Suddenly cannot access 192.168.1.1, but can through 192.168.9.1 (SSH works, pings and http(s) don't)

So I am trying to access it from my main SSID which has access to lan and it’s on the same subnet (192.168.1.x) I have another SSID which is on another subnet (192.168.2.x) and on a different VLAN (VLAN_21), but has access to lan and a few more, there I can actually access 192.168.1.1, so I am utterly confused.

Here are my configs:

ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT3000",
	"board_name": "glinet,gl-mt3000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

cat /etc/config/network

# Review notes are the '#' lines; UCI treats them as comments.
# Device: GL.iNet GL-MT3000 running OpenWrt 23.05.3 (see `ubus call system board` above).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

# One VLAN-aware bridge whose only member is the single LAN port (eth1).
# Every bridge-vlan below carries its VLAN tagged on eth1, so eth1 is a pure
# 802.1Q trunk towards the downstream switch the poster mentions later.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

# NOTE(review): the interface named 'lan' is VLAN 71 (br-lan.71), not VLAN 1.
# VLAN 1 is declared as a bridge-vlan further down but no interface uses it.
# The 'lan' firewall zone (input ACCEPT) is bound to this interface.
config interface 'lan'
	option device 'br-lan.71'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# PPPoE uplink on eth0. peerdns '0' discards the ISP resolvers and pins the
# Google ones listed here; dnsmasq reads them via resolv.conf.auto.
config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username 'REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

# IPv6 side of the uplink: DHCPv6 with prefix delegation on the same eth0.
config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

# No 'device' option, so this interface never comes up on its own (it only
# exists so a wifi STA could be attached later). It is still a member of the
# wan zone in /etc/config/firewall, which is harmless.
config interface 'wwan'
	option proto 'dhcp'

# ---- bridge-vlans: one per VLAN, each tagged on the eth1 trunk ----
# VLAN 1 is carried on the trunk but no interface is attached to it.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '31'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '51'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '61'
	list ports 'eth1:t'

# VLAN 71 is the one the 'lan' interface (192.168.1.1) sits on.
config bridge-vlan
	option device 'br-lan'
	option vlan '71'
	list ports 'eth1:t'

# VLAN 81 is carried on the trunk but unused (the poster later calls br-lan.81 a leftover).
config bridge-vlan
	option device 'br-lan'
	option vlan '81'
	list ports 'eth1:t'

# Note there are NO bridge-vlan stanzas for VLANs 91 and 111; those two are
# created below as plain 802.1q devices on top of br-lan instead.

# Second management network (zone 'admin', input ACCEPT in the firewall).
config interface 'VLAN21_admin'
	option proto 'static'
	option device 'br-lan.21'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'VLAN41_NAS'
	option proto 'static'
	option device 'br-lan.41'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'VLAN31_PC'
	option proto 'static'
	option device 'br-lan.31'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'VLAN51_Server'
	option proto 'static'
	option device 'br-lan.51'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

# br-lan.91 defined as an 802.1q sub-device of the bridge rather than as a
# bridge-vlan. The reply below recommends replacing this with a bridge-vlan
# stanza like the others (the sub-device is then created automatically).
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '91'
	option name 'br-lan.91'

config interface 'VLAN61_IoT'
	option proto 'static'
	option device 'br-lan.61'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'

# Guest network; wifi-only (both guest SSIDs in /etc/config/wireless bind here).
config interface 'VLAN91_Guest'
	option proto 'static'
	option device 'br-lan.91'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'

# Same pattern as br-lan.91: 802.1q device instead of a bridge-vlan.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '111'
	option name 'br-lan.111'

# Not referenced by any wifi-iface; the poster later says it is unused.
config interface 'VLAN111_General'
	option proto 'static'
	option device 'br-lan.111'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

# WireGuard server. Exposure of this interface is governed by the 'WG_Home'
# zone in /etc/config/firewall (input REJECT, DNS only, forwarding to wan and NAS).
config interface 'wg_wg_home_vpn'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port 'REDACTED'
	list addresses '192.168.55.1/24'
	option mtu '1280'

# One /32 in allowed_ips per peer: WireGuard's cryptokey routing then only
# accepts packets from that peer if they carry its own tunnel address, and
# route_allowed_ips installs the matching host route. preshared_key layers a
# symmetric secret on top of the Curve25519 handshake.
config wireguard_wg_wg_home_vpn
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description 'REDACTED'
	list allowed_ips '192.168.55.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_wg_home_vpn
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description 'REDACTED'
	list allowed_ips '192.168.55.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

cat /etc/config/wireless

# 2.4 GHz radio, fixed channel 6, 20 MHz. Every SSID except the two on
# radio1 lives on this radio.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wifi'
	option channel '6'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'
	option country 'REDACTED'

# Main SSID, bridged into 'lan' (192.168.1.0/24). This is the network the
# poster's Mac is on when it cannot reach 192.168.1.1.
# wpa_disable_eapol_key_retries '1' is the KRACK hardening option; per the
# OpenWrt docs it can cause reconnect problems with some clients, so it is
# worth remembering if a particular client misbehaves.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'

# 5 GHz radio, channel 44, 80 MHz.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/18000000.wifi+1'
	option channel '44'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option country 'REDACTED'

# 5 GHz counterpart of the main SSID, also on 'lan'.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option key 'REDACTED'
	option network 'lan'
	option wpa_disable_eapol_key_retries '1'

# Guest SSID (2.4 GHz) on VLAN 91. 'isolate 1' stops guest clients from
# talking to each other through the AP; isolation from the other subnets
# comes from the 'guest' zone in the firewall, not from this option.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option key 'REDACTED'
	option network 'VLAN91_Guest'
	option isolate '1'

# Guest SSID (5 GHz), same network and isolation.
config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option isolate '1'
	option key 'REDACTED'
	option network 'VLAN91_Guest'

# IoT SSID (2.4 GHz only) on VLAN 61.
# NOTE(review): 'hidden 1' only omits the SSID from beacons. It is not a
# security control - clients that know the network probe for it by name, so
# the name is trivially captured over the air. The encryption and the
# VLAN/firewall zone are what actually protect this network.
config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'
	option network 'VLAN61_IoT'
	option hidden '1'

# NAS SSID (2.4 GHz only, hidden - same caveat as above) on VLAN 41.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option hidden '1'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'
	option network 'VLAN41_NAS'

# Server SSID (2.4 GHz only, hidden) on VLAN 51.
config wifi-iface 'wifinet7'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option hidden '1'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'
	option network 'VLAN51_Server'

# Admin SSID (2.4 GHz only, hidden) on VLAN 21. Its zone has input ACCEPT,
# so anyone who joins this SSID gets full access to SSH/LuCI on the router;
# the passphrase for it is effectively a management credential.
config wifi-iface 'wifinet8'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'REDACTED'
	option hidden '1'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'
	option network 'VLAN21_admin'

cat /etc/config/dhcp

# dnsmasq is moved off :53 to :54 and forwards every query to 192.168.1.1,
# i.e. to some other resolver listening on :53 on this same router (not shown
# in these configs - presumably an AdGuard Home / Pi-hole style service).
# The firewall's "DHCP and DNS" rules open 53/853, so clients reach that
# resolver directly rather than dnsmasq.
# NOTE(review): rebind_protection '0' turns off DNS-rebinding protection, so
# upstream answers that point at RFC1918 addresses are accepted by clients.
# If it was disabled only so local names can resolve to LAN addresses, the
# safer form is to leave it on and whitelist those names with
# 'list rebind_domain'. localservice '1' at least limits who dnsmasq answers
# to directly attached subnets.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option noresolv '0'
	option cachesize '1000'
	option port '54'
	list server '192.168.1.1'

# DHCPv4 pool 192.168.1.100-249. This is the only network with DHCPv6/RA
# enabled; the VLAN pools below are IPv4-only.
# dhcp_option 3 (router) and 6 (DNS) just repeat the interface's own address,
# which is what dnsmasq advertises by default anyway (the reply below says the same).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'

# Never serve DHCP towards the uplink.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles DHCPv6/RA only; dnsmasq stays the DHCPv4 server (maindhcp '0').
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Per-VLAN IPv4 pools, all .100-.249 with explicit (default-equivalent)
# router/DNS options pointing at the VLAN gateway.
config dhcp 'VLAN21_admin'
	option interface 'VLAN21_admin'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.2.1'
	list dhcp_option '3,192.168.2.1'

config dhcp 'VLAN41_NAS'
	option interface 'VLAN41_NAS'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.4.1'
	list dhcp_option '3,192.168.4.1'

config dhcp 'VLAN31_PC'
	option interface 'VLAN31_PC'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.3.1'
	list dhcp_option '3,192.168.3.1'

config dhcp 'VLAN51_Server'
	option interface 'VLAN51_Server'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.5.1'
	list dhcp_option '3,192.168.5.1'

config dhcp 'VLAN61_IoT'
	option interface 'VLAN61_IoT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.6.1'
	list dhcp_option '3,192.168.6.1'

config dhcp 'VLAN91_Guest'
	option interface 'VLAN91_Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.9.1'
	list dhcp_option '3,192.168.9.1'

config dhcp 'VLAN111_General'
	option interface 'VLAN111_General'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.11.1'
	list dhcp_option '3,192.168.11.1'

cat /etc/config/firewall

# Default-deny: router input and inter-zone forwarding are REJECT unless a
# zone, 'forwarding' or 'rule' below says otherwise. Software and hardware
# flow offloading are on (relevant when debugging, since offloaded flows
# bypass most of the netfilter path after the first packets).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

# Uplink zone: NAT (masq) and MSS clamping for the PPPoE link. 'wwan' is a
# member but has no device, so it contributes nothing today.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

# 'lan' = 192.168.1.0/24 (VLAN 71). input ACCEPT means SSH, LuCI, ping, DNS
# etc. on the router are fully reachable from this subnet; nothing later in
# this file rejects lan traffic. So the firewall is not what blocks the
# poster's Mac from reaching 192.168.1.1 (consistent with the phone working).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

# Unused network. Listing both 'device' and 'network' is redundant; the
# 'network' entry is enough (see the reply below).
config zone
	option name 'General'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-lan.111'
	list network 'VLAN111_General'

# Second management zone: input ACCEPT like 'lan', so VLAN 21 clients also
# get full router access. Same redundant 'device' line as above.
config zone
	option name 'admin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN21_admin'
	list device 'br-lan.21'

config forwarding
	option src 'lan'
	option dest 'wan'

# ---- stock OpenWrt wan input rules (unchanged defaults) ----
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that accept *forwarded* ESP and UDP/500 from wan into the lan
# zone. With IPv4 NAT and no matching redirect they can only matter for a
# lan host that is directly reachable over IPv6. If nothing in 'lan'
# terminates IPsec they can be dropped.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone (VLAN 91): no router access except the DHCP/DNS rule, and
# internet only. Redundant 'device' line again.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-lan.91'
	list network 'VLAN91_Guest'

config forwarding
	option src 'guest'
	option dest 'wan'

# No 'proto', so OpenWrt applies its default of tcp+udp to these ports.
# 53/853 reach the resolver on the router, 67 reaches the DHCP server.
# 68 is the DHCP *client* port and is not normally a destination on the
# router's input side; it is harmless but unnecessary.
config rule
	option name 'Guest DHCP and DNS'
	option src 'guest'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config zone
	option name 'PC'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-lan.31'
	list network 'VLAN31_PC'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN61_IoT'
	list device 'br-lan.61'

config zone
	option name 'NAS'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-lan.41'
	list network 'VLAN41_NAS'

config zone
	option name 'Server'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'br-lan.51'
	list network 'VLAN51_Server'

# ---- inter-zone forwardings ----
# admin -> IoT/NAS/Server/wan; General -> wan/IoT/NAS; lan -> IoT/NAS (+wan
# above); PC/IoT/NAS/Server -> wan only. Nothing forwards from IoT/NAS/
# Server back into lan or admin; replies still flow because the firewall
# is stateful, but those zones cannot initiate connections towards clients.
config forwarding
	option src 'admin'
	option dest 'IoT'

config forwarding
	option src 'admin'
	option dest 'NAS'

config forwarding
	option src 'admin'
	option dest 'Server'

config forwarding
	option src 'General'
	option dest 'wan'

config forwarding
	option src 'General'
	option dest 'IoT'

config forwarding
	option src 'General'
	option dest 'NAS'

config forwarding
	option src 'admin'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoT'

config forwarding
	option src 'lan'
	option dest 'NAS'

config forwarding
	option src 'PC'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'NAS'
	option dest 'wan'

config forwarding
	option src 'Server'
	option dest 'wan'

# Same DHCP/DNS input exception for every REJECT-input zone (see the guest
# rule for the port notes). The 'admin' one is redundant since that zone
# already has input ACCEPT.
config rule
	option name 'PC DHCP and DNS'
	option src 'PC'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'IoT DHCP and DNS'
	option src 'IoT'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'NAS DHCP and DNS'
	option src 'NAS'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'Server DHCP and DNS'
	option src 'Server'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'General DHCP and DNS'
	option src 'General'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'Admin DHCP and DNS'
	option src 'admin'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

# Opens the WireGuard listen port on wan. WireGuard does not respond to
# packets that fail authentication, so this exposes no banner to scanners.
config rule 'wg_rule_wg_home_vpn'
	option name 'Allow-WireGuard-wg_home_vpn-wan'
	option src 'wan'
	option dest_port 'REDACTED'
	option proto 'udp'
	option target 'ACCEPT'

# VPN clients: no router access beyond DNS, internet via wan, and the NAS.
# (Port 67 is not needed here - WireGuard peers have static tunnel addresses.)
config zone
	option name 'WG_Home'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg_wg_home_vpn'

config forwarding
	option src 'WG_Home'
	option dest 'wan'

config rule
	option name 'WG Home DNS'
	option dest_port '53 853'
	option target 'ACCEPT'
	option src 'WG_Home'

config forwarding
	option src 'WG_Home'
	option dest 'NAS'

# Break-glass rules, disabled. When enabled, the first grants the listed
# peer address(es) unrestricted router input (proto 'all' - SSH, LuCI, and
# everything else); consider limiting it to the ports actually needed,
# e.g. 'option dest_port "22 443"', rather than 'all'. Keep 'enabled 0'
# as the steady state.
config rule
	option name 'WG Admin (enable on demand)'
	option src 'WG_Home'
	option target 'ACCEPT'
	list src_ip 'REDACTED'
	list proto 'all'
	option enabled '0'

config rule
	option name 'WG to Admin VLAN (enable on demand)'
	option src 'WG_Home'
	option dest 'admin'
	option target 'ACCEPT'
	list src_ip 'REDACTED'
	list proto 'all'
	option enabled '0'

# DNAT for TCP/443 *from the lan zone to 192.168.4.245 only* (src_dip),
# rewriting it to :10443 on the NAS. Because of src_dip it does not match
# 192.168.1.1:443, so it cannot be what breaks HTTPS to the router itself.
# reflection '0' disables NAT loopback for this rule.
config redirect
	option dest 'NAS'
	option target 'DNAT'
	option family 'ipv4'
	list proto 'tcp'
	option src 'lan'
	option src_dport '443'
	option dest_ip '192.168.4.245'
	option dest_port '10443'
	option reflection '0'
	option src_dip '192.168.4.245'
	option name 'correct 443 router to 10443 nas'

What are you accessing?

SSH, Telnet?
LuCI web GUI, HTTP or HTTPS?

(I see a firewall rule that might mess up HTTPS: the `redirect` at the end of your firewall config rewrites TCP/443. As written it is limited by `src_dip` to 192.168.4.245, so it should only affect HTTPS to the NAS address and not to 192.168.1.1 — but it is worth ruling out.)

I’ve updated the title. Pings don’t work and http/s don’t work, even though I am on the same subnet. SSH does work.


Try disabling this:

Is there a reason you set forwarding to reject?

(BTW, you don't have to set DHCP Options Nos. 3 and 6 if they are the default IP you configured on the interface.)

I can’t disable that, I need it for reverse proxy on my NAS, since I cannot overwrite it inside the NAS. This caused no issues for months after using it, so I don’t believe the issue is there. I am using different vlans and have traffic rules for jumping through as shown in the config.

Please verify the subnet you're using by looking at the network settings of the device you're using to connect (i.e. your computer/phone/tablet). Beyond that, make sure it's the only active network connection (for example, if it is ethernet into your computer, make sure wifi is disabled and that there are no other ethernet connections).

If you're on the lan (192.168.1.0/24), it has input set to ACCEPT, so you should have proper connectivity. Most of your other networks appear to have REJECT as the input rule, so your observations would be expected on the other subnets.

You have a bunch of things here that need to be addressed...

First, VLANs 91 and 111 are not properly defined. You need to create bridge-VLANs for those (just like you did for the others) and you can delete the 802.1q stanzas for those VLANs:

For all of your new zones, you should only have the network, not the device. Delete the device line below (and in every other zone):

I’ve checked this, I am on the same subnet, checking from my PC, but also from the web interface where it shows the same IP on the same subnet for that PC. It is also the only active network connection.

If you're on the lan (192.168.1.0/24), it has input set to ACCEPT, so you should have proper connectivity. Most of your other networks appear to have REJECT as the input rule, so your observations would be expected on the other subnets.

It’s exactly how it’s configured.

I’ll adjust what you recommended and get back to you.

Hey @psherman, as you instructed, I've deleted the stanzas, but could you explain why this is redundant? I was following OneMarcFifty video on VLANs, and he explicitly defined these for all devices (unlike me for only two devices, for some reason that I am unaware of - this was long time ago so I somehow missed it), explained and demonstrated how he defines the stanzas here (timestamped).

You need to create bridge-VLANs for those (just like you did for the others)

The reason why I don't have the bridge VLANs created for 91 and 111 is that I have an 8-port switch; all of the others are tagged to it, but 91 and 111 are not — there isn't a physical port available for them, so I left them out, and that is also why I have not added them in the GUI (which is of course equivalent to the config-file setup you pointed to).

Delete the device line below (and in every other zone):

I updated this part too as instructed.

So the only part I have not changed is defining the two bridge VLANs, but if you say that it doesn't matter if I can't assign them physically to the switch port, and just assign them as Not as member, or even Tagged (let me know) without issues here for the VLAN firewall function on the wireless interfaces, let me know.

Lastly, the issue persists, despite the changes from above.

The underlying 802.1q stanza is created automatically when you make a bridge-VLAN. It is unnecessary and in some cases may even cause issues (although I have yet to have definitive proof of problems, I still recommend removing them since they are unnecessary).

Is there an expectation that 91 and 111 will be used on ethernet? Or is it wifi only? If wifi, is it using just a single radio, or will you use dual band?

Let's see the updated complete config.

The underlying 802.1q stanza is created automatically when you make a bridge-VLAN. It is unnecessary and in some cases may even cause issues (although I have yet to have definitive proof of problems, I still recommend removing them since they are unnecessary).

Yes, exactly, and why I am confused on their removal (also OneMarcFifty tries to even declare them implicitly). Here is how it looks now that they are removed as you instructed, from the GUI, and to be honest I have no idea how to remove them from here, the br-lan.81 doesn't even exists, since it's a remnant of some older network interface I had, but it doesn't matter since they are all already unconfigured (see configs below):

Is there an expectation that 91 and 111 will be used on ethernet? Or is it wifi only? If wifi, is it using just a single radio, or will you use dual band?

The guest network, I might eventually put it on some port after switching something else out of it. The general one, I might eventually delete it, since if you can see, it's completely redundant and not used on any interface. I was planning br-lan.111 to be what actually br-lan is, but I believe the default lan is not an issue to be used and virtually identical to the br-lan.111. This is the configuration I had about a year before the issues started by the way, and I had no updates done to it.

As for the guest network, that one has a configured wireless AP, with dual band setup.

cat /etc/config/network

Here are the current configs:

# Updated /etc/config/network after the replies above: the two 802.1q
# 'config device' stanzas for br-lan.91 / br-lan.111 were removed, but no
# bridge-vlan was added for VLAN 91 or 111, so those two interfaces now
# reference devices that nothing defines (the next reply points this out).
# Review notes are the '#' lines; UCI treats them as comments.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

# VLAN-aware bridge with eth1 as its only member; every bridge-vlan below is
# tagged on eth1, which therefore acts as an 802.1Q trunk to the downstream switch.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

# NOTE(review): 'lan' (192.168.1.1, the zone with input ACCEPT) is VLAN 71,
# not VLAN 1. VLAN 1 is declared below but unused.
config interface 'lan'
	option device 'br-lan.71'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# PPPoE uplink; peerdns '0' replaces the ISP resolvers with Google's.
config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username 'REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

# No device attached: inert unless a wifi STA is bound to it later.
config interface 'wwan'
	option proto 'dhcp'

# ---- bridge-vlans, each tagged on the eth1 trunk ----
# VLAN 1: carried but not used by any interface.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '31'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '51'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '61'
	list ports 'eth1:t'

# VLAN 71 carries the 'lan' interface.
config bridge-vlan
	option device 'br-lan'
	option vlan '71'
	list ports 'eth1:t'

# VLAN 81: unused leftover according to the poster.
config bridge-vlan
	option device 'br-lan'
	option vlan '81'
	list ports 'eth1:t'

# Still no bridge-vlan for 91 or 111 here.

# Second management network ('admin' zone, input ACCEPT).
config interface 'VLAN21_admin'
	option proto 'static'
	option device 'br-lan.21'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'VLAN41_NAS'
	option proto 'static'
	option device 'br-lan.41'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'VLAN31_PC'
	option proto 'static'
	option device 'br-lan.31'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'VLAN51_Server'
	option proto 'static'
	option device 'br-lan.51'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

config interface 'VLAN61_IoT'
	option proto 'static'
	option device 'br-lan.61'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'

# br-lan.91 is no longer defined anywhere in this file (wifi-only guest network).
config interface 'VLAN91_Guest'
	option proto 'static'
	option device 'br-lan.91'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'

# br-lan.111 is likewise undefined; the poster says this network is unused.
config interface 'VLAN111_General'
	option proto 'static'
	option device 'br-lan.111'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

# WireGuard server; exposure is controlled by the 'WG_Home' firewall zone.
config interface 'wg_wg_home_vpn'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port 'REDACTED'
	list addresses '192.168.55.1/24'
	option mtu '1280'

# One /32 per peer: cryptokey routing only accepts that peer's packets when
# they carry its own tunnel address; preshared_key adds a symmetric secret
# on top of the Curve25519 handshake.
config wireguard_wg_wg_home_vpn
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description 'REDACTED'
	list allowed_ips '192.168.55.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_wg_home_vpn
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description 'REDACTED'
	list allowed_ips '192.168.55.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

cat /etc/config/firewall

# Updated /etc/config/firewall: the only change versus the first listing is
# that the redundant 'list device' lines were removed from the zones.
# Default-deny for router input and for forwarding between zones.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

# Uplink: NAT plus MSS clamping for PPPoE.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

# 192.168.1.0/24 (VLAN 71): input ACCEPT, so ping/SSH/LuCI on the router are
# fully reachable from this subnet and nothing below rejects it. The
# firewall therefore does not explain the Mac's inability to reach 192.168.1.1.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

# Unused network (see the poster's note above).
config zone
	option name 'General'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN111_General'

# Second management zone with full router access.
config zone
	option name 'admin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN21_admin'

config forwarding
	option src 'lan'
	option dest 'wan'

# ---- stock OpenWrt wan input rules ----
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules accepting forwarded ESP / UDP 500 from wan into 'lan'. Only
# relevant to a lan host reachable over IPv6; removable if no lan host
# terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: internet only, router input limited to the DHCP/DNS rule.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN91_Guest'

config forwarding
	option src 'guest'
	option dest 'wan'

# No 'proto' => OpenWrt default of tcp+udp. 53/853 reach the resolver, 67
# the DHCP server; 68 is the DHCP client port and is unnecessary on the
# router's input side (harmless).
config rule
	option name 'Guest DHCP and DNS'
	option src 'guest'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config zone
	option name 'PC'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN31_PC'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN61_IoT'

config zone
	option name 'NAS'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN41_NAS'

config zone
	option name 'Server'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VLAN51_Server'

# ---- inter-zone forwardings ----
# admin -> IoT/NAS/Server/wan; General -> wan/IoT/NAS; lan -> wan/IoT/NAS;
# PC/IoT/NAS/Server -> wan only. IoT/NAS/Server cannot initiate towards
# lan or admin; replies pass via connection tracking.
config forwarding
	option src 'admin'
	option dest 'IoT'

config forwarding
	option src 'admin'
	option dest 'NAS'

config forwarding
	option src 'admin'
	option dest 'Server'

config forwarding
	option src 'General'
	option dest 'wan'

config forwarding
	option src 'General'
	option dest 'IoT'

config forwarding
	option src 'General'
	option dest 'NAS'

config forwarding
	option src 'admin'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoT'

config forwarding
	option src 'lan'
	option dest 'NAS'

config forwarding
	option src 'PC'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'NAS'
	option dest 'wan'

config forwarding
	option src 'Server'
	option dest 'wan'

# DHCP/DNS input exception per REJECT-input zone (same port notes as the
# guest rule). The 'admin' copy is redundant because that zone already
# has input ACCEPT.
config rule
	option name 'PC DHCP and DNS'
	option src 'PC'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'IoT DHCP and DNS'
	option src 'IoT'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'NAS DHCP and DNS'
	option src 'NAS'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'Server DHCP and DNS'
	option src 'Server'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'General DHCP and DNS'
	option src 'General'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

config rule
	option name 'Admin DHCP and DNS'
	option src 'admin'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'

# WireGuard listen port opened on wan; unauthenticated packets get no reply.
config rule 'wg_rule_wg_home_vpn'
	option name 'Allow-WireGuard-wg_home_vpn-wan'
	option src 'wan'
	option dest_port 'REDACTED'
	option proto 'udp'
	option target 'ACCEPT'

# VPN clients: DNS on the router, internet, and the NAS zone - nothing else.
config zone
	option name 'WG_Home'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg_wg_home_vpn'

config forwarding
	option src 'WG_Home'
	option dest 'wan'

config rule
	option name 'WG Home DNS'
	option dest_port '53 853'
	option target 'ACCEPT'
	option src 'WG_Home'

config forwarding
	option src 'WG_Home'
	option dest 'NAS'

# Break-glass rules, disabled. Enabling the first gives the listed peer
# address(es) unrestricted router input (proto 'all'); narrowing it to the
# needed ports (e.g. 'option dest_port "22 443"') would be safer for the
# times it is switched on.
config rule
	option name 'WG Admin (enable on demand)'
	option src 'WG_Home'
	option target 'ACCEPT'
	list src_ip 'REDACTED'
	list proto 'all'
	option enabled '0'

config rule
	option name 'WG to Admin VLAN (enable on demand)'
	option src 'WG_Home'
	option dest 'admin'
	option target 'ACCEPT'
	list src_ip 'REDACTED'
	list proto 'all'
	option enabled '0'

# DNAT of TCP/443 from the lan zone to 192.168.4.245 only (src_dip) onto
# :10443 on the NAS. It does not match 192.168.1.1:443, so it cannot break
# HTTPS to the router. reflection '0' disables NAT loopback for this rule.
config redirect
	option dest 'NAS'
	option target 'DNAT'
	option family 'ipv4'
	list proto 'tcp'
	option src 'lan'
	option src_dport '443'
	option dest_ip '192.168.4.245'
	option dest_port '10443'
	option reflection '0'
	option src_dip '192.168.4.245'
	option name 'correct 443 router to 10443 nas'

Currently, these two networks are using devices that don't exist:

You have three choices:

  1. Add a bridge-vlan for each with it tagged on eth1 (just as you have for the other VLANs). There is no problem with doing this, as it will simply be ignored by the downstream switch if it isn't declared or used there. This option offers the most flexibility, though, as it makes the networks available to the downstream without any further router configuration changes.
  2. Create a bridge-vlan that simply has no ports (but is otherwise the same as the other bridge-vlans). I wouldn't recommend this method, though, as it a slightly unusual use of the syntax.
  3. Create a separate, empty bridge for each of these networks. You need to have these associated with a bridge (or bridge-vlan) since you are using them on wifi with dual band.

All that said, the rest of the config looks fine. I'd recommend you fix the above and then let's revisit the original issue.

Can you perform an experiment where you connect to the lan (192.168.1.0/24) and try to reach 192.168.1.1 again. When you perform those tests, we want to see if you can reach it by the web interface, ssh, and ping. If that doesn't work, try 192.168.9.1 with the same tests.

Then, switch to VLAN 21 (admin; 192.168.2.0/24) and run the same experiments (in fact, might as well add 192.168.2.1 to the mix).

In all tests, make sure that you are connected to the right network (check the address you get via DHCP) and that you have only that single connection to the network (i.e. single ethernet or wifi connection, no other connections). And, make sure that you don't have any VPNs running on the computer you use to test.

Can you perform an experiment where you connect to the lan (192.168.1.0/24) and try to reach 192.168.1.1 again. When you perform those tests, we want to see if you can reach it by the web interface, ssh, and ping. If that doesn't work, try 192.168.9.1 with the same tests.

On VLAN 21 192.168.1.1 is reachable, pingable.

make sure that you are connected to the right network (check the address you get via DHCP) and that you have only that single connection to the network (i.e. single ethernet or wifi connection, no other connections).

Checked.

However, I do have a new clue.

When I am connected to the 192.168.1.x subnet I can reach all the other subnets, by ping or by opening the router at 192.168.x.1 — all of them work properly — but 192.168.1.1 does not, despite me being connected to that subnet. Traceroute goes through 192.168.1.1 correctly too. I can ping other devices on the subnet (as long as we are on the same band, and provided that device is not the router itself, 192.168.1.1).

When I am connected at VLAN_21 (192.168.2.1 subnet) I can also reach them all, including 192.168.1.1, but I CANNOT reach 192.168.2.1.

So it seems that the issue is that I can't reach the router on the same subnet (pings or gateway), but I can on the other subnets it has firewall access to. Tracert once again routes correctly.

This experiment is useful, but it just doesn’t make any sense for this behavior to be observed.

What is the host operating system you’re using to run these tests? Do you have other machines/devices with a different OS that you can use to further confirm your findings?


@psherman Hmm, I just tested with my android phone, and I can connect/ping to the 192.168.1.1!

So it's my mac that's the issue, but how come? I cannot find anything that could affect this, keep in mind that when I switch to another subnet and vlan like VLAN_21, I can ping the subnet I couldn't previously, but now can't ping the subnet I am in.

Great. That proves that the network configuration is working properly (on the router).

I have no idea why this would be happening. I have many Macs and not a single one has ever shown this behavior. Do you have any VPN software or other 3rd party software that affects the network connectivity installed on your Mac? For example, are you running Wireguard on your Mac and is it activated? Or any antivirus software or a firewall?


I do: I have a VPN, WireGuard, and Little Snitch. But none of them should interfere with my setup given the configs I have; I have tried everything and I am very confused. I am also utterly confused about how the block on reaching the router changes dynamically depending on which VLAN I am currently on. Another thing is that these programs have been here the whole time; I have not changed anything.

Also, I cannot ping VLAN_41 or access SMB, but I can access 192.168.4.x:5001, which is the DSM login interface of my Synology NAS, through the web browser. So the only difference is that my phone can access 192.168.x.1 (including its own subnet gateway, which my Mac can't, and the rest of them, as long as it's connected to a VLAN that has access to those).

On my mac, same deal, my attached storage doesn't work, I checked Synology Firewall, everything is good, when trying with nc -vz 192.168.4.x 445 it succeeds. So this is also weird, actually this is how I noticed the issue with the router. My shared network drive stopped working, went to see if something is going on my router's end, and I couldn't access it on 192.168.1.1.

Please actively disable all of these and test again. If a VPN is active, it would explain this behavior for sure. Little Snitch is both a logger and a local firewall that can block certain network activity.

Your local VPN/little snitch could do this.... for example, you may be reaching the router via wireguard, but it may be unable to reach it on the local subnet because of the VPN being active.


But my VPN and WireGuard are both inactive, and Little Snitch has no rules that affect this either.

I even tried with the Network filter (essentially Little Snitch itself) disabled:


Also, the phone has the same issue with the NAS; see my previous reply.

Do you have other devices to test with? Another Mac/Win/Linux/ChromeOS box, or another phone or tablet?

If not, what Mac do you have? If it's an Intel model, you can actually boot a live USB stick of Linux -- I like Ubuntu for these tests. With that booted, you can test access to router and your NAS.
