Hey everyone, I'm just starting out with OpenWrt and trying to set up a VLAN on my network. I'd like to be able to SSH from VLAN 10 (192.168.86.0/24) to my primary LAN (192.168.86.0/24), but for some reason I can't get it to work. I added a rule to forward traffic going to port 22 on the 86.0 LAN, but I always end up with a timed-out connection, whereas if I delete that rule I immediately get a connection-rejected error, which is what I expect.
Here's my network configuration
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd1f:1269:d04d::/48'
network.globals.packet_steering='2'
network.globals.steering_flows='128'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.86.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='192.168.86.5'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan.hostname='*'
network.wan.peerdns='0'
network.wan.dns='192.168.86.5'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='eth0'
network.@device[1].vid='10'
network.@device[1].name='eth0.10'
network.vlan10=interface
network.vlan10.proto='static'
network.vlan10.device='vlan-10'
network.vlan10.ipaddr='192.168.10.1'
network.vlan10.netmask='255.255.255.0'
network.vlan10.type='bridge'
network.vlan10.dns='192.168.86.5'
network.@device[2]=device
network.@device[2].type='bridge'
network.@device[2].name='vlan-10'
network.@device[2].ports='eth0.10'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.device='eth1'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
And my firewall configuration.
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].log='1'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='SSH vlan10->lan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].src='vlan10'
firewall.@rule[0].dest='lan'
firewall.@rule[0].dest_port='22'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Wireguard'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='51820'
firewall.@redirect[0].dest_ip='192.168.86.5'
firewall.@redirect[0].dest_port='51820'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='HTTP'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='192.168.86.5'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='HTTPS'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='192.168.86.5'
firewall.@redirect[2].dest_port='443'
firewall.@zone[2]=zone
firewall.@zone[2].name='vlan10'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].log='1'
firewall.@zone[2].network='vlan10'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vlan10'
firewall.@forwarding[1].dest='wan'
You currently appear to have your lan and wan on the same subnet. That will not work; they must be different.
Beyond that, please post the following (it's more readable):
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
My WAN is on my public IP on the 107.129.68.0/22 network, so it is not the same subnet as my LAN/VLAN. I have no trouble routing to the internet. I have an AdGuard DNS server on 192.168.86.5.
root@snoopy:~# ubus call system board
{
"kernel": "6.1.89",
"hostname": "snoopy",
"system": "ARMv8 Processor rev 1",
"model": "Raspberry Pi 5 Model B Rev 1.0",
"board_name": "raspberrypi,5-model-b",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r26399-17ca4cccc6",
"target": "bcm27xx/bcm2712",
"description": "OpenWrt SNAPSHOT r26399-17ca4cccc6"
}
}
root@snoopy:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd1f:1269:d04d::/48'
option packet_steering '2'
option steering_flows '128'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.86.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.86.5'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option hostname '*'
option peerdns '0'
list dns '192.168.86.5'
config device
option type '8021q'
option ifname 'eth0'
option vid '10'
option name 'eth0.10'
config interface 'vlan10'
option proto 'static'
option device 'vlan-10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option type 'bridge'
list dns '192.168.86.5'
config device
option type 'bridge'
option name 'vlan-10'
list ports 'eth0.10'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
option reqaddress 'try'
option reqprefix 'auto'
root@snoopy:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/axi/1001100000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option channel 'auto'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
root@snoopy:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'serenity'
option ip '192.168.86.10'
list mac ''
config host
option name 'slimbox'
list mac ''
option ip '192.168.86.5'
config host
option name 'tardis'
list mac ''
option ip '192.168.86.11'
config dhcp 'vlan10'
option interface 'vlan10'
option start '100'
option limit '150'
option leasetime '12h'
root@snoopy:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'SSH vlan10->lan'
list proto 'tcp'
option src 'vlan10'
option dest 'lan'
option dest_port '22'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.86.5'
option dest_port '51820'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.86.5'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.86.5'
option dest_port '443'
config zone
option name 'vlan10'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
list network 'vlan10'
config forwarding
option src 'vlan10'
option dest 'wan'
That was a mistake on my part. I meant port 22. I've updated my post.
for start ...
stop firewall
/etc/init.d/firewall stop
then ping from vlan10 to server on lan
then ssh from vlan10 to server on lan
Delete this:
Edit vlan10 to look like this:
config interface 'vlan10'
option proto 'static'
option device 'eth0.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
Delete this:
Then reboot your device and try again.
Still getting the same behavior. Stopping the firewall service didn't help either.
Do you have ping?
With / without the firewall?
With the firewall running, ping gave me "Destination Port Unreachable". Without the firewall, I got "Request timed out."
So you have basic problems with routing or with the VLAN setup.
First, you need to make ping work;
then try to set up the firewall.
Yes, that's what I'm looking for help with.
let's see your current
cat /etc/config/network
then
ip link
then
ip a
root@snoopy:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd1f:1269:d04d::/48'
option packet_steering '2'
option steering_flows '128'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.86.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.86.5'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option hostname '*'
option peerdns '0'
list dns '192.168.86.5'
config interface 'vlan10'
option proto 'static'
option device 'eth0.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
option reqaddress 'try'
option reqprefix 'auto'
root@snoopy:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
6: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
root@snoopy:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
inet 107.129.xx.xx/22 brd 107.129.71.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 2600:1700:8e40:91e0:d237:45ff:fe13:65d1/64 scope global dynamic noprefixroute
valid_lft 3383sec preferred_lft 3383sec
inet6 2600:1700:8e40:91e0::48/128 scope global dynamic noprefixroute
valid_lft 2746sec preferred_lft 2746sec
inet6 fe80::d237:45ff:fe13:65d1/64 scope link
valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
inet 192.168.86.1/24 brd 192.168.86.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 2600:1700:8e40:91ef::1/64 scope global dynamic noprefixroute
valid_lft 2746sec preferred_lft 2746sec
inet6 fd1f:1269:d04d::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::2ecf:67ff:fe1a:34bf/64 scope link
valid_lft forever preferred_lft forever
6: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether xxx brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 brd 192.168.10.255 scope global eth0.10
valid_lft forever preferred_lft forever
inet6 fe80::2ecf:67ff:fe1a:34bf/64 scope link
valid_lft forever preferred_lft forever
root@snoopy:~# ip route
default via 107.129.68.1 dev eth1 src 107.129.xx.xx
107.129.68.0/22 dev eth1 scope link src 107.129.xx.xx
192.168.10.0/24 dev eth0.10 scope link src 192.168.10.1
192.168.86.0/24 dev br-lan scope link src 192.168.86.1
OK, and where is vlan10 terminated?
Where?
Do you have a managed switch?
I have a TP-Link TL-SG108E managed switch configured with port 1 untagged with VLAN 1 and tagged with VLAN 10. Port 3 is untagged with VLAN 10 and set to a default PVID of 10.
Router is on port 1
OK, now:
you have some PC on a vlan10 access (untagged) port;
let's try to ping
192.168.10.1 from there.
Yes, the PC on VLAN 10 got the IP 192.168.10.204 and gets routed to the internet. I can ping and SSH from the PC to 192.168.10.1 and to 192.168.86.1, but I can't reach anything else on the 192.168.86.0/24 subnet.
What are the hosts in question? Are they Windows machines? If so, the local Windows firewall may be blocking the connections. Try temporarily disabling the Windows firewall to confirm, or try with a Linux or macOS host as the target.
Aha! My traffic appears to be getting blocked at the 192.168.86.5 server firewall. Now I just need to figure out how to fix that in iptables and I'll be golden. Thanks for your help.