No inter-VLAN communication when using the same Firewall Zone

I'm running two OpenWrt devices, one as a router and another only as a switch & AP. Both are connected with a cable where both end ports are configured as trunk ports. The VLAN separation works without a problem and both can connect to WAN.

My problem is that the inter-VLAN communication is not working. The interface of the new VLAN, VLAN99, is using the same "lan" firewall zone as the other VLAN, VLAN1 (pre-configured from the install).

Firewall forwarding is set to accept; maybe I'm missing something.

Maybe some useful information:
VLAN1 - 10.11.14.0/24
VLAN99 - 10.99.0.0/16

uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxx:xxxx:xxxx:xxxx:/xx'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.dns='8.8.8.8'
network.lan.delegate='0'
network.lan.ipaddr='10.11.14.1/24'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan.dns='8.8.8.8'
network.wan.peerdns='0'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 1 2t 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[1].ports='4 6t'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].vid='99'
network.@switch_vlan[2].ports='2t 5t'
network.Servers=interface
network.Servers.ifname='eth0.99'
network.Servers.proto='static'
network.Servers.netmask='255.255.0.0'
network.Servers.delegate='0'
network.Servers.ipaddr='10.99.0.1'

uci show firewall;
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan Servers'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

ip route
default via xx.xx.xx.xx dev eth1.2  src xx.xx.xx.xx
10.11.14.0/24 dev br-lan scope link  src 10.11.14.1
10.99.0.0/16 dev eth0.99 scope link  src 10.99.0.1
xx.xx.xx.xx/xx dev eth1.2 scope link  src xx.xx.xx.xx

CMD.exe - Ping result when pinging test Linux machines. Seems like the packets are being rejected or do not find the way back.

ping 10.11.14.10

Pinging 10.11.14.10 with 32 bytes of data:
Reply from 10.99.0.99: Destination host unreachable.
Reply from 10.99.0.99: Destination host unreachable.
Reply from 10.99.0.99: Destination host unreachable.
Reply from 10.99.0.99: Destination host unreachable.

Ping statistics for 10.11.14.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

You can remove the dns from the lan interface, keep it only in wan.

Do both hosts in vlan1 and vlan99 acquire settings from dhcp successfully?


DNS removed from the lan interface, thanks for the tip.

Hosts in vlan1 do get the correct DHCP settings; on vlan99 I have disabled the DHCP server since I'm setting everything manually in that VLAN (just in case: one host has the IP 10.99.0.99, subnet 255.255.0.0, gateway 10.99.0.1, DNS 10.99.0.1).

Can you ping from the host in vlan1 the router and vice versa?
Can you ping from the host in vlan99 the router and vice versa?

Hosts pinging their own gateway works.
vlan1 -> 10.11.14.1
vlan99 -> 10.99.0.1
But pinging the other vlan's gateway has the following result for both:

[vlan99 host]>ping 10.11.14.1

Pinging 10.11.14.1 with 32 bytes of data:
Reply from 10.99.0.99: Destination host unreachable.
Reply from 10.99.0.99: Destination host unreachable.
Reply from 10.99.0.99: Destination host unreachable.

The router can ping both hosts successfully.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

ubus call system board

root@OpenWrt:~# ubus call system board;
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT32X",
        "board_name": "linksys,venom",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}

uci export network; uci export dhcp; uci export firewall;

root@OpenWrt:~# uci export network; uci export dhcp; uci export firewall;
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx:xxxx:/xx'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ip6assign '60'
        option delegate '0'
        list ipaddr '10.11.14.1/24'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        list dns '8.8.8.8'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2t 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '99'
        option ports '2t 5t'

config interface 'Servers'
        option ifname 'eth0.99'
        option proto 'static'
        option netmask '255.255.0.0'
        option delegate '0'
        option ipaddr '10.99.0.1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '/test.net/10.11.14.5'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '1,255.0.0.0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Servers'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

head -n -0 /etc/firewall.user;

root@OpenWrt:~# head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables-save -c;

root@OpenWrt:~# iptables-save -c;
# Generated by iptables-save v1.8.3 on Sat Sep 26 22:52:25 2020
*nat
:PREROUTING ACCEPT [23210:4341910]
:INPUT ACCEPT [5009:377694]
:OUTPUT ACCEPT [4700:336909]
:POSTROUTING ACCEPT [150:11031]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[23210:4341910] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[15112:3747886] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[5726:464380] -A PREROUTING -i eth0.99 -m comment --comment "!fw3" -j zone_lan_prerouting
[2372:129644] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[12525:1068594] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[37:3234] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.99 -m comment --comment "!fw3" -j zone_lan_postrouting
[12375:1057563] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[37:3234] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[20838:4212266] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[12375:1057563] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[12375:1057563] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[2372:129644] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Sep 26 22:52:25 2020
# Generated by iptables-save v1.8.3 on Sat Sep 26 22:52:25 2020
*mangle
:PREROUTING ACCEPT [14781949:35732386877]
:INPUT ACCEPT [20459:2354853]
:FORWARD ACCEPT [14751191:35726815519]
:OUTPUT ACCEPT [23861:4835899]
:POSTROUTING ACCEPT [14774733:35731630706]
[4469:274508] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[4664:265380] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Sep 26 22:52:25 2020
# Generated by iptables-save v1.8.3 on Sat Sep 26 22:52:25 2020
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[3558:343299] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[16903:2011634] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[8843:1476635] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1794:74404] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3425:255210] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1577:121290] -A INPUT -i eth0.99 -m comment --comment "!fw3" -j zone_lan_input
[3058:158499] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[14751191:35726815519] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[14744403:35726040874] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5027:664517] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[1761:110128] -A FORWARD -i eth0.99 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[3558:343299] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[20310:4494672] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[14067:4042596] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[163:14242] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1:40] -A OUTPUT -o eth0.99 -m comment --comment "!fw3" -j zone_lan_output
[6079:437794] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[2464:102597] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[88:13556] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1794:74404] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[163:14242] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1:40] -A zone_lan_dest_ACCEPT -o eth0.99 -m comment --comment "!fw3" -j ACCEPT
[6788:774645] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[6788:774645] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[5002:376500] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[5002:376500] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[164:14282] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[164:14282] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3425:255210] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1576:121250] -A zone_lan_src_ACCEPT -i eth0.99 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[319:20712] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[12548:1191727] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[3058:158499] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[13:4264] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[493:38082] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2552:116153] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[6079:437794] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[6079:437794] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[2552:116153] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep 26 22:52:25 2020

ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.11.14.1/24 brd 10.11.14.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xx.xx.xx.xx/xx brd xx.xx.xx.xx scope global eth1.2
       valid_lft forever preferred_lft forever
15: eth0.99@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.99.0.1/16 brd 10.99.255.255 scope global eth0.99
       valid_lft forever preferred_lft forever
default via xx.xx.xx.xx dev eth1.2  src xx.xx.xx.xx
10.11.14.0/24 dev br-lan scope link  src 10.11.14.1
10.99.0.0/16 dev eth0.99 scope link  src 10.99.0.1
xx.xx.xx.xx/xx dev eth1.2 scope link  src xx.xx.xx.xx
broadcast 10.11.14.0 dev br-lan table local scope link  src 10.11.14.1
local 10.11.14.1 dev br-lan table local scope host  src 10.11.14.1
broadcast 10.11.14.255 dev br-lan table local scope link  src 10.11.14.1
broadcast 10.99.0.0 dev eth0.99 table local scope link  src 10.99.0.1
local 10.99.0.1 dev eth0.99 table local scope host  src 10.99.0.1
broadcast 10.99.255.255 dev eth0.99 table local scope link  src 10.99.0.1
broadcast xx.xx.xx.x dev eth1.2 table local scope link  src xx.xx.xx.xx
local xx.xx.xx.xx dev eth1.2 table local scope host  src xx.xx.xx.xx
broadcast xx.xx.xx.xx dev eth1.2 table local scope link  src xx.xx.xx.xx
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
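The `iptables-save -c` dump above carries a packet counter in front of every rule, and those counters say where forwarded traffic stops before any tcpdump is needed. The following is an added example, not part of the thread: a small parser that reads the `[packets:bytes]` counters, sums the packets that jumped into each chain or terminal target, and lists the rules in a chain that never matched. `SAMPLE_DUMP` is a constructed excerpt modelled on the filter table posted above, keeping only the FORWARD path.

```python
"""Read `iptables-save -c` counters to see where forwarded traffic stops.

Added example, not part of the thread. Parses the [packets:bytes] counters
iptables-save prints in front of each rule, sums the packets that jumped
into each chain or terminal target, and lists the rules in a chain that
never matched. SAMPLE_DUMP is a constructed excerpt modelled on the filter
table posted above (only the FORWARD path is kept).
"""
import re
from collections import defaultdict

# Constructed excerpt of `iptables-save -c` output (filter table, FORWARD path).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [1:40]
:FORWARD DROP [0:0]
:zone_lan_forward - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
[14751191:35726815519] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[14744403:35726040874] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5027:664517] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[1761:110128] -A FORWARD -i eth0.99 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[6788:774645] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[163:14242] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1:40] -A zone_lan_dest_ACCEPT -o eth0.99 -m comment --comment "!fw3" -j ACCEPT
COMMIT
"""

# "[pkts:bytes] -A <chain> <match spec ... -j target>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+)\s*(.*)$")


def parse_rules(dump):
    """Return one dict per rule: table, chain, pkts, bytes, match, target."""
    table, rules = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # chain declarations, COMMIT, comments
        pkts, nbytes, chain, rest = m.groups()
        match_spec, target = rest, None
        head, sep, tail = (" " + rest).rpartition(" -j ")
        if sep:  # split the target off from the right; options may follow it
            match_spec = head.strip()
            target = tail.split()[0]
        rules.append({"table": table, "chain": chain, "pkts": int(pkts),
                      "bytes": int(nbytes), "match": match_spec, "target": target})
    return rules


def packets_into(rules, table="filter"):
    """Packets that jumped into each chain or terminal target: the sum of the
    counters on every rule whose -j points at it."""
    totals = defaultdict(int)
    for r in rules:
        if r["table"] == table and r["target"]:
            totals[r["target"]] += r["pkts"]
    return dict(totals)


def ingress_by_interface(rules, chain="FORWARD", table="filter"):
    """Packets dispatched from `chain` per -i interface (fw3's zone dispatch)."""
    seen = {}
    for r in rules:
        if r["table"] == table and r["chain"] == chain:
            m = re.search(r"(?:^|\s)-i (\S+)", r["match"])
            if m:
                seen[m.group(1)] = r["pkts"]
    return seen


def unmatched_rules(rules, chain, table="filter"):
    """Rules in `chain` whose packet counter is still zero."""
    return [r for r in rules
            if r["table"] == table and r["chain"] == chain and r["pkts"] == 0]


def report(dump):
    """Print the FORWARD-path summary and return the per-target totals."""
    rules = parse_rules(dump)
    into = packets_into(rules)
    print("packets entering FORWARD per ingress interface:", ingress_by_interface(rules))
    for chain in ("zone_lan_forward", "zone_wan_dest_ACCEPT", "zone_lan_dest_ACCEPT"):
        print(f"{chain}: {into.get(chain, 0)} packets jumped in")
    for r in unmatched_rules(rules, "zone_lan_forward"):
        print("never matched in zone_lan_forward:", r["match"], "->", r["target"])
    return into


if __name__ == "__main__":
    report(SAMPLE_DUMP)
```

Applied to the dump posted above, the two dispatch rules show 5027 packets from br-lan and 1761 from eth0.99 entering zone_lan_forward, while the jump into zone_lan_dest_ACCEPT, the rule that passes lan-to-lan (inter-VLAN) traffic, still reads 0. A new inter-VLAN flow has to pass through that rule, so none had reached the router's FORWARD chain when the dump was taken. That is consistent with the hosts answering their own pings with "Destination host unreachable", which Windows prints when it cannot resolve the next hop on the local link, rather than with the firewall rejecting anything.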

That is wrong. Better stick to the defaults if you are not sure. I could also question the choice of /16 for servers mask, but it is not affecting you in this case.

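The lan DHCP pool in the config above hands out `list dhcp_option '1,255.0.0.0'`, i.e. a 255.0.0.0 subnet mask, although br-lan is 10.11.14.1/24. The following is an added example, not part of the thread, showing why that matters for inter-VLAN traffic: a host routes per destination, ARPing directly for anything inside its own prefix and handing everything else to the default gateway, so a 10.11.14.x client with a /8 mask treats 10.99.0.0/16 as on-link and never sends those packets to the router. The host, mask and gateway values are constructed from the addresses in the thread; the helper names are mine.

```python
"""Why a wrong DHCP subnet-mask option (option 1) breaks inter-VLAN traffic.

Added example, not part of the thread. A host routes per destination: if the
destination falls inside its own interface prefix it ARPs for it directly,
otherwise it hands the packet to the default gateway. A lan pool handing out
option 1 = 255.0.0.0 makes every 10.11.14.x client treat all of 10.0.0.0/8,
including 10.99.0.0/16, as on-link, so those packets never reach the router.
Host/mask/gateway values below are constructed from the thread.
"""
import ipaddress


def next_hop(host_ip, netmask, gateway, destination):
    """Mimic a host's routing decision for one packet.

    Returns ("direct", destination) when the host would ARP for the
    destination itself, or ("gateway", gateway) when it forwards to the router.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(destination) in iface.network:
        return ("direct", destination)
    return ("gateway", gateway)


def dhcp_mask_mismatch(dhcp_options, lan_cidr):
    """Check uci `list dhcp_option` entries of a dhcp section against the
    interface prefix. Returns the advertised mask when option 1 disagrees
    with the interface's own mask, otherwise None."""
    expected = ipaddress.ip_interface(lan_cidr).netmask
    for entry in dhcp_options:
        code, _, value = entry.partition(",")
        if code.strip() == "1":
            advertised = ipaddress.ip_address(value.strip())
            if advertised != expected:
                return str(advertised)
    return None


def compare(host_ip, gateway, destination, masks):
    """Routing decision for the same packet under each candidate mask."""
    return {mask: next_hop(host_ip, mask, gateway, destination) for mask in masks}


if __name__ == "__main__":
    # The lan pool from the thread advertised option 1 = 255.0.0.0 although
    # br-lan is 10.11.14.1/24.
    print("mask mismatch:", dhcp_mask_mismatch(["1,255.0.0.0"], "10.11.14.1/24"))
    # A vlan1 client replying to 10.99.0.99 under the wrong and the right mask.
    for mask, hop in compare("10.11.14.10", "10.11.14.1", "10.99.0.99",
                             ("255.0.0.0", "255.255.255.0")).items():
        print(f"{mask}: {hop}")
```

`dhcp_mask_mismatch` is the check to run against the `dhcp_option` lists from `uci export dhcp` before touching the firewall: if option 1 is set at all, it should equal the interface's own mask, and normally it should simply not be set, since dnsmasq derives it from the interface. The thread does not establish that this option alone was the cause (the problem persisted after it was removed until the interface was recreated and the router rebooted), but a client still holding the old /8 lease keeps the wrong mask until it renews.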

Sorry about that. That was a setting I used when everything was located in one subnet and one vlan.
The /16 servers mask is just being used for testing, once I have a better understanding of what went wrong I will reduce it appropriately.

list dhcp_option '1,255.0.0.0'

This setting has now been deleted. I released and renewed a host's dhcp lease but the problem persists.

So I just tried restarting fw3 to see if any errors pop up. There is a warning about "ipset support"; could this be the root of the problem?

root@OpenWrt:~# fw3 restart
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

No, this is just a warning, irrelevant to your problem.
Run a tcpdump to capture packets and start a ping from one host to the other.
tcpdump -i any -evn '(icmp) and (net 10.99.0.0/16 or net 10.11.14.0/24)'

I'm not sure why it works now but I did the following.

Knowing that you, trendy, revised the settings and saw no problems other than the "dhcp_option '1,255.0.0.0'", I deleted the "servers" interface and then rebooted the router. Then I added the interface with a new name, "test", and configured it the same as before (static IP, physical settings, firewall zone) and proceeded to reboot again.

Now 10.99.0.0/16 and 10.11.14.0/24 can talk to each other.
Not sure why the reboots solved the issue, as I tried redoing the interface before, but I certainly couldn't have done it without your input. Thank you a lot!

I notice you didn't mention anything about restarting dnsmasq; maybe that was the issue.

