Need Help: No WAN access on my VLAN

Hi

I'm trying to figure out why I have no access to the internet inside my VLAN.

These are my settings:

firewall:

# /etc/config/firewall as first posted ('#' lines are comments, ignored by UCI).
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Nothing crosses zones unless a 'config forwarding' or 'config rule'
        # below allows it.
        option forward 'REJECT'
        option disable_ipv6 '1'
        option synflood_protect '1'
        option flow_offloading '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # NOTE(review): no interface named 'vpn' is defined in the
        # /etc/config/network posted later in the thread.
        list network 'vpn'

config zone
        option name 'iot_online'
        option output 'ACCEPT'
        list network 'iot_online'
        # The router itself rejects this VLAN's traffic unless a rule allows
        # it; other zones are reachable only through the forwardings below,
        # and the only one for iot_online goes to 'wan', so the DNS server
        # 192.168.0.10 (lan zone) is not reachable from here.
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option name 'lan_guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_guest'

# Inter-zone forwarding is one-directional: the 'src' zone may initiate
# connections, replies return through connection tracking.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan_guest'
        option dest 'wan'

# lan may reach iot_offline; iot_offline has no forwarding of its own, so it
# never reaches wan or lan (hence 'offline').
config forwarding
        option src 'lan'
        option dest 'iot_offline'

config forwarding
        option src 'iot_online'
        option dest 'wan'

config zone
        option name 'iot_offline'
        # Unlike the other zones, traffic to the router is silently dropped
        # rather than rejected.
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot_offline'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT everything leaving wan and clamp TCP MSS to the path MTU.
        option masq '1'
        option mtu_fix '1'
        list network 'wan'


What am I missing here?

I want to have internet access within my VLAN iot_online.

Thank you so much for any tips.

Which VLAN is the issue?

Let's see the complete files:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi, as I wrote, I'm trying to get internet/WAN access inside my wlan iot_online.
Here are my configs.

thank you

{
        "kernel": "5.10.146",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.2",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}

cat /etc/config/network


# /etc/config/network as posted ('#' lines are comments, ignored by UCI).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# NOTE(review): this bridge is defined but no interface in this file uses it;
# 'lan' below is bound straight to 'eth0'.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

# Untagged traffic on eth0 is the main LAN, 192.168.0.0/24.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'eth0'
        option ipaddr '192.168.0.1'
        # Resolver the router itself uses: the host at .10 (the Pi-hole
        # identified later in the thread).
        list dns '192.168.0.10'
        option delegate '0'

# Upstream on eth1 via DHCP.  peerdns '0' discards the ISP's resolvers; the
# router resolves through its own dnsmasq at 192.168.0.1 instead.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option hostname 'router'
        option peerdns '0'
        list dns '192.168.0.1'
        option metric '1'

# Three tagged VLANs on eth0, one /24 each.  Every pool advertises the
# Pi-hole (192.168.0.10, lan zone) as DNS, so each VLAN needs a firewall path
# to that address for name resolution to work.  The attached switch must carry
# these tags; the switch side is not shown.
config interface 'lan_guest'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        list dns '192.168.0.10'

config interface 'iot_offline'
        option proto 'static'
        option device 'eth0.50'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'
        list dns '192.168.0.10'

config interface 'iot_online'
        option proto 'static'
        option device 'eth0.55'
        option ipaddr '192.168.55.1'
        option netmask '255.255.255.0'
        list dns '192.168.0.10'

# 802.1q sub-devices for the VLANs above, IPv6 disabled on each (consistent
# with disable_ipv6 '1' in /etc/config/firewall).
config device
        option name 'eth0.55'
        option type '8021q'
        option ifname 'eth0'
        option vid '55'
        option ipv6 '0'

config device
        option name 'eth0.50'
        option type '8021q'
        option ifname 'eth0'
        option vid '50'
        option ipv6 '0'

config device
        option name 'eth0.30'
        option type '8021q'
        option ifname 'eth0'
        option vid '30'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

cat /etc/config/wireless
not used

cat /etc/config/dhcp


# /etc/config/dhcp as posted ('#' lines are comments, ignored by UCI).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Reject upstream answers that resolve to private addresses
        # (DNS rebinding protection); localhost answers stay allowed.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # dnsmasq answers DNS queries only from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'

# NOTE(review): this tag hands out Google DNS instead of the Pi-hole. Nothing
# in this dump references 'tag1'; any host that does would bypass the
# Pi-hole's filtering.
config tag 'tag1'
        option dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option dhcpv4 'server'
        # NOTE(review): DHCPv6/RA are served here although the firewall sets
        # disable_ipv6 '1' and every device sets ipv6 '0'.
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option limit '200'
        option force '1'
        # Clients are pointed at the Pi-hole rather than at the router.
        list dhcp_option '6,192.168.0.10'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Each VLAN pool also advertises 192.168.0.10 (lan zone) as DNS; the firewall
# must allow that zone to reach port 53 on that address, or clients get leases
# but cannot resolve names.
config dhcp 'lan_guest'
        option interface 'lan_guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        list dhcp_option '6,192.168.0.10'
        list ra_flags 'none'

config dhcp 'iot_offline'
        option interface 'iot_offline'
        option start '100'
        option leasetime '12h'
        option force '1'
        list dhcp_option '6,192.168.0.10'
        option limit '250'
        list ra_flags 'none'

# Same shape as the other pools, minus the 'ra_flags none' line.
config dhcp 'iot_online'
        option interface 'iot_online'
        option start '100'
        option leasetime '12h'
        option force '1'
        option limit '250'
        list dhcp_option '6,192.168.0.10'

cat /etc/config/firewall

# /etc/config/firewall as posted ('#' lines are comments, ignored by UCI).
# The two 'Allow DHCP' rules the poster adds further down the thread are not
# part of this dump.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Nothing crosses zones unless a 'config forwarding' or 'config rule'
        # below allows it.
        option forward 'REJECT'
        option disable_ipv6 '1'
        option synflood_protect '1'
        option flow_offloading '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # NOTE(review): no interface named 'vpn' exists in the posted
        # /etc/config/network.
        list network 'vpn'

config zone
        option name 'iot_online'
        option output 'ACCEPT'
        list network 'iot_online'
        # The router itself rejects this VLAN's traffic unless a rule allows
        # it; other zones are reachable only through the forwardings below,
        # and the only one for iot_online goes to 'wan'.  The DNS server
        # handed out to this VLAN, 192.168.0.10, sits in the lan zone and is
        # therefore unreachable without an explicit rule.
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option name 'lan_guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NOTE(review): lan_guest clients are also handed 192.168.0.10 as DNS
        # (see /etc/config/dhcp) but nothing in this dump forwards lan_guest
        # towards lan; check whether a DNS rule for it exists elsewhere.
        list network 'lan_guest'

# Inter-zone forwarding is one-directional: the 'src' zone may initiate
# connections, replies return through connection tracking.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan_guest'
        option dest 'wan'

# lan may reach iot_offline; iot_offline has no forwarding of its own, so it
# never reaches wan or lan (hence 'offline').
config forwarding
        option src 'lan'
        option dest 'iot_offline'

config forwarding
        option src 'iot_online'
        option dest 'wan'

config zone
        option name 'iot_offline'
        # Unlike the other zones, traffic to the router is silently dropped
        # rather than rejected.
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot_offline'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT everything leaving wan and clamp TCP MSS to the path MTU.
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# lan may initiate into iot_online; the reverse direction is still blocked.
config forwarding
        option src 'lan'
        option dest 'iot_online'

It's probably a DNS issue. Your iot_online network doesn't have any way to access the DNS server specified at 192.168.0.10: that address sits in the lan zone, and the only forwarding you have for iot_online goes to wan.

While connected to the iot_online network, what happens if you run the following tests:

# DHCP has to be allowed explicitly because both zones block traffic to the
# router (zone input 'REJECT' / 'DROP').  No 'dest' is set, so these rules
# match traffic addressed to the router itself.
config rule
        option name 'Allow DHCP iot_offline'
        list proto 'udp'
        option src 'iot_offline'
        option target 'ACCEPT'
        # DHCP client port -> DHCP server port.
        option src_port '68'
        option dest_port '67'

config rule
        option name 'Allow DHCP iot_online'
        list proto 'udp'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'
        option src 'iot_online'

Sorry, I missed these 2 rules.

Does a host connected to the iot_online network get an IP address via DHCP?


Yes, that works fine.


Let's see the results of the ping tests.

Yep, you're right. When I'm in the VLAN and set my DNS to 9.9.9.9 I have access, but if I set my DNS to 192.168.0.10 no ping gets through.

I guess the firewall rule isn't correct?

Just to be clear and verify (sorry if this seems redundant) - the issue is with your wireless LAN named iot_online?

If so, how did you configure wireless and setup wireless to eth0.55 if you didn't use the config file?

You don't have any firewall rules to allow DNS to be forwarded to the DNS server address.

Create a traffic rule that accepts TCP+UDP traffic from the iot_online zone with destination port 53, destination zone lan, destination address 192.168.0.10.


I made one, still no access.


# Least-privilege DNS path: only TCP/UDP port 53 to the Pi-hole's address is
# let through from iot_online into lan; the rest of lan stays unreachable.
# NOTE(review): the name reads the wrong way round - this rule permits
# iot_online -> Pi-hole, not Pi-hole -> iot_online.
config rule
        option name 'Allow PiHole to iot_online'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.0.10'
        list proto 'tcp'
        list proto 'udp'
        option src 'iot_online'

What is the DNS server itself? Is it a Pi-hole? If so, you have to tell the Pi-hole to accept all origins: by default it only answers queries from its own subnet, so requests arriving from 192.168.55.0/24 are refused even once the firewall lets them through.


Yep, it is.

Permit all origins


I guess this was the problem. The ping works within the iot_online VLAN. THANK YOU SO MUCH

Maybe I was too fast :slight_smile:

Some of my devices say DHCP failed now when I try to connect to iot_online.
With my laptop it works great.

Any idea? Thank you.

It works, I guess. I had a space in the name of one of my DHCP host configs.
