VLANs and firewall – can't access hosts between VLANs

I'd like to be able to reach the management interfaces in the management VLAN from the clearnet and VPN VLANs, but I can't figure out what's wrong.

I have 5 VLANs:

  • 10: management
  • 20: vpn
  • 30: clearnet
  • 40: guest
  • 50: iot

All devices concerned are connected to the main router/AP over Ethernet. One dumb switch distributes untagged VPN, another one distributes untagged clearnet.

Devices I'd like to manage:

  • 192.168.10.90 IPMI NAS – management ethernet port connected directly to the router
  • 192.168.10.2 dumb AP – connected via VLAN trunk

Management, vpn and clearnet VLANs are in one firewall zone.

I can connect to said management hosts when I connect directly to the management network.

My temporary solution is to have one special link with untagged clearnet and tagged management. My admin laptop can then untag management and connect to both networks.

Adding a static route on the admin laptop doesn't help either.

Here's my config:

# ubus call system board
{
	"kernel": "6.1.82",
	"hostname": "qqq",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r25869-12b2cb2ec3",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r25869-12b2cb2ec3"
	}
}
# cat /etc/config/network

# /etc/config/network — VLAN layout from the thread: 10 mgmt, 20 vpn, 30 clearnet, 40 guest, 50 iot.
# Structure: one VLAN-aware bridge (br-vlan) over lan1..lan5, one bridge-vlan section per VLAN id,
# and one wrapper bridge (br_<id>_*) per VLAN that carries the router's L3 interface.
# Values 'qqq*' are redacted by the poster.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'qqq'
	option packet_steering '1'

# Per-port MAC overrides (redacted); lan1..lan5 all get the same value here.
config device
	option name 'lan1'
	option macaddr 'qqq1'

config device
	option name 'lan2'
	option macaddr 'qqq1'

config device
	option name 'lan3'
	option macaddr 'qqq1'

config device
	option name 'lan4'
	option macaddr 'qqq1'

config device
	option name 'lan5'
	option macaddr 'qqq1'

# Upstream port, IPv6 disabled at device level.
config device
	option name 'eth1'
	option macaddr 'qqq2'
	option ipv6 '0'

# Upstream: DHCP with fixed resolvers (peerdns '0'), no prefix delegation and no
# classless static routes accepted from the ISP DHCP server.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'
	option classlessroute '0'

# WireGuard client. route_allowed_ips is not set, so no route is installed for the
# peer's allowed_ips 0.0.0.0/0 here; routing through the tunnel presumably comes from
# the static route further down and from pbr (included in the firewall config).
config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'qqq'
	list addresses 'qqq'
	option mtu '1420'
	option delegate '0'

config wireguard_wgclient
	option public_key 'qqq'
	option preshared_key 'qqq'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'qqq'
	option endpoint_port 'qqq'
	option persistent_keepalive '15'
	option description 'qqq'

# VLAN-aware bridge over all five LAN ports; per-port VLAN membership is defined by
# the bridge-vlan sections below.
config device
	option type 'bridge'
	option name 'br-vlan'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# Dead-end VLAN for frames arriving untagged on the lan1 trunk (u* = untagged + PVID).
# lan1 is its only member and local '0' keeps the router itself out of it, so such
# frames have nowhere to go.
config bridge-vlan
	option device 'br-vlan'
	option vlan '999'
	option local '0'
	list ports 'lan1:u*'

# mgmt: tagged on the lan1 trunk (dumb AP 192.168.10.2 per the thread) and on lan3
# (tagged mgmt on the temporary admin link); untagged + PVID on lan5 (presumably the
# NAS IPMI port mentioned in the thread — confirm).
config bridge-vlan
	option device 'br-vlan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan3:t'
	list ports 'lan5'

# vpn: tagged on the trunk, untagged + PVID on lan2 and lan4 (dumb switch per the thread).
config bridge-vlan
	option device 'br-vlan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'lan4'

# clearnet: tagged on the trunk, untagged + PVID on lan3 — the same port also carries
# tagged mgmt (VLAN 10 above), which is the "temporary solution" link.
config bridge-vlan
	option device 'br-vlan'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'lan3'

# Router address in the management VLAN.
# NOTE(review): reachability of 192.168.10.x hosts from the vpn/clearnet VLANs depends
# on each of those hosts (IPMI, AP) using 192.168.10.1 as its default gateway; if they
# have none, their replies never leave the subnet, and a route added on the client side
# cannot fix that. Confirm the gateway/netmask on the hosts themselves.
config interface 'lan_10_mgmt'
	option proto 'static'
	option device 'br_10_mgmt'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option delegate '0'

# Router address in the vpn VLAN.
config interface 'lan_20_vpn'
	option proto 'static'
	option device 'br_20_vpn'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option delegate '0'

# Router address in the clearnet VLAN.
config interface 'lan_30_clrnet'
	option proto 'static'
	option device 'br_30_clrnet'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option delegate '0'

# guest: trunk only (tagged) — no dedicated access port.
config bridge-vlan
	option device 'br-vlan'
	option vlan '40'
	list ports 'lan1:t'

# iot: trunk only (tagged) — no dedicated access port.
config bridge-vlan
	option device 'br-vlan'
	option vlan '50'
	list ports 'lan1:t'

# Router address in the guest VLAN.
config interface 'lan_40_guest'
	option proto 'static'
	option device 'br_40_guest'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option delegate '0'

# Router address in the iot VLAN.
config interface 'lan_50_iot'
	option proto 'static'
	option device 'br_50_iot'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option delegate '0'

# Static route via the tunnel (target redacted).
# NOTE(review): if the pbr policies send the vpn or clearnet subnets through wgclient,
# check that 192.168.10.0/24 is still resolved via the main routing table for those
# clients; otherwise their inter-VLAN traffic would be steered into the tunnel instead.
config route
	option interface 'wgclient'
	option target 'qqqq'

# Wrapper bridges: one per VLAN, each with the single port br-vlan.<id> and IPv6 off.
# The lan_* interfaces above attach to these rather than to br-vlan.<id> directly.
config device
	option type 'bridge'
	option name 'br_10_mgmt'
	list ports 'br-vlan.10'
	option bridge_empty '1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br_20_vpn'
	list ports 'br-vlan.20'
	option bridge_empty '1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br_30_clrnet'
	list ports 'br-vlan.30'
	option bridge_empty '1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br_40_guest'
	list ports 'br-vlan.40'
	option bridge_empty '1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br_50_iot'
	list ports 'br-vlan.50'
	option bridge_empty '1'
	option ipv6 '0'

# cat /etc/config/firewall

# /etc/config/firewall — default deny: input to the router and forwarding between zones
# are rejected unless a zone, forwarding or rule below allows them.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# wan zone also holds wgclient, so the WireGuard tunnel is treated as untrusted and
# masqueraded exactly like the upstream link.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wgclient'

# Stock OpenWrt wan rules: DHCP renew, ping, IGMP, DHCPv6, MLD and a rate-limited
# ICMPv6 set (input and forward).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Management, vpn and clearnet share one zone with forward 'ACCEPT' and input 'ACCEPT':
# the firewall already permits routing between the three subnets and full access to the
# router from all of them. If 192.168.10.x hosts still cannot be reached from the other
# two VLANs, the cause is most likely outside this file (host default gateway, pbr
# policy) rather than a missing rule here.
# Risk note: every client in vpn and clearnet can reach the IPMI/BMC and AP management
# endpoints in VLAN 10. A tighter layout is a dedicated mgmt zone plus a forwarding rule
# restricted by src_ip to the admin hosts and by dest_port to the management services.
config zone
	option name 'lan10_20_30'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_10_mgmt'
	list network 'lan_20_vpn'
	list network 'lan_30_clrnet'

# The shared zone may reach wan — and therefore also the tunnel, since wgclient is in wan.
config forwarding
	option src 'lan10_20_30'
	option dest 'wan'

# Guest: isolated zone — no routing to the other LAN zones, router services only via
# the explicit rules below, internet via the forwarding to wan.
config zone
	option name 'lan_40'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_40_guest'

config forwarding
	option src 'lan_40'
	option dest 'wan'

# IoT: isolated like guest.
config zone
	option name 'lan_50'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_50_iot'

config forwarding
	option src 'lan_50'
	option dest 'wan'

# Guest → router: DNS (no proto given, so fw4's default of tcp+udp applies), DHCP, ping.
config rule
	option name 'Allow DNS from guest'
	option src 'lan_40'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP from guest'
	option src 'lan_40'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow ICMP ping from guest'
	option src 'lan_40'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IoT → router: same trio as guest.
config rule
	option name 'Allow DNS from iot'
	option src 'lan_50'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP from iot'
	option src 'lan_50'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow ICMP ping from iot'
	option src 'lan_50'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Pin DNS and NTP to the router for each subnet of the shared zone. Because the zone
# spans three networks, src_ip is what keeps each redirect on its own VLAN and points
# clients at that VLAN's router address.
config redirect
	option target 'DNAT'
	option name 'Forward lan_mgmt DNS to router'
	option src 'lan10_20_30'
	option src_dport '53'
	option dest_ip '192.168.10.1'
	option src_ip '192.168.10.0/24'

config redirect
	option target 'DNAT'
	option name 'Forward lan_mgmt NTP to router'
	option src 'lan10_20_30'
	option src_dport '123'
	option dest_ip '192.168.10.1'
	option src_ip '192.168.10.0/24'

config redirect
	option target 'DNAT'
	option name 'Forward lan_vpn DNS to router'
	option src 'lan10_20_30'
	option src_dport '53'
	option dest_ip '192.168.20.1'
	option src_ip '192.168.20.0/24'

config redirect
	option target 'DNAT'
	option name 'Forward lan_vpn NTP to router'
	option src 'lan10_20_30'
	option src_dport '123'
	option dest_ip '192.168.20.1'
	option src_ip '192.168.20.0/24'

config redirect
	option target 'DNAT'
	option name 'Forward lan_clrnet DNS to router'
	option src 'lan10_20_30'
	option src_dport '53'
	option dest_ip '192.168.30.1'
	option src_ip '192.168.30.0/24'

config redirect
	option target 'DNAT'
	option name 'Forward lan_clrnet NTP to router'
	option src 'lan10_20_30'
	option src_dport '123'
	option dest_ip '192.168.30.1'
	option src_ip '192.168.30.0/24'

# Same DNS/NTP pinning for iot (single-network zone, so no src_ip needed).
# Guest (lan_40) has no equivalent redirect, so guest clients can still use external
# DNS/NTP servers directly — possibly unintended given the iot treatment.
config redirect
	option target 'DNAT'
	option name 'Forward lan_iot DNS to router'
	option src 'lan_50'
	option src_dport '53'
	option dest_ip '192.168.50.1'

config redirect
	option target 'DNAT'
	option name 'Forward lan_iot NTP to router'
	option src 'lan_50'
	option src_dport '123'
	option dest_ip '192.168.50.1'

# Mark IKE / IPsec NAT-T (UDP 500, 4500) from the shared zone toward wan as EF for
# Wi-Fi calling.
config rule
	option name 'Wi-Fi Calling DSCP'
	list proto 'udp'
	option src 'lan10_20_30'
	option dest 'wan'
	option dest_port '500 4500'
	option target 'DSCP'
	option set_dscp 'EF'

# Policy-based routing hook; the rules pbr generates are not shown in the thread.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'