Trouble routing between VLANs

Hey everyone, I'm just starting out with OpenWRT and trying to set up a VLAN on my network, and I'd like to be able to SSH from VLAN 10 (192.168.86.0/24) to my primary LAN (192.168.86.0/24), but for some reason I can't get it to work. I added a rule to forward traffic going to port 22 on the 86.0 LAN, but I always end up with a timed-out connection. Whereas if I delete that rule, I immediately get a connection rejected error, which is what I expect.

Here's my network configuration:

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd1f:1269:d04d::/48'
network.globals.packet_steering='2'
network.globals.steering_flows='128'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.86.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='192.168.86.5'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan.hostname='*'
network.wan.peerdns='0'
network.wan.dns='192.168.86.5'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='eth0'
network.@device[1].vid='10'
network.@device[1].name='eth0.10'
network.vlan10=interface
network.vlan10.proto='static'
network.vlan10.device='vlan-10'
network.vlan10.ipaddr='192.168.10.1'
network.vlan10.netmask='255.255.255.0'
network.vlan10.type='bridge'
network.vlan10.dns='192.168.86.5'
network.@device[2]=device
network.@device[2].type='bridge'
network.@device[2].name='vlan-10'
network.@device[2].ports='eth0.10'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.device='eth1'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'

And my firewall configuration.

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].log='1'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='SSH vlan10->lan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].src='vlan10'
firewall.@rule[0].dest='lan'
firewall.@rule[0].dest_port='22'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Wireguard'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='51820'
firewall.@redirect[0].dest_ip='192.168.86.5'
firewall.@redirect[0].dest_port='51820'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='HTTP'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='192.168.86.5'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='HTTPS'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='192.168.86.5'
firewall.@redirect[2].dest_port='443'
firewall.@zone[2]=zone
firewall.@zone[2].name='vlan10'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].log='1'
firewall.@zone[2].network='vlan10'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vlan10'
firewall.@forwarding[1].dest='wan'

You currently appear to have your lan and wan on the same subnet. That will not work; they must be different.

Beyond that, please post the following (it's more readable):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have (global IPv6 addresses count as public too):

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi

SSH is on port 22.

My WAN is on my public IP on the 107.129.68.0/22 network, so it is not the same subnet as my LAN/VLAN. I have no trouble routing to the internet. I have an AdGuard DNS server on 192.168.86.5.

root@snoopy:~# ubus call system board
{
        "kernel": "6.1.89",
        "hostname": "snoopy",
        "system": "ARMv8 Processor rev 1",
        "model": "Raspberry Pi 5 Model B Rev 1.0",
        "board_name": "raspberrypi,5-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26399-17ca4cccc6",
                "target": "bcm27xx/bcm2712",
                "description": "OpenWrt SNAPSHOT r26399-17ca4cccc6"
        }
}
root@snoopy:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1f:1269:d04d::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.86.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.86.5'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option hostname '*'
        option peerdns '0'
        list dns '192.168.86.5'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'

config interface 'vlan10'
        option proto 'static'
        option device 'vlan-10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        list dns '192.168.86.5'

config device
        option type 'bridge'
        option name 'vlan-10'
        list ports 'eth0.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth1'
        option reqaddress 'try'
        option reqprefix 'auto'

root@snoopy:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/axi/1001100000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

root@snoopy:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'serenity'
        option ip '192.168.86.10'
        list mac ''

config host
        option name 'slimbox'
        list mac ''
        option ip '192.168.86.5'

config host
        option name 'tardis'
        list mac ''
        option ip '192.168.86.11'

config dhcp 'vlan10'
        option interface 'vlan10'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@snoopy:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'SSH vlan10->lan'
        list proto 'tcp'
        option src 'vlan10'
        option dest 'lan'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.86.5'
        option dest_port '51820'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.86.5'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.86.5'
        option dest_port '443'

config zone
        option name 'vlan10'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'vlan10'

config forwarding
        option src 'vlan10'
        option dest 'wan'

That was a mistake on my part. I meant port 22. I've updated my post.

For a start:
stop the firewall
/etc/init.d/firewall stop
then ping from vlan10 to the server on the LAN
then ssh from vlan10 to the server on the LAN

Delete this:

Edit vlan10 to look like this:

config interface 'vlan10'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

Delete this:

Then reboot your device and try again.

Still getting the same behavior. Stopping the firewall service didn't help either.

Do you have ping?
With / without the firewall?

With the firewall on, ping gave "Destination Port Unreachable". Without the firewall, I got "Request timed out."

So, you have basic problems with the routing or with the VLAN setup.

First, you need to make ping work;
then try to set up the firewall.

Yes, that's what I'm looking for help with.

Let's see your current
cat /etc/config/network
then
ip link
then
ip a

root@snoopy:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1f:1269:d04d::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.86.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.86.5'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option hostname '*'
        option peerdns '0'
        list dns '192.168.86.5'

config interface 'vlan10'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth1'
        option reqaddress 'try'
        option reqprefix 'auto'

root@snoopy:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
6: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
root@snoopy:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet 107.129.xx.xx/22 brd 107.129.71.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2600:1700:8e40:91e0:d237:45ff:fe13:65d1/64 scope global dynamic noprefixroute
       valid_lft 3383sec preferred_lft 3383sec
    inet6 2600:1700:8e40:91e0::48/128 scope global dynamic noprefixroute
       valid_lft 2746sec preferred_lft 2746sec
    inet6 fe80::d237:45ff:fe13:65d1/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet 192.168.86.1/24 brd 192.168.86.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 2600:1700:8e40:91ef::1/64 scope global dynamic noprefixroute
       valid_lft 2746sec preferred_lft 2746sec
    inet6 fd1f:1269:d04d::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::2ecf:67ff:fe1a:34bf/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global eth0.10
       valid_lft forever preferred_lft forever
    inet6 fe80::2ecf:67ff:fe1a:34bf/64 scope link
       valid_lft forever preferred_lft forever
root@snoopy:~# ip route
default via 107.129.68.1 dev eth1  src 107.129.xx.xx
107.129.68.0/22 dev eth1 scope link  src 107.129.xx.xx
192.168.10.0/24 dev eth0.10 scope link  src 192.168.10.1
192.168.86.0/24 dev br-lan scope link  src 192.168.86.1

OK, and vlan10 is terminated?
Where?
Do you have a managed switch?

I have a TP-Link TL-SG108E managed switch configured with port 1 untagged in VLAN 1 and tagged in VLAN 10. Port 3 is untagged in VLAN 10 with its default PVID set to 10.

Router is on port 1


OK, now
you have some PC on a vlan10 access (untagged) port.

Let's try to ping
192.168.10.1 from there.

Yes, the PC on VLAN 10 got the IP 192.168.10.204 and gets routed to the internet. I can ping and SSH from the PC to 192.168.10.1 and to 192.168.86.1, but I can't reach anything else on the 192.168.86.0/24 subnet.

What are the hosts in question? Are they Windows machines? If so, the local Windows firewall may be blocking the connections. Try temporarily disabling the Windows firewall to confirm, or try with a Linux or macOS host as the target.

Aha! My traffic appears to be getting blocked by the host firewall on the 192.168.86.5 server. Now I just need to figure out how to fix that in iptables and I'll be golden. Thanks for your help.