NTP server with VLAN and traffic rule; devices still getting blocked

I have enabled NTP Server on the main router 192.168.1.1, which is confirmed working using Linux CLI tests from another LAN machine. I have 2 VLANs, GUEST and HOME (IoT). I am using various ESP-based devices running ESPHome and Tasmota on the HOME VLAN. I have two dumb APs (no firewall, DHCP or dnsmasq) that tag VLANs everywhere. I have created a firewall rule to allow NTP from the HOME VLAN to LAN, but devices are still being rejected. What have I done wrong?

Firewall Rule:

config rule
        option name 'Allow-NTP-Home'
        option src 'home'
        option dest_port '123'
        option target 'ACCEPT'
        option dest '*'
        list proto 'udp'
        list dest_ip '192.168.1.1'

Log Entries:

Sun Mar 16 17:10:08 2025 kern.warn kernel: [3777295.918692] reject home in: IN=br-home OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:39:08:00 SRC=192.168.5.206 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=255 ID=45667 PROTO=UDP SPT=49706 DPT=123 LEN=56
Sun Mar 16 17:10:15 2025 kern.warn kernel: [3777302.836356] reject home in: IN=br-home OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:e5:08:00 SRC=192.168.5.155 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=255 ID=12531 PROTO=UDP SPT=54259 DPT=123 LEN=56

NTP Config:

config timeserver 'ntp'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'
        option enable_server '1'
        option interface 'lan'
        option use_dhcp '0'

Network Config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan1.3'
        list ports 'lan2.3'
        list ports 'lan3.3'
        list ports 'lan4.3'

config device
        option type 'bridge'
        option name 'br-home'
        list ports 'lan1.5'
        list ports 'lan2.5'
        list ports 'lan3.5'
        list ports 'lan4.5'

config interface 'home'
        option proto 'static'
        option device 'br-home'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

Firewall Config: (default rules removed)

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config zone
        option name 'home'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'home'
        option log '1'

config forwarding
        option src 'lan'
        option dest 'home'

config rule
        option name 'Allow-DNS-Home'
        option src 'home'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Home'
        list proto 'udp'
        option src 'home'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6-Home'
        list proto 'udp'
        option src 'home'
        option dest_port '547'
        option target 'ACCEPT'

config rule
        option name 'Allow-ESPHome-Home-In'
        option src 'home'
        option dest 'lan'
        option dest_port '6052'
        option target 'ACCEPT'

config rule
        option name 'Allow-mDNS-Home'
        list proto 'udp'
        option src 'home'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option name 'Allow-NTP-Home'
        option src 'home'
        option dest_port '123'
        option target 'ACCEPT'
        option dest '*'
        list proto 'udp'
        list dest_ip '192.168.1.1'

config rule
        option name 'Allow-ESPHome-Home-Out'
        option src 'home'
        option src_port '6053'
        option dest 'lan'
        option target 'ACCEPT'

config rule
        option name 'Allow-mDNSv6-Home'
        list proto 'udp'
        option src 'home'
        option src_port '5353'
        list dest_ip 'ff02::fb'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP-Home'
        list proto 'igmp'
        option src 'home'
        list dest_ip '224.0.0.251'
        option target 'ACCEPT'

config rule
        option name 'Allow-MQTT-Home'
        list proto 'tcp'
        option src 'home'
        option dest 'lan'
        list dest_ip '192.168.1.22'
        list dest_ip '192.168.1.15'
        option target 'ACCEPT'

The other *-Home firewall rules are working properly.

Main Router Info:

Hostname: router-main
Model: Dynalink DL-WRX36
Architecture: ARMv8 Processor rev 4
Target Platform: ipq807x/generic
Firmware Version: OpenWrt 23.05.5 r24106-10cc5fcd00 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562
Kernel Version: 5.15.167

The vlan configuration is unorthodox, but if it works for you... why not?

Can we see the result of

nft list chain inet fw4 forward_home

EDIT:

The rule needs to be created in the INPUT chain, so just remove option dest '*'


Thanks, That did fix it. Is it INPUT because the service is hosted on the router itself? Is there anything in the log message that indicates it should be INPUT? Want to understand for the future.

Is there a better way to do it? Not a networking person by profession so open to all suggestions.

The default network devices on the router are lan1, lan2, lan3, lan4, wan, and the default 'br-lan' bridge, which uses all the LAN ports. The default 'lan' interface just uses the 'br-lan' bridge. The other interfaces, 'wan' and 'wan6', just use the single 'wan' device.

There are actually 3 dumb APs (forgot about the one in the garage) and there was also a managed Cisco switch at one point so all the ports are tagged. This is also a dual band WiFi router, though WiFi is turned off right now because of signal overlap which was making things worse, so I figured this was the easiest way to group the devices into VLANs.

Yes.

No.

Just remember that the INPUT chain is responsible for processing incoming packets destined for the router itself, no matter which of the available interfaces they arrive on. In this case you should only specify the source zone.

The default input policy for the lan zone is accept, so if that is the source, you don't need any additional rules.

To protect the router from unauthorized access, the default input policy for all untrusted zones is usually set to reject/drop. If the source is an untrusted zone, you need to create a firewall rule for each service hosted by the router that a device on the network needs access to (the absolute minimum is DHCP and DNS).

On the other hand, the FORWARD chain is for packets that are forwarded (routed) through the system, meaning they neither originate from nor are destined for the router. In this case, you must specify both (the source and destination) zones.

I initially overlooked that the destination address was another interface on the router (not a host on the lan), and since the rule was correct, I asked to see the actual contents of the forward chain. Later I saw my mistake and corrected the post.

For me, there is a way that works and a way that doesn't.

Overall, your configuration is valid, it just doesn't work on all devices. Many routers do not support more than one bridge simultaneously. My MikroTik with a similar configuration does not properly handle L2 broadcast traffic on some of the interfaces.

For DSA devices, we typically create only one bridge, specify the VLANs using bridge vlan filtering, and configure the device for a given interface using the dot (.) notation.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlan_tagging

Anyway, if it works for you, better not to touch it.

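The INPUT-versus-FORWARD point above, and the question of what in the log message gives it away, can be checked mechanically. The script below is an added example and is not code from the thread or from OpenWrt: it parses a UCI `config rule` stanza, names the fw4 chain the rule is rendered into (`src` + `dest` gives `forward_<src>`, `src` alone gives `input_<src>`), parses a kernel reject line in the format shown in the thread, and reads the chain from the packet itself. The tell is the empty `OUT=` field: a packet with an ingress interface but no egress interface was addressed to the router and was evaluated in the input hook, which is also why fw4 prefixes the line with `reject home in:`. The sample rule and log line are constructed copies of the ones posted above; the helper names (`parse_uci_rule`, `fw4_chain`, `log_chain`, `would_accept`) are this example's own and not part of any OpenWrt tool.

```python
import re

# Constructed sample input: the thread's original rule (with dest '*') and the
# corrected rule (dest removed), as UCI text.
ORIGINAL_RULE = """\
config rule
        option name 'Allow-NTP-Home'
        option src 'home'
        option dest_port '123'
        option target 'ACCEPT'
        option dest '*'
        list proto 'udp'
        list dest_ip '192.168.1.1'
"""
FIXED_RULE = ORIGINAL_RULE.replace("        option dest '*'\n", "")

# Constructed sample log line, same shape as the entries in the thread.
LOG_LINE = (
    "Sun Mar 16 17:10:08 2025 kern.warn kernel: [3777295.918692] reject home in: "
    "IN=br-home OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:39:08:00 "
    "SRC=192.168.5.206 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=255 "
    "ID=45667 PROTO=UDP SPT=49706 DPT=123 LEN=56"
)

UCI_LINE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'\s*$")
LOG_PREFIX = re.compile(r"\] (?P<action>\w+) (?P<zone>\S+) (?P<hook>in|out|forward): ")


def parse_uci_rule(text):
    """Turn one 'config rule' stanza into a dict; 'list' keys collect into lists."""
    rule = {}
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "list":
            rule.setdefault(key, []).append(value)
        else:
            rule[key] = value
    return rule


def fw4_chain(rule):
    """Name the fw4 chain a rule is rendered into.

    src and dest (any dest, '*' included) -> forward_<src>
    src only                              -> input_<src>
    dest only                             -> output_<dest>
    A '*' zone drops the suffix, because fw4 places those rules in the base chain.
    """
    src, dest = rule.get("src"), rule.get("dest")
    if src and dest:
        hook, zone = "forward", src
    elif src:
        hook, zone = "input", src
    elif dest:
        hook, zone = "output", dest
    else:
        raise ValueError("rule has neither src nor dest")
    return hook if zone == "*" else f"{hook}_{zone}"


def parse_reject_log(line):
    """Extract fw4's log prefix and the netfilter KEY=value fields from a kernel line."""
    m = LOG_PREFIX.search(line)
    if not m:
        raise ValueError("not an fw4 zone reject log line")
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line[m.end():]))
    entry = dict(m.groupdict())
    entry.update(fields)
    return entry


def log_chain(entry):
    """Which zone chain evaluated the packet, read from the interface fields.

    OUT= empty: no egress interface, the packet was for the router itself (input).
    IN= empty:  locally generated (output).  Both set: routed through (forward).
    """
    if entry.get("OUT", "") == "":
        hook = "input"
    elif entry.get("IN", "") == "":
        hook = "output"
    else:
        hook = "forward"
    return f"{hook}_{entry['zone']}"


def would_accept(rule, entry):
    """Return (accepted, reason): does the rule sit in the chain that handled this
    packet, and do its protocol / destination port / destination IP selectors match?"""
    rule_chain, pkt_chain = fw4_chain(rule), log_chain(entry)
    if rule_chain != pkt_chain:
        return False, f"rule lives in {rule_chain}, packet was evaluated in {pkt_chain}"
    # fw4 defaults to tcp+udp when no proto is listed; 'tcpudp' expands to both.
    protos = set()
    for p in rule.get("proto", ["tcpudp"]):
        protos.update(["tcp", "udp"] if p.lower() == "tcpudp" else [p.lower()])
    if entry.get("PROTO", "").lower() not in protos:
        return False, f"protocol {entry.get('PROTO')} not in {sorted(protos)}"
    if "dest_port" in rule and rule["dest_port"] != entry.get("DPT"):
        return False, f"dest_port {rule['dest_port']} != DPT {entry.get('DPT')}"
    if "dest_ip" in rule and entry.get("DST") not in rule["dest_ip"]:
        return False, f"DST {entry.get('DST')} not in {rule['dest_ip']}"
    return True, f"matches in {rule_chain}"


if __name__ == "__main__":
    entry = parse_reject_log(LOG_LINE)
    print("packet evaluated in:", log_chain(entry))
    for label, text in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        rule = parse_uci_rule(text)
        print(f"{label:8s} {rule['name']} -> {fw4_chain(rule)}:", would_accept(rule, entry)[1])
```

Run against the two rules, the original `dest '*'` version is reported as living in `forward_home` while the packet was evaluated in `input_home`, and the corrected version matches on chain, protocol, port and destination address. The same `OUT=` check applies to any fw4 zone reject line, so it answers the "how do I tell from the log next time" question for other router-hosted services (DNS, DHCP, SSH) as well.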

Thank you. That was all very helpful.

