Only 3 out of 4 Vlans on Multiple devices working

Please help and thank you in advance! I’ve recently switched over from DD-WRT to OpenWRT and so far I’m thinking it’s more what I’m looking for. I am trying to make some improvements to my network while I’m rebuilding, but it’s been a long time since I’ve gotten this deep into networking, so any recommendations are welcome. My goal is to have a segregated WiFi network for my IoT devices, another segregated network for a guest network, and two networks that can talk to each other, my internal WiFi network and a test WiFi network. I’m building this out on 3 Linksys WRT1900AC v1 routers that are all connected via ethernet in a bus topology and running firmware 19.07.3. I’m only using the WAN port on the router that is connected to the internet; the other routers are all connected via switch ports. I’ve gone through the documentation at https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan as well as multiple related articles I was able to find on Google, and I’ve been able to get the internal network, guest network and test networks to work, but I’m experiencing strange behavior on the IoT network that has led me to some questions.

In troubleshooting I’ve noticed that when creating the VLANs in LuCI it will add the vid option, which does not change when you change the vlan option. I’ve updated all of these to match the vlan option and rebooted all of the devices.

In this set up do I need to configure the firewall on each device, or should the firewall be disabled on the two routers that are not connected to the internet?

Is there anything else that should be disabled on the 2 devices where I am not using the WAN port? DHCP and DNS are being served from the router connected to the internet and are already disabled on the other two.

For the IoT network I can connect to the network on the router connected to the internet; however, once connected I cannot ping the interfaces for the same network on the other access points, it just comes back as unreachable. If I connect to either of the other 2 access points via WiFi I can ping other devices connected to the same access point, but I cannot ping past the interface on the access point I’m connected to.

The part that really stumps me is that I’ve created the IoT network by copying and pasting the config from a working network from the ground up multiple times, editing the IP addresses, names etc. each time, so I’m wondering if it’s a basic configuration step that I missed in setup. I’ve enabled logging on the firewall and was experiencing the error below; however, I think I’ve ruled out the firewall by setting input/forward/output to accept on the FW zone for the IoT network on all of the routers (not permanent, just for testing). The errors have gone away, but the problem persists.

The XX:XX:XX:XX:XX:XX portion of the error below is the MAC address of the device that I’m testing with. I took these from the device labeled Router 2 below; Router 1 has not had similar messages for this interface.
[55747.476318] REJECT dev in: IN=br-dev OUT= MAC=33:33:00:00:00:02:XX:XX:XX:XX:XX:XX:86:dd SRC=fe80:0000:0000:0000:1001:3cce:8808:b496 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=894119 PROTO=ICMPv6 TYPE=133 CODE=0

I’m adding a copy of the configs below for the router that is connected to the internet (Router 1) and the router that is the first hop down the line (Router 2). For reference, the mob (VLAN 14) networks are the test networks, lan (VLAN 1) is the internal network and dev (VLAN 11) is the IoT network. The guest network is VLAN 13.

Router 1

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '###########'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns 'internaldns'
        list dns 'internaldns'
        option delegate '0'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'pppoe'
        option password '###########'
        option ipv6 'auto'
        option username '##################'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 3t 2 1 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config interface 'guest'
        option proto 'static'
        option delegate '0'
        option ipaddr '192.168.13.1'
        option netmask '255.255.255.0'
        list dns 'internaldns'
        list dns 'internaldns'
        option ifname 'eth0.13'
        option type 'bridge'

config interface 'dev'
        option proto 'static'
        option delegate '0'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option ifname 'eth0.11'
        option type 'bridge'

config switch_vlan
        option device 'switch0'
        option vlan '13'
        option ports '5t 3t'
        option vid '13'

config switch_vlan
        option device 'switch0'
        option vlan '11'
        option ports '6t 3t'
        option vid '11'

config switch_vlan
        option device 'switch0'
        option vlan '14'
        option ports '5t 3t'
        option vid '14'

config interface 'mob'
        option proto 'static'
        option type 'bridge'
        option ifname 'eth0.14'
        option delegate '0'
        option ipaddr '192.168.14.1'
        option netmask '255.255.255.0'
        list dns 'internaldns'
        list dns 'internaldns'

Router 2

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '##############'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns 'internaldns'
        list dns 'internaldns'
        option delegate '0'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'none'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'none'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 3t 2t 1 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '13'
        option vid '13'
        option ports '5t 3t 2t'

config interface 'guest'
        option proto 'static'
        option ifname 'eth0.13'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '192.168.13.2'
        list dns 'internaldns'
        list dns 'internaldns'
        option delegate '0'

config interface 'dev'
        option proto 'static'
        option ifname 'eth0.11'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.2'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option delegate '0'

config interface 'mob'
        option proto 'static'
        option ifname 'eth0.14'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '192.168.14.2'
        option delegate '0'
        list dns 'internaldns'
        list dns 'internaldns'

config switch_vlan
        option device 'switch0'
        option vlan '11'
        option vid '11'
        option ports '6t 3t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '14'
        option vid '14'
        option ports '5t 3t 2t'

Firewall settings for Router 1

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config zone
        option name 'dev'
        option network 'dev'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option log '1'

config zone
        option name 'dev2'
        option network 'dev2'
        option output 'ACCEPT'
        option log '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'dev2'
        option dest 'wan'

config forwarding
        option src 'dev'
        option dest 'wan'

config rule
        option name 'Guest DNS'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'guest'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src_port '67-68'

config rule
        option name 'Dev2 DNS'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'dev2'

config rule
        option name 'Dev2 DHCP'
        list proto 'udp'
        option src 'dev2'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src_port '67-68'

config rule
        option name 'Dev DNS'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'dev'

config rule
        option name 'Dev DHCP'
        list proto 'udp'
        option src 'dev'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src_port '67-68'

config zone
        option name 'mob'
        option network 'mob'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'mob'
        option dest 'wan'

config rule
        option name 'Mob DNS'
        option src 'mob'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Mob DHCP'
        list proto 'udp'
        option src 'mob'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src_port '67-68'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

Firewall settings for Router 2

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'guest'
        option name 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'guest'

config rule
        option dest_port '53'
        option name 'Guest DNS'
        option target 'ACCEPT'
        option src 'guest'

config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        list proto 'udp'
        option src_port '67-68'

config zone
        option name 'mob'
        option network 'mob'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'mob'

config rule
        option dest_port '53'
        option src 'mob'
        option name 'Mob DNS'
        option target 'ACCEPT'

config rule
        option src_port '67-68'
        option src 'mob'
        option name 'Mob DHCP'
        option target 'ACCEPT'
        option dest_port '67-68'
        list proto 'udp'

config zone
        option name 'dev'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'dev'

config forwarding
        option src 'dev'
        option dest 'lan'

For VLAN 11 on all routers, replace port 6t with 5t.
Port 5 of the switch chip is connected to eth0 on the CPU, and Port 6 to eth1.

Within a VLAN, the firewall cannot be responsible for the broken connectivity because the forwarding happens on layer 2 inside the switch chip, or in a software bridge for WiFi. The packets are usually not handled further by the CPU, with the exception of multicast/broadcast, which is shown in your example.

I suggest handling all forwarding and firewalling on the router connected to the internet.

The other devices should be configured as dumb APs, as you did, and disallow forwarding. To isolate the networks from each other on the APs, keep the firewall enabled and use it to block all forwarding, or set up the networks as unmanaged (no IP addresses), with the exception of a single interface in the lan network for management.

On both routers change the CPU port to 5, not 6.

The error you saw was for IPv6, but since you have not enabled it you should not care so much.
Another remark is that on router2 you don't need to assign IPs on all interfaces; an IP on lan for management will do. The rest can be unmanaged.
The firewall zones on router2 are pointless since you have bridged the WiFi and the upstream port to router1.
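The eth0/eth1 tagging mismatch that both replies above point at (VLAN 11 tagged on port 6t while the dev interface is eth0.11) is easy to miss by eye in a long /etc/config/network. The checker below is an added example, not code from this thread or from OpenWrt; it assumes the port 5 -> eth0, port 6 -> eth1 mapping stated for the WRT1900AC and runs on a constructed excerpt modelled on Router 1's config.

```python
import re

# Switch port -> CPU interface for the WRT1900AC, as stated in the thread
# (port 5 feeds eth0, port 6 feeds eth1). Other boards differ; adjust here.
CPU_PORTS = {"5": "eth0", "6": "eth1"}

# Constructed excerpt modelled on Router 1's config: 'dev' uses eth0.11, but
# VLAN 11 is tagged only on CPU port 6 (eth1), the mismatch found in the thread.
SAMPLE_NETWORK = """
config interface 'lan'
    option ifname 'eth0.1'
config interface 'dev'
    option ifname 'eth0.11'
config switch_vlan
    option vlan '1'
    option vid '1'
    option ports '5t 3t 2 1 0'
config switch_vlan
    option vlan '11'
    option vid '11'
    option ports '6t 3t'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {name: value})]; good enough here."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif sections and (m := re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)):
            sections[-1][1][m.group(1)] = m.group(2)  # later 'list' values overwrite
    return sections

def check_cpu_tagging(text):
    """List every ethX.N interface whose VLAN N is not tagged on the port feeding ethX."""
    sections = parse_uci(text)
    vlan_ports = {}
    for kind, opts in sections:
        if kind == "switch_vlan":
            vlan_ports[opts.get("vid") or opts.get("vlan")] = opts.get("ports", "").split()
    problems = []
    for kind, opts in sections:
        if kind != "interface":
            continue
        for dev in opts.get("ifname", "").split():
            m = re.fullmatch(r"(eth\d+)\.(\d+)", dev)
            if not m:
                continue  # lo, wlan*, untagged eth devices are not VLAN subinterfaces
            eth, vid = m.groups()
            # CPU interfaces that will actually see frames tagged with this vid
            cpu = [CPU_PORTS[p[:-1]] for p in vlan_ports.get(vid, [])
                   if p.endswith("t") and p[:-1] in CPU_PORTS]
            if eth not in cpu:
                problems.append(f"{dev}: VLAN {vid} tagged on "
                                f"{', '.join(cpu) or 'no CPU port'}, interface uses {eth}")
    return problems

if __name__ == "__main__":
    for line in check_cpu_tagging(SAMPLE_NETWORK) or ["all VLAN CPU tags consistent"]:
        print(line)
```

Feed it the output of `cat /etc/config/network` from each router; an empty result means every VLAN subinterface is tagged toward the CPU port that actually carries it.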

Thank you for your responses, that did it!!

I think it was the CPU tagging; for some reason I was under the impression I needed to alternate between CPUs.

Thanks again for helping me fix this and simplify my configuration.

