Traffic between interfaces

Hello all,

I have the following network configuration:

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '101'
        option name 'lan1.101'
        option macaddr '<removed>'

config interface 'm'
        option proto 'static'
        option ipaddr '112.20.1.1'
        option netmask '255.255.255.0'
        option device 'lan1.101'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '102'
        option name 'lan1.102'
        option macaddr '<removed>'

config interface 'd'
        option proto 'static'
        option ipaddr '112.20.2.1'
        option netmask '255.255.255.0'
        option device 'lan1.102'

config interface 'u'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option device 'lan1.102'

with the following firewall configuration:

config zone
        option name 'm'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'm'

config zone
        option name 'd'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'd'
        list network 'u'

config rule
        option name 'A2D'
        option src 'm'
        option dest 'd'
        option target 'ACCEPT'
        list proto 'all'
        list src_ip '112.20.1.101'

The problem is that from the machine with IP 112.20.1.101 I can ping a device on the 112.20.2.0/24 network but not a device on the 192.168.1.0/24 network.

Any idea why?

Thanks
HL

Hi again,

After some tests I found an even weirder behavior.

I have 2 devices attached to interface 'u', with IP addresses 192.168.1.200 and 192.168.1.252.
From the router, when I try to ping them I receive responses from both, but from a machine attached to the 'm' network I receive a response only from 192.168.1.200.

Do you have any idea why the router is blocking the connection to 192.168.1.252?

Let's see the complete configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
{
        "kernel": "5.10.146",
        "hostname": "G",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '112.20.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '***omitted***'

config device
        option name 'wan'
        option macaddr '***omitted***'

config interface 'wan'
        option proto 'pppoe'
        option device 'wan.835'
        option username '***omitted***'
        option password '***omitted***'
        option ipv6 'auto'

config interface 'wan6'
        option proto 'pppoe'
        option device 'wan.835'
        option username '***omitted***'
        option password '***omitted***'
        option ipv6 'auto'

config interface 'direct'
        option proto 'static'
        option device 'lan4'
        option ipaddr '112.20.0.1'
        option netmask '255.255.255.0'

config interface 'm'
        option proto 'static'
        option ipaddr '112.20.1.1'
        option netmask '255.255.255.0'
        option device 'lan1.101'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '101'
        option name 'lan1.101'
        option macaddr '***omitted***'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '102'
        option name 'lan1.102'
        option macaddr '***omitted***'

config interface 'd'
        option proto 'static'
        option ipaddr '112.20.2.1'
        option netmask '255.255.255.0'
        option device 'lan1.102'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '103'
        option name 'lan1.103'
        option macaddr '***omitted***'

config interface 's'
        option proto 'static'
        option device 'lan1.103'
        option ipaddr '112.20.3.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '104'
        option name 'lan1.104'
        option macaddr '***omitted***'

config interface 'g'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'lan1.104'
        option ipaddr '112.20.4.1'

config interface 'vpn'
        option proto 'none'
        option device 'tun0'

config device
        option name 'lan4'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '835'
        option name 'wan.835'
        option macaddr '***omitted***'

config interface 'u'
        option proto 'static'
        option device 'lan1.102'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'
        option country 'FR'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'
        option country 'FR'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

DHCP:

config tag 'provider_dns'
        option dhcp_option '6,8.8.8.8,8.8.4.4'

config dnsmasq 'm_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/m.ch.local/'
        option domain 'm.ch.local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.m'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'm'
        list notinterface 'loopback'
        list server '8.8.8.8'
        list server '8.8.4.4'
        option noresolv '1'

config dhcp 'm'
        option instance 'm_dns'
        option interface 'm'
        option start '250'
        option limit '2'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

***list of hosts omitted***

config dnsmasq 'd_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/d.ch.local/'
        option domain 'd.ch.local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.d'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'd'
        list notinterface 'loopback'
        list server '8.8.8.8'
        list server '8.8.4.4'

config dhcp 'd'
        option instance 'd_dns'
        option interface 'd'
        option start '254'
        option limit '1'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

***list of hosts omitted***

config dnsmasq 's_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/s.ch.local/'
        option domain 's.ch.local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.s'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 's'
        list notinterface 'loopback'

config dhcp 's'
        option instance 's_dns'
        option interface 's'
        option start '250'
        option limit '1'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

***list of hosts omitted***

config dnsmasq 'g_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/g.ch.local/'
        option domain 'g.ch.local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.g'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'g'
        list notinterface 'loopback'

config dhcp 'g'
        option instance 'g_dns'
        option interface 'g'
        option start '200'
        option limit '10'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

***list of hosts omitted***

config dnsmasq 'direct_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/direct.ch.local/'
        option domain 'direct.ch.local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.direct'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'direct'

config dhcp 'direct'
        option instance 'direct_dns'
        option interface 'direct'
        option start '200'
        option limit '1'
        option leasetime '1h'
        option dhcpv4 'server'
        option ignore '1'

config dnsmasq 'u_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/u.d.ch.local/'
        option domain 'u.d.ch.local'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.u.d'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'u'

config dhcp 'u'
        option instance 'u_dns'
        option interface 'u'
        option start '200'
        option limit '0'
        option leasetime '1h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'main'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'main'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

config zone
        option name 'direct'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'direct'

config zone
        option name 'm'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'm'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'd'
        option forward 'ACCEPT'
        list network 'd'
        list network 'u'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 's'
        option forward 'ACCEPT'
        list network 's'

config zone
        option name 'g'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'g'

config forwarding
        option src 'g'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule
        option src 'm'
        option dest 'd'
        option target 'ACCEPT'
        option name 'A2D'
        list proto 'all'
        list src_ip '112.20.1.101'

config forwarding
        option src 'm'
        option dest 'wan'

config rule
        option name 'D2Wan'
        option src 'd'
        option dest 'wan'
        option target 'ACCEPT'
        list src_ip '112.20.2.101'
        list src_ip '112.20.2.102'
        list src_ip '112.20.2.103'
        list src_ip '112.20.2.200'
        list src_ip '192.168.1.252'
        list src_ip '192.168.1.200'

Thank you!

All of your interface addresses/subnets (except for u) are invalid... you need to stick with RFC1918 address ranges.

In fact... even your loopback is wrong.

The entire configuration should be reset to defaults and you should start over.
Keep it simple and just add one network, test, and then move on to the next only after the first new network functions as expected.

Hello, can you please explain to me how this affects the weird behavior I described before?

Well, the loopback address being wrong could cause all sorts of problems -- the system's loopback address is now non-standard and I have no idea what will happen, but I can predict it will not be good.

Further, when you use non-RFC1918 addresses, all bets are off insofar as they are nominally publicly routable addresses. In theory, it should route internally without an issue, but it's not worth even trying to figure out what's going on or if it will work properly because it will cause you issues later (i.e. on the internet).
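As an added illustration (this is not part of the thread and not anyone's posted code), here is a small Python script that parses the UCI fragments posted above and does two things: it reports the points the reviewer raised (subnets outside RFC1918 space, a loopback address outside 127.0.0.0/8) plus one plain observation from the posted network config (device lan1.102 is attached to both 'd' and 'u'), and it evaluates a simplified model of fw4's forward decision for a given source and destination address, in fw4's order: 'rule' sections of the source zone, then 'forwarding' sections, then the zone's own 'forward' policy for intra-zone traffic, then the global default. The model ignores protocols, ports and negated matches, the DROP fallback for unset policies is an assumption, and the embedded sample configs are trimmed copies of the masked ones in the thread.

```python
# Added example, not the thread's own code: lint an OpenWrt network config and
# evaluate its fw4 zone/rule layer for a given src -> dst forward.
import ipaddress
import shlex

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_uci(text):
    """Parse UCI text into [(type, name, {key: str | [str]})] in file order."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) < 2:
            continue
        kw, key, val = parts[0], parts[1], parts[2] if len(parts) > 2 else None
        if kw == "config":                       # "config type" or "config type 'name'"
            sections.append((key, val, {}))
        elif kw == "option":
            sections[-1][2][key] = val or ""
        elif kw == "list":
            sections[-1][2].setdefault(key, []).append(val or "")
    return sections


def static_interfaces(net):
    """interface name -> (IPv4Interface, device) for every interface with a single ipaddr."""
    out = {}
    for t, name, o in net:
        if t == "interface" and isinstance(o.get("ipaddr"), str):
            addr = o["ipaddr"] if "/" in o["ipaddr"] else f"{o['ipaddr']}/{o.get('netmask', '32')}"
            out[name] = (ipaddress.ip_interface(addr), o.get("device"))
    return out


def lint_network(net):
    """Reviewer's objections (non-RFC1918 subnets, loopback outside 127/8) plus one
    plain observation from the config: an L2 device attached to several interfaces."""
    findings, by_device = [], {}
    for name, (ifc, dev) in static_interfaces(net).items():
        by_device.setdefault(dev, []).append(name)
        if dev == "lo" and ifc.ip not in ipaddress.ip_network("127.0.0.0/8"):
            findings.append(f"loopback '{name}' is {ifc.ip}, expected an address in 127.0.0.0/8")
        elif dev != "lo" and not any(ifc.network.subnet_of(p) for p in RFC1918):
            findings.append(f"interface '{name}' {ifc.network} is outside RFC1918 space")
    for dev, names in by_device.items():
        if len(names) > 1:
            findings.append(f"device {dev} is attached to interfaces {', '.join(sorted(names))}")
    return findings


def zone_of(ip, fw, ifaces):
    """Name of the zone whose member network contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    for t, _, o in fw:
        nets = o.get("network", []) if t == "zone" else []
        for n in (nets if isinstance(nets, list) else nets.split()):
            if n in ifaces and ip in ifaces[n][0].network:
                return o["name"]
    return None


def ip_match(ip, spec):
    """True when spec (str, list or None) is empty or ip lies in one of its prefixes."""
    specs = spec if isinstance(spec, list) else (spec or "").split()
    return not specs or any(ip in ipaddress.ip_network(s, strict=False) for s in specs)


def forward_verdict(src, dst, fw, ifaces):
    """Simplified fw4 decision for a new IPv4 flow forwarded src -> dst: source-zone
    'rule' sections, then 'forwarding' sections, then the zone's own 'forward' policy
    for intra-zone traffic, then the global default.  Protocols, ports and '!'
    negations are not modelled; DROP as the fallback for unset policies is an assumption."""
    sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(sip, fw, ifaces), zone_of(dip, fw, ifaces)
    if sz is None or dz is None:
        return "NO-ZONE"
    zones = {o["name"]: o for t, _, o in fw if t == "zone"}
    default = next((o for t, _, o in fw if t == "defaults"), {}).get("forward", "DROP")
    for t, _, o in fw:
        if (t == "rule" and o.get("src") == sz and o.get("dest") in (dz, "*")
                and o.get("family", "ipv4") in ("ipv4", "any")
                and ip_match(sip, o.get("src_ip")) and ip_match(dip, o.get("dest_ip"))):
            return o.get("target", "DROP")
    if any(t == "forwarding" and o.get("src") == sz and o.get("dest") == dz for t, _, o in fw):
        return "ACCEPT"
    return zones[sz].get("forward", "DROP") if sz == dz else default


# Constructed sample: the thread's masked 'm', 'd' and 'u' interfaces and zones, trimmed.
NETWORK = """\
config interface 'm'
  option ipaddr '112.20.1.1'
  option netmask '255.255.255.0'
  option device 'lan1.101'
config interface 'd'
  option ipaddr '112.20.2.1'
  option netmask '255.255.255.0'
  option device 'lan1.102'
config interface 'u'
  option ipaddr '192.168.1.1'
  option netmask '255.255.255.0'
  option device 'lan1.102'
"""
FIREWALL = """\
config defaults
  option forward 'REJECT'
config zone
  option name 'm'
  list network 'm'
config zone
  option name 'd'
  option forward 'ACCEPT'
  list network 'd'
  list network 'u'
config rule
  option src 'm'
  option dest 'd'
  option target 'ACCEPT'
  list src_ip '112.20.1.101'
"""

if __name__ == "__main__":
    net, fw = parse_uci(NETWORK), parse_uci(FIREWALL)
    print(*lint_network(net), sep="\n")
    for dst in ("112.20.2.200", "192.168.1.252"):
        print("112.20.1.101 ->", dst, forward_verdict("112.20.1.101", dst, fw, static_interfaces(net)))
```

Run against the posted addresses it returns ACCEPT for both 112.20.1.101 -> 112.20.2.200 and 112.20.1.101 -> 192.168.1.252, because both destinations sit in zone 'd', which rule A2D covers; the zone/rule layer treats the two destinations alike. What the script does not model is routing, ARP, or the firewalls of the hosts themselves.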

Ok, thank you for the explanation.

I have to admit that I changed the real addresses. The 112.20.x.x ranges are not the real ones; I wanted to mask them, thinking they would not have affected the problem analysis. Anyway, the real ones are 172.16.x.x, and I can say that the system has worked fine for years before adding the 'u' interface.
I cannot reset the router as it is in production, therefore if you can help it is appreciated; otherwise I think I have to find a solution by myself.

Providing the real RFC1918 addresses will not compromise your network security because they are not publicly routable. That is to say that everyone uses the same general ranges...

So, please post your unredacted/unchanged configs (only redacting things that are actually private information like public IPs, passwords and SSID names, PPPoE credentials, etc.)