Two VLANs but one doesn't have internet connection

Hi there,

this is my first post to this excellent forum, which has already been a great help in getting OpenWrt up and running.

I am using the custom build by @hnyman for my Netgear R7800 (https://forum.openwrt.org/t/build-for-netgear-r7800/) which I further customized by integrating additional packages. It works like a charm with a basic setup (1 interface with wifi, no VLAN configuration).

Now, I would like to set up a more advanced configuration which separates my IoT devices from my file shares, printers, and so on. That means I would like to have one VLAN 'lan' and one VLAN 'iot'. Both should have their own DHCP servers and Wi-Fi networks and, of course, internet access. Reaching the 'iot' VLAN from 'lan' would be nice but is optional; the IoT devices themselves should stay isolated. Nothing exotic, if you will.

I managed to set-up the configuration: My devices can connect to the VLANs (via cable and wifi) and receive different IP- and Broadcast-addresses as configured in the DHCP servers of the respective interfaces.

Unfortunately, the new 'iot' VLAN doesn't have internet access and I can't figure out how to get it working. Since DHCP and local addressing work correctly, I assume it is a firewall problem. That's why I tried

# Variant 1: a copy of the 'lan' zone policy. Two problems: it names no
# network (no `list network 'iot'`), so the zone covers nothing; and
# input ACCEPT would let every IoT device reach every service running on
# the router (LuCI, SSH, file shares if the router hosts any) -- the
# opposite of what an isolated segment is for.
config zone
	option name 'iot'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

to simply duplicate the working 'lan' zone configuration, as well as

# Variant 2: guest-wifi style policy (input REJECT, with separate allow
# rules for DNS and DHCP). This is the right least-privilege shape for an
# IoT segment, but it still names no network, so the 'iot' interface stays
# unzoned and falls under 'config defaults' instead of this zone.
config zone
	option name 'iot'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

following the guest-wifi tutorial: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface (which means that I also added the zone's DNS and DHCP input rules, plus the forwarding from 'iot' to 'wan').

I would deeply appreciate some help after spending several sleepless nights over this... :wink:

Best
Mirco

P.S.: From the other posts I read on this topic I learnt that you might need these:

/etc/config/network:


# /etc/config/network -- two routed segments, 'lan' and 'iot', each on its
# own 802.1Q VLAN towards the switch (eth0.1 / eth0.3); 'wan' on eth0.2.
# Wi-Fi membership of the bridges is defined in /etc/config/wireless (not shown).

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA prefix from which ip6assign hands sub-prefixes to lan (/60) and iot (/64).
	option ula_prefix 'fda8:b4de:8670::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.2'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option ifname 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Switch VLANs: one untagged physical port per network, all tagged to the
# CPU port 0. NOTE(review): ports 1 and 2 appear in no switch_vlan, so
# anything plugged into them carries no network at all -- confirm that is
# intended rather than an oversight.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '3 0t'

# The IoT segment. It is a separate /24 with its own bridge, so the router
# is the only path between 'iot' and 'lan' and the firewall decides what
# crosses; nothing here makes it reachable from or to 'lan'.
config interface 'iot'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option ip6assign '64'
	option type 'bridge'
	option ifname 'eth0.3'

/etc/config/dhcp


# /etc/config/dhcp -- one dnsmasq instance serving both segments.

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# Discard upstream answers that point at private addresses
	# (DNS-rebinding protection); rebind_localhost exempts 127.0.0.0/8.
	option rebind_protection '1'
	option rebind_localhost '1'
	# 'lan' is used as the local domain for all leases, including the
	# 'iot' pool below -- hosts on both segments get the same suffix.
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# dnsmasq --local-service: answer DNS only for directly attached
	# subnets (lan and iot), so the resolver is not an open resolver on wan.
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Same pool layout for the IoT segment (.100-.249 of 192.168.2.0/24).
# This works as reported, which is why the missing internet access was
# a firewall/zone problem rather than an addressing one.
config dhcp 'iot'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'iot'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

/etc/config/firewall


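# /etc/config/firewall -- annotated. The only functional change from the
# file as posted is `list network 'iot'` in the iot zone (see that section),
# which is the fix confirmed later in the thread.

config defaults
	option syn_flood '1'
	# Policies for traffic on interfaces that belong to NO zone. As posted,
	# 'iot' was such an interface: it got forward REJECT from here, and the
	# forwarding/rules that name src 'iot' below never matched it.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# IoT zone, least privilege towards the router and towards 'lan':
#  - input REJECT: IoT devices reach only the router services explicitly
#    allowed by the 'iot dns' / 'iot dhcp' rules at the end of this file.
#  - forward REJECT here governs traffic between interfaces INSIDE this
#    zone only; traffic to other zones is permitted solely by the
#    'config forwarding' sections (iot -> wan below, and nothing to lan).
config zone
	option name 'iot'
	# This line was missing from the posted config. Without it the zone
	# covers no interface, so the 'iot' network is unzoned (see defaults).
	list network 'iot'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# --- stock OpenWrt wan input/forward rules below ---

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that let inbound IPsec (ESP and IKE/UDP 500) from wan be
# forwarded to hosts on 'lan'. Harmless if nothing on lan answers, but
# they can be removed if no IPsec endpoint sits behind this router.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

# NOTE(review): miniupnpd lets clients open inbound WAN port mappings for
# themselves. Its listening interfaces are set in /etc/config/upnpd (not
# shown here); make sure it serves 'lan' only and is NOT bound to 'iot',
# otherwise IoT devices can punch holes in the wan firewall at will.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

# Internet for the IoT segment. There is deliberately NO iot -> lan
# forwarding (that is the isolation this setup exists for). lan -> iot was
# described as optional in the question; if wanted, add a second
# 'config forwarding' with src 'lan' and dest 'iot' -- that direction only.
config forwarding
	option dest 'wan'
	option src 'iot'

# Rules with src 'iot' and no dest apply to INPUT, i.e. traffic to the
# router itself. Together with the zone's input REJECT they allow exactly
# DNS and DHCP to the router and nothing else (no LuCI, SSH, ...).
config rule
	option dest_port '53'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'iot dns'
	option src 'iot'

config rule
	option dest_port '67-68'
	option src 'iot'
	option name 'iot dhcp'
	option target 'ACCEPT'
	option proto 'udp'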

Under the iot firewall zone, `list network 'iot'` is missing. Without it the zone covers no interface, so the 'iot' network falls under the 'defaults' policies (forward REJECT) and your iot → wan forwarding never applies.


Thank you very much, this did the trick. But I'm a little confused why I had to add this line using the console.

Do you know where to set this up in LuCI? I set up the interfaces using the web interface. But all the firewall/interface menus still look the same as before. Did I miss something?

You had created the iot zone in the firewall, but didn't associate any interface with it. You can set (and check) this either under Interfaces → iot → Firewall Settings tab, or under Firewall → Edit iot zone → Covered networks; either one writes the `list network 'iot'` line into /etc/config/firewall.


I checked this via interfaces->iot->firewall settings. The iot network also showed up as covered network. Nevertheless, I had to add the suggested line manually...
