[Solved]OpenWRT vlans don't have internet access except the lan vlan

I am quite new to OpenWRT, but I am running OpenWRT 22.03.2 on an apu4 router that doesn't have wifi antennas and only acts as a router. This is connected to a managed switch (a gs1900-8hp, to be exact), and I am using the TP-Link EAP-615-Wall access point with the default firmware.

Currently, I only have internet on the lan vlan, which is vlan 5. When I connect to any of the other vlans, there is no internet at all.

I have configured the following vlans on eth0:

vlan 5 - lan
vlan 6 - IoT
vlan 7 - VPN
vlan 8 - Work
vlan 9 - Guest

I have added vlan filtering for these on the bridge device, and I have the ports on the router configured as follows:

eth0 - tag all vlans
eth1 - wan port
eth2 & 3 - untagged for vlan 5 with pvid checked.

The switch is configured as follows:
port 1 - tag all vlans (this is connected to eth0 on the router)
port 2 - tag all vlans (this is connected to the access point) with PoE enabled
port 3 - untag vlan 5/pvid of 5 (this is a device connecting to the lan vlan)
port 4 - untag vlan 6/pvid of 6 (device connecting to vlan 6)
port 5 - untag vlan 7/pvid of 7 (device connecting to vlan 7)
ports 6 & 7 are disabled
port 8 - untag vlan 1/pvid of 8, used to access just the management console of the switch

The AP is configured with one SSID per vlan, and this works perfectly. I can connect to each vlan and get assigned an IP address in each vlan's address space.

Here are some configuration files

Interfaces

# OpenWrt network config (UCI) as posted. Values such as 'IPV6IP' were
# redacted by the poster before posting.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # redacted by the poster; normally a ULA prefix
        option ula_prefix 'IPV6IP'

# Single VLAN-filtered bridge; eth0 is the trunk to the switch, eth2/eth3
# are the untagged lan ports (see the bridge-vlan sections below).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth3'

# Only the lan interface uses a .1 host address; it is also the only one
# the poster reports as working.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.5'
        option ipaddr '192.168.11.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

# NOTE(review): the eth0.5 .. eth0.9 802.1q devices below are not referenced
# by any interface in this file (the interfaces use br-lan.N instead).
# Presumably leftovers from an earlier attempt; confirm they are unused and
# consider removing them so VLAN tagging is handled in one place (the bridge).
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '5'
        option name 'eth0.5'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '6'
        option name 'eth0.6'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '7'
        option name 'eth0.7'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '8'
        option name 'eth0.8'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '9'
        option name 'eth0.9'

# Bridge VLAN filtering: VLAN 5 is tagged on the eth0 trunk and untagged
# (PVID) on eth2/eth3; VLANs 6-9 exist only tagged on the trunk, which
# matches the switch description in the post.
config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'eth0:t'
        list ports 'eth2:u*'
        list ports 'eth3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'eth0:t'

# NOTE(review): in each of the four interfaces below, ipaddr ends in .0,
# which is the network address of the /24 and not a usable host address.
# This is the root cause identified later in the thread; the fix is a host
# address such as 192.168.12.1 (and .13.1, .14.1, .15.1 respectively).
config interface 'IoT'
        option proto 'static'
        option device 'br-lan.6'
        option ipaddr '192.168.12.0'
        option netmask '255.255.255.0'

config interface 'VPN'
        option proto 'static'
        option device 'br-lan.7'
        option ipaddr '192.168.13.0'
        option netmask '255.255.255.0'

config interface 'Work'
        option proto 'static'
        option device 'br-lan.8'
        option ipaddr '192.168.14.0'
        option netmask '255.255.255.0'

config interface 'Guest'
        option proto 'static'
        option device 'br-lan.9'
        option ipaddr '192.168.15.0'
        option netmask '255.255.255.0'

Firewall

# OpenWrt firewall config (UCI) as posted. The first part (defaults, lan/wan
# zones, lan->wan forwarding and the Allow-* rules) matches the stock OpenWrt
# layout; the poster's additions for the extra VLANs start at the 'IoT' zone.
# Note that firewall rules are evaluated in file order.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        # 'IPV6' is a redaction by the poster, not a literal value
        option src_ip 'IPV6'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward IPsec (ESP and ISAKMP/500) from wan into the
# lan zone only; they are harmless unless an IPsec endpoint exists on lan,
# but can be removed if no such endpoint is intended.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): all four VLAN zones below use input 'ACCEPT', so clients in
# the IoT and Guest VLANs can reach every service running on the router
# itself (admin UI, SSH, etc.), not just DHCP and DNS. For untrusted segments
# the usual hardening is input 'REJECT' on the zone plus explicit ACCEPT
# rules for udp/67-68 (DHCP) and udp+tcp/53 (DNS). forward 'REJECT' already
# blocks traffic between these zones unless a forwarding section allows it.
config zone
        option name 'IoT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VPN'

config zone
        option name 'Work'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Work'

config zone
        option name 'Guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

# Every VLAN zone may reach the internet via wan (masquerading is set on
# the wan zone above).
config forwarding
        option src 'IoT'
        option dest 'wan'

config forwarding
        option src 'VPN'
        option dest 'wan'

config forwarding
        option src 'Work'
        option dest 'wan'

config forwarding
        option src 'Guest'
        option dest 'wan'

# Inter-VLAN policy: lan may initiate to IoT and VPN; VPN may also initiate
# to lan, so lan<->VPN is effectively open in both directions. IoT cannot
# initiate to lan (only reply), and Work/Guest are isolated from the other
# VLANs.
config forwarding
        option src 'lan'
        option dest 'IoT'

config forwarding
        option src 'lan'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'lan'


I am sure I am missing something obvious, but I can't seem to figure it out, and all help will definitely be appreciated. Thanks in advance!

These addresses are wrong for all of your new networks (the only one that is correct is the lan network).

Use 192.168.12.1 (and likewise .13.1, .14.1, .15.1). The .0 address is the network address and is not a valid host address in a /24 network.

That was it! I now have internet on all vlans, but I have one more problem. I can't seem to access a Windows machine on the lan vlan from a device on the same vlan. Is there some configuration needed for that, or should all devices be able to reach all other devices on the same vlan?

Devices on the same VLAN communicate with each other at layer 2 (switching), so the router (which operates at layer 3 - routing/firewall) is not involved. This means it is a host-level issue (unless you misconfigured some of your ports with respect to the vlan membership).

Check the Windows firewall... in some cases, it will treat a new network as untrusted (a "public" network profile) and not allow any inbound connections. Turn the Windows firewall off entirely as a test -- if that fixes the issue, you know where to look, and can then re-enable it and allow only the needed inbound rules on the private profile. If not, we can dig deeper.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

OK, excellent, I will take a look at that. Thanks for the help!
