Zone config vs firewall rule

I thought the following

config forwarding
option src 'vlan5'
option dest 'vlan1'

meant 'allow forwarding of all traffic from vlan5 to vlan1'

If that's true, then I should need no firewall rules allowing traffic from vlan5 to vlan1, correct?

Correct :slight_smile:

Unless there are other rules Dropping traffic


In isolation, yes, that forwarding rule will allow all (relevant) traffic to route from VLAN 5 to VLAN 1. But if you have other rules that are more granular (or if these are not properly formed in general), the forwarding may not happen.

Importantly, what is your observation?


My observation is I can't get certain aspects of 'dlna/upnp between vlans' to fully behave (it works mostly).
Let me review my entire setup and update this post.

What aspects?

My phone app 'HIFI CAST' connects and plays from a minidlna server across vlans but shows no album art. The album art is trying to be delivered via HTTP (I think). If the minidlna server is on the same vlan as the phone, the album art shows up.


You may need an mdns repeater/reflector (such as avahi) to enable these things.

But, it would be helpful to see your complete firewall file.

I'm using avahi and smcroute as I have somewhat of an IoT 'menagerie'.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'vlan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'vlan1'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping-Wan'
        option family 'ipv4'
        list proto 'icmp'
        list icmp_type 'echo-request'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name '3-to-dns-dhcp'
        option src 'vlan3'
        option dest_port '53 67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'media players to wan'
        option dest 'wan'
        option target 'REJECT'
        option family 'ipv4'
        option src 'vlan3'
        list proto 'all'
        list src_ip '10.10.20.33'
        list src_ip '10.10.20.9'

config zone
        option name 'vlan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan3'

config rule
        option name 'DLNA UPNP 3  to 1'
        option src 'vlan3'
        option dest 'vlan1'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '8200 32768-61000'

config redirect
        option target 'DNAT'
        option name 'dns-redirect-vlan3'
        option family 'ipv4'
        option src 'vlan3'
        option src_ip '!10.10.20.1'
        option src_dport '53'
        option dest_ip '10.10.20.1'
        option dest_port '53'
        option src_dip '!10.10.20.1'
        option reflection '0'
        list proto 'tcp'
        list proto 'udp'
        option dest 'vlan3'

config redirect
        option target 'DNAT'
        option name 'dns-redirect-vlan1'
        option family 'ipv4'
        option src 'vlan1'
        option src_ip '!10.10.10.1'
        option src_dip '!10.10.10.1'
        option src_dport '53'
        option dest_ip '10.10.10.1'
        option dest_port '53'
        option reflection '0'
        list proto 'tcp'
        list proto 'udp'
        option dest 'vlan1'

config redirect
        option target 'DNAT'
        option name 'dns-redirect-vlan5'
        option family 'ipv4'
        option src 'vlan5'
        option src_ip '!10.10.30.1'
        option src_dip '!10.10.30.1'
        option src_dport '53'
        option dest_ip '10.10.30.1'
        option dest 'vlan3'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option target 'DNAT'
        option name 'ntp-redirect-vlan1'
        option src 'vlan1'
        option src_ip '!10.10.10.1'
        option src_dip '!10.10.10.1'
        option src_dport '123'
        option dest_ip '10.10.10.1'
        option dest_port '123'
        list proto 'udp'
        option reflection '0'
        option dest 'vlan1'

config redirect
        option target 'DNAT'
        option name 'ntp-redirect-vlan3'
        option src 'vlan3'
        option src_ip '!10.10.20.1'
        option src_dport '123'
        option dest_ip '10.10.20.1'
        option dest_port '123'
        option src_dip '!10.10.20.1'
        list proto 'udp'
        option reflection '0'
        option dest 'vlan3'

config zone
        option name 'vlan5'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan5'

config forwarding
        option src 'vlan1'
        option dest 'vlan5'

config forwarding
        option src 'vlan3'
        option dest 'vlan5'

config forwarding
        option src 'vlan3'
        option dest 'wan'

config forwarding
        option src 'vlan1'
        option dest 'vlan3'

config forwarding
        option src 'vlan5'
        option dest 'vlan3'

config forwarding
        option src 'vlan5'
        option dest 'vlan1'

To be clear:

  • what is the SRC VLAN?
  • what is the DST VLAN?

The HIFICAST app is on vlan1 and minidlna is on vlan5, so the 'src' of the album art is minidlna and the destination of the album art is the app. vlan5 -> vlan1

If the player makes an HTTP request to the server for art content, the player is the source of the connection.

I thought he meant the source of the data.

For firewall purposes, the "source" is the machine that initiates the connection. For example when you use a LAN computer to fetch a web page from the Internet, that is lan->wan forwarding.
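As an added example (not code from this thread or from OpenWrt), the following Python models the two points made in the replies above: the host that initiates the connection is the firewall "source", and a more specific 'config rule' can still reject traffic that a 'config forwarding' would otherwise allow. It parses a constructed excerpt of the poster's firewall file; the rules-before-forwardings ordering is a simplified assumption about fw4, and parse_uci, port_in and forward_verdict are names chosen here.

```python
import re
# Constructed excerpt of the poster's firewall file (assumption: fw4 consults
# 'config rule' before 'config forwarding', then the defaults' forward policy).
CONF = """config defaults
        option forward 'REJECT'
config forwarding
        option src 'vlan1'
        option dest 'vlan5'
config forwarding
        option src 'vlan3'
        option dest 'wan'
config rule
        option src 'vlan3'
        option dest 'wan'
        option target 'REJECT'
        list src_ip '10.10.20.33'
config rule
        option src 'vlan3'
        option dest 'vlan1'
        option target 'ACCEPT'
        list proto 'tcp'
        option dest_port '8200 32768-61000'"""

def parse_uci(text):  # -> [(section_type, {key: [values]})]
    sections = []
    for m in re.finditer(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        kw, key, val = m.groups()
        if kw == "config":
            sections.append((key, {}))
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def port_in(spec, port):  # dest_port syntax: '8200 32768-61000'
    return any(int(a) <= port <= int(b or a) for a, _, b in (i.partition("-") for i in spec.split()))

def forward_verdict(sections, src, dest, proto, dport, src_ip=None):
    """ACCEPT/REJECT for a connection initiated in zone src towards zone dest."""
    for k, r in sections:  # rules with both src and dest live in the forward chain
        if k != "rule" or (r.get("src", [None])[0], r.get("dest", [None])[0]) != (src, dest):
            continue
        protos = r.get("proto", ["all"])
        if (proto not in protos and "all" not in protos) or ("dest_port" in r and not port_in(r["dest_port"][0], dport)):
            continue
        if "src_ip" not in r or src_ip in r["src_ip"]:
            return r["target"][0]
    for k, f in sections:  # then zone-to-zone forwardings, then the defaults policy
        if k == "forwarding" and (f["src"][0], f["dest"][0]) == (src, dest):
            return "ACCEPT"
    return next((s["forward"][0] for k, s in sections if k == "defaults"), "REJECT")
```

The album-art fetch is the phone (vlan1) opening an HTTP connection to minidlna (vlan5), so it is judged as vlan1 -> vlan5 forwarding, while the 'media players to wan' rule rejects 10.10.20.33 even though vlan3 -> wan forwarding exists.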

I suspect that minidlna itself is part of the confusion factor. Even though its config file has
network_interface=eth0.5

lsof still shows

minidlnad 6630 minidlna 6u IPv4 33243 0t0 TCP *:8200 (LISTEN)

What sort of weirdness that causes is unknown.

Should the interface be the physical interface, or the network?

You used to be able to specify a subnet, but no longer.

If I give it something bogus, it complains:

error: Network interface eth0.99 not found

What about the network by name, like lan3 or lan5?

error: Network interface vlan5 not found

vlan5 appears to be the name of your firewall zone, but the network seems to be lan5 (at least based on the firewall; we haven't seen the network config file).

Try lan5