Zone forwarding help

Hey , beautiful people of the internet,

I am struggling to configure zone forwarding. It all seems pretty straightforward, but I just can't ping a device in the guest_IOT zone from a device in the LAN zone. For some reason the ping works about 3 times right after I hit save in LuCI, then stops. This is a special build of OpenWrt called openmptcprouter, but there should not be anything different in this regard.

Sorry for the long firewall config; most of it is added for openmptcprouter.

# OpenWrt UCI firewall config (/etc/config/firewall) as posted.
# Reviewer notes are the '#' lines; nothing else has been changed.

# Global policy: traffic between zones is REJECTed unless a 'forwarding'
# stanza or an explicit ACCEPT rule allows it.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'REJECT'
	option disable_ipv6 '0'
	option forward 'REJECT'

# 'lan' zone: fully open to/from the router and between its own networks.
# NOTE(review): 'wan1' is placed in this zone, so an upstream-facing network
# inherits lan's ACCEPT input/forward policy (the poster acknowledges this is a
# temporary switch-layout compromise; it should move to the 'wan' zone once the
# VLAN-capable switch is in place).
config zone 'zone_lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option auto_helper '0'
	option mtu_fix '1'
	list network 'lan'
	list network 'wan1'

# 'wan' zone: router does not accept unsolicited input; NAT (masq) outbound.
config zone 'zone_wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan2'
	list network 'wan3'
	list network 'wan4'
	list network 'wan5'

config forwarding
	option src 'lan'
	option dest 'wan'

# Redundant with the 'config forwarding' lan -> iot_GUEST stanza near the end of
# this file; zone-to-zone allows belong in forwarding stanzas, not rules.
# References the 'iot_GUEST' zone that is only defined further down (UCI allows
# this, but it is easy to misread).
config rule
	option name 'lan to IOT'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'iot_GUEST'

# --- Stock OpenWrt wan-facing rules (src 'wan', no dest => traffic to the
# --- router itself) ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarding rule (dest '*'): a limited set of ICMPv6 types from wan into any
# zone, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through rules: wan -> lan, ESP and IKE (udp/500).
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled (enabled '0'); kept from the stock config.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Includes run scripts that add netfilter rules outside the zone model above;
# their effect is not visible in this file.
config include
	option path '/etc/firewall.user'
	option reload '1'

# --- openmptcprouter-added rules ---

# Redundant with 'config forwarding fwlantovpn' below.
config rule
	option target 'ACCEPT'
	option name 'Allow-All-LAN-to-VPN'
	option dest 'vpn'
	option src 'lan'

# NOTE(review): src '*' + dest '*' is a forwarding rule between ANY pair of
# zones, so echo-request is forwarded from wan into lan/iot_GUEST as well; this
# is much broader than the wan-scoped 'Allow-Ping' above. No 'family' is set,
# so it presumably applies to both IPv4 and IPv6 -- confirm this is intended.
config rule
	option target 'ACCEPT'
	option name 'Allow-All-Ping'
	option proto 'icmp'
	option dest '*'
	option src '*'
	option icmp_type 'echo-request'

# No dest and no icmp_type: all ICMP from the vpn zone to the router is accepted.
config rule
	option target 'ACCEPT'
	option name 'Allow-VPN-ICMP'
	option proto 'icmp'
	option src 'vpn'

# Redundant with the 'config forwarding' lan -> wan stanza above.
config rule
	option target 'ACCEPT'
	option name 'Allow-Lan-to-Wan'
	option dest 'wan'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option name 'ICMPv6-Lan-to-OMR'
	option src 'lan'
	option family 'ipv6'
	option proto 'icmp'
	option limit '1000/sec'
	option icmp_type 'echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'

config include 'omr_server'
	option path '/etc/firewall.omr-server'
	option reload '1'

config include 'gre_tunnel'
	option path '/etc/firewall.gre-tunnel'
	option reload '0'

config forwarding 'fwlantovpn'
	option src 'lan'
	option dest 'vpn'

# src only (no dest): drops QUIC (udp/443) from lan addressed to the router.
config rule 'blockquicproxy'
	option name 'Block QUIC Proxy'
	option proto 'udp'
	option dest_port '443'
	option target 'DROP'
	option src 'lan'

# src '*' dest '*': drops forwarded QUIC (udp/443) between any zones.
config rule 'blockquicall'
	option name 'Block QUIC All'
	option proto 'udp'
	option src '*'
	option dest '*'
	option dest_port '443'
	option target 'DROP'

config rule 'allowicmpipv6'
	option proto 'icmp'
	option target 'ACCEPT'
	option src 'wan'
	option name 'Allow IPv6 ICMP'
	option family 'ipv6'
	option icmp_type 'neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation'

config rule 'allowdhcpv6546'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '547'
	option name 'Allow DHCPv6 (546-to-547)'
	option family 'ipv6'
	option src_port '546'

config rule 'allowdhcpv6547'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option name 'Allow DHCPv6 (547-to-546)'
	option family 'ipv6'
	option src_port '547'

config rule 'allow_dhcp_request_vpn'
	option name 'Allow-DHCP-Request-VPN'
	option src 'vpn'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config include 'v2ray'
	option path '/etc/firewall.v2ray-rules'
	option reload '0'

# NOTE(review): the poster later reports that disabling an openmptcprouter
# "bypass" rule restored the zone forwards -- presumably this include is where
# it is applied. Script includes can pre-empt the zone/forwarding stanzas.
config include 'omr_bypass'
	option path '/etc/firewall.omr-bypass'
	option reload '0'

config include 'ss_rules'
	option path '/etc/firewall.ss-rules'
	option reload '1'

# 'vpn' zone: NAT outbound, router input REJECTed, forwarding within the zone
# allowed.
config zone 'zone_vpn'
	option name 'vpn'
	option masq '1'
	option input 'REJECT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option mtu_fix '1'
	list network 'omrvpn'
	list network 'omr6in4'

config include 'ttl'
	option path '/etc/firewall.ttl'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Guest/IoT zone (anonymous section, network 'VLAN3'): router input REJECTed
# except for what 'Guest_DHCP_DNS' opens; no intra-zone forwarding.
config zone
	option name 'iot_GUEST'
	list network 'VLAN3'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

# One-way lan -> iot_GUEST; this is the forwarding the poster is relying on.
# Reply traffic is expected to come back via connection tracking, so no reverse
# stanza is needed (iot_GUEST devices still cannot initiate into lan).
config forwarding
	option src 'lan'
	option dest 'iot_GUEST'

config forwarding
	option src 'iot_GUEST'
	option dest 'wan'

# No 'proto' given, so OpenWrt applies this to tcp and udp; no dest, so it is
# input to the router. Port 68 is the DHCP client side and is likely not needed
# on the router -- 53 and 67 are sufficient for DNS + DHCP.
config rule
	option name 'Guest_DHCP_DNS'
	option src 'iot_GUEST'
	option dest_port '53 67 68'
	option target 'ACCEPT'

You have a lot of strange stuff going on here -- including a wan network in the lan zone, unnecessary rules allowing forwarding (these should simply be forwarding stanzas), VPNs, GRE tunnels, etc. At least you have provisions for all of it, but it isn't clear what is actually going on.

From the looks of this, it is not pure/official OpenWrt. What device is this on? what version of OpenWrt are you running?

Please run the following command (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:

ubus call system board

As I said, this is openmptcprouter; it's for bonding multiple WAN interfaces and is definitely non-standard.

The wan1 interface is actually in my LAN (I know, weird and not ideal, but I need to add another VLAN-capable switch to separate those, as I have an AP and a 5G router on the same port of a dumb switch under the roof -- that's part of the WAN bond). It's already ordered :smiley:

I just realized that a bypass rule in openmptcprouter seems to have broken my firewall zone forwards. If I disable it, my rules work as expected. Thanks for having a look over it, I was going a bit mad with this :smiley: