Vlan access to another vlan

After setting up three VLANs (11 IoT, 33 LAN, 99 guest), I would like to access VLAN 11 from VLAN 33.

Situation / Problem
I cannot ping or access devices in VLAN 11 from VLAN 33. The server in VLAN 11 is up and running.

This is my firewall setting:

in this post you can find my config files:

What do I have to change on my firewall?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords (including Wi-Fi keys and VPN private keys), MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here is the information:

  • network

# Loopback interface, 127.0.0.1/8.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix; the value was redacted by the poster.
config globals 'globals'
	option ula_prefix 'xxxx'

# Bridge over all four LAN ports. Per-port VLAN membership is defined by the
# 'bridge-vlan' sections of this file, not here.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Main LAN: VLAN 33 on the bridge, router address 192.168.33.1/24.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.33'
	option ipaddr '192.168.33.1'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	# ip4table/ip6table place this interface's routes in routing table 1
	# instead of the main table.
	# NOTE(review): every VLAN interface in this file uses its own table. When
	# inter-VLAN traffic fails although the firewall allows it, inspect
	# `ip rule` and `ip route show table <n>` on the router - to be confirmed.
	option ip4table '1'
	option ip6table '1'

# WAN port with an overridden MAC address (value redacted by the poster).
config device
	option name 'wan'
	option macaddr 'xxxx'

# IPv4 uplink via DHCP; its routes go into routing table 4.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ip4table '4'

# IPv6 uplink via DHCPv6. 'auto 0' means the interface is not brought up
# automatically, so IPv6 on the WAN side is off unless started by hand.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option ip6table '4'

# WireGuard client interface. private_key is the secret of this tunnel and is
# correctly redacted here; a key that was ever posted in clear must be rotated.
# No ip4table is set, so routes of this interface land in the main table.
config interface 'WGInterface'
	option proto 'wireguard'
	option private_key 'xxxx'
	list addresses 'xxxx'
	option force_link '1'

# Single peer (the VPN server); public key and endpoint host are redacted.
config wireguard_WGInterface
	option public_key 'xxxx'
	# 0.0.0.0/0 together with route_allowed_ips installs a route for all IPv4
	# destinations through the tunnel. There is no '::/0' entry, so IPv6 is not
	# covered by the tunnel.
	# NOTE(review): IPv6 leak protection then depends on wan6 staying disabled
	# ('auto 0' in this file) - confirm.
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'xxxx'
	option endpoint_port '51820'

# VLAN 33 (LAN): untagged and PVID ('u*') on lan1-lan3, tagged ('t') on lan4.
config bridge-vlan
	option device 'br-lan'
	option vlan '33'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

# VLAN 11 (IoT): only present as a tagged VLAN on lan4.
# NOTE(review): the device behind lan4 has to carry VLAN 11 to the port the
# IoT server is attached to; verify its tagging when VLAN 11 hosts are
# unreachable.
config bridge-vlan
	option device 'br-lan'
	option vlan '11'
	list ports 'lan4:t'

# VLAN 99 (guest): only present as a tagged VLAN on lan4.
# lan4 is a trunk for all three VLANs, so whatever is connected there is
# trusted to keep them separated.
config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan4:t'

# Guest network: VLAN 99, router address 192.168.99.1/24, routes in table 3.
config interface 'Gast'
	option proto 'static'
	option device 'br-lan.99'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ip4table '3'
	option ip6table '3'

# IoT network: VLAN 11, router address 192.168.11.1/24, routes in table 2.
# NOTE(review): the connected route for 192.168.11.0/24 is kept in table 2,
# not in the main table; confirm with `ip route show table 2` and `ip rule`
# that packets arriving from the LAN can find it.
config interface 'IoT'
	option proto 'static'
	option device 'br-lan.11'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ip4table '2'
	option ip6table '2'

# Policy routing: IPv4 traffic entering on 'Gast' is looked up in table 4,
# the table the 'wan' interface writes its routes to (ip4table '4').
# NOTE(review): this presumably sends guests out via the WAN uplink instead of
# the WireGuard tunnel - confirm. No such rule exists for 'lan' or 'IoT'.
config rule 'Gast_wan'
	option in 'Gast'
	option lookup '4'
	option priority '30000'

# Same rule for IPv6; table 4 is also wan6's ip6table.
config rule6 'Gast_wan6'
	option in 'Gast'
	option lookup '4'
	option priority '30000'

  • wireless

# 5 GHz radio, channel 36, VHT80. Disabled, so no SSID bound to it is active.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option country 'FR'
	option cell_density '0'
	option disabled '1'

# 2.4 GHz radio, channel 1, HT20. This is the only enabled radio.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'FR'
	option cell_density '0'

# All SSIDs and pre-shared keys below were redacted by the poster.
# 'psk-mixed' accepts the older WPA (version 1) handshake in addition to WPA2;
# 'psk2' (or 'sae-mixed' where supported) is the stricter choice when no client
# needs WPA1.
# 'wpa_disable_eapol_key_retries' is the access-point-side workaround for the
# KRACK key-reinstallation attacks.

# LAN SSID on the 5 GHz radio; disabled (and radio0 is disabled as well).
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxxx'
	option key 'xxxx'
	option network 'lan'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'psk-mixed'
	option disabled '1'

# LAN SSID on the 2.4 GHz radio; the only wifi-iface without 'disabled'.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxxx'
	option key 'xxxx'
	option network 'lan'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'psk-mixed'

# Guest SSID; disabled. 'isolate 1' blocks traffic between wireless clients of
# this SSID.
config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxxx'
	option encryption 'psk-mixed'
	option isolate '1'
	option key 'xxxx'
	option network 'Gast'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

# IoT SSID; disabled. Unlike the guest SSID it has no 'isolate' option, so IoT
# clients on this SSID would be able to talk to each other once it is enabled.
config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxxx'
	option encryption 'psk-mixed'
	option key 'xxxx'
	option network 'IoT'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

  • dhcp

# Router-side DNS forwarder / DHCP server settings.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection: upstream answers pointing into private address
	# ranges are discarded. It only protects clients that actually resolve
	# through this dnsmasq; the DHCP pools in this file hand out 1.1.1.1 and
	# 1.0.0.1 (dhcp_option 6), so those clients bypass it.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Only answer queries coming from directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	# Upstream resolver in private address space.
	# NOTE(review): presumably the VPN provider's resolver reachable through
	# the WireGuard tunnel - confirm.
	list server '10.2.0.1'

# DHCP pools. In every pool dhcp_option 3 sets the default gateway to the
# router's address in that VLAN and dhcp_option 6 hands out the public
# resolvers 1.1.1.1 / 1.0.0.1. Clients therefore send DNS queries straight to
# those resolvers and not to the router, so the dnsmasq settings
# (rebind_protection, upstream server) do not apply to them.

# LAN pool: 192.168.33.200 onwards, 30 addresses.
config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '200'
	option limit '30'
	list dhcp_option '3,192.168.33.1'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

# No DHCP service on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest pool: 192.168.99.200 onwards, 30 addresses, shorter 6h lease.
config dhcp 'Gast'
	option interface 'Gast'
	option start '200'
	option limit '30'
	option leasetime '6h'
	list dhcp_option '3,192.168.99.1'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

# IoT pool: 192.168.11.200 onwards, 30 addresses.
# NOTE(review): a server with a static address in VLAN 11 needs 192.168.11.1
# as its gateway to answer hosts in 192.168.33.0/24 - verify on the server.
config dhcp 'IoT'
	option interface 'IoT'
	option leasetime '12h'
	option start '200'
	option limit '30'
	list dhcp_option '3,192.168.11.1'
	list dhcp_option '6,1.1.1.1,1.0.0.1'


  • firewall

# Global fallback policies, used for traffic that is not handled by a zone.
# 'input ACCEPT' means an interface that is not assigned to any zone would be
# allowed to reach services on the router; 'REJECT' or 'DROP' is the stricter
# fallback. Forwarding between zones is dropped unless a 'forwarding' or 'rule'
# section allows it.
config defaults
	option output 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'
	option input 'ACCEPT'
	option forward 'DROP'

# Trusted LAN zone (network 'lan' only): full access to the router.
# 'forward ACCEPT' covers forwarding inside this zone, not to other zones.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Uplink zone: unsolicited inbound and forwarded traffic is dropped, outgoing
# traffic is masqueraded (NAT).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

# Exceptions to the wan zone's 'input DROP' / 'forward DROP' policy.
# Rules without 'dest' apply to traffic addressed to the router itself.

# DHCP replies for the router's own WAN lease (UDP port 68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 echo requests from the WAN side. Set the target to
# DROP (or remove the rule) if it should not be pingable from outside.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from the uplink (multicast group management).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router (UDP port 546).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery, restricted to link-local senders (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
# Includes the neighbour/router discovery types IPv6 needs on the link.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from the uplink to any zone ('dest *'), same rate limit.
# This includes echo-request, so IPv6 hosts behind the router can be pinged
# from outside whenever IPv6 is active.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward IPsec ESP from the uplink into the lan zone.
# NOTE(review): this and the ISAKMP rule below look like stock rules. If no
# host in the LAN terminates IPsec, both can be disabled to reduce what the
# wan zone may forward inward - confirm before removing.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward ISAKMP/IKE (UDP port 500) from the uplink into the lan zone.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the WireGuard tunnel: nothing inbound is accepted, traffic leaving
# through the tunnel is masqueraded.
config zone
	option name 'wgzone'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WGInterface'
	option input 'DROP'
	option forward 'DROP'

# LAN clients may go out through the tunnel. This file has no lan -> wan
# forwarding, so with the tunnel down LAN traffic is not forwarded to the
# uplink.
config forwarding
	option src 'lan'
	option dest 'wgzone'

# Guest zone: 'input DROP' hides the router's services from guests except for
# what explicit rules allow; no forwarding unless a forwarding section exists.
config zone
	option name 'Gast'
	option output 'ACCEPT'
	option mtu_fix '1'
	list network 'Gast'
	option input 'DROP'
	option forward 'DROP'

# IoT zone, same restrictive policy. With 'input DROP' the router does not
# answer pings that IoT devices send to 192.168.11.1.
config zone
	option name 'IoT'
	option output 'ACCEPT'
	list network 'IoT'
	option input 'DROP'
	option forward 'DROP'

# IoT devices may go out through the tunnel only.
config forwarding
	option src 'IoT'
	option dest 'wgzone'

# Input exceptions for the Gast and IoT zones (both have 'input DROP').
# None of these rules sets 'proto', so they match TCP and UDP alike. DHCP only
# needs UDP towards port 67 on the router; adding `option proto 'udp'` and
# limiting dest_port to 67 would narrow the DHCP rules to what is required.

# Guests may reach the router's DHCP server.
config rule
	option src 'Gast'
	option dest_port '67 68'
	option target 'ACCEPT'
	option name 'Guest-DHCP'

# IoT devices may reach the router's DHCP server.
config rule
	option src 'IoT'
	option dest_port '67 68'
	option target 'ACCEPT'
	option name 'IoT-DHCP'

# Guests may query DNS on the router (port 53, TCP and UDP).
config rule
	option src 'Gast'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'Guest-DNS'

# IoT devices may query DNS on the router (port 53, TCP and UDP).
config rule
	option src 'IoT'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'IoT-DNS'

# LAN -> IoT: hosts in the lan zone may open connections to the IoT zone.
# Replies are let through by connection tracking; there is no IoT -> lan
# forwarding, so IoT devices cannot initiate connections into the LAN.
# NOTE(review): the firewall therefore already permits VLAN 33 -> VLAN 11.
# If it still fails, the cause is probably outside this file (per-interface
# routing tables, VLAN tagging on lan4, or a firewall/gateway setting on the
# IoT server) - to be confirmed.
config forwarding
	option src 'lan'
	option dest 'IoT'

# Guests go out through the wan zone directly, not through the tunnel.
config forwarding
	option src 'Gast'
	option dest 'wan'