VLANs and Firewall struggles

Hello,
I have a GL-iNet MT6000 (Flint 2) as my main router and I have configured multiple VLANs on it.
Until recently I had my LAN (1), Guest and IoT devices on it, and everything worked as expected.

I upgraded my lab and now I need to isolate traffic, so I created multiple VLANs. I used the same rules as in the Guest and IoT zones as well as the actual devices. I have set up a single Proxmox (for now; another 2 are coming) and I have configured these VLANs on the Proxmox as well.

I have multiple problems, but I will focus on each one of them one by one.

Problem no. 1 is that I cannot access the VMs on each of the new VLANs from my PC.

I start a VM/LXC on VLAN 105, IP 192.168.101.66
From my PC:

ssh root@192.168.101.66
ssh: connect to host 192.168.101.66 port 22: Connection refused

From the router itself:

ssh root@192.168.101.66 
root@192.168.101.66's password:  
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.17.2-2-pve x86_64) 

 * Documentation:  https://help.ubuntu.com 
 * Management:     https://landscape.canonical.com 
 * Support:        https://ubuntu.com/pro 
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings 

Last login: Mon Dec 15 11:37:04 2025 from 192.168.101.65

I will share portions of /etc/config/network and /etc/config/firewall.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option igmp_snooping '1'

config device
        option name 'lan1'

config device
        option name 'lan2'
...
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.0.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option device 'br-lan.1'
        list dns '192.168.0.1'
        list dns '192.168.0.254'
        list dns_search 'example.com'

config interface 'guest'
        option device 'br-lan.9'
        option force_link '1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '1'
        option isolate '1'
        option disabled '0'

config interface 'iot'
        option force_link '1'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.192.168'
        option netmask '255.255.255.128'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '1'
        option isolate '1'
        option disabled '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'lan1:t'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '105'
        list ports 'lan1:t'

config interface 'OCP_External'
        option proto 'static'
        option device 'br-lan.105'
        option ipaddr '192.168.101.65'
        list dns '192.168.0.1'
        option netmask '255.255.255.248'
        list dns_search 'example.com'

Firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config zone
        option name 'IoT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'iot'

config forwarding
        option dest 'IoT'
        option src 'lan'

config forwarding
        option dest 'guest'
        option src 'lan'

config zone
        option name 'ocp_external'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_External'

config forwarding
        option src 'lan'
        option dest 'ocp_external'
The way I understand it, traffic from my PC (lan) SHOULD be forwarded to 192.168.0.66 (VLAN 105, OCP_External) since there is a forwarding rule!

Running tcpdump makes things interesting:

tcpdump -ni br-lan 'host 192.168.101.66 and tcp port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes

19:15:57.309640 IP 192.168.0.3.47784 > 192.168.101.66.22: Flags [S], seq 3125488271, win 64240, options [mss 1460,sackOK,TS val 258068420 ecr 0,nop,wscale 10], length 0
19:15:57.309791 IP 192.168.101.66.22 > 192.168.0.3.47784: Flags [R.], seq 0, ack 3125488272, win 0, length 

BUT, VLAN 105 is not getting any packets!

tcpdump -ni br-lan.105 tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan.105, link-type EN10MB (Ethernet), capture size 262144 bytes

Any ideas what is wrong?
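As an added example (not code from this thread, from OpenWrt or from GL-iNet), here is a small Python check for the two questions this kind of debugging turns on: does /etc/config/firewall allow forwarding between the zones two interfaces belong to, and which bridge ports actually carry a given VLAN? In OpenWrt, traffic between two zones needs an explicit forwarding section; a zone's own forward policy only covers interfaces inside that same zone. The configs embedded below are constructed excerpts modelled on the ones posted above.

```python
"""Added example, not from the thread: a minimal UCI parser plus two checks used
when debugging inter-VLAN access. Sample configs are constructed excerpts."""
import re

def parse_uci(text):
    """Parse UCI 'config/option/list' text into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        vals = [a or b for a, b in re.findall(r"'([^']*)'|(\S+)", rest)]
        if kind == "config":
            sections.append({".type": vals[0]})
        elif kind == "option" and sections:
            sections[-1][vals[0]] = vals[1]
        elif kind == "list" and sections:
            sections[-1].setdefault(vals[0], []).append(vals[1])
    return sections

def zone_of(fw, network):
    """Name of the firewall zone that lists `network`, or None if unassigned."""
    for s in fw:
        if s[".type"] == "zone" and network in s.get("network", []):
            return s.get("name")
    return None

def forwarding_allowed(fw, src_net, dst_net):
    """True if zone policy or an explicit (enabled) forwarding lets src reach dst."""
    src, dst = zone_of(fw, src_net), zone_of(fw, dst_net)
    if src is None or dst is None:
        return False  # an interface in no zone falls under the 'defaults' REJECT
    if src == dst:  # same zone: the zone's own 'forward' policy decides
        return any(s[".type"] == "zone" and s.get("name") == src
                   and s.get("forward") == "ACCEPT" for s in fw)
    return any(s[".type"] == "forwarding" and s.get("src") == src
               and s.get("dest") == dst and s.get("enabled", "1") == "1" for s in fw)

def vlan_ports(net, vlan):
    """Bridge ports that carry VLAN `vlan`, as {port: 'tagged' | 'untagged'}."""
    for s in net:
        if s[".type"] == "bridge-vlan" and s.get("vlan") == str(vlan):
            return {p.partition(":")[0]: "tagged" if "t" in p.partition(":")[2] else "untagged"
                    for p in s.get("ports", [])}
    return {}  # VLAN not defined on the bridge at all

FW = parse_uci("config zone\noption name 'lan'\noption forward 'ACCEPT'\nlist network 'lan'\n"
               "config zone\noption name 'ocp_external'\noption forward 'REJECT'\n"
               "list network 'OCP_External'\nconfig forwarding\noption src 'lan'\n"
               "option dest 'ocp_external'\n")  # constructed excerpt of the posted firewall
NET = parse_uci("config bridge-vlan\noption device 'br-lan'\noption vlan '105'\n"
                "list ports 'lan1:t'\n")  # constructed excerpt of the posted network config
```

A True from forwarding_allowed only says the firewall permits the path; the VLAN must also be tagged on the port the host actually hangs off, which is what vlan_ports shows (here only lan1).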

To better understand the setup (more than just the excerpts), let's see the complete output of the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ubus call system board
{
        "kernel": "5.4.246",
        "hostname": "gw",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "",
                "target": "mediatek/mt7986",
                "description": "OpenWrt 21.02-SNAPSHOT "
        }
}

FW:

cat /etc/config/firewall 

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config rule 'wan_drop_leaked_dns'
        option name 'wan_drop_leaked_dns'
        option src 'wan'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '0'

config rule 'guest_drop_leaked_dns'
        option name 'guest_drop_leaked_dns'
        option src 'guest'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'secondwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config zone
        option name 'IoT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'iot'

config rule
        option name 'Allow-DHCP-IoT'
        option src 'IoT'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS-IoT'
        option src 'IoT'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config forwarding
        option dest 'wan'
        option src 'IoT'

config forwarding
        option dest 'IoT'
        option src 'lan'

config forwarding
        option dest 'guest'
        option src 'lan'

config forwarding
        option src 'wgserver'
        option dest 'lan'

config include 'dns_order'
        option type 'script'
        option path '/etc/firewall.dns_order'
        option reload '1'
        option enabled '1'

config include 'vpnclient'
        option type 'script'
        option path '/usr/bin/rtp2.sh'
        option reload '0'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config include 'security'
        option type 'script'
        option path '/etc/firewall.security'
        option reload '0'

config rule 'lan_drop_leaked_dns'
        option name 'lan_drop_leaked_dns'
        option src 'lan'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

config rule 'wgserver_drop_leaked_dns'
        option name 'wgserver_drop_leaked_dns'
        option src 'wgserver'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

config rule 'ovpnserver_drop_leaked_dns'
        option name 'ovpnserver_drop_leaked_dns'
        option src 'ovpnserver'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

config zone 'wgserver'
        option name 'wgserver'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'REJECT'
        option masq '1'
        option masq6 '1'
        option family 'ipv4'
        option forward 'REJECT'
        option enabled '1'
        list network 'wgserver'

config rule 'wgserver_allow'
        option name 'wgserver_allow'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '51820'
        option family 'ipv4'
        option enabled '1'

config rule 'wgserver2lan'
        option name 'wgserver2lan'
        option src 'wgserver'
        option dest 'lan'
        option proto 'all'
        option enabled '0'
        option family 'ipv4'

config forwarding 'wgserver2wan'
        option name 'wgserver2wan'
        option src 'wgserver'
        option dest 'wan'
        option family 'ipv4'
        option enabled '1'

config forwarding 'lan2wgserver'
        option name 'lan2wgserver'
        option src 'lan'
        option dest 'wgserver'
        option family 'ipv4'
        option enabled '1'

config rule 'wgserver2wgserver'
        option name 'wgserver2wgserver'
        option src 'wgserver'
        option dest 'wgserver'
        option proto 'all'
        option target 'REJECT'
        option family 'ipv4'
        option enabled '1'

config rule 'wgserver_allow_dns'
        option name 'wgserver_allow_dns'
        option src 'wgserver'
        option target 'ACCEPT'
        option dest_port '53'
        option family 'ipv4'
        option enabled '1'

config zone
        option name 'ocp_bmc'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_BMC_Network'

config zone
        option name 'ocp_provision'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_Provision'

config zone
        option name 'ocp_node_mng'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_Node_mng'

config zone
        option name 'ocp_storage'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_Storage'

config zone
        option name 'ocp_external'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_External'

config zone
        option name 'ocp_vms'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'OCP_VMs'

config forwarding
        option src 'lan'
        option dest 'ocp_bmc'

config forwarding
        option src 'lan'
        option dest 'ocp_external'

config forwarding
        option src 'lan'
        option dest 'ocp_node_mng'

config forwarding
        option src 'lan'
        option dest 'ocp_provision'

config forwarding
        option src 'lan'
        option dest 'ocp_storage'

config forwarding
        option src 'lan'
        option dest 'ocp_vms'

config zone
        option name 'LXCNet'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'LXCNet'

config forwarding
        option src 'lan'
        option dest 'LXCNet'

Net:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option igmp_snooping '1'

config device
        option name 'lan1'

config device
        option name 'lan2'

config device
        option name 'lan3'

config device
        option name 'lan4'

config device
        option name 'lan5'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.0.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option device 'br-lan.1'
        list dns '192.168.0.1'
        list dns '192.168.0.254'
        list dns_search 'example.com'

config device
        option name 'eth1'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option force_link '0'
        option ipv6 '0'
        option metric '10'
        option vlanid '0'
        option disabled '0'
        option peerdns '1'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'guest'
        option device 'br-lan.9'
        option force_link '1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '1'
        option isolate '1'
        option disabled '0'

config interface 'tkiot'
        option force_link '1'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.192.168'
        option netmask '255.255.255.128'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '1'
        option isolate '1'
        option disabled '0'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'
        option classlessroute '0'

config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'
        option classlessroute '0'

config interface 'secondwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option metric '15'
        option device '@secondwan'

I think you should start with upgrading the firmware to the actual release version, which is 24.10.4.

As @elder_tinkerer has pointed out, you are not using an official OpenWrt release. You've got the vendor firmware installed on your device, currently.

If you wish to continue using the GL-iNet firmware (which is a fork of OpenWrt, but not from the official project), you can ask on their support channels/forums.

We can help you here if you're using the official OpenWrt.

Yeap. Because this is the real problem.
Anyway, no problem.

The reason we can't help you with the GL-Inet firmware is that it is heavily modified vs official OpenWrt. The syntax and methods are significantly different for their firmware than they would be for OpenWrt -- including parameters/options that don't exist in official OpenWrt and other details.