan2'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan1'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan1'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan2'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan2'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'PIA_VPN'

config forwarding
	option dest 'VPN_FW'
	option src 'lan1'

config forwarding
	option dest 'wan'
	option src 'lan2'

So everything works. I can get to the internet on both vlans when the openvpn is up, but 192.168.0.0/24 addresses cannot see each other. Help me. I really apologize if this has been answered before. It's like the last thing and everything will be like it should be.

I figured it out.
All I had to do was either add a route on table 2 for lan2 internal connections or add a rule to look at the main routing table for lan2 internal connections. I went with the latter. Here are the two rules in place of the one rule for handling all connections from lan2.

config rule
	option src '192.168.0.0/24'
	option dest '192.168.0.0/24'
	option lookup 'main'

config rule
	option src '192.168.0.0/24'
	option dest '0.0.0.0/0'
	option lookup '2'

So basically I'm saying look at main routing table for anything going from lan2 to lan2 but look at routing table 2 if it's going anywhere else. I still am not sure why I can connect to lan1 from lan2 since by my logic it should be using table 2 but it seems to be using the main routing table.

Still, chiseling away at it.
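The routing decision described in the post above, as an added example that is not from the thread: a toy model of Linux policy routing (ip rules in priority order, then longest-prefix match inside the chosen table) loaded with the poster's before and after rule sets. Table contents, device names and next-hop addresses are constructed for the example; the model reproduces the lan2-to-lan2 symptom and does not try to explain the lan2-to-lan1 observation.

```python
from ipaddress import ip_address, ip_network

# Routing tables as the kernel holds them: (prefix, next hop, device).
# 'main' has the connected subnets plus the OpenVPN default; table 2 holds
# only the default route the thread's 'config route ... table 2' installs.
# Next-hop addresses and device names are constructed for this example.
TABLES = {
    "main": [
        ("192.168.1.0/24", None, "br-lan1"),
        ("192.168.0.0/24", None, "eth0.3"),
        ("0.0.0.0/0", "10.8.0.1", "tun0"),
    ],
    "2": [("0.0.0.0/0", "203.0.113.1", "eth1.2")],
}

# ip rules in priority order: (from prefix, to prefix, table).
RULES_BEFORE = [              # the thread's original single rule + default
    ("192.168.0.0/24", "0.0.0.0/0", "2"),
    ("0.0.0.0/0", "0.0.0.0/0", "main"),
]
RULES_AFTER = [               # the two rules the poster ended up with
    ("192.168.0.0/24", "192.168.0.0/24", "main"),
    ("192.168.0.0/24", "0.0.0.0/0", "2"),
    ("0.0.0.0/0", "0.0.0.0/0", "main"),
]

def lookup(table, dst):
    """Longest-prefix match within one table; (next_hop, dev) or None."""
    dst, best = ip_address(dst), None
    for prefix, gw, dev in TABLES[table]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def route(rules, src, dst):
    """First rule matching src/dst whose table yields a route decides."""
    for frm, to, table in rules:
        if ip_address(src) in ip_network(frm) and ip_address(dst) in ip_network(to):
            hit = lookup(table, dst)
            if hit is not None:
                return (table,) + hit
    return None

if __name__ == "__main__":
    # lan2 -> lan2 ping before and after the fix; lan2 -> internet afterwards.
    print(route(RULES_BEFORE, "192.168.0.10", "192.168.0.20"))  # ('2', '203.0.113.1', 'eth1.2')
    print(route(RULES_AFTER, "192.168.0.10", "192.168.0.20"))   # ('main', None, 'eth0.3')
    print(route(RULES_AFTER, "192.168.0.10", "198.51.100.7"))   # ('2', '203.0.113.1', 'eth1.2')
```

The "before" result shows the lan2-internal packet being handed to table 2's default route and thus to the WAN device; the same walk is what to check when verifying that internal or VPN-bound traffic is not leaving through the wrong interface.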


Have you tried putting option type 'bridge' under lan2 interface setting?

I have but I don't really see the point. The lan2 interface is not bridging with anything. My understanding is that bridging creates a bridge interface out of a combination of two or more other interfaces. As I am not worried about wifi on lan2, I don't really see why it is necessary. I just need the two other ports on the router on a different subnet. But I will try that if you can provide the reasoning behind it.

My guess is the reason I still cannot connect lan1 to lan2 is because it is using the VPN gateway and that's a routing and/or firewall issue. I'm still learning though.