Hi, can I use my lan to access services that are behind a vlan? However, the lan shouldn't be accessible from the vlan. A luci method would be great.
Thank you
This depends on your network topology, but might be as simple as a firewall rule.
Let’s see your config, and it would also be helpful to see a diagram of the network.
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
# Board / firmware identification (model, OpenWrt release)
ubus call system board
# Interfaces, bridge-VLANs and tunnels
cat /etc/config/network
# Wi-Fi radios and SSIDs (redact PSKs)
cat /etc/config/wireless
# dnsmasq / DHCP / RA settings
cat /etc/config/dhcp
# Zones, forwardings, rules and redirects (fw4)
cat /etc/config/firewall
As you can see from the diagram, it's a very basic network; in essence, VLAN "3" leads to the server that hosts the services I want to reach from the LAN interface. OpenWrt version: 24.10.0
Please post your configs directly into the forum (not via a 3rd party site)
Sorry.
# /etc/config/network as posted (keys, PPPoE credentials and endpoints redacted).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# No ULA prefix and IPv6 disabled on wan below: the router hands out no IPv6 prefix.
option ula_prefix ''
option packet_steering '1'
# One VLAN-aware bridge over the four LAN ports; each bridge-vlan below is a
# separate L2 domain, so VLAN-to-VLAN traffic can only pass through the router
# and is subject to the firewall zones.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
# NOTE(review): lan4 is a bridge member but is assigned to none of the
# bridge-vlans below - assign it to a VLAN deliberately or drop it from the bridge.
list ports 'lan4'
# Trusted LAN = VLAN 1 (untagged on lan1), 192.168.1.0/24
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username ''
option password ''
option ipv6 '0'
option delegate '0'
option peerdns '0'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'lan2:u*'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan3:u*'
# VLAN 2 (untagged on lan2), 192.168.2.0/24
config interface '2'
option device 'br-lan.2'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
# WireGuard client. NOTE(review): this interface is named 'wg', while the
# firewall zone 'vpn' lists network 'vpn' - unless something not shown maps
# them, the wg device is covered by no zone. Verify with `fw4 print`.
config interface 'wg'
option proto 'wireguard'
option private_key ''
list dns ''
list addresses ''
option delegate '0'
option mtu '1412'
config wireguard_vpn
option description ''
option public_key ''
option endpoint_host ''
option endpoint_port ''
# 0.0.0.0/0 together with route_allowed_ips installs a default route over the
# tunnel; presumably pbr (see firewall include) steers which zones use it.
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '25'
option route_allowed_ips '1'
# VLAN 3 (untagged on lan3), 192.168.3.0/24 - the IoT-like network hosting the services
config interface '3'
option proto 'static'
option device 'br-lan.3'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option delegate '0'
# /etc/config/dhcp as posted.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# Keep rebind protection on: it stops upstream answers pointing at RFC1918
# addresses, which matters when an untrusted VLAN shares this resolver.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# Answer only clients on directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# Upstream is two local listeners on 5053/5054 (presumably DoH proxies, given
# the doh_* keys below); noresolv=1 ignores the ISP resolvers from PPPoE.
list server '127.0.0.1#5054'
# Entries with no server make dnsmasq return NXDOMAIN for these names - this
# looks like the usual way of disabling iCloud Private Relay and the Firefox
# DoH canary so clients keep using the router's DNS (and the adblock list).
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'
list server '127.0.0.1#5053'
option doh_backup_noresolv '-1'
option noresolv '1'
list doh_backup_server '127.0.0.1#5054'
list doh_backup_server '/mask.icloud.com/'
list doh_backup_server '/mask-h2.icloud.com/'
list doh_backup_server '/use-application-dns.net/'
list doh_backup_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5054'
list addnhosts '/var/run/adblock-fast/dnsmasq.addnhosts'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# DHCPv6/RA are enabled here although no IPv6 prefix is configured; harmless,
# but clients will see RAs without a global prefix.
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp '2'
option interface '2'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# No explicit dhcpv4 option on VLAN 3; OpenWrt's default is 'server', which
# matches the allow-dhcp-3 firewall rule.
config dhcp '3'
option interface '3'
option start '100'
option limit '150'
option leasetime '12h'
# /etc/config/firewall as posted (fw4). Policy summary: everything is REJECT by
# default; only the 'lan' zone may reach the router itself; inter-zone traffic
# exists only where a 'config forwarding' section grants it.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Trusted LAN: full access to the router (LuCI/SSH) and intra-zone forwarding.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
# Stock OpenWrt wan rules follow.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through rules (wan -> lan). Not needed unless a LAN host
# terminates IPsec; they only matter for ESP/UDP 500 and can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# VLAN 2: no router access except the DNS/DHCP rules below; internet via wan.
config zone
option name '2'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '2'
# Router services exposed to the untrusted VLANs: DNS (53, no proto given so
# fw4 matches both TCP and UDP) and DHCP (UDP 67). Nothing else - LuCI/SSH
# stay unreachable from VLANs 2 and 3.
config rule
option name 'allow-dns-3'
option src '3'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'allow-dns-2'
option src '2'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'allow-dhcp-2'
list proto 'udp'
option src '2'
option dest_port '67'
option target 'ACCEPT'
config rule
option name 'allow-dhcp-3'
list proto 'udp'
option src '3'
option dest_port '67'
option target 'ACCEPT'
# NOTE(review): this zone lists network 'vpn', but /etc/config/network defines
# the WireGuard interface as 'wg'. Unless something not posted maps them, the
# tunnel device belongs to no zone and the lan->vpn / 3->vpn forwardings below
# grant nothing. Check with `fw4 print` / `fw4 zone vpn`.
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'vpn'
# There is deliberately no lan->wan forwarding: the trusted LAN leaves only
# through the tunnel (plus whatever the pbr include adds).
config forwarding
option src 'lan'
option dest 'vpn'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
# VLAN 3 (IoT-like): no router access beyond DNS/DHCP, no forwarding to lan or
# wan, tunnel only. To reach its services from the LAN one-way, add
#   config forwarding
#       option src 'lan'
#       option dest '3'
# fw4 forwarding is stateful, so replies to LAN-initiated connections are
# accepted while new connections from VLAN 3 towards lan still hit this
# zone's forward 'REJECT'. Do not add a 3->lan forwarding.
config zone
option name '3'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '3'
config forwarding
option src '3'
option dest 'vpn'
# Redirect all client DNS (TCP/UDP 53) to the router's resolver, so devices
# with hard-coded DNS servers still go through dnsmasq / the blocklist.
config redirect 'force dns'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option target 'DNAT'
option name 'force dns'
option dest 'lan'
option dest_port '53'
config redirect
option src '3'
option proto 'tcp udp'
option src_dport '53'
option target 'DNAT'
option name 'force dns'
option dest '3'
option dest_port '53'
# VLAN 2 is the only zone with a direct path to wan (no DNS redirect for it).
config forwarding
option src '2'
option dest 'wan'
So your config is pretty straightforward. Can you be more specific about what you are trying to achieve? Do you want “open” access from one network to another (while restricting the other direction), or do you have specific allowances/restrictions that you want to implement?
From the LAN interface, I would like to access the services on vlan "3"—basically, the hosted web interfaces that are on vlan 3. However, I don't want the vlan "3" to have access to the lan interface or be able to do anything. I'm not sure how to explain it better.
Just add the following forwarding to /etc/config/firewall and reload the firewall (in LuCI: Network → Firewall → Zones → edit the "lan" zone → tick "3" under "Allow forward to destination zones" → Save & Apply):
# One-way grant: lan may open connections into zone '3'. Return traffic is
# allowed by connection tracking; new connections from '3' to lan are still
# rejected by zone 3's forward policy, so do not add the reverse forwarding.
config forwarding
option src 'lan'
option dest '3'
Keep in mind that the hosts with services must accept traffic from a different subnet, so if it doesn't work, check the host-level firewalls (like Windows firewall). This forwarding is one-way: fw4 is stateful, so replies to connections started from the LAN get through, but new connections from VLAN 3 towards the LAN still hit zone 3's forward "REJECT", and its input "REJECT" keeps LuCI/SSH on the router unreachable from VLAN 3 (only DNS and DHCP are allowed).
Sounds fantastic. That way I can access my hosted web interfaces and other services while still knowing the LAN stays protected? I don't completely trust VLAN "3" because it's essentially an IoT network.