Router static IP inaccessible from connected device on VLAN

I hope someone can help me as I am starting to go crazy. I have created a number of VLANs which I am exposing on the ports of the router (Linksys MR8300). The problem I have is that the IP address I have assigned to the router is not accessible from a device connected to the associated VLAN.

I have created a VLAN with ID 30 and it connects to an upstream pfsense server which provides DHCP. My PC gets an IP address in the correct range for the VLAN (192.168.30.66). I can access the pfsense server 192.168.30.1 but I can not access the statically assigned IP address on the router 192.168.30.2 and I can't work out how to fix it.

My network file is as follows:

# Loopback interface: 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix for this router.
config globals 'globals'
        option ula_prefix 'fd74:1d64:a7a4::/48'

# Bridge 'br-lan' with eth0 as its only listed port; bridge_empty lets the
# bridge exist even when it has no member ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option bridge_empty '1'

# 'lan' has proto 'none', so this file gives the router no IP address on br-lan.
config interface 'lan'
        option device 'br-lan'
        option proto 'none'

# swconfig switch 'switch0': reset on load, VLAN handling enabled.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VID 30: port 1 untagged, port 4 tagged, CPU port 0 tagged.
# NOTE(review): '0t' is listed twice on every ports line in this file. A reply
# in the thread says it should appear once; the poster reports the UI re-adds
# it. Confirm what the switch actually programs (`swconfig dev switch0 show`).
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '30'
        option ports '0t 0t 1 4t'

# VID 41: tagged on port 4 and the CPU port only (no untagged member port).
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '41'
        option ports '0t 0t 4t'

# VID 60: tagged on port 4 and the CPU port only.
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '60'
        option ports '0t 0t 4t'

# VID 42: port 2 untagged, port 4 tagged, CPU port tagged.
config switch_vlan
        option device 'switch0'
        option vlan '6'
        option vid '42'
        option ports '0t 0t 2 4t'

# VID 43: tagged on port 4 and the CPU port only.
config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '43'
        option ports '0t 0t 4t'

# VID 20: tagged on port 4 and the CPU port only.
config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '20'
        option ports '0t 0t 4t'

# VID 50: tagged on port 4 and the CPU port only.
config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '50'
        option ports '0t 0t 4t'

# VID 10: tagged on port 4 and the CPU port only.
config switch_vlan
        option device 'switch0'
        option vlan '10'
        option vid '10'
        option ports '0t 0t 4t'

# Bridge 'br-wan' over eth1.5 (VLAN 5 on eth1).
config device
        option type 'bridge'
        option name 'br-wan'
        option bridge_empty '1'
        list ports 'eth1.5'

# Static 192.168.1.1/24 on br-wan; the poster describes this port as a local
# admin port for emergency access.
# NOTE(review): this interface is named 'WAN' (upper case), while the wan zone
# in the firewall file on this page lists networks 'wan' and 'wan6'. UCI names
# are case-sensitive, so that zone's input REJECT presumably does not cover
# this interface — confirm which zone, if any, applies to the admin port.
config interface 'WAN'
        option proto 'static'
        option device 'br-wan'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

# VID 5: ports 3 and 5 untagged, CPU port tagged.
config switch_vlan
        option device 'switch0'
        option vlan '11'
        option ports '0t 0t 3 5'
        option vid '5'

# Bridge 'br30' over eth1.30 (VLAN 30 on eth1).
# NOTE(review): every VLAN bridge in this file uses eth1.N; the configuration
# proposed later in the thread builds VLAN 30 on eth0.30 instead. Confirm which
# CPU interface actually carries the tagged LAN VLANs on this board.
config device
        option type 'bridge'
        option name 'br30'
        option bridge_empty '1'
        list ports 'eth1.30'

# The router's own address on VLAN 30: 192.168.30.2/24, default gateway
# 192.168.30.1 (the pfsense server named in the post).
# NOTE(review): this is the address the router's admin services are meant to be
# reached on. The poster says the firewall is turned off, so once this address
# works, the router itself does not limit which VLAN 30 hosts can reach it —
# confirm that is the intended exposure.
config interface 'vlan30'
        option proto 'static'
        option device 'br30'
        option ipaddr '192.168.30.2'
        option netmask '255.255.255.0'
        option gateway '192.168.30.1'

# Bridge 'br42' over eth1.42.
config device
        option type 'bridge'
        option name 'br42'
        list ports 'eth1.42'
        option bridge_empty '1'

# proto 'none': the router has no IP address on VLAN 42.
config interface 'vlan42'
        option proto 'none'
        option device 'br42'

# Bridge 'br10' over eth1.10.
config device
        option type 'bridge'
        option name 'br10'
        list ports 'eth1.10'
        option bridge_empty '1'

# proto 'none': the router has no IP address on VLAN 10.
config interface 'vlan10'
        option proto 'none'
        option device 'br10'

# Bridge 'br41' over eth1.41.
config device
        option type 'bridge'
        option name 'br41'
        list ports 'eth1.41'
        option bridge_empty '1'

# proto 'none': the router has no IP address on VLAN 41.
config interface 'vlan41'
        option proto 'none'
        option device 'br41'

Please let me know if any other files are important.
I have the firewalls turned off as it will be a dumb access point.
I have configured the WAN port as a local admin port for emergency access but want to be able to check and make changes from my "LAN" segment in normal running.
Thanks

What physical port is used for the uplink to the pfsense router?
You have 0t listed twice in the ports -- it should only be once (this seems to be the case for all of your VLANs -- this should be fixed on all).

Logical port 1 is untagged for this VLAN, and logical port 4 is tagged.

Let's also see your firewall file.

There seems to be a bug in either LUCI or the software for this device and the CPU (0t) is listed twice. If I try to set them separately the second one always gets set to the same as the first. (It is mentioned on some other threads)

Firewall file:

# Default policies: accept input and output, reject forwarding; SYN-flood
# protection enabled.
# NOTE(review): with input 'ACCEPT' as the default, an interface that belongs
# to no zone is not filtered on input by anything in this file.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Zone 'lan': accepts input, output and forward.
# No 'list network' entries are present, so no interface is attached to this
# zone as shown.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Zone 'wan': rejects input and forward, masquerades outbound traffic and
# clamps MSS (mtu_fix). Attached to networks 'wan' and 'wan6'.
# NOTE(review): the network file shown earlier on this page defines 'WAN', not
# 'wan' or 'wan6'; presumably this zone matches no interface — confirm.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Allow forwarding from zone 'lan' to zone 'wan'.
config forwarding
        option src 'lan'
        option dest 'wan'

# Every rule in this group has src 'wan': each is an exception to the wan
# zone's input/forward REJECT policy.

# Accept IPv4 UDP to port 68 (DHCP client) arriving from wan.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request (ping) arriving from wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP arriving from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv6 UDP to port 546 (DHCPv6 client) arriving from wan.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132 and 143, code 0) from link-local
# sources (fe80::/10) on wan.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router from wan,
# rate-limited to 1000 per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# rate-limited to 1000 per second.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept ESP forwarded from zone 'wan' to zone 'lan'.
# NOTE(review): this rule and the next one permit inbound IPsec traffic to
# hosts behind the router. On a device used only as an access point they are
# presumably unused — confirm, and remove them if no IPsec endpoint sits behind it.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
# Accept UDP port 500 (ISAKMP/IKE) forwarded from zone 'wan' to zone 'lan'.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

I've not changed any of the firewall rules and I have removed the references from all of the interfaces. So I believe there are no rules running.

Port 4 is the uplink port

Ok... turn CPU (eth1) off for all VLANs. you only need one connection to the CPU.

Try assigning the vlan30 network to the lan firewall zone. Then try again.

Thanks. I can't turn eth1 off, it automatically gets changed to match eth0.

I don't have any firewall rules active on the lan zone or any zone so not sure what adding vlan30 to it would do.

That is very odd. There may be something wrong with your config at a more fundamental level, and it might be worth resetting if we can't get things working... let's save that for a later step, though.

The zone does have input = accept. That is why we want it associated with the lan zone. Try it and report back.

I've reset it about 30 times, literally, it's always the same. :slight_smile:

OK, sorry to be a pain but can you give me some idea how I do that. (I can't see any ZONE definitions in the firewall tab where I might add vlan30?)

I added it as below but somehow that stopped even DHCP from working.

The screengrab you have should be right -- save and apply.

How are you attempting to get DHCP -- wireless? wired? if wired, which port? (It shouldn't have any effect, but is useful for understanding the problem).

OK, so the uplink cable was not pushed in properly so it couldn't get the IP from the upstream pfsense server.

It is back in again and working fine but still no access to the local IP

DHCP is from the upstream pfsense server which is accessed via port4

Let's start over from scratch. Feel free to take a backup first, but I think we should start from the default config and build from there.

Before doing that, though... what is the output of

ubus call system board
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.146",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys MR8300 (Dallas)",
        "board_name": "linksys,mr8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}

Ok... so you might as well take this opportunity to upgrade to 23.02.3 which was released recently. Do not keep settings when you run the upgrade -- this will get us to the default state. Then post your network config file... we'll build this one VLAN at a time.

I don't think 23.02.3 is available for my router.

https://firmware-selector.openwrt.org/?version=22.03.3&target=ipq40xx%2Fgeneric&id=linksys_mr8300


OK, after much nail-biting and rebooting it is upgraded

Great! Post the default network config.

# Default configuration after the upgrade without kept settings.

# Loopback interface: 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix for this router.
config globals 'globals'
        option ula_prefix 'fd92:3d3e:2bc5::/48'

# Bridge 'br-lan' with eth0 as its only listed port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# Router address on the LAN: 192.168.1.1/24; a /60 IPv6 prefix is assigned
# to this interface.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN on eth1, addressed by DHCP (IPv4).
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

# WAN on eth1, addressed by DHCPv6.
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

# swconfig switch 'switch0': reset on load, VLAN handling enabled.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 1-4 and CPU port 0, all untagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

# VLAN 2: port 5 and CPU port 0, untagged.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

K... we'll start with just adding VLAN30.

Before you do anything that I'll recommend below, it makes sense to enable wifi on this device... you can use the basic setup -- just put in an SSID + encryption type + password + country code in the wifi config, and enable it. This will be how you can connect to the device even if we mess up the wired configuration.

Once that is working, you can do the rest...

Add this to the network config file:

# VID 30: tagged on port 4 and on CPU port 0; no untagged member port.
# NOTE(review): this adds VLAN 30 without touching the default VLAN 1 entry
# (ports '1 2 3 4 0', untagged). Port 4 presumably still passes untagged frames
# to ports 1-3; the poster later reports a wired PC getting a 10.10.10.x lease
# from the untagged segment. If the segments are meant to stay separate, review
# the VLAN 1 port membership — confirm.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '30'
        option ports '4t 0t'

# Bridge 'br-vlan30' over eth0.30 (VLAN 30 on eth0).
config device
        option type 'bridge'
        option name 'br-vlan30'
        list ports 'eth0.30'

# The router's own address on VLAN 30: 192.168.30.2/24, gateway 192.168.30.1.
# The accompanying instructions place this network in the 'lan' firewall zone,
# whose input policy is ACCEPT, so every host on VLAN 30 can reach the router's
# services on this address.
config interface 'vlan30'
        option proto 'static'
        option device 'br-vlan30'
        option ipaddr '192.168.30.2'
        option netmask '255.255.255.0'
        option gateway '192.168.30.1'

And then edit br-lan to remove eth0

# 'br-lan' with eth0 removed: no wired port is listed for the bridge in this
# stanza.
config device
        option name 'br-lan'
        option type 'bridge'

Now, in the firewall file, add network vlan30 to the lan zone.

Connect port 4, restart the router and see if you can access 192.168.30.2 from another device connected to the 192.168.30.0/24 network.

OK, changes done. Router is inaccessible from the connected devices but is accessible from wifi.

The connected PC has an IP address (10.10.10.110) allocated by the pfsense server from the non-VLAN segment, not from VLAN 30.

I can only access the router from my phone(I only have a pc not a laptop) so it is tricky to download any files.