I have recently managed to get my setup perfect (4 weeks working on it), or so I thought. Now I realise I would like a tiny little addition, if possible and not too complicated, for which I need some help please.
About my setup:
WRT1900AVS v2, with 2 VLANs (192.168.5.1 and 192.168.10.1)
.5.1 goes through the normal internet connection, and .10.1 goes through the VPN.
The above works perfectly! But
I would like to be able to ping/access devices on either VLAN from the other VLAN. I believe it's a routing situation? If doing this breaks my current setup then I can live without it, but if it is possible, it would make my almost perfect setup completely perfect.
The default gateway for each VLAN is its first IP address, 192.168.5.1 and 192.168.10.1.
Presumably you've got a firewall zone defined for each of your VLANs. All you should need to do is to add firewall forwarding rules allowing inter-VLAN routing (just replace VLAN1 and VLAN2 with the names of the firewall zones for each of those networks):
config forwarding
	option src 'VLAN1'
	option dest 'VLAN2'

config forwarding
	option src 'VLAN2'
	option dest 'VLAN1'
Hi, I have added the code you gave to the firewall file, changed the VLAN names to match mine, which are simply VLAN5 and VLAN10, and still no ping.
Is the code to be inputted in the firewall file?
Please find my firewall config below; I do have some forwarded ports.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'VLAN5'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'VLAN5'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'VLAN5'
	option network 'VLAN5'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option dest 'wan'
	option src 'VLAN5'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'VLAN10'
	option network 'VLAN10'
	option forward 'REJECT'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'VPN'
	option forward 'ACCEPT'
	option masq '1'
	option network 'NordVPN'

config forwarding
	option dest 'VLAN10'
	option src 'VPN'

config forwarding
	option dest 'VPN'
	option src 'VLAN10'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'VLAN5'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.5.3'
	option dest_port '80'
	option name 'webserver'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'VLAN5'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.5.3'
	option dest_port '443'
	option name 'https'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'VLAN5'
	option proto 'udp'
	option src_dport '1701'
	option dest_ip '192.168.5.2'
	option dest_port '1701'
	option name 'vpn1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'VLAN5'
	option proto 'udp'
	option src_dport '500'
	option dest_ip '192.168.5.2'
	option dest_port '500'
	option name 'vpn2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'VLAN5'
	option proto 'udp'
	option src_dport '4500'
	option dest_ip '192.168.5.2'
	option dest_port '4500'
	option name 'vpn3'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'VLAN5'
	option proto 'udp'
	option src_dport '1194'
	option dest_ip '192.168.5.2'
	option dest_port '1194'
	option name 'openvpn'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '8001'
	option dest_port '8001'
	option name 'vuplus1'
	option dest 'VLAN10'
	option dest_ip '192.168.10.2'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '8002'
	option dest_port '8002'
	option name 'vuplus2'
	option dest 'VLAN10'
	option dest_ip '192.168.10.2'

config forwarding
	option src 'VLAN5'
	option dest 'VLAN10'

config forwarding
	option src 'VLAN10'
	option dest 'VLAN5'
I have also tried adding the following, just as a test, but it still did not work:
config rule
	option target 'ACCEPT'
	option proto 'all'
	option src '*'
	option dest '*'
I also have the following code in startup, as without this VLAN5 devices cannot get on to the internet. I have added an IP per line, as 192.168.5.0/24 wouldn't work. Not sure if this has any impact on what I am trying to achieve.
ip route add default via 192.168.0.1 table 10
ip rule add from 192.168.5.2 table 10
Please see the attached pic, maybe it will help. There most definitely are devices at the addresses I am pinging, as I can ping them when on the same subnet.
I've been playing with this a bit today and I'm confirming what you are seeing. I think I had done this in the past, but now I can't recall what it was that I had done to make it work.
I'll keep thinking about how it is supposed to work.
@ess2k
I found the solution on my test router (E3000)... REBOOT!
That's it! In my test configuration, I added a VLAN and assigned it to a switch port. I then created an interface (Guest) with a unique subnet, assigned it a firewall zone (guest), and turned on the DHCP server. In the firewall, I made rules to allow udp 67-68 from the guest zone for dhcp, and then udp/tcp 53 from guest for dns. Finally, I went into the guest zone definition and allowed forwarding both to and from the lan zone (I did this from the GUI, but verified the same forwarding config text as I had suggested earlier).
It still wasn't pinging across VLANs, but when I rebooted, it started to work!
BTW, you can also remove the two iproutes you added and the extra firewall rule to accept all (this one in particular could seriously compromise security wrt the internet, but was worth testing).
Yes, I have already removed that accept-all rule.
So do you think doing the above will solve the issue even though allowing everything didn't? I was rebooting after almost every settings change.
Lastly, where you mention,
is this to be done in the traffic rules section? And if so, what does the destination zone need to be, the opposing VLAN?
Good. Yes, it should work, but I found another caveat, at least on my system. The route that the packets attempt to take entirely depends on the available network interfaces on your computer and the service order (if applicable). In my case, on a Mac Pro, I have 2 ethernet ports and wifi. I normally have my wifi and ethernet 1 connected to my main network and set with higher service priority than ethernet 2 (which I use for experimental purposes). This means that normally packets going to an unknown network try to go out of the first interface and don't reach their destination. But when I turn off those interfaces (or if I change the service priority order), the packets go to my test router on ethernet 2 and get routed appropriately.
I'm guessing you already have this working since you said your VLANs were up and running previously. But for completeness, the way I've implemented them was with the LuCi interface Firewall > Traffic Rules. Source zone is guest (my 2nd VLAN), and destination zone is Device (input). The resulting "match" description is "any udp from any host in guest to any router IP at ports 67-68" accept input.
The UCI firewall config for that rule looks like this:
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow-GuestDHCP'
	option src 'guest'
@psherman
Man, thanks for all your help, I appreciate it. I have allowed all traffic on all ports to and from VLAN5 and VLAN10.
Just as a test, I removed the code below...
ip route add default via 192.168.0.1 table 10
ip rule add from 192.168.5.2 table 10
(The second line in this code is repeated for each IP address in the subnet.)
...from startup, rebooted, and can ping either subnet from the other. The moment I add the code above to startup and reboot, I cannot ping.
Without that code my non-VPN VLAN5 cannot access the internet.
I think with that code, all traffic is being sent to the GW: 192.168.0.1.
Maybe I need to add a hop to 192.168.5.1 before it goes to 192.168.0.1, but I have no idea how to.
Thanks for your help.
Yes, I do. And I still couldn't get internet on VLAN5; I am sure it's some sort of config in the VPN that is blocking it.
I think I may have to live with this one.
Still looking through the config files, but curious about what the symptom is on VLAN5 when trying to get to the internet...
What does DHCP assign to the clients for the gateway, subnet mask, and DNS?
Can you ping the gateway?
Can you ping externally (say 8.8.8.8 -- a Google DNS server)?
Can you ping a domain (maybe google.com)?
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.5.1: Destination port unreachable.
Reply from 192.168.5.1: Destination port unreachable.
Reply from 192.168.5.1: Destination port unreachable.
Reply from 192.168.5.1: Destination port unreachable.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
But if I type my ISP router's external IP, I get my webserver page. So there is some internet connection, as it goes out my internet and returns back in to get my webserver page. So it is some sort of DNS/routing issue.
I tried long and hard to sort it, then I got the solution below to work, so I ran with it. But as you know, with this solution to get internet on VLAN5, I cannot ping inter-VLAN.
ip route add default via 192.168.0.1 table 10
ip rule add from 192.168.5.2 table 10
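Added example, not from the thread or from either poster: a replacement for the two startup lines above that keeps VLAN5 on the ISP gateway without hiding VLAN10 from it. The reason the original pair breaks inter-VLAN pings is visible in the commands themselves: `ip rule add from 192.168.5.2 table 10` sends every packet from that host to table 10, and table 10 contains only `default via 192.168.0.1`. The connected route to 192.168.10.0/24 lives in the main table, which is never consulted for those packets, so a ping to VLAN10 is forwarded to 192.168.0.1 instead. Mirroring the kernel's connected routes into table 10 (and, as a second safety net, sending VLAN5-to-VLAN10 traffic to the main table with a lower-numbered rule) fixes that. Assumptions: the ISP gateway 192.168.0.1 and table number 10 are taken from the posted commands; interface names are read from the kernel's own routes rather than guessed; the rule priorities 100 and 110 are arbitrary choices; the subnet form `192.168.5.0/24` is used in the rule because that is the standard ip-rule syntax.

```shell
#!/bin/sh
# Policy routing for VLAN5 on OpenWrt (added example; assumptions noted in comments).
# Goal: VLAN5's internet traffic leaves via the ISP gateway, bypassing the VPN's
# default route, while VLAN5 <-> VLAN10 traffic still uses the connected routes.

VLAN5_NET="192.168.5.0/24"
VLAN10_NET="192.168.10.0/24"
ISP_GW="192.168.0.1"      # assumption: same gateway as in the original commands
TABLE=10                  # assumption: same policy table as in the original commands

# Print the ip(8) commands for a given list of connected routes.
# $1: text in the format of `ip -4 route show scope link`, one route per line,
#     e.g. "192.168.10.0/24 dev br-VLAN10 proto kernel scope link src 192.168.10.1".
build_policy_routes() {
    connected="$1"
    # 1. Mirror every directly connected subnet into table 10. A lookup in table 10
    #    then matches 192.168.10.0/24 (longest prefix wins) before the default route.
    printf '%s\n' "$connected" | while IFS= read -r route; do
        [ -n "$route" ] || continue
        echo "ip route replace $route table $TABLE"
    done
    # 2. Everything else from VLAN5 goes straight to the ISP gateway.
    echo "ip route replace default via $ISP_GW table $TABLE"
    # 3. Rules are tried lowest priority first: pin inter-VLAN traffic to the main
    #    table explicitly, then steer the whole VLAN5 subnet into table 10.
    echo "ip rule add from $VLAN5_NET to $VLAN10_NET lookup main priority 100"
    echo "ip rule add from $VLAN5_NET lookup $TABLE priority 110"
    echo "ip route flush cache"
}

# Sanity check helper: how many generated commands populate the policy table.
count_table_routes() {
    build_policy_routes "$1" | grep -c "table $TABLE"
}

# Only touch the kernel when explicitly asked, e.g. APPLY=1 sh /etc/rc.local
if [ "${APPLY:-0}" = "1" ]; then
    # ip rule add is not idempotent; delete first so reloads do not stack duplicates.
    ip rule del from "$VLAN5_NET" to "$VLAN10_NET" lookup main priority 100 2>/dev/null
    ip rule del from "$VLAN5_NET" lookup "$TABLE" priority 110 2>/dev/null
    build_policy_routes "$(ip -4 route show scope link)" | sh -e
fi
```

Run it with `APPLY=1` from /etc/rc.local (or from a hotplug script so it re-runs after the VPN interface comes up and installs its own default route), then check the result with `ip route show table 10`, `ip rule show`, and a simulated lookup such as `ip route get 192.168.10.2 from 192.168.5.2 iif <VLAN5 device>`, which should name the VLAN10 device rather than the ISP gateway. `ip route replace` is used instead of `ip route add` so the script can be re-run without "File exists" errors.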