No WAN and no connection on VLAN

Hi there,

I tried different things and I can't figure out the problem.

I want the following:

For now:
zone security: WAN/internet access.
zone lan: access to zone security.

Later:
zone security: no WAN, just SMTP ports for IP 192.168.60.240; no one else should have access to WAN.

My firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan vpn'

config zone 'lan_guest'
	option name 'lan_guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'lan_guest'

config zone
	option output 'ACCEPT'
	option network 'IoT_Online'
	option name 'iot_online2'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'security'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'security'
	option input 'REJECT'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'
	option reload '1'

config rule
	option src 'lan_guest'
	option target 'ACCEPT'
	option name 'Guest allowed to DHCP'
	list proto 'udp'
	option src_port '68'
	option dest_port '67'

config rule
	option name 'Guest allowed PiHole'
	option src 'lan_guest'
	option dest_port '53'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.0.10'

config forwarding
	option src 'lan_guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan_guest'

config zone
	option name 'iot_offline'
	option network 'IoT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'DROP'

config rule
	option name 'Allow DHCP iot_offline'
	list proto 'udp'
	option src 'iot_offline'
	option target 'ACCEPT'
	option src_port '68'
	option dest_port '67'

config forwarding
	option src 'lan'
	option dest 'iot_offline'

config rule
	option name 'Allow DHCP iot_online'
	list proto 'udp'
	option src 'iot_online2'
	option src_port '68'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'iot_online2'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot_online2'

config rule
	option name 'Allow PiHole to iot_online'
	list proto 'udp'
	option src 'iot_online2'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Security Allow DHCP'
	list proto 'udp'
	option src 'security'
	option src_port '68'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Security Allow PiHole'
	option src 'security'
	option dest 'lan'
	list dest_ip '192.168.0.10'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'udp'

config forwarding
	option src 'security'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'security'


My interface:


config interface 'security'
	option proto 'static'
	option ifname 'eth0.60'
	option ipaddr '192.168.60.1'
	option netmask '255.255.255.0'
	list dns '192.168.0.10'


Thank you so much.

First of all, I do not recommend mixing 'vpn' and 'lan' (however, I do not know what the 'vpn' zone contains).

Secondly, what is the problem, i.e. the 'expected' vs. the 'real' behavior?

I have no WAN connection and I have no connection from lan to security,
e.g. 192.168.1.x to 192.168.60.240.

vpn is WireGuard. I didn't make this setting, I guess it was auto-configured by LuCI.

Try to add a 'forwarding' from the 'lan' to the 'security' zone. Does it work?

Nope, see the end of my config. I don't know what's wrong :frowning:

Can you ping IP of router 192.168.60.1 from 'security' zone?

Yep, if I use the network utilities in LuCI:

PING 192.168.60.1 (192.168.60.1): 56 data bytes
64 bytes from 192.168.60.1: seq=0 ttl=64 time=0.183 ms
64 bytes from 192.168.60.1: seq=1 ttl=64 time=0.173 ms
64 bytes from 192.168.60.1: seq=2 ttl=64 time=0.174 ms
64 bytes from 192.168.60.1: seq=3 ttl=64 time=0.177 ms
64 bytes from 192.168.60.1: seq=4 ttl=64 time=0.165 ms

--- 192.168.60.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.165/0.174/0.183 ms

No ping from device connected to 'security' zone.

I tried, no ping.

I received an IP from DHCP: 192.168.60.210.

Ping to 192.168.60.1 not successful. Same for x.x.x.240.

But it seems like the internet works if I'm in subnet/VLAN 60, but I can't ping or access x.x.60.1 or another device in this subnet.

Input is set to reject, so unless you have a rule to allow incoming traffic, like 'Security Allow DHCP' or 'Security Allow PiHole', it will be rejected.

OK, makes sense. But shouldn't it be possible to open 192.168.60.240 from 192.168.60.x?

Or do I need a traffic rule for each from/to IP?

Or do I make input open and add a traffic rule to disallow traffic to 193.168.60.1?

Is this the way?

I will test it later. Thank you.

Intra-LAN traffic is not regulated by the OpenWrt firewall. If you cannot access one host from another in the same LAN, you need to look at the firewall settings of the hosts.

tbh, should this be enough? And I put the security zone on accept input too.

I don't get it :frowning:

There is no firewall on the x.x.60.240 device. If I put the device in my default LAN at 192.168.0.x I can easily access it without problems. DHCP on the device is active.

What am I doing wrong? There must be something wrong :stuck_out_tongue:

Can you explain in more detail what is not working?
Source IP and in which zone, going to OpenWrt or another device in which zone? Which protocol/port are you using?

Hi trendy,

I try to access 192.168.60.240 (VLAN security, eth0.60) from my local LAN eth0 192.168.0.x.
It's an NVR device with web configuration/viewer, so I guess HTTP port 80.

As I said, it worked well when I connected the device to my local 192.168.0.x network.

Next step: I want to disable every other access to this VLAN 60, incoming and outgoing, esp. WAN.
The NVR has email notification; this is what I want to allow. So SMTP port 568 open, so that the NVR can send mails but not "call home or videostream".

That's what I'm trying to solve.

I thought this would be easy to do :frowning:

You have the forwarding in place, so verify that there is nothing blocking requests from IPs outside the NVR subnet. It doesn't have to be a firewall, even an access list on its http server might be an issue.

Yeah, as I thought...

Looks like it's the NVR. As soon as it is in a subnet other than 0 I have no access. It receives the correct IP from DHCP but no internet access; there is a remote app or a little connection status, it's always offline.

And I put it in another already working online VLAN 55. It is already well configured and I should have access, like to any other device in this VLAN, from my laptop.

So could it be possible that the NVR blocks everything if its IP is not in 192.168.0.x?

The internal IPv4 from the NVR to the cameras is 192.168.254.1.

Is there maybe a trick to handle that? I already used PVID on my switch for this port.
Idk if the manufacturer is doing stuff or blocking like that? Is that a way?

It is getting a bit out of the scope of this forum, but I must admit that some NVRs can be a bit particular when it comes to networking and configuration. I am sorry but I don't think we can be of more assistance. Your OpenWrt configuration looks correct and it seems to me that there is some misconfiguration or problem with the NVR.
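The reasoning the replies in this thread rely on (a zone's input policy decides whether hosts in that zone may reach the router unless a rule says otherwise, a 'forwarding' section is what lets lan reach security, and two hosts in the same VLAN never pass through the router's firewall at all), together with the "later" goal from the first post of allowing only the NVR to reach SMTP on the WAN, as an added Python model. This is example code written for this page, not part of the original thread and not OpenWrt's own fw3 code. It parses a trimmed copy of the firewall sections posted above and re-evaluates them after the SMTP-only change. The class and function names (Firewall, decide, routed_by_router, lock_down_nvr), the simplified fw3 semantics spelled out in the docstring, and the SMTP port list 25/465/587 are assumptions of this example.

```python
"""Model fw3's zone/forwarding/rule logic for the config posted above
(an added illustration, not OpenWrt code).  Simplifications: rules are
checked before policies; a rule with only 'src' is INPUT (to the router),
one with 'src' and 'dest' is FORWARD; a 'forwarding' section accepts all
inter-zone traffic; missing rule fields are wildcards (fw3 defaults a
missing proto to tcp+udp, ignored here)."""
import ipaddress

UCI = """
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'security'
    option input 'REJECT'
    option forward 'REJECT'
config rule
    option name 'Security Allow DHCP'
    list proto 'udp'
    option src 'security'
    option src_port '68'
    option dest_port '67'
    option target 'ACCEPT'
config forwarding
    option src 'security'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'security'
"""  # trimmed copy of the sections from the post that the questions hinge on

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into a list of (type, options)."""
    sections = []
    for parts in (line.split(None, 2) for line in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] in ("option", "list"):
            key, value = parts[1], parts[2].strip().strip("'\"")
            if parts[0] == "list":
                sections[-1][1].setdefault(key, []).append(value)
            else:
                sections[-1][1][key] = value
    return sections

def _match(key, pkt, rule):
    """Absent rule field = wildcard; *_ip fields may be CIDR, others exact."""
    if key not in rule:
        return True
    specs = rule[key] if isinstance(rule[key], list) else [rule[key]]
    if pkt.get(key) is None:
        return False
    if key.endswith("_ip"):
        addr = ipaddress.ip_address(pkt[key])
        return any(addr in ipaddress.ip_network(s, strict=False) for s in specs)
    return str(pkt[key]) in specs

class Firewall:
    def __init__(self, sections):
        self.defaults = next(o for k, o in sections if k == "defaults")
        self.zones = {o["name"]: o for k, o in sections if k == "zone"}
        self.rules = [o for k, o in sections if k == "rule" and o.get("enabled", "1") == "1"]
        self.forwardings = {(o["src"], o["dest"]) for k, o in sections if k == "forwarding"}

    def decide(self, src_zone, dst_zone, pkt):
        """Verdict for one packet; dst_zone=None means the router itself (INPUT)."""
        for r in self.rules:  # rules are evaluated before zone policies
            if r.get("src") not in (src_zone, "*"):
                continue
            if (dst_zone is None) != ("dest" not in r):
                continue  # INPUT rules have no 'dest', FORWARD rules do
            if dst_zone and r["dest"] not in (dst_zone, "*"):
                continue
            if all(_match(k, pkt, r) for k in ("proto", "src_ip", "dest_ip", "src_port", "dest_port")):
                return r["target"]
        if dst_zone is None:  # no rule matched: the zone's input policy applies
            return self.zones[src_zone].get("input", self.defaults["input"])
        if src_zone == dst_zone:  # intra-zone routing uses the zone's own forward policy
            return self.zones[src_zone].get("forward", self.defaults["forward"])
        return "ACCEPT" if (src_zone, dst_zone) in self.forwardings else self.defaults["forward"]

def routed_by_router(src_ip, dst_ip, subnet="192.168.60.0/24"):
    """Two hosts inside one VLAN talk via the switch; fw3 never sees that traffic."""
    net = ipaddress.ip_network(subnet)
    return not (ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net)

def lock_down_nvr(fw, nvr_ip="192.168.60.240", ports=("25", "465", "587")):
    """The 'later' goal: replace the blanket security->wan forwarding with one
    rule that lets only the NVR reach SMTP.  The port list is an assumption;
    use whichever port the NVR's mail settings are configured for."""
    fw.forwardings.discard(("security", "wan"))
    fw.rules.append({"name": "NVR SMTP only", "src": "security", "src_ip": nvr_ip, "dest": "wan",
                     "proto": "tcp", "dest_port": list(ports), "target": "ACCEPT"})
```

With the posted config, `decide("security", None, {"proto": "icmp"})` returns REJECT (a host in VLAN 60 pinging 192.168.60.1 hits the zone's input policy), the DHCP packet returns ACCEPT because a rule matches first, and `decide("lan", "security", ...)` for HTTP to 192.168.60.240 returns ACCEPT via the lan-to-security forwarding, which is why the OpenWrt side was judged correct. `routed_by_router("192.168.60.210", "192.168.60.240")` is False: that traffic is switched inside the VLAN and no zone rule can help or hurt it. After `lock_down_nvr` only 192.168.60.240 to TCP 25/465/587 is accepted towards wan and everything else from the security zone falls through to the default forward REJECT. In /etc/config/firewall that change is: delete the `config forwarding` with src 'security' and dest 'wan', and add a `config rule` with option src 'security', option src_ip '192.168.60.240', option dest 'wan', option proto 'tcp', one `list dest_port` per port, and option target 'ACCEPT', then restart the firewall with `/etc/init.d/firewall restart`.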
