VLAN are half connected


I want to create two "isolated" local network with one WAN internet connection.I created a new VLAN for this purpose:

VLAN 1 is the default one, VLAN 100 is for my ISP, VLAN 2 is my new network.

I have 3 interfaces:

LAN_1 is linked to eth0.1 with static IP on network with DHCP server active
LAN_2 is linked to eth0.2 with static IP on network with DHPC server active
WAN_3 is linked eth1.100 with DHCP IP from my ISP.

I have connected two computers to my router: one on LAN 1 and one on LAN 2

The computer A has IP
The computer B has IP

Both have internet acces (ping ok to google.com)

Now I don't hunderstand why the computer A can ping the computer B, but computer B can't ping the computer A.

Is there a rule related to VLAN id ?
I don't want any possible communication between computer A or B.
I also tried to add both ways static route between networks but computer B can't still ping the computer A.

Thank you for help.


Check your firewall zones. Make sure both eth0.1 and eth0.2 are assigned to LAN zone.

1 Like


I'll check again tonight (I don't have the device now) but both interface LAN_A and LAN_2 are associated to lan on firewall rules.

I'll past my network config, maybe I miss something.


If the purpose to isolate them then you need to create to zones LAN1 and LAN2, where traffic is allowed from each of them to WAN but traffic between them is blocked.

I'll check the firewall rule and create then assign different rules for the both LAN.

I discussed with a coworker this morning and we think this behavior is because my LAN1 is the default configuration (after hard reset, bridged with radio/wifi initially) there is somewhere a rule not visible in the GUI that allow communication.

So If I delete LAN1 interface and create a new one from scratch (like LAN2) my networks won't exchange the traffic.

I'll let you know tonight.

Thank you.

Make sure your netmasks are set properly (/24 or
Make sure you don't have eth0 with no VLAN number attached to any network.

Use two different firewall zones and have each one set to forward to wan but not to each other.

After deleting all firewall rules, there is no more link between interfaces.

But I can't get internet anymore. I tried different configuration, allow anything from anywhere between LAN1 and WAN but can't ping google.com from LAN 1.

I don't know what I'm missing, I'll search again and send you my configuration later if I don't found a solution.

On the router in SSH mode I can ping google.com, so link is up and good.

Thanks you for helping.

All is working now !

I just want to check with you is there is no security issue:

Thank you for help.

On Forward, use reject instead of drop. (drop can slow down your applications)

I switched to drop, thank you for the advice.

One last strange behaviour. My LAN2 host a webserver.

A added a port forward: From wan port 8888 forward to port 80.

The redirect from my phone in cell network (4G) is good, I can display the web page with my https://ISPIP:8888, but from my local network LAN1 ( my web browser said ERR_CONNECTION_REFUSED.

So I added a zone rule from lan 1: allow forward to LAN2 in addition to WAN.

Now I can join my LAN2 from my LAN but I don't really like this solution because I use the local adresse to join the web server and not the ISPIP (resolved with a domaine).

Thank you.



Ummmm...this setting doesn't even affect any of the OP's traffic.

That setting is for is for INTRA-zone forwarding. The behavior of LAN1 and LAN2 to WAN are covered under "Zone => Forwardings"

And since in most cases you don't want someone forwarding across WANs, dropping silently should be OK anyways.

A common reason for using DROP rather than REJECT is to avoid giving away information about which ports are open, however, discarding packets gives away exactly as much information as the rejection.

With REJECT, you do your scan and categorise the results into "connection established" and "connection rejected".

With DROP, you categorise the results into "connection established" and "connection timed out".

The most trivial scanner will use the operating system "connect" call and will wait until one connection attempt is completed before starting on the next. This type of scanner will be slowed down considerably by dropping packets. However, if the attack sets a timeout of 5 seconds per connection attempt, it is possible to scan every reserved port (1..1023) on a machine in just 1.5 hours. Scans are always automated, and an attacker doesn't care that the result isn't immediate.

A more sophisticated scanner will send packets itself rather than relying on the operating system's TCP implementation. Such scanners are fast, efficient and indifferent to the choice of REJECT or DROP.

DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users. DROP should not normally be used.

I guess you missed that the setting you suggested (i.e. the FORWARD settings) has 0 affect on the OP's listed traffic (i.e. LAN1-to-WAN and LAN2-to-WAN), but OK, I understand your explanation...although I never understood why one would give away their presence on WAN (or use CPUs to do so) by sending rejects to IPs on WAN - when using DROP, a malicious person wouldn't know it's there. :confused:

...worse yet, setting REJECT on WAN could even unwittingly make you a participant in a reflection attack from a malicious botnet or device spoofing the SRC IPs...the extra CPUs could possibly (D)DoS your router.

1 Like

@lleachii My mistake, I didn't realise that forward in this situation maens -> from router to zone.

I thought, from router to the big internet. :wink:

Thank you for explaining this :grinning:

1 Like

It doesn't...

It means "forwarding between PHYs in the same firewall zone".

Your term: "from router to zone" - I would better describe as "output".