No internet on devices in VLAN with private DNS server

Hi, I've been trying to figure this out for days, unfortunately without success. My knowledge of OpenWrt is not great — I've only been running it for a few weeks — so I need some help.

I have set up 3 VLANs (guest, IoT, NoT) and SSIDs with the same names on the access points (TP-Link Omada). Let's forget guest and NoT and focus only on the IoT VLAN (VLAN 30).

Route:
router -> managed switch -> access points

I can't reach my server (192.168.1.3) from a device in VLAN 30 (IoT). AdGuard Home is running on that server (192.168.1.3) and I want all client DNS traffic to go through AdGuard. For devices in the LAN it works perfectly.

I still can't ping, even after adding this (wide-open, any-zone-to-any-zone) test rule:

# DANGER: src '*' together with dest '*' is an any-zone-to-any-zone ACCEPT.
# While it is in place the whole VLAN segmentation is gone (guest <-> lan
# included). Use it only for a few minutes of diagnosis and delete it
# afterwards; a scoped test rule (src 'IoT', dest 'lan', dest_ip
# '192.168.1.3', proto 'icmp') proves the same thing with far less exposure.
config rule
	option target 'ACCEPT'
	option name 'Allow All (for test)'
	option dest '*'
	list proto 'all'
	option src '*'

So there are two problems but they are probably related

  1. I have no internet connection when using 192.168.1.3 as the DNS server.
  2. I can't ping from a device (mobile, laptop) in the IoT VLAN to 192.168.1.3 in the LAN.

I can't find the problem. Does anyone else know?

Config:

I removed the DHCP sections for guest and NoT from this post.

root@OpenWrt:~# cat /etc/config/dhcp

# dnsmasq global settings. Because DHCP option 6 below hands out 192.168.1.3
# (AdGuard Home) as the *only* resolver, the DNS hardening here
# (rebind_protection, localservice) only covers queries dnsmasq itself
# answers -- client queries never pass through it, so equivalent rebind
# protection has to be configured in AdGuard Home.
config dnsmasq
	option localise_queries '1'
	# Drop upstream answers that point at private address ranges
	# (DNS-rebinding protection) for queries dnsmasq resolves.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	# Only answer DNS from directly attached subnets.
	option localservice '1'
	option domainneeded '1'

# odhcpd (IPv6 RA/DHCPv6); maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Never serve DHCP on the upstream interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '150'
	option leasetime '12h'
	# Option 6: advertise 192.168.1.3 (AdGuard Home) as the sole DNS server.
	# Same zone as the clients, so no firewall rule is needed here.
	list dhcp_option '6,192.168.1.3'

config dhcp 'IoT'
	option interface 'IoT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# Option 6 points IoT clients at 192.168.1.3, which sits in the *lan*
	# zone. That is forwarded (IoT -> lan) traffic, so it only works with a
	# firewall rule that has dest 'lan', dest_ip 192.168.1.3 and dest_port 53;
	# a rule without 'dest' only covers traffic to the router itself.
	# Also note: a single resolver with no fallback, and option 6 is purely
	# advisory -- a device with a hard-coded public resolver bypasses AdGuard
	# unless DNS egress from IoT to wan is blocked in the firewall.
	list dhcp_option '6,192.168.1.3'

I removed the default WAN firewall rules from this post.

root@OpenWrt:~# cat /etc/config/firewall

# Global policy: traffic *to the router* is accepted unless a zone says
# otherwise; forwarding *between zones* is rejected unless an explicit
# 'forwarding' section or a 'rule' with both src and dest allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone: full access to the router, plus to every zone it has a
# 'forwarding' entry for (wan, NoT, IoT further down).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# Only lan and guest get a path to wan in this file; IoT and NoT have none,
# so IoT has no internet route at all regardless of which DNS server it uses.
config forwarding
	option src 'lan'
	option dest 'wan'

# NOTE(review): legacy firewall.user script include. On fw4 (OpenWrt 22.03+)
# such includes are not executed unless marked fw4-compatible -- confirm
# nothing here depends on it.
config include
	option path '/etc/firewall.user'

# Guest zone: cannot reach the router (input REJECT) except via the DHCP/DNS
# rules below, and cannot reach any other zone except wan.
config zone
	option input 'REJECT'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	list network 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

# Rules with a 'src' but no 'dest' match traffic addressed to the router
# itself (INPUT), never traffic forwarded into another zone.
# DHCP to the router. No proto given, so this matches tcp *and* udp; DHCP is
# udp only -- "list proto 'udp'" would tighten it at no cost.
config rule
	option dest_port '67-68'
	option src 'guest'
	option target 'ACCEPT'
	option family 'ipv4'
	option name 'Allow-DHCP'
	option src_port '67-68'

# DHCP to the router from IoT (INPUT); same proto remark as above.
config rule
	option dest_port '67-68'
	option src 'IoT'
	option name 'Allow-DHCP'
	option target 'ACCEPT'
	option src_port '67-68'
	option family 'ipv4'

# DHCP to the router from NoT (INPUT); same proto remark as above.
config rule
	option target 'ACCEPT'
	option src 'NoT'
	option src_port '67-68'
	option dest_port '67-68'
	option family 'ipv4'
	option name 'Allow-DHCP'

# DNS to the router's own dnsmasq (INPUT). Whether guest clients actually use
# the router as resolver is not visible here (guest DHCP section omitted).
config rule
	option dest_port '53'
	option target 'ACCEPT'
	option src 'guest'
	option family 'ipv4'
	option name 'Allow-DNS'

# DNS to the router's own dnsmasq (INPUT). This does NOT cover the resolver
# IoT clients are actually handed via DHCP option 6 (192.168.1.3, zone lan):
# that is forwarded traffic and needs a rule with dest 'lan' and
# dest_ip '192.168.1.3' -- see the Allow-NTP rules below for the right shape.
# Without it, IoT DNS queries hit the IoT zone's forward REJECT.
config rule
	option src 'IoT'
	option name 'Allow DNS'
	option target 'ACCEPT'
	option dest_port '53'
	list proto 'tcp'
	list proto 'udp'
	option family 'ipv4'

# DNS to the router's own dnsmasq (INPUT) from NoT; same caveat as for IoT
# if NoT clients are also pointed at 192.168.1.3.
config rule
	option dest_port '53'
	option src 'NoT'
	option target 'ACCEPT'
	option family 'ipv4'
	option name 'Allow-DNS'

# mDNS multicast to the router (INPUT, dest_ip is the mDNS group). Only
# useful if the router runs an mDNS reflector (umdns/avahi) -- not shown here.
# Unlike the NoT copy below this one has no 'family' restriction.
config rule
	option src_port '5353'
	option src 'IoT'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	list proto 'udp'
	option name 'Allow-mDNS'

config rule
	option src_port '5353'
	option name 'Allow-mDNS'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	list proto 'udp'
	option family 'ipv4'
	option src 'NoT'

# IoT zone: no access to the router beyond the rules above, no forwarding to
# any other zone (no 'forwarding' with src 'IoT' exists in this file).
config zone
	option name 'IoT'
	option output 'ACCEPT'
	list network 'IoT'
	option input 'REJECT'
	option forward 'REJECT'

# NOTE(review): family 'ipv4' limits this zone to IPv4. If IPv6 is enabled on
# the NoT interface, IPv6 traffic from NoT devices is not in any zone and
# falls through to the global defaults (input ACCEPT) -- confirm IPv6 is off
# there, or drop the family restriction.
config zone
	option name 'NoT'
	list network 'NoT'
	option family 'ipv4'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

# Forwarded rule (has 'dest'): IoT -> 192.168.1.3:123/udp only. This is the
# shape a DNS-to-AdGuard rule for IoT needs as well.
config rule
	option dest_port '123'
	option src 'IoT'
	option name 'Allow-NTP'
	option dest 'lan'
	list dest_ip '192.168.1.3'
	option target 'ACCEPT'
	list proto 'udp'
	option family 'ipv4'

# Forwarded rule: NoT -> 192.168.1.3:123/udp only.
config rule
	option src 'NoT'
	option name 'Allow-NTP'
	option target 'ACCEPT'
	option family 'ipv4'
	list dest_ip '192.168.1.3'
	option dest_port '123'
	option dest 'lan'
	list proto 'udp'

# Forwarded rule: NoT -> 192.168.1.3:6053/tcp. src_port additionally pins the
# client's *source* port to 6053; if the devices use ephemeral source ports
# this rule will never match -- presumably intentional, verify.
config rule
	option src_port '6053'
	option src 'NoT'
	option target 'ACCEPT'
	list dest_ip '192.168.1.3'
	option dest_port '6053'
	list proto 'tcp'
	option name 'Allow-EspHome-API'
	option dest 'lan'
	option family 'ipv4'

# Forwarded rule: NoT -> 192.168.1.3:5683, tcp and udp (no proto given).
# Same src_port remark as the ESPHome rule above.
config rule
	option src_port '5683'
	option src 'NoT'
	option name 'Allow-CoIoT'
	option dest 'lan'
	list dest_ip '192.168.1.3'
	option target 'ACCEPT'
	option dest_port '5683'
	option family 'ipv4'

# lan may initiate connections into NoT and IoT; replies come back via
# connection tracking. NoT/IoT still cannot initiate towards lan.
config forwarding
	option dest 'NoT'
	option src 'lan'

config forwarding
	option dest 'IoT'
	option src 'lan'

# Debug rule: opens IoT -> every host and every port in lan, all protocols.
# Remove it as soon as the diagnosis is done. If ping to 192.168.1.3 still
# fails with this in place, the firewall is probably not what blocks it --
# check VLAN 30 tagging on the switch/AP trunk and that the IoT interface is
# up with its own subnet.
config rule
	option dest 'lan'
	option src 'IoT'
	option target 'ACCEPT'
	option name 'Allow All (for test)'
	list proto 'all'

Answering my own topic — I just had to add the two firewall sections below and it all works now. In hindsight the config above shows why: there was no `forwarding` from IoT to wan at all (only lan and guest had one), so IoT had no internet path regardless of DNS; and the IoT "Allow DNS" rule had no `dest`, so it only allowed DNS to the router itself, not forwarded DNS to 192.168.1.3 in the lan zone. Don't forget to delete the "Allow All (for test)" rules afterwards.

cat /etc/config/firewall

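# IoT -> wan forwarding: without this the IoT zone had no internet path at all.
config forwarding
	option src 'IoT'
	option dest 'wan'

# Forwarded DNS from IoT to AdGuard Home (192.168.1.3 in the lan zone),
# restricted to that single host and port 53 tcp/udp. A rule without 'dest'
# would only cover DNS to the router itself.
config rule
	option name 'Allow-DNS'
	option src 'IoT'
	option dest 'lan'
	list dest_ip '192.168.1.3'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'

# Enforce "all client DNS goes through AdGuard": the IoT -> wan forwarding
# above would otherwise let any device with a hard-coded public resolver
# (or DNS-over-TLS on 853) bypass AdGuard entirely. Rules are evaluated
# before the zone forwarding, so this wins over the IoT -> wan accept.
# DNS-over-HTTPS (443) cannot be blocked this way.
config rule
	option name 'Reject-IoT-DNS-Egress'
	option src 'IoT'
	option dest 'wan'
	option target 'REJECT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 853'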
