GL-B1300: cannot access devices in different vlan

Hello,
I have 2 VLANs correctly set up on my B1300. Devices on both of them can reach the internet, but I cannot connect to a device on the other VLAN: e.g. if I try to connect from my laptop (on the LAN VLAN) to my Home Assistant (on my IoT VLAN).

I can ping/traceroute the devices on the opposite VLAN without problems, but I have the impression that some firewall rule is still blocking the responses.

Can you help me to spot the blocking part?

From LAN vlan (192.168.8.0):

$ traceroute 192.168.10.5
traceroute to 192.168.10.5 (192.168.10.5), 64 hops max, 52 byte packets
 1  gl-b1300 (192.168.8.1)  22.718 ms  2.851 ms  3.140 ms
 2  home-assistant (192.168.10.5)  4.245 ms  4.979 ms  4.098 ms
$ curl http://192.168.10.5 -p 8123
curl: (7) Failed to connect to 192.168.10.5 port 80 after 14 ms: Connection refused
curl: (7) Couldn't connect to server

From IoT vlan (192.168.10.0):

$ traceroute -p 8123 192.168.8.25
traceroute to 192.168.8.25 (192.168.8.25), 64 hops max, 52 byte packets
 1  gl-b1300 (192.168.10.1)  21.246 ms  1.524 ms  2.135 ms
 2  raspberry1 (192.168.8.25)  3.396 ms  5.081 ms  3.223 ms

/etc/config/firewall

cat /etc/config/firewall

# /etc/config/firewall as pasted in the thread. Rules are evaluated in the
# order they appear here; zone and forwarding sections set the policies the
# rules refine. Per-section notes below describe only what this file shows.

# --- wan input rules (look like the stock OpenWrt defaults) ---------------

# DHCP renewals from the upstream server may reach the router's client port.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 echo requests from the wan side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 is limited to link-local source/destination addresses.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# --- wan -> lan forward rules for IPsec (ESP and IKE on UDP/500) ----------
# Neither rule has a dest_ip, so they accept these protocols towards any lan
# host rather than one VPN endpoint. NOTE(review): these sections are unnamed;
# confirm they are intended (e.g. a VPN setup) before keeping them.
config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# --- guest zone service rules ---------------------------------------------
# The guestzone zone below has input 'REJECT', so DHCP and DNS to the router
# must be opened explicitly here.
config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

# --- SMB / NetBIOS ---------------------------------------------------------
# DROP from wan, ACCEPT from lan, on the NetBIOS and SMB ports.
# NOTE(review): these use 'dest_proto' rather than the usual 'proto' option;
# verify in the generated ruleset that the protocol match is applied as
# intended, since an unrecognised option would silently be ignored.
config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

# --- IoT zone service rules (both disabled: enabled '0') ------------------
# They are currently redundant because the IoTzone zone below has input
# 'ACCEPT'. If IoTzone input is ever tightened to REJECT, these are the rules
# to re-enable so IoT devices keep DHCP and DNS from the router.
config rule
	option target 'ACCEPT'
	option name 'IoTzone_DHCP'
	option proto 'udp'
	option src 'IoTzone'
	option dest_port '67 68'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'IoTzone_DNS'
	option src 'IoTzone'
	option enabled '0'

# --- mDNS ------------------------------------------------------------------
# Accepts UDP 5353 -> 5353 to the mDNS multicast group from ANY zone
# (src '*'), which includes wan. Limiting src to the zones that need
# discovery (lan, IoTzone) would narrow the exposure on the wan side.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '5353'
	option name 'allow mDNS'
	option src_port '5353'
	option dest_ip '224.0.0.251'
	option family 'ipv4'
	option src '*'

# --- Chromecast pinholes, lan -> IoTzone host 192.168.10.10 ---------------
# These three rules are redundant while the unconditional lan -> IoTzone
# forwarding section further down exists; they only matter if that
# forwarding is removed.
config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '8008-8009'
	option name 'Chromecast 8008-8009'
	option dest 'IoTzone'
	option dest_ip '192.168.10.10'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '32768-61000'
	option name 'Chromecast 32768-61000'
	option dest 'IoTzone'
	option dest_ip '192.168.10.10'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '8443'
	option name 'Chromecast 8443'
	option dest 'IoTzone'
	option dest_ip '192.168.10.10'
	option src 'lan'

# --- global defaults -------------------------------------------------------
# Forwarding between zones is rejected unless a forwarding section or rule
# allows it; input/output to the router are accepted by default (each zone
# overrides this below). drop_invalid discards packets conntrack marks
# INVALID; syn_flood enables SYN rate limiting.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option disabled '0'
	option drop_invalid '1'
	option forward 'REJECT'
	option syn_flood '1'

# lan: fully open towards the router.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# wan: NAT (masq) with MSS clamping; unsolicited input is dropped.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'DROP'

# --- included scripts ------------------------------------------------------
# Each of these can add rules that are NOT visible in this file. When
# debugging a block, inspect the effective ruleset (e.g. iptables-save or
# nft list ruleset on the router) rather than this file alone.
config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

# guest: isolated — input and forward rejected, only guest -> wan forwarded.
config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'

# IoT: same open policy as lan (input/output/forward ACCEPT). The zone's
# 'forward' policy governs traffic between networks inside this zone;
# traffic to other zones is decided by the forwarding sections below.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'IoTzone'
	option network 'IoT'
	option forward 'ACCEPT'

# --- inter-zone forwardings ------------------------------------------------
config forwarding
	option dest 'wan'
	option src 'lan'

# IoTzone -> lan: gives every IoT device unrestricted access to the lan
# segment, which removes most of the benefit of a separate IoT VLAN.
# NOTE(review): if the goal is only lan -> IoT access (laptop -> Home
# Assistant), the lan -> IoTzone forwarding below should suffice, with
# replies handled by connection tracking; consider dropping this section or
# replacing it with narrow per-service rules.
config forwarding
	option dest 'lan'
	option src 'IoTzone'

config forwarding
	option dest 'wan'
	option src 'IoTzone'

# lan -> IoTzone: allows all lan traffic into the IoT zone. With this and the
# IoTzone -> lan section both present, nothing in this file blocks TCP 8123
# between the two zones; the earlier curl output shows the attempt went to
# port 80, not 8123.
config forwarding
	option dest 'IoTzone'
	option src 'lan'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'
	option family 'any'
	option reload '0'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

Bumping this post. It seems that, for some reason, the forwarding from IoT to LAN is being ignored.

Can you check the guest zone config?

Adjusting the guest zone firewall settings like this will allow the guest zone and the private zone to talk to each other. Can you apply the same change to the IoT zone?

lQLPJxaZbsBjKkzNAavNAgaw1kGJ3j9yx3kC_HNHxwDSAA_518_427

Your traceroute has shown that lan and iot can already reach each other properly. Note also that your curl attempt was refused on port 80, not 8123, so it does not show a firewall block on 8123 either.

I’m not sure what ‘curl -p’ is meant to do here; maybe try curl http://192.168.10.5:8123 instead.