Traffic not passing between subnets

I’m using a Netgear Nighthawk R7800 and the main subnet is 192.168.1.1 which the hardwired PCs on ports lan1-3 and WiFi devices currently use, and I’ve created another subnet 10.10.55.1 for my server, which is using a static address of 10.10.55.198 (hardwired to port lan4).

I thought I’d created the correct rules in the firewall to allow traffic between the two subnets, but using my laptop connected to the WiFi and assigned the address 192.168.1.125 I was unable to connect to the server on 10.10.55.198.

With Tailscale running on the laptop and the server, I was able to connect from the laptop to the server using the Tailscale address of 100.x.x.x, so the server is able to access the Internet via the router; it’s only the internal traffic between the two subnets that is being blocked.

The only thing I can see in the config that looks a bit strange is in the /etc/config/dhcp it has

config dhcp 'SRVLAN'
option interface 'SRVLAN'

and

config dhcp 'srv_lan'
option interface 'srv_lan'

whereas in /etc/config/network it only has

config interface 'srv_lan'

but in /etc/config/firewall it creates the SRVLAN zone and associates it with the ‘srv_lan’ network

config zone
option name 'SRVLAN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'srv_lan'

so I don’t think the dhcp entry for SRVLAN could be causing the problem I’m having.

ubus call system board

{
        "kernel": "6.6.86",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ipq806x/generic",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4c:dc35:91a9::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'

config device
        option type 'bridge'
        option name 'br-iot'

config device
        option type 'bridge'
        option name 'br-srv'
        list ports 'lan4'

config interface 'srv_lan'
        option proto 'static'
        option device 'br-srv'
        option ipaddr '10.10.55.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '2g'
        option channel '8'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Visuals-X'
        option encryption 'psk2'
        option key 'x'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '161'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Visuals'
        option encryption 'sae-mixed'
        option key 'x'
        option ocv '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Visuals-SRV'
        option encryption 'sae-mixed'
        option key 'x'
        option ocv '0'
        option network 'srv_lan'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Visuals-Guest'
        option encryption 'psk2'
        option key 'x'
        option network 'guest'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Visuals-24G'
        option encryption 'psk2'
        option key 'x'
        option network 'lan'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Visuals-IoT'
        option encryption 'psk2'
        option key 'x'
        option network 'lan'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IoT_WAN'
        option interface 'IoT_WAN'
        option start '100'
        option limit '50'
        option leasetime '12h'
        option dhcpv4 'server'

config host
        option name 'Mums-PC'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.101'

config host
        option name 'Dads-PC'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.100'

config host
        option name 'Wiser-Hub'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.136'

config host
        option name 'Wyze-1'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.195'

config host
        option name 'Wyze-2'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.118'

config host
        option name 'Wyze-3'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.158'

config host
        option name 'KASA-KP303-PlugStrip'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.198'

config host
        option name 'Tapo-P110-Plug'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.160'

config host
        option name 'Tapo-L900-Lightstrip'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.191'

config host
        option name 'TPLink-HS100-Plug'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.147'

config host
        option name 'TP-Link-HS100-Plug-2'
        option dns '1'
        option mac 'x'
        option ip '192.168.1.140'

config dhcp 'SRVLAN'
        option interface 'SRVLAN'
        option start '250'
        option limit '3'
        option leasetime '12h'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'srv_lan'
        option interface 'srv_lan'
        option start '200'
        option limit '50'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'nss_ecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone
        option name 'IoT_WAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'IoT_WAN'

config forwarding
        option src 'IoT_WAN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'IoT_WAN'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option name 'Guest DNS'
        option src 'Guest'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'IoT'

config rule
        option name 'IoT DNS'
        option src 'IoT'
        option target 'ACCEPT'
        option dest_port '53'

config rule
        option name 'IoT-WAN DNS'
        option src 'IoT_WAN'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'allow_forward'
        option src 'wan'
        list src_ip '192.168.0.0/16'
        list src_ip '10.0.0.0/8'
        option dest '*'
        option target 'ACCEPT'

config rule
        option name 'Allow-Admin'
        list proto 'tcp'
        option src 'wan'
        option dest_port '20 80 443'
        option target 'ACCEPT'

config zone
        option name 'SRVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'srv_lan'

config forwarding
        option src 'SRVLAN'
        option dest 'wan'

config forwarding
        option src 'IoT'
        option dest 'SRVLAN'

config forwarding
        option src 'lan'
        option dest 'SRVLAN'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'Guest'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IoT DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IoT-WIN DHCP'
        list proto 'udp'
        option src 'IoT_WAN'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'SRVLAN'
        option dest_port '53'
        option target 'ACCEPT'
        option name 'SRV DNS'

config forwarding
        option src 'SRVLAN'
        option dest 'lan'

Could you try re-posting your configs using the </> code formatting. This makes it much more readable.

It seems to be hit or miss whether the preformatted text option messes up the formatting or not. I’ve edited my post and you can see that the /etc/config/network one looks OK but the subsequent ones got messed up by using that option.

Something certainly went wrong there. You should be able to click the </> button and you'll get what you see below where the text below is enclosed by three back-ticks (like this: `` -- here I just did two so it doesn't trigger the markdown):

type or paste code here

You simply copy your text and paste it in place of the "type or paste code here" between the sets of 3 back-ticks.

But more critically, it's still hard to read because your configs are missing all the indenting, and now it is entirely unreadable due to the messed up formatting. It should look like this (just a random example; see the configs after the log entry).

Can you try once more, please.

OK, I think that’s fixed it.

Thanks.

I've looked over the config and I do see some things that are odd, but not necessarily anything that would impact access from 192.168.1.125 > 10.10.55.198

Is tailscale still running on the server? Have you tried disabling it?

What OS is the server? If it's Windows, make sure that it is set to accept connections from subnets other than the local subnet. The default Windows firewall prohibits connections from other subnets.

Thanks.

I don’t think Tailscale was running on the server when I first tried, but I’ll test again and make sure it’s disabled. As I recall the laptop was connected to the Visuals-X SSID as it can’t connect to 5GHz, but that is on the ‘lan’ network and the firewall rules should allow traffic between ‘lan’ and ‘srv_lan’.

The server is running Proxmox VE, which is essentially Debian 13. I’ve moved it from my Dad’s house to mine at the moment and I can connect to the server on 10.10.55.198 from my PC on 10.10.18.64, so there doesn’t seem to be anything configured on the server that would have blocked access from a different subnet. I’ve tested with Tailscale activated and deactivated on the server (always with it not activated on my PC) and it works either way.

Not that it should make any difference, but I’m running OPNsense on my router so I can’t directly compare my config to that on my Dad’s OpenWrt router.

Could you let me know what odd things you spotted please, so I can correct them.

Sure…

Starting here:

You should be using a single bridge + bridge-VLANs for all networks using Ethernet. Multiple bridges on DSA devices (when addressing the Ethernet ports) don’t usually work reliably.

For the 2G band, use channels 1, 6, or 11 — these are the three non-overlapping channels. Avoid the intermediate ones since they will tend to have more noise since they overlap with channels on either side (and it causes problems for neighboring APs, too).

Don’t use sae-mixed as mixed mode operation tends to cause problems. Instead, use either WPA2 or WPA3.

And, I recommend using the same SSID for 2.4G and 5G when you’ve got the same network attached. Let the client devices use whichever band is best, dynamically, using the internal logic of the client devices.

In many cases, IoT devices are considered untrusted. To that end, you may want to consider setting the input rule to REJECT (and adding rules to accept DHCP and DNS) like you did for the guest network.

This rule probably shouldn’t be here and won’t do anything useful per the name of the rule — I’d recommend deleting it.

This rule should only be here if the upstream network is fully trusted and where there is a need to be able to manage the router from the upstream network. Otherwise, this should be deleted.


Thanks, that’s great. I’ll tidy those things up when I’m next over there and re-test Tailscale.

I’ve done all your suggestions except for this one, as I’m not sure how to do this. If I delete the br-srv device and then add lan4 to the Bridge ports for br-lan, how do I then set lan4 to use the 10.10.55.0 subnet and create a DHCP server for that subnet?

On the interfaces tab lan is associated with device br-lan and is set to use the 192.168.1.1 subnet, so if lan4 is part of br-lan how do I associate it with a different subnet?

I still can’t connect to the server on 10.10.55.198 from the laptop on 192.168.1.225. I can connect to the Raspberry Pi on 10.10.55.20 and from that I can ping 10.10.55.198, so the issue is specifically that traffic is not working between the laptop and 10.10.55.198.

If I connect the laptop to the Visuals-SRV SSID so it gets a 10.10.55.x IP address, I can then ping the server. Doing ‘route print’ on the laptop shows an active route for 10.10.55.0 when it’s connected to the Visuals-SRV SSID, but not when it’s connected to the Visuals SSID, so it seems to be an issue with the router not passing traffic between the two subnets, rather than an issue with the laptop or the server. Doing ‘route -p add 10.10.55.0 mask 255.255.255.0 192.168.1.1 if 23’ adds a persistent route as confirmed by ‘route print’ but I still can’t connect to 10.10.55.198.

EDIT: I’ve also tested from a wired PC on 192.168.1.100 and that can also ping the RPi on 10.10.55.20 but not the server on 10.10.55.198

It starts by putting lan4 back into the bridge:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

Then you create two bridge-VLANs:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '55'
        list ports 'lan4:u*'

Next, edit the lan interface to use br-lan.1 and the srv_lan network to use br-lan.55:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

...

config interface 'srv_lan'
        option proto 'static'
        option device 'br-lan.55'
        option ipaddr '10.10.55.1'
        option netmask '255.255.255.0'

You already have a DHCP server setup for srv_lan, so no further action is required there.

Check the local (host-level) firewall on the server. It is likely that it is blocking inbound connections originating from a different subnet than the server uses. This is common on Windows and a few other operating systems.


Ah thanks, I’ll do that.

I don’t think the issue with not being able to connect to the server from a different subnet can be an issue with the server’s firewall, because I had it at my house for a while connected to port 3 on my OPNsense router on 10.10.55.198, with my own PC and server connected to port 2 on 10.10.18.x and I was able to connect to my Dad’s server from them. The only difference is my Dad’s main network is on 192.168.1.0 but iptables -L -v -n doesn’t show any rule blocking traffic from that subnet.

Chain INPUT (policy ACCEPT 61991 packets, 9537K bytes)
 pkts bytes target     prot opt in     out     source               destination         
75951   14M ts-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ts-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 95946 packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  tailscale0 *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
    0     0 DROP       all  --  *      tailscale0  100.64.0.0/10        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      tailscale0  0.0.0.0/0            0.0.0.0/0           

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       100.100.105.x       0.0.0.0/0           
    0     0 RETURN     all  --  !tailscale0 *       100.115.x.0/23      0.0.0.0/0           
    0     0 DROP       all  --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0           
12395 4481K ACCEPT     all  --  tailscale0 *       0.0.0.0/0            0.0.0.0/0           
 1625 97500 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:41641

I edited /etc/config/network so it looks like this now:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4c:dc35:91a9::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '55'
        list ports 'lan4:u*

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'srv_lan'
        option proto 'static'
        option device 'br-lan.55'
        option ipaddr '10.10.55.1'
        option netmask '255.255.255.0''

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'

config device
        option type 'bridge'
        option name 'br-iot'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config route
        option interface 'srv_lan'
        option target '10.10.18.0/24'
        option gateway '10.10.55.102'

Then I did
uci commit
/etc/init.d/network restart

and now I've completely lost remote connection to the router, my Dad's PC which I was connected to via Rustdesk, and the machines on 10.10.55.x which I was connected to via Tailscale. What have I done wrong here?

EDIT: I've confirmed that all the computers connected to the router have lost connectivity, so I'm going to get my Dad to connect his laptop to it directly and also to a portable hotspot on his phone and hopefully I'll be able to ssh in that way and revert the network config to how it was before, but I really don't understand why this has broken it.

OK, I went over there and booted it into failsafe mode and fixed it.

My config files are now:

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4c:dc35:91a9::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '55'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'srv_lan'
	option proto 'static'
	option device 'br-lan.55'
	option ipaddr '10.10.55.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config route
	option interface 'srv_lan'
	option target '10.10.18.0'
	option netmask '255.255.255.0'
	option gateway '10.10.55.102'

firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'srv_lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nss_ecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'
	option family 'any'
	option reload '1'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'IoT_WAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'IoT_WAN'

config forwarding
	option src 'IoT_WAN'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoT_WAN'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Guest DNS'
	option src 'Guest'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'IoT'

config rule
	option name 'IoT DNS'
	option src 'IoT'
	option target 'ACCEPT'
	option dest_port '53'

config rule
	option name 'IoT-WAN DNS'
	option src 'IoT_WAN'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'SRVLAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'srv_lan'

config forwarding
	option src 'SRVLAN'
	option dest 'wan'

config forwarding
	option src 'IoT'
	option dest 'SRVLAN'

config forwarding
	option src 'lan'
	option dest 'SRVLAN'

config forwarding
	option src 'Guest'
	option dest 'wan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'Guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'IoT DHCP'
	list proto 'udp'
	option src 'IoT'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'IoT-WIN DHCP'
	list proto 'udp'
	option src 'IoT_WAN'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'SRVLAN'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'SRV DNS'

config forwarding
	option src 'SRVLAN'
	option dest 'lan'

config nat
	option name 'Prevent MAS for 10.10.18.0/24'
	option family 'ipv4'
	list proto 'all'
	option src 'wan'
	option src_ip '10.10.55.0/24'
	option dest_ip '10.10.18.0/24'
	option target 'ACCEPT'

What changes did you make to fix it? The only thing I'm seeing with a quick glance is the VLAN 55 definition of the lan4 port going from explicitly tagged (:u*) to having that suffix removed.

Yeah I think that is the only difference. In the GUI lan4 is still marked as U, so I guess that must be the default when it isn't explicitly stated in the config file. The * indicates "Is Primary VLAN", so I guess that shouldn't be ticked for lan4, but I don't know why it would have caused all the ports to stop working.

At least my original problem is fixed now and I can access the devices on the 10.10.55.0 subnet from the machines on the 192.168.1.0 subnet.

Now I just need to get the site-to-site Tailscale subnet routing working properly, but I'll start a new post about that.


The change should not have broken anything... I don't know why you had that experience.

great!

yup... a new thread makes sense.