Routing between vlans not working properly

Hi Guys,

I've just started using OpenWRT for my home network.

  • Situation:
    I've 2 wifi networks and each of them is assigned to a separate vlan.
    Let's call them general and iot.

In the Firewall section I defined that traffic from the general network can be forwarded to iot, but not the other way around.

I've a DHCP server running in my iot network that assigns addresses from .3 to .93
Apart from that, I have a bunch of IoT devices with static IPs, as they work a little bit faster in that configuration; they have addresses above .200.

  • Problem:
    From the general network, any device whose IP was assigned by DHCP is reachable without problems, but a device with a static IP outside the DHCP pool is unreachable.

  • Question:
    What's wrong, and how do I make the whole /24 subnet reachable from the general network?

Are you trying to reach them by IP or hostname?


I'm trying to reach them using their IP address.
When I connect to iot network they are perfectly reachable but not from the general network

Do your DHCP config and your static configs set the same gateway?


Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yup. They both mention my router IP address as a GW and they have no issues reaching the Internet

# cat /etc/config/network
# /etc/config/network as posted: two routed networks of interest here,
# 'lan' (192.168.254.0/24) and 'sensors' (192.168.200.0/24), plus the upstream interfaces.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1e:f58a:7273::/48'

# "general" network from the thread: bridge over VLAN 1 (eth0.1), router address 192.168.254.1/24.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.254.1'

# Upstream IPv4/IPv6, both on eth1.2 and both addressed by the upstream DHCP/DHCPv6 server.
config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: ports 5 and 3 carry it tagged ('t' suffix), ports 2, 1 and 0 untagged.
# NOTE(review): port 5 is presumably the CPU port behind eth0 - confirm against the board's switch layout.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '5t 3t 2 1 0'

# VLAN 2: tagged on port 6, untagged on port 4 (matches the eth1.2 device used by wan/wan6).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

# No ifname here; referenced only by the 'wan' firewall zone.
config interface 'wwan'
	option proto 'dhcp'

# "iot" network from the thread: bridge over VLAN 10 (eth0.10), router address 192.168.200.1/24.
# Statically addressed hosts on this network need netmask 255.255.255.0 and 192.168.200.1 as
# default gateway to answer traffic routed in from 'lan' - verify on the devices themselves.
config interface 'sensors'
	option proto 'static'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth0.10'

# VLAN 10 exists only as a tagged VLAN on ports 5 and 3; no switch port is an untagged member,
# so a wired host reaches 'sensors' only through whatever sits behind tagged port 3.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '10'
	option ports '5t 3t'

# cat /etc/config/wireless 

# /etc/config/wireless as posted. Keys appear as redacted placeholders ('<password>', '<password2>').
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'FR'
	option htmode 'VHT80'
	option channel '36'

# 5 GHz AP bridged into 'lan', WPA2-PSK with CCMP, 802.11r fast transition enabled.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'trust_me_I'\''m_an_engineer_5G'
	option key '<password>'
	option encryption 'psk2+ccmp'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211r '1'

# radio1 is disabled, so the interface defined on it below is not broadcasting.
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option disabled '1'

# NOTE(review): this is an open (encryption 'none') SSID attached to 'lan'. It is inert only
# because radio1 is disabled; enabling the radio would expose the trusted network without
# authentication. Deleting this section or giving it a key removes that trap.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# radio2 carries two SSIDs: one for 'sensors' and one for 'lan' (see the two sections below).
config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option hwmode '11g'
	option htmode 'HT40'
	option channel '11'
	option noscan '1'

# IoT SSID: WPA2-PSK, bridged into 'sensors', with its own key placeholder.
config wifi-iface 'wifinet2'
	option ssid 'trust_my_sensors'
	option encryption 'psk2'
	option device 'radio2'
	option mode 'ap'
	option network 'sensors'
	option key '<password2>'

# General SSID on the same radio: WPA2-PSK, bridged into 'lan'.
# The segmentation between the two networks depends on the IoT key and the lan key being different;
# the redaction hides whether they are.
config wifi-iface 'wifinet3'
	option ssid 'trust_me_I'\''m_an_engineer'
	option encryption 'psk2'
	option device 'radio2'
	option mode 'ap'
	option network 'lan'
	option key '<password>'

# cat /etc/config/dhcp 

# /etc/config/dhcp as posted: global dnsmasq settings followed by one DHCP pool per network.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# DNS rebind protection is switched on, including for localhost answers.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

# Pool for 'lan': 150 addresses starting at host offset 3; also serves DHCPv6 and router advertisements.
config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option leasetime '24h'
	option ra_management '1'
	option start '3'

# No DHCP service is offered on the wan interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Pool for 'sensors': 90 addresses starting at host offset 3. Hosts with addresses above the pool
# (the static .200+ devices described in the thread) get nothing from this server, so their
# netmask, gateway and DNS are whatever was entered by hand on each device.
config dhcp 'sensors'
	option interface 'sensors'
	option leasetime '24h'
	option limit '90'
	option start '3'

# cat /etc/config/firewall 

# /etc/config/firewall as posted. Nothing in this file matches on individual addresses inside
# 192.168.200.0/24, so as written it treats DHCP-assigned and statically addressed sensors alike.
# Global policy: traffic to and from the router is accepted, forwarding is rejected unless a zone
# policy, forwarding or rule allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone: everything accepted.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option name 'lan'

# IoT zone: traffic addressed to the router itself is rejected unless a rule further down accepts it
# (SensorsDHCP, SensorsDNS).
# NOTE(review): the zone-level 'forward' is understood to govern traffic between networks inside
# this zone, not traffic to other zones - confirm against the firewall documentation.
config zone
	option name 'sensors'
	list network 'sensors'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'REJECT'

# Upstream zone: inbound and forwarded traffic rejected, outbound masqueraded (NAT).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

# The rules from here to Allow-ICMPv6-Forward all have src 'wan'; they look like the stock
# OpenWrt defaults (TODO confirm nothing was edited).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 ping from the wan side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), which includes 'sensors'.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): custom rules in /etc/firewall.user are not shown in the post; anything there can
# override the behaviour described by this file, so it belongs in the review too.
config include
	option path '/etc/firewall.user'

# Inter-zone forwardings: sensors -> wan, lan -> sensors, lan -> wan.
# There is no sensors -> lan forwarding, so connections initiated from the IoT side towards lan
# fall through to the default forward REJECT; replies to lan-initiated flows are normally let
# through by connection tracking (confirm on the running ruleset).
config forwarding
	option dest 'wan'
	option src 'sensors'

config forwarding
	option dest 'sensors'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

# Exceptions to the sensors zone's input REJECT: with src set and no dest, these apply to traffic
# addressed to the router itself.
config rule
	option dest_port '67'
	option src 'sensors'
	option name 'SensorsDHCP'
	option target 'ACCEPT'
	list proto 'udp'

# NOTE(review): no proto is given here; the firewall is documented to default to tcp and udp,
# which is what DNS needs - confirm, or state the protocols explicitly.
config rule
	option dest_port '53'
	option src 'sensors'
	option name 'SensorsDNS'
	option target 'ACCEPT'

Install tcpdump and run the following command:
tcpdump -i any -evn host 192.168.200.20X
Change the address to that of one of your statically addressed devices, run some tests so that it can capture some packets, stop it with Ctrl-C, and paste the output here.