Routing between VLANs - zones?

czerole · March 23, 2020, 2:40am

R6220 trying to route between two VLANs.

PING ok from the router to devices ((Pihole/Windows) on both VLANs.
PING ok from VLAN 1 (Windows) to GW of VLAN 5.
PING no response from VLAN 5 (Pihole) to VLAN 1 device or GW.
Clients have internet access.
No static routes/traffic rules for these subnets


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option name 'lan'
        list device 'eth0.1'
        list device 'br-lan'
        list device 'wlan1'

config zone
        option network 'lab'
        option input 'ACCEPT'
        option name 'lab'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'eth0.5'
        list device 'br-lab'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option dest 'wan'
        option src 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'lan'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'LAB'

config forwarding
        option dest 'lan'
        option src 'lab'

config forwarding
        option dest 'wan'
        option src 'lab'

config forwarding
        option dest 'lab'
        option src 'lan'

root@OpenWrt:~# cat /etc/config/network


config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.61.6.1'
        option netmask '255.255.255.224'
        list dns '10.61.6.34'
        list dns '9.9.9.9'
        option delegate '0'
        option ifname 'eth0.1'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'a0:63:91:17:7b:30'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'a0:63:91:17:7b:31'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 1 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 3 2'
        option vid '5'

config interface 'lab'
        option proto 'static'
        option type 'bridge'
        list dns '9.9.9.9'
        option netmask '255.255.255.224'
        option ip6assign '64'
        option ipaddr '10.61.6.33'
        option macaddr 'A0:63:91:17:7B:32'
        option ifname 'eth0.5'

10.61.6.0/27 dev br-lan scope link  src 10.61.6.1
10.61.6.32/27 dev br-lab scope link  src 10.61.6.33

Thanks in advance for the help.

psherman · March 23, 2020, 6:25am

Check your Windows machine(s) -- the firewall (within Windows) is often configured to allow connections from the same network/subnet/VLAN, but block connections from others. So your inter-VLAN routing may be working properly, but Windows may be blocking it. If you have a non-Windows machine (Mac, Linux, even just a RPi) that you can put on VLAN 1, you can test the routing to be certain that it is just the Windows firewall.

czerole · March 23, 2020, 10:29pm

Thanks for the reply...do you see a misconfiguration? I disconnected the PI and connected it via wireless, and I can PING it from VLAN 5 (now 3). I cannot PING it from VLAN 1 if it's on VLAN 3 (wired), and it appears that communication is only successful from VLAN 3 to VLAN 1 wired/wireless but not from VLAN 1 wired/wireless (zone LAN).

psherman · March 23, 2020, 10:42pm

I don't see any misconfigurations, but it is possible I'm missing it.

If you haven't already, perform your testing using wired connections only directly to the built-in switch (baed on the posted configuration, VID 1 on ports 0 and 1, VID 5 on ports 2 and 3; logical-to-physical port labeling obviously not indicated here) as to rule out any possible Wifi based issue.

czerole · March 24, 2020, 12:29am

I uncovered the issue, thank you, rookie oversight . At some point the Pi's mask changed and there were too many variables to determine the cause of the issue.

While I did accomplish what I wanted with OpenWRT, I did notice that the R6220 doesn't like routing between VLANs. Queries are incredibly slow if targeting the PI directly, however having the router as the DNS it's snappy.

Thanks again.

system · April 3, 2020, 12:29am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.