Not able to HTTP to another subnet

tinmem · May 12, 2022, 4:43pm

I have an TP-Link Archer C6 v2 running OpenWrt 21.02.2 r16495-bf0c965af0

I'm trying to get my Nextcloud server into its own zone so I can fully control which devices should have access and in the future also only allow it to ping some servers needed to have the mobile application working.

while on my process of baby steps (to learn how openwrt works), I've created my server zone, created a firewall entry...
what I have now is my laptop and server on two different subnets:
lan - 192.168.2.xxx
server - 192.168.4.xxx

I've set the forward rule on the firewall to make all my devices to be able to communicate with the server, with that I can ping my server from my laptop, but I can't HTTP(s) to it.
I was able to see some traffic going in/out from the router and also I can see them on the server as well using tcpdump

The interesting part is that if I run a tracepath command on my laptop than the browser starts to accept the routing and I can browse my Nextcloud server. I can't do the same on my phone so I can't use the app.
Since it works after tracepath command I'm pretty sure I'm doing some very dumb mistake , I appreciate any help.

here is my current configs (I've already removed some sensitive info):

cat /etc/config/network;

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48' # edited

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.2.100'
        option device 'br-lan.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip4table 'local'
        option ip6table 'local'

config interface 'xboxlan'
        option proto 'static'
        option ipaddr '192.168.3.101'
        option ip6assign '64'
        option device 'br-lan.10'
        option netmask '255.255.255.0'
        option ip6ifaceid '::10'

config interface 'server'
        option proto 'static'
        option ip6assign '64'
        option device 'br-lan.20'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option ip4table 'local'
        option ip6table 'local'
        option ip6ifaceid '::20'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'xxxx'
        option password 'xxxx'
        option ipv6 'auto'
        option peerdns '0'
        list dns 'xxx.xxx.xxx.20' # my internet provider dns
        list dns 'xxx.xxx.xxx.21' # my internet provider dns
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option ip6assign '64'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 5'
        option description 'main'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        
config device
        option name 'br-lan'
        option type 'bridge'
        option mtu '1480'
        option mtu6 '1480'
        list ports 'eth0.1'
        list ports 'eth0.10'
        list ports 'eth0.20'
        option acceptlocal '1'

config device
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx:xx' #edited
        option mtu '1480'
        option mtu6 '1480'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option macaddr 'xx:xx:xx:xx:xx:xx' #edited
        option mtu '1480'
        option mtu6 '1480'
        option acceptlocal '1'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option macaddr 'xx:xx:xx:xx:xx:xx' #edited
        option mtu '1480'
        option mtu6 '1480'

config device
        option name 'wlan1'
        option multicast_fast_leave '1'
        option unicast_flood '0'
        option mtu '1480'
        option mtu6 '1480'
        option acceptlocal '1'

config device
        option name 'wlan0'
        option unicast_flood '0'
        option mtu '1480'
        option mtu6 '1480'

config device
        option name 'eth0.20'
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option acceptlocal '1'

config device
        option name 'br-lan.20'
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'
        option acceptlocal '1'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option acceptlocal '1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '0t 3'
        option description 'xbox'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '20'
        option description 'fileserver'
        option ports '0t 2'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0.1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0.20:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0.10:u*'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option htmode 'VHT80'
        option country 'BR'
        option cell_density '1'
        option channel '100'
        option diversity '1'
        option txpower '20'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option htmode 'HT40'
        option country 'BR'
        option cell_density '1'
        option channel '3'
        option noscan '1'
        option diversity '1'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option key 'password'
        option network 'lan'
        option ssid 'MyWiFi'
        option encryption 'sae-mixed'
        option disassoc_low_ack '0'
        option macfilter 'allow'
        list maclist 'XX:XX:XX:XX:XX:XX' # I know that there is better ways to secure my wifi but I've set a list of allowed Macs 

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'My5GWiFi'
        option encryption 'sae-mixed'
        option key 'password'
        option ieee80211r '1'
        option mobility_domain '4321'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option network 'lan'
        option disassoc_low_ack '0'
        option macfilter 'allow'
        list maclist 'XX:XX:XX:XX:XX:XX' # I know that there is better ways to secure my wifi but I've set a list of allowed Macs

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option ednspacket_max '1232'
        option allservers '1'
        option quietdhcp '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '101'
        option limit '169'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config dhcp 'server'
        option interface 'server'
        option leasetime '12h'
        option start '171'
        option limit '180'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option dns_service '0'

config dhcp 'xboxlan'
        option interface 'xboxlan'
        option leasetime '12h'
        option start '102'
        option limit '110'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'FileServer'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.4.174'

config host
        option name 'Laptop'
        option dns '1'
        option ip '192.168.2.109'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'Xbox'
        option dns '1'
        option ip '192.168.3.102'
        option mac 'XX:XX:XX:XX:XX:XX'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option forward 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-lan.1'

config zone
        option output 'ACCEPT'
        option name 'server'
        option network 'server'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-lan.20'

config zone
        option output 'ACCEPT'
        option input 'REJECT'
        option name 'xbox'
        option network 'xboxlan'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'
        
config forwarding
        option src 'lan'
        option dest 'server'
        
config forwarding
        option src 'lan'
        option dest 'xbox'

config forwarding
        option src 'server'
        option dest 'wan'

config forwarding
        option src 'server'
        option dest 'lan'

config forwarding
        option src 'xbox'
        option dest 'wan'

config rule
        option name 'Xbox DNS & DHCP'
        option dest_port '53 67 68 547'
        option target 'ACCEPT'
        option src 'xbox'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP-Xbox'
        list proto 'esp'
        option src 'wan'
        option target 'ACCEPT'
        option dest 'xbox'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-Xbox'
        list proto 'udp'
        option src 'wan'
        option dest_port '500'
        option target 'ACCEPT'
        option dest 'xbox'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '53208'
        option dest_ip '192.168.3.102'
        option dest_port '53208'
        option name 'XBL_TCP+UDP-53208'
        list proto 'tcp'
        list proto 'udp'
        option src_port '3544'
        option dest 'xbox'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '3074'
        option dest_ip '192.168.3.102'
        option dest_port '3074'
        option name 'XBL_TCP+UDP-3074'
        option dest 'xbox'

ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: br-lan.10@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP qlen 1000
    inet 192.168.3.101/24 brd 192.168.3.255 scope global br-lan.10
       valid_lft forever preferred_lft forever
14: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc fq_codel state UNKNOWN qlen 3
    inet xxx.xxx.xxx.xxx peer xxx.xxx.xxx.xxx/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
17: br-lan.20@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan.20
       valid_lft forever preferred_lft forever
18: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP qlen 1000
    inet 192.168.2.100/24 brd 192.168.2.255 scope global br-lan.1
       valid_lft forever preferred_lft forever

ip -4 ro li tab all

default via xxx.xxx.xxx.xxx dev pppoe-wan 
xxx.xxx.xxx.xxx dev pppoe-wan scope link  src xxx.xxx.xxx.xxx 
192.168.3.0/24 dev br-lan.10 scope link  src 192.168.3.101 
local xxx.xxx.xxx.xxx dev pppoe-wan table local scope host  src xxx.xxx.xxx.xxx 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.2.0 dev br-lan.1 table local scope link  src 192.168.2.100 
192.168.2.0/24 dev br-lan.1 table local scope link 
local 192.168.2.100 dev br-lan.1 table local scope host  src 192.168.2.100 
broadcast 192.168.2.255 dev br-lan.1 table local scope link  src 192.168.2.100 
broadcast 192.168.3.0 dev br-lan.10 table local scope link  src 192.168.3.101 
local 192.168.3.101 dev br-lan.10 table local scope host  src 192.168.3.101 
broadcast 192.168.3.255 dev br-lan.10 table local scope link  src 192.168.3.101 
broadcast 192.168.4.0 dev br-lan.20 table local scope link  src 192.168.4.1 
192.168.4.0/24 dev br-lan.20 table local scope link 
local 192.168.4.1 dev br-lan.20 table local scope host  src 192.168.4.1 
broadcast 192.168.4.255 dev br-lan.20 table local scope link  src 192.168.4.1

ip -4 ru

0:      from all lookup local 
10000:  from 192.168.4.1 lookup local 
10000:  from 192.168.2.100 lookup local 
20000:  from all to 192.168.4.1/24 lookup local 
20000:  from all to 192.168.2.100/24 lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
90017:  from all iif lo lookup local 
90018:  from all iif lo lookup local

tinmem · May 12, 2022, 4:43pm

I was not able to add the last part f my config:

iptables-save -c

 Generated by iptables-save v1.8.7 on Thu May 12 13:04:03 2022
*nat
:PREROUTING ACCEPT [28:2156]
:INPUT ACCEPT [22:1082]
:OUTPUT ACCEPT [18:1272]
:POSTROUTING ACCEPT [2:144]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_server_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_xbox_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_server_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_xbox_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_server_postrouting - [0:0]
:zone_server_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_xbox_postrouting - [0:0]
:zone_xbox_prerouting - [0:0]
[28:2156] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[26:1878] -A PREROUTING -i br-lan.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[1:64] -A PREROUTING -i br-lan.20 -m comment --comment "!fw3" -j zone_server_prerouting
[0:0] -A PREROUTING -i br-lan.10 -m comment --comment "!fw3" -j zone_xbox_prerouting
[0:0] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[1:214] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[19:1332] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-lan.20 -m comment --comment "!fw3" -j zone_server_postrouting
[0:0] -A POSTROUTING -o br-lan.10 -m comment --comment "!fw3" -j zone_xbox_postrouting
[17:1188] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[26:1878] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_server_postrouting -m comment --comment "!fw3: Custom server postrouting rule chain" -j postrouting_server_rule
[1:64] -A zone_server_prerouting -m comment --comment "!fw3: Custom server prerouting rule chain" -j prerouting_server_rule
[17:1188] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[17:1188] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1:214] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --sport 3544 --dport 53208 -m comment --comment "!fw3: BXL_TCP+UDP-53208" -j DNAT --to-destination 192.168.3.102:53208
[0:0] -A zone_wan_prerouting -p udp -m udp --sport 3544 --dport 53208 -m comment --comment "!fw3: BXL_TCP+UDP-53208" -j DNAT --to-destination 192.168.3.102:53208
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3074 -m comment --comment "!fw3: XBL_TCP+UDP-3074" -j DNAT --to-destination 192.168.3.102:3074
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3074 -m comment --comment "!fw3: XBL_TCP+UDP-3074" -j DNAT --to-destination 192.168.3.102:3074
[0:0] -A zone_xbox_postrouting -m comment --comment "!fw3: Custom xbox postrouting rule chain" -j postrouting_xbox_rule
[0:0] -A zone_xbox_postrouting -s 192.168.3.0/24 -d 192.168.3.102/32 -p tcp -m tcp --dport 53208 -m comment --comment "!fw3: BXL_TCP+UDP-53208 (reflection)" -j SNAT --to-source 192.168.3.101
[0:0] -A zone_xbox_postrouting -s 192.168.3.0/24 -d 192.168.3.102/32 -p udp -m udp --dport 53208 -m comment --comment "!fw3: BXL_TCP+UDP-53208 (reflection)" -j SNAT --to-source 192.168.3.101
[0:0] -A zone_xbox_postrouting -s 192.168.3.0/24 -d 192.168.3.102/32 -p tcp -m tcp --dport 3074 -m comment --comment "!fw3: XBL_TCP+UDP-3074 (reflection)" -j SNAT --to-source 192.168.3.101
[0:0] -A zone_xbox_postrouting -s 192.168.3.0/24 -d 192.168.3.102/32 -p udp -m udp --dport 3074 -m comment --comment "!fw3: XBL_TCP+UDP-3074 (reflection)" -j SNAT --to-source 192.168.3.101
[0:0] -A zone_xbox_prerouting -m comment --comment "!fw3: Custom xbox prerouting rule chain" -j prerouting_xbox_rule
[0:0] -A zone_xbox_prerouting -s 192.168.3.0/24 -d 100.102.15.108/32 -p tcp -m tcp --dport 53208 -m comment --comment "!fw3: BXL_TCP+UDP-53208 (reflection)" -j DNAT --to-destination 192.168.3.102:53208
[0:0] -A zone_xbox_prerouting -s 192.168.3.0/24 -d 100.102.15.108/32 -p udp -m udp --dport 53208 -m comment --comment "!fw3: BXL_TCP+UDP-53208 (reflection)" -j DNAT --to-destination 192.168.3.102:53208
[0:0] -A zone_xbox_prerouting -s 192.168.3.0/24 -d 100.102.15.108/32 -p tcp -m tcp --dport 3074 -m comment --comment "!fw3: XBL_TCP+UDP-3074 (reflection)" -j DNAT --to-destination 192.168.3.102:3074
[0:0] -A zone_xbox_prerouting -s 192.168.3.0/24 -d 100.102.15.108/32 -p udp -m udp --dport 3074 -m comment --comment "!fw3: XBL_TCP+UDP-3074 (reflection)" -j DNAT --to-destination 192.168.3.102:3074
COMMIT
# Completed on Thu May 12 13:04:03 2022
# Generated by iptables-save v1.8.7 on Thu May 12 13:04:03 2022
*mangle
:PREROUTING ACCEPT [277:32043]
:INPUT ACCEPT [269:31039]
:FORWARD ACCEPT [4:204]
:OUTPUT ACCEPT [276:79205]
:POSTROUTING ACCEPT [280:79409]
[1:60] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1:52] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu May 12 13:04:03 2022
# Generated by iptables-save v1.8.7 on Thu May 12 13:04:03 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_server_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_xbox_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_server_rule - [0:0]
:input_wan_rule - [0:0]
:input_xbox_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_server_rule - [0:0]
:output_wan_rule - [0:0]
:output_xbox_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_server_dest_ACCEPT - [0:0]
:zone_server_forward - [0:0]
:zone_server_input - [0:0]
:zone_server_output - [0:0]
:zone_server_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_xbox_dest_ACCEPT - [0:0]
:zone_xbox_dest_REJECT - [0:0]
:zone_xbox_forward - [0:0]
:zone_xbox_input - [0:0]
:zone_xbox_output - [0:0]
:zone_xbox_src_REJECT - [0:0]
[112:11368] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[157:19671] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[131:18185] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:60] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[23:1144] -A INPUT -i br-lan.1 -m comment --comment "!fw3" -j zone_lan_input
[2:128] -A INPUT -i br-lan.20 -m comment --comment "!fw3" -j zone_server_input
[0:0] -A INPUT -i br-lan.10 -m comment --comment "!fw3" -j zone_xbox_input
[0:0] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[1:214] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[4:204] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[3:144] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[3:144] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:60] -A FORWARD -i br-lan.1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-lan.20 -m comment --comment "!fw3" -j zone_server_forward
[0:0] -A FORWARD -i br-lan.10 -m comment --comment "!fw3" -j zone_xbox_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[112:11368] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[165:70301] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[149:69173] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan.1 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-lan.20 -m comment --comment "!fw3" -j zone_server_output
[0:0] -A OUTPUT -o br-lan.10 -m comment --comment "!fw3" -j zone_xbox_output
[16:1128] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:214] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1:60] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan.1 -m comment --comment "!fw3" -j ACCEPT
[1:60] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1:60] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to xbox forwarding policy" -j zone_xbox_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to server forwarding policy" -j zone_server_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[23:1144] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[23:1144] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[23:1144] -A zone_lan_src_ACCEPT -i br-lan.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_server_dest_ACCEPT -o br-lan.20 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_server_forward -m comment --comment "!fw3: Custom server forwarding rule chain" -j forwarding_server_rule
[0:0] -A zone_server_forward -m comment --comment "!fw3: Zone server to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_server_forward -m comment --comment "!fw3: Zone server to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_server_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_server_forward -m comment --comment "!fw3" -j zone_server_dest_ACCEPT
[2:128] -A zone_server_input -m comment --comment "!fw3: Custom server input rule chain" -j input_server_rule
[0:0] -A zone_server_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2:128] -A zone_server_input -m comment --comment "!fw3" -j zone_server_src_ACCEPT
[0:0] -A zone_server_output -m comment --comment "!fw3: Custom server output rule chain" -j output_server_rule
[0:0] -A zone_server_output -m comment --comment "!fw3" -j zone_server_dest_ACCEPT
[2:128] -A zone_server_src_ACCEPT -i br-lan.20 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[17:1188] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP-Xbox" -j zone_xbox_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP-Xbox" -j zone_xbox_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1:214] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:214] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[16:1128] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[16:1128] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[1:214] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_xbox_dest_ACCEPT -o br-lan.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_xbox_dest_REJECT -o br-lan.10 -m comment --comment "!fw3" -j reject
[0:0] -A zone_xbox_forward -m comment --comment "!fw3: Custom xbox forwarding rule chain" -j forwarding_xbox_rule
[0:0] -A zone_xbox_forward -m comment --comment "!fw3: Zone xbox to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_xbox_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_xbox_forward -m comment --comment "!fw3" -j zone_xbox_dest_REJECT
[0:0] -A zone_xbox_input -m comment --comment "!fw3: Custom xbox input rule chain" -j input_xbox_rule
[0:0] -A zone_xbox_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p tcp -m tcp --dport 547 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -p udp -m udp --dport 547 -m comment --comment "!fw3: Xbox DNS & DHCP" -j ACCEPT
[0:0] -A zone_xbox_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_xbox_input -m comment --comment "!fw3" -j zone_xbox_src_REJECT
[0:0] -A zone_xbox_output -m comment --comment "!fw3: Custom xbox output rule chain" -j output_xbox_rule
[0:0] -A zone_xbox_output -m comment --comment "!fw3" -j zone_xbox_dest_ACCEPT
[0:0] -A zone_xbox_src_REJECT -i br-lan.10 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu May 12 13:04:03 2022

mk24 · May 12, 2022, 5:31pm

Don't use bridge-vlans on a swconfig machine. Just set up your VLANs in the switch then attach them to interfaces or regular bridges by tagging packets out of eth0 with the notation eth0.X.

Start with both networks in the lan zone and you should be able to pass traffic freely between them. After that works then set up a different zone with restrictive rules between them. There is no need to use non-standard routing tables here.

tinmem · May 14, 2022, 8:22pm

thanks @mk24
luci should provide some insights whenever we are doing some very dumb thing like this
I've restarted all settings, created the vlans, bridged them, created 1 interface only, added it to the wifi..
still nothing...
I can ping the server, not can't HTTP to it, or ssh....
I still need to figure out what I'm doing wrong

tinmem · May 16, 2022, 1:10pm

so I've got this to work, although I'm still not sure what I've done to make it.

Performed an erase
Updated my router to OpenWrt 21.02.3 r16554-1d4dea6d4f (it was 21.02.2)
Created all the settings again
I still need to work on the firewall settings in order to strict access to my Nextcloud Server and some other small xbox network issues, but I'm glad that I have finally something working.
I'll mark @mk24 comment as the solution, since this time I didn't mess with bridge-vlans.
I also can add the current settings if that could help someone.

system · May 26, 2022, 1:11pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.