Routing between vlans

Overview... Why can't I route data between VLAN2 and VLAN5 it used to talk to a WAN port. I'm so confused.

Ok, here's the scenario I've been battling the last few days and it's gonna be something really simple I've missed.

My Main router HomeHub5a (HH5a) running 17.01.4, r3560-79f57e422d used to be connected directly to an ADSL line, all my vlans routed perfectly everything was awesome.

Recently, I've changed ISP, and I'm not able to use my router directly with the ADSL line anymore. However, I would like to continue to use my old HH5a, as I like the adblock and other functionality I've configured. I want to leave the ISP router standard but have my HH5a route to it.

The new ISP router IP address range is 192.168.0.1/24

On the HH5a I have configured the physical LAN Port 4 to have a vlan id of 2, connected this port to the new ISP router and set a static IP address of 192.168.0.3. 192.168.0.3 is also reserved on the ISP router.

On the HH5a I have configured the physical LAN port 3 to have a vlan id of 5. This VLAN has a static IP address of 192.168.5.1/24. DHCP on this VLAN is configured with default gateway 192.168.5.1.


From devices on the ISP router (192.168.0.1/24) I can successfully ping 192.168.0.1 (default gateway) and 192.168.0.3 (HH5a Port4). Therefore the route between the ISP router and HH5a is working. However, I am unable to ping 192.168.5.1.

From a device on vlan id 5 of the HH5a (192.168.5.2), I can ping 192.168.5.1 and 192.168.0.3, but not 192.168.0.1 or anything on the internet.

If I do this locally on the HH5a...

ping -I br-LAN5 192.168.5.2 #I can ping this device on VLAN5
ping -I br-LAN5 192.168.0.3 #This fails

This is my network config

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd46:0ba0:8372::/48'

config atm-bridge 'atm'
        option encaps 'llc'
        option payload 'bridged'
        option vci '38'
        option vpi '0'

config dsl 'dsl'
        option xfer_mode 'ptm'
        option annex 'b'
        option tone 'a'
        option line_mode 'vdsl'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:47:99:9e'

config interface 'wan'
        option _orig_ifname 'ptm0'
        option _orig_bridge 'false'
        option type 'bridge'
        option ifname 'ptm0'
        option proto 'none'

config device 'wan_dev'
        option name 'ptm0'
        option macaddr '40:f2:01:47:99:9f'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '0 2 4 5t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1 6t'

config interface 'vpnserver'
        option proto 'none'
        option auto '1'
        option delegate '0'
        option _orig_ifname 'ovpns0'
        option _orig_bridge 'true'
        option ifname 'ovpns0'

config interface 'LAN2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'true'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.0.3'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '192.168.0.255'
        option dns '1.1.1.1'

config interface 'LAN5'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option dns '192.168.5.3'
        option type 'bridge'
        option _orig_ifname 'eth0.5'
        option _orig_bridge 'true'
        option ifname 'eth0.5'
        option broadcast '192.168.5.255'
        option gateway '192.168.0.1'

config route 'Route_Lan2'
        option interface 'LAN2'
        option target '192.168.5.0'
        option gateway '192.168.5.1'
        option netmask '255.255.255.0'

config route 'Route_Lan5'
        option interface 'LAN5'
        option target '192.168.0.0'
        option gateway '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'lan'
        option proto 'static'
        option ifname 'eth0'

This is my firewall config... (I've tried to open everything up to test this...)


cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option drop_invalid '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'LAN2'
        option forward 'ACCEPT'
        option network 'LAN2'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'LAN5'
        option forward 'ACCEPT'
        option network 'LAN5'

config forwarding
        option src 'VLAN2'
        option dest 'VLAN5'

config forwarding
        option src 'VLAN5'
        option dest 'VLAN2'

config forwarding
        option dest 'LAN5'
        option src 'LAN2'

config forwarding
        option dest 'LAN2'
        option src 'LAN5'

config rule
        option target 'ACCEPT'
        option name 'Test'
        option src '*'
        option dest '*'

config redirect
        option target 'DNAT'
        option src 'LAN2'
        option dest 'LAN5'
        option proto 'tcp udp'
        option name 'external'

config redirect
        option target 'DNAT'
        option src 'LAN5'
        option dest 'LAN2'
        option proto 'tcp udp'
        option name 'internal'

This is the output of my route config.


PIEFIE:~$ route -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.0.1     0.0.0.0         UG        0 0          0 eth0.2
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0.2
192.168.5.0     *               255.255.255.0   U         0 0          0 br-LAN5
192.168.200.0   *               255.255.255.0   U         0 0          0 ovpns0

PIEFIE:~$ ip route show
default via 192.168.0.1 dev eth0.2
192.168.0.0/24 dev eth0.2  src 192.168.0.3
192.168.5.0/24 dev br-LAN5  src 192.168.5.1
192.168.200.0/24 dev ovpns0  src 192.168.200.1

PIEFIE:~$ cat /etc/iproute2/rt_tables
#
# reserved values
#
128     prelocal
255     local
254     main
253     default
10      InternetOut
0       unspec
#
# local
#
#1      inr.ruhep

Please help :slight_smile:

You should remove the static routes. Static routes are only necessary when the route is not implicitly known by the router, as is the case here.

For the router, there should be no default gateway on 192.168.5.0/24. For the clients in the same subnet the router is the gateway, but for the router itself it's not.

Mijzelf, thanks for your reply.

OK, I've removed the default gateway from 192.168.5.0/24

and I've removed the routes from the network config.

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd46:0ba0:8372::/48'

config atm-bridge 'atm'
        option encaps 'llc'
        option payload 'bridged'
        option vci '38'
        option vpi '0'

config dsl 'dsl'
        option xfer_mode 'ptm'
        option annex 'b'
        option tone 'a'
        option line_mode 'vdsl'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:47:99:9e'

config interface 'wan'
        option _orig_ifname 'ptm0'
        option _orig_bridge 'false'
        option type 'bridge'
        option ifname 'ptm0'
        option proto 'none'

config device 'wan_dev'
        option name 'ptm0'
        option macaddr '40:f2:01:47:99:9f'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '0 2 4 5t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1 6t'

config interface 'vpnserver'
        option proto 'none'
        option auto '1'
        option delegate '0'
        option _orig_ifname 'ovpns0'
        option _orig_bridge 'true'
        option ifname 'ovpns0'

config interface 'LAN2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'true'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.0.3'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '192.168.0.255'
        option dns '1.1.1.1'

config interface 'LAN5'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option dns '192.168.5.3'
        option type 'bridge'
        option _orig_ifname 'eth0.5'
        option _orig_bridge 'true'
        option ifname 'eth0.5'
        option broadcast '192.168.5.255'

config interface 'lan'
        option proto 'static'
        option ifname 'eth0'

I still seem to have some routes, but I think they might be default ones for the subnets...

 route -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.0.1     0.0.0.0         UG        0 0          0 eth0.2
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0.2
192.168.5.0     *               255.255.255.0   U         0 0          0 br-LAN5
192.168.200.0   *               255.255.255.0   U         0 0          0 ovpns0

I've rebooted the switch

Locally on the HH5a switch

ping 192.168.0.1 #works (but I think this is using the 192.168.0.3 ip to achieve this)
ping -I br-LAN5 192.168.5.2 #works

but

ping -I br-LAN5 192.168.0.3 #fails
ping -I br-LAN5 192.168.0.1 #fails

from another device on the 192.168.5.1/24

ping 192.168.5.1 #works
ping 192.168.0.3 #works
ping 192.168.0.1 #fails

So... I still can't route to the internet. Any more ideas would be greatly helpful.

Thanks

Take out all the DSL settings, as you aren't using the integral DSL modem.

Your wan network should be:

config interface wan
    option proto dhcp
    option ifname 'eth0.5'
    option hostname 'HomeHub'

This is something that should just work if you start from a default configuration and make minimal changes (add VLAN to the switch, change wan interface from ptm to eth).

Hi, thanks for your help mk24,

So I've removed the atm section from the network file and I've added the eth0.2 network to the interface as this was the one that has the internet connection.

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd46:0ba0:8372::/48'

config dsl 'dsl'
        option xfer_mode 'ptm'
        option annex 'b'
        option tone 'a'
        option line_mode 'vdsl'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:47:99:9e'

config interface 'wan'
        option _orig_ifname 'ptm0'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.0.3'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '255.255.0.255'
        option dns '1.1.1.1'
        option ifname 'eth0.2'

config device 'wan_dev'
        option name 'ptm0'
        option macaddr '40:f2:01:47:99:9f'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '0 2 4 5t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1 6t'

config interface 'vpnserver'
        option proto 'none'
        option auto '1'
        option delegate '0'
        option _orig_ifname 'ovpns0'
        option _orig_bridge 'true'
        option ifname 'ovpns0'

config interface 'LAN2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'true'
        option proto 'none'
        option ifname 'eth0'

config interface 'LAN5'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option dns '192.168.5.3'
        option type 'bridge'
        option _orig_ifname 'eth0.5'
        option _orig_bridge 'true'
        option ifname 'eth0.5'
        option broadcast '192.168.5.255'

config interface 'lan'
        option proto 'static'
        option ifname 'eth0'

I've deleted the old firewall settings for LAN2, which was the eth0.2 interface, which I've also set to unmanaged. I've moved the IP address and the eth0.2 network from LAN2 to the wan interface.

In the network section for "wan" there are the following tags

    option _orig_ifname 'ptm0'
    option _orig_bridge 'false'

Should I have removed these too?

Below is the new firewall config.

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option drop_invalid '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'LAN5'
        option forward 'ACCEPT'
        option network 'LAN5'

config rule
        option target 'ACCEPT'
        option name 'Test'
        option src '*'
        option dest '*'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wan'

config forwarding
        option dest 'LAN5'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'LAN5'

Results are the same.

192.168.0.1/24 devices can ping 192.168.0.3
192.168.0.1/24 devices can't ping 192.168.1.5

hh5 switch
ping -I br-LAN5 192.168.5.2 #works
ping -I br-LAN5 92.168.0.3 #fails
ping -I br-LAN5 192.168.0.1 #fails

another device on 192.168.5.1/24

ping 192168.5.1 #works
ping 192.168.0.3 #works
ping 192.168.0.1 #fails

This is really weird.

What would stop it routing? The switch can get to the internet just fine. It's just that I can't escape from VLAN5. Should the 192.168.5.1/24 network have a default gateway of 192.168.0.3? This would be the egress port to the internet, via the 192.168.0.0/24 network which has a default gateway of 192.168.0.1?

Why don't you just reset the device to defaults, as @mk24 notes should work:

?

I've deleted all the vlans, interfaces and firewall rules. I've also deleted all the DSL config in the network config file,

removed the vlan config on the switch and re-added everything I needed back.

Here's my new network file.

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd46:0ba0:8372::/48'

config interface 'wan'
        option proto 'static'
        option ipaddr '192.168.0.3'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '255.255.0.255'
        option dns '1.1.1.1'
        option ifname 'eth0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 2 4 5 6t'
        option vid '5'

config interface 'vlan5'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.5.255'
        option dns '1.1.1.1'
        option type 'bridge'
        option stp '1'
        option ifname 'eth0.5'

and my firewall

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option drop_invalid '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vlan5'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vlan5'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wan'

config forwarding
        option dest 'wan'
        option src 'vlan5'

config forwarding
        option dest 'vlan5'
        option src 'wan'

vlan5 is a bridged connection to the wifi on the switch.
wan is a static ip address connection to the new adsl router as before.

I'm still in a world of pain. All pings are the same. I can get from the 192.168.5.1/24 network to the 192.168.0.3 interface but can't get out to 192.168.0.1 or 1.1.1.1 or 8.8.8.8 on the internet. Something has to be missing, or I need a route of some kind.

You are:

config forwarding
	option dest 'wan'
	option src 'vlan5'

You never permitted traffic from VLAN5 to WAN.

You need masq and mtu_fix on the wan side so you can NAT out to the Internet. This is in the default configuration. I highly encourage you to go back to default configuration and start there and get something simple working, like regular access to the Internet.

I'm not sure what you're trying to do with the bi-directional routing between the two networks. If you want the effect of one network, make one network.

Generally one would have only one other device in their WAN network, the ISP modem or router. Don't connect other devices to that router. Connect all your LAN devices to the 5.1 network.
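The point the replies make about `masq`, and the wide-open `wan` zone in the posted config, can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: `parse_uci` and `audit` are hypothetical helper names, `POSTED` is abridged from the post-reset firewall above, and `FIXED` is a constructed sample that adds the `masq` and `mtu_fix` options the reply names and rejects unsolicited traffic arriving from the ISP router's LAN.

```python
import shlex

# Constructed sample: the zones and forwardings of the post-reset firewall above.
POSTED = """
config zone
    option name 'vlan5'
    option network 'vlan5'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'wan'
config forwarding
    option src 'vlan5'
    option dest 'wan'
config forwarding
    option src 'wan'
    option dest 'vlan5'
"""

# Constructed sample (assumption): wan zone with masq/mtu_fix and REJECT policies.
FIXED = """
config zone
    option name 'vlan5'
    option network 'vlan5'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan'
config forwarding
    option src 'vlan5'
    option dest 'wan'
"""


def parse_uci(text):  # -> [(section_type, {option: value}), ...]
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"] and len(tok) > 1:
            sections.append((tok[1], {}))
        elif tok[:1] == ["option"] and len(tok) == 3 and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections


def audit(text, upstream="wan"):
    """List findings for the zone that faces the upstream (ISP) router."""
    secs = parse_uci(text)
    zones = {o["name"]: o for t, o in secs if t == "zone" and "name" in o}
    out = []
    for o in (o for t, o in secs if t == "forwarding"):
        out += [f"forwarding {k} '{o.get(k)}' is not a defined zone"
                for k in ("src", "dest") if o.get(k) not in zones]
        if o.get("src") == upstream:
            out.append(f"forwarding lets {upstream} hosts reach zone '{o.get('dest')}'")
    up = zones.get(upstream, {})
    if up.get("masq") != "1":
        out.append(f"zone '{upstream}' has no masq: inner subnets leave un-NATed")
    out += [f"zone '{upstream}' {c} policy is ACCEPT"
            for c in ("input", "forward") if up.get(c) == "ACCEPT"]
    return out
```

Without `masq`, packets from 192.168.5.0/24 reach the ISP router with their original source address, and its replies only come back if it has a route to that subnet; the same check also flags forwardings such as `VLAN2`/`VLAN5` in the first post, which name zones that are not defined.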

OK, done a full reset. Still the same: I can get out to the Internet if I put the WiFi bridge on the wan vlan port, but anything on a new vlan doesn't route or ping back to the ISP router.

Don't make any new interfaces yet. You have the stock wan and lan, get that to work in the conventional way first.

WAN should not be a bridge. The only two things in it should be your modem/router and your OpenWrt router.

I can't plug the router into any ADSL lines though.

Here's why I'm trying to do this...

We just had Virgin fibre installed. The location of the Virgin router is awkward, as it's next to the TV. I'm not bothered that the TV, DVD player and Virgin TiVo box are all on the Virgin router. But I wanted to keep the Virgin firewall and WiFi as standard.

My wife likes adverts... She's unique... She actually enjoys doing pay-per-click stuff, she's weird.

The rest of the family, however, love the adblocking, DNS stuff and VPN I've done with the old HH5s.

So I wanted to leave the original Virgin router and WiFi as standard. I know I could put it into modem-only mode. But then the TV, TiVo box and DVD player wouldn't be behind a firewall.

So, here's where I'm stuck. I basically can't go back to using the HH5a as an ADSL router.

I defaulted the router and everything was standard. I added the static IP address to vlan0.1 on the router, and I could ping the gateway and anything else on the internet. But now I wanted to isolate the Virgin router from my other vlans. This is where I've got the issues. It's like I need a static route to enable a new interface to forward traffic to the Virgin vlan. I'm not really bothered if I can't go the other way... Virgin to HH5a. But I need it to route HH5a to Virgin.

OK, in post 1 you said you switched ISPs from ADSL to a fiber service. Now (in post 13), you're saying you can't connect to ADSL.

To be clear you also said this:

By any chance...do you have 2 ISPs (instead of changing)?

I'm not clear on your issue, unless you still have ADSL service and didn't tell us.

The UK is aggressively marketing VDSL with outdoor DSLAMs as "fibre" (FTTC), still - one would usually expect VDSL2+vectoring for those lines, instead of ADSL.

OK, we are sorted.

Yep, sorry guys, I've changed ISP. The old one doesn't work anymore. I've moved from copper ADSL fibre at the cabinet to fibre to the house. So the old modem wouldn't work on the new broadband provider's network.

I've sorted it; defaulting the configs was the way to go. Since defaulting I'd missed a firewall rule to forward the traffic to the new router. Interestingly, I can't see any difference between the new and the old network files from before the reset.

mk24, thanks for your help, much appreciated. It's been a battle but we made it.

@elevennails If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)
