Zone forwarding not working? 24.10

I've had zone forwarding set up for quite some time for LAN > IoT network routing. It seems that in the 24.10 release on x86 it's no longer routing traffic; it looks like the traffic is being blocked. I also flashed the latest snapshot and still see the same issue.

Anyone else able to confirm this behaviour?

This is working properly for me. Let's start with seeing your configuration files.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.74",
	"hostname": "OpenWrt",
	"system": "Intel(R) N100",
	"model": "Default string Default string",
	"board_name": "default-string-default-string",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r28800-04570f5ee2",
		"target": "x86/64",
		"description": "OpenWrt SNAPSHOT r28800-04570f5ee2",
		"builddate": "1739221850"
	}
}
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted (PPPoE credentials, WireGuard keys and the
# peer endpoint were redacted by the poster).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd48:bef8:d138::/48'
	option packet_steering '2'

# Bridge declared with eth0 as its only port, but no interface below is
# bound to 'br-lan': 'lan' sits directly on eth0 and 'iot' on eth0.107,
# so untagged LAN traffic and VLAN-107-tagged IoT traffic share the same
# NIC. This is the mixed tagged/untagged setup the replies warn about.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN, 192.168.1.0/24, bound to the raw NIC rather than the bridge above.
config interface 'lan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option igmp_snooping '1'
	option stp '1'
	list dns '192.168.1.1'

# Upstream: PPPoE over VLAN 40 on eth1. peerdns '0' with dns pointing at
# the router itself keeps name resolution on the local resolver.
config interface 'wan'
	option proto 'pppoe'
	option device 'eth1.40'
	option username 'xxxx@xxxx.net'
	option password 'xxxxxxx'
	option ipv6 'auto'
	option peerdns '0'
	list dns '192.168.1.1'

# 802.1q sub-interface for the IoT VLAN on the same NIC the LAN uses untagged.
config device
	option type '8021q'
	option ifname 'eth0'
	option vid '107'
	option name 'eth0.107'

# IoT network, 192.168.107.0/24. The firewall zone that carries it is named
# 'IOT' (upper case) while this network is 'iot'; the two are different
# namespaces in fw4, so keep that in mind when reading the firewall file.
config interface 'iot'
	option proto 'static'
	option device 'eth0.107'
	option ipaddr '192.168.107.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option igmp_snooping '1'
	option stp '1'
	list dns '192.168.107.1'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '40'
	option name 'eth1.40'

# WireGuard client tunnel. The peer below allows 0.0.0.0/0 and ::/0, so the
# tunnel can carry any destination; which traffic actually goes through it
# is decided by route metrics / pbr, not by anything in this file.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	list addresses '10.5.0.2/32'
	list dns '1.1.1.1'

config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key 'xxxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'xxxx'
	option endpoint_port '51820'

# proto 'none': this stanza exists only so the firewall can place
# tailscale0 into a zone; addresses and routes on it are managed by the
# tailscale daemon (not visible here), which the thread later suspects of
# overriding route priorities.
config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted.
#
# rebind_protection '0' switches off dnsmasq's DNS-rebinding filter, so
# upstream answers that resolve to private (RFC1918) addresses are handed
# to clients unfiltered; only keep this if a known internal resolver needs it.
# port '54' together with 'list server 192.168.1.1' means dnsmasq listens
# on 54 and forwards to something on the router's own :53 — presumably a
# separate resolver that is not shown in the thread; confirm.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/local/'
	option domain 'local'
	option port '54'
	list server '192.168.1.1'

# LAN scope; options 6 (DNS) and 3 (router) point clients at the router.
config dhcp 'lan'
	option interface 'lan'
	option start '2'
	option limit '75'
	option leasetime '24h'
	option dhcpv4 'server'
	option force '1'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# interface 'IOT' does not exist in /etc/config/network (the interface is
# 'iot'), so this stanza is inert; the 'iot' stanza at the bottom of the
# file is the live scope. Note the stray space in '6, 192.168.107.250' if
# this block is ever renamed to revive it.
config dhcp 'IOT'
	option interface 'IOT'
	option start '2'
	option limit '75'
	option leasetime '24h'
	list dhcp_option '6, 192.168.107.250'

# The next two reservations carry the same MAC (differing only in case)
# with addresses in different subnets; check logread to confirm dnsmasq
# accepts both rather than one silently overriding the other.
config host
	option name 'DietPi'
	option dns '1'
	option ip '192.168.107.250'
	list mac 'dc:a6:32:26:00:a2'

config host
	option name 'Diet-Pi'
	option dns '1'
	option ip '192.168.1.221'
	list mac 'DC:A6:32:26:00:A2'

config host
	option name 'SW-8P-1'
	option dns '1'
	option mac 'xxxx'
	option ip '192.168.1.224'

config host
	option name 'Plex'
	option dns '1'
	option mac '02:FF:60:3C:49:33'
	option ip '192.168.1.201'

config host
	option name 'NAS'
	option dns '1'
	option mac 'D8:CB:8A:A3:F8:63'
	option ip '192.168.1.200'

config host
	option name 'PS4'
	option dns '1'
	option mac 'A8:47:4A:58:BB:E3'
	option ip '192.168.107.100'

config host
	option name 'IoT-Pi'
	option dns '1'
	option mac 'D0:37:45:55:9A:F5'
	option ip '192.168.107.254'

config host
	option name 'NanoHD'
	option dns '1'
	option mac 'B4:FB:E4:29:9A:1C'
	option ip '192.168.1.223'

# Live DHCP scope for the IoT interface; clients get the router as DNS
# and default gateway.
config dhcp 'iot'
	option interface 'iot'
	option start '2'
	option limit '75'
	option leasetime '24h'
	option force '1'
	list dhcp_option '6,192.168.107.1'
	list dhcp_option '3,192.168.107.1'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted. Two things to keep in mind while reading:
#  - fw4 evaluates 'rule' sections in file order and the first match wins,
#    so a DROP/REJECT placed before an ACCEPT with the same match shadows it;
#  - 'src'/'dest' in rules, forwardings and redirects refer to the zone's
#    'name' option, which is case-sensitive. The IoT zone below is named
#    'IOT'; every reference to 'iot' (lower case) matches no zone at all.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

# LAN zone: input ACCEPT, i.e. LAN hosts may reach every service on the router.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Same match as 'Allow-Ping' further down (wan, icmp echo-request, ipv4)
# but listed first with DROP, so IPv4 pings from wan are dropped and
# 'Allow-Ping' never matches. Keep whichever behaviour is intended and
# remove the other.
config rule
	option name 'Deny-ICMP-from-WAN'
	option family 'ipv4'
	option src 'wan'
	option proto 'icmp'
	option target 'DROP'
	list icmp_type 'echo-request'

config rule
	option name 'Deny-Multicast-from-WAN'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option target 'DROP'
	list dest_ip '224.0.0.0/4'

config rule
	option name 'Deny-Multicast-WAN-to-Internal'
	option family 'ipv4'
	option src 'wan'
	option dest '*'
	option proto 'udp'
	option target 'DROP'
	list dest_ip '224.0.0.0/4'

config rule
	option name 'Deny-Multicast-All-Zones-to-WAN'
	option family 'ipv4'
	list proto 'udp'
	option target 'DROP'
	option src '*'
	option dest 'wan'
	list dest_ip '224.0.0.0/4'

config rule
	option name 'Allow-Multicast-LAN'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'lan'
	list proto 'udp'
	list dest_ip '224.0.0.0/4'

# src 'iot': no zone of that name exists (the zone is 'IOT'), so expect
# fw4 to warn about and skip this rule. Check with `fw4 print` / logread.
config rule
	option name 'Allow-Multicast-IOT'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'iot'
	list proto 'udp'
	list dest_ip '224.0.0.0/4'

# dest 'iot': no zone of that name (see 'Allow-Multicast-IOT').
config rule
	option name 'Allow-Sonos-from-LAN'
	option family 'ipv4'
	option src 'lan'
	option dest 'iot'
	option target 'ACCEPT'
	list proto 'all'
	list dest_ip '192.168.107.120'

# src 'iot': no zone of that name. Also note this rule matches on
# src_port while its UDP sibling below matches on dest_port; confirm
# which side the port list was meant to apply to.
config rule
	option name 'Allow-Sonos-TCP-to-LAN'
	option family 'ipv4'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'tcp'
	option src_port '445 3445 1400 1433 3400 3401 3500 4070 4444'
	list src_ip '192.168.107.120'

# src 'iot': no zone of that name.
config rule
	option name 'Allow-Sonos-UDP-to-LAN'
	option family 'ipv4'
	list proto 'udp'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '319 320 1900 1901 2869 5353 6969 10280-10284 30000-65535'
	list src_ip '192.168.107.120'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Never reached for IPv4 echo-request: 'Deny-ICMP-from-WAN' above drops
# the same traffic first.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# IoT zone, named 'IOT' (upper case) while the network it carries is 'iot'.
# input ACCEPT gives every IoT device unrestricted access to the router's
# own services (ssh, LuCI, DNS, ...). The usual hardening for an IoT zone
# is input REJECT plus explicit ACCEPT rules for DHCP (udp 67) and DNS (53).
# forward ACCEPT here permits traffic between hosts inside this zone.
config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

# src 'iot': no zone of that name, so this forwarding is inert; the
# effective IOT->wan forwarding is the 'IOT' one further down.
config forwarding
	option src 'iot'
	option dest 'wan'


# Port-forward of WireGuard (udp 51820) from wan to a LAN host (address redacted).
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'remote_wg'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip 'xxxx'
	option dest_port '51820'

# dest 'iot': no zone of that name, so this DNAT does not land in the
# IoT zone as written; change it to 'IOT'.
config redirect
	option dest 'iot'
	option target 'DNAT'
	option name 'PS4 Ports'
	option src 'wan'
	option src_dport '3478-3480'
	option dest_ip 'xxxx'
	option dest_port '3478-3480'

# Plex (tcp/udp 32400) reachable from IOT. The name carries a trailing
# space; harmless, but easy to mistype if it is ever referenced.
config rule
	option name 'Allow plex '
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '32400'
	option src 'IOT'
	list dest_ip 'xxxx'
	list proto 'tcp'
	list proto 'udp'

# Effective IOT->wan forwarding (zone name matches).
config forwarding
	option src 'IOT'
	option dest 'wan'

# WireGuard client zone: masqueraded, no inbound or forwarded traffic by
# default. masq_allow_invalid '1' also masquerades conntrack-INVALID
# packets; presumably added for the tunnel's sake — confirm it is still needed.
config zone
	option name 'vpnWG'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option masq_allow_invalid '1'
	list network 'wg0'

config forwarding
	option src 'IOT'
	option dest 'vpnWG'

# Blocks all IOT->wan traffic from the two camera hosts. Because it
# precedes 'babycam_allow_123' and 'babycam_icmp', which match the same
# src/dest for the same addresses, those two ACCEPT rules never fire;
# move them above this rule if NTP/ICMP egress is intended.
config rule
	option name 'babycam_drop'
	option src 'IOT'
	option dest 'wan'
	option target 'REJECT'
	list src_ip '192.168.107.140'
	list src_ip '192.168.107.141'

# No 'dest', so this is an input rule (traffic to the router itself) on
# port 53, not a forwarding rule. Note dnsmasq is configured on port 54
# in /etc/config/dhcp; whatever listens on 53 here is not shown.
config rule
	option name 'babycam_allow_53'
	option src 'IOT'
	option dest_port '53'
	option target 'ACCEPT'
	list src_ip '192.168.107.140'
	list src_ip '192.168.107.141'

# Shadowed by 'babycam_drop' above (same src/dest, .140 is in its src_ip list).
config rule
	option name 'babycam_allow_123'
	option src 'IOT'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'
	list src_ip '192.168.107.140'
	list proto 'udp'

# Any UDP from the two cameras into the LAN, all ports.
config rule
	option name 'allow udp babycam'
	list proto 'udp'
	option src 'IOT'
	option dest 'lan'
	option target 'ACCEPT'
	list src_ip '192.168.107.140'
	list src_ip '192.168.107.141'

# Shadowed by 'babycam_drop' above (same src/dest and addresses).
config rule
	option name 'babycam_icmp'
	list proto 'icmp'
	option src 'IOT'
	option dest 'wan'
	option target 'ACCEPT'
	list src_ip '192.168.107.140'
	list src_ip '192.168.107.141'


# Home Assistant on the LAN host 192.168.1.221, port 8123, from IOT.
# No proto given, so fw4's default (tcp and udp) applies.
config rule
	option name 'HA'
	option src 'IOT'
	option dest 'lan'
	list dest_ip '192.168.1.221'
	option dest_port '8123'
	option target 'ACCEPT'


config forwarding
	option src 'lan'
	option dest 'vpnWG'

# Tailscale zone, same shape as vpnWG: masqueraded, nothing in by default.
config zone
	option name 'tailscale'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'tailscale'

config forwarding
	option src 'IOT'
	option dest 'tailscale'

config forwarding
	option src 'lan'
	option dest 'tailscale'

# pbr (policy-based routing) hooks its own rule set in at firewall reload;
# the thread later attributes the lan->IOT failure to pbr/tailscale route
# policy rather than to anything in this file.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

# The forwarding the thread is about. Both zone names are spelled
# correctly here, so the lan->IOT failure is not a zone-name problem.
config forwarding
	option src 'lan'
	option dest 'IOT'

You are mixing tagged and untagged traffic on eth0. I suppose you've got a managed switch attached to the router? If so, I strongly suggest you change the configuration to a VLAN trunk with only tagged traffic.

Usually, I define "bridge-vlan" for this kind of configuration. When using VLAN 10, the configuration looks like this:

# Reply's proposed layout: LAN moved to tagged VLAN 10.
# NOTE(review): the bridge-vlan entries below are defined on br-lan, which
# creates br-lan.10 and br-lan.107; an interface bound to 'eth0.10' would
# bypass that bridge. The device here is presumably meant to be
# 'br-lan.10' — confirm before copying.
config interface 'lan'
	option device 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option igmp_snooping '1'
	option stp '1'
	list dns '192.168.1.1'

# 'eth0:t*': VLAN 10 tagged on eth0 and marked as the port's PVID;
# 'eth0:t' alone (as for VLAN 107) is tagged only.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '107'
	list ports 'eth0:t'

and remove this section:

# The 802.1q sub-device the reply suggests removing once the bridge-vlan
# entries provide VLAN 107 on br-lan instead.
config device
	option type '8021q'
	option ifname 'eth0'
	option vid '107'
	option name 'eth0.107'

Is there something that's changed, though, in recent releases about native untagged VLAN 1?

Changing my LAN to a tagged VLAN is going to be a big task, as I've found out that Ubiquiti UniFi switches apparently do not like you using the default 192.168.1.0/24 network as a tagged VLAN.

ping 192.168.107.6 -I eth0 doesn't work from the router shell.

VLAN 1 should still work just fine, tagged or untagged.

Be careful not to conflate the network address and the VLAN ID.

As far as the switches are concerned, there is no problem tagging VLAN 1, but you could have a sequencing issue if you don't handle the tagging in the right order.

But I don't see any network config for VLAN 1.

Also, does lanX:t* break something? Should be just lanX:t.

(If multiple VLANs are involved, I personally try to stick to the old network mantra and avoid using VLAN 1 at all.)


OK, update: I blame my Tailscale config. Removing it seems to have fixed my routing woes.

Before I go and re-IP all my LAN devices over to a new VLAN (because I can't use 192.168.1.0/24 with a VLAN on this switch), what are the benefits?

Benefits of renumbering?

192.168.0.0/16 is more or less safe to use with a small reminder:

  • Just try to avoid using 192.168.0.0/23 at all.
    • 192.168.0.0/24,
    • 192.168.1.0/24
  • And 192.168.178.0/24 because of **** **** fritzbox.

If you don't need a VPN to any Corporate VPN keep in mind that there is 10.0.0.0/8 and 172.16.0.0/12, too. RFC1918 offers plenty of possibilities.

Or go with the time, and try to use IPv6-Only on the VPN.

I meant more the benefits of running a tagged VLAN for LAN traffic (I was just saying it has to come with an IP change for my setup).

Mixed traffic is OK on, e.g., a server connection: an untagged VLAN for access and then multiple VLANs for storage networks and the like.

But transporting mixed untagged and tagged traffic over the same link to switches invites issues all the time.

Also using VLAN 1 can break in so many unforeseen ways.

What's the issue / question / struggle you are facing?


OK, I moved my LAN to .10 for all LAN devices. However, with these zone forwardings I am still unable to ping devices from LAN > IoT. I had this working before; for example, my security cameras are in IoT and have viewers on the LAN connecting to them.

I expect to be able to initiate traffic from LAN to IoT but not vice versa.

Pretty confident now this is all due to policy-based routing, possibly Tailscale taking over route priorities.
