VLAN WOES! VLAN server accessible from web but not from inside LAN

Greetings! It’s been a long time since I’ve posted on a forum - typically i’m pretty self sufficient - but even after countless days of digging, asking GPT-4 and trying to figure this out myself I am at a loss.

I have a GL-A1300 GL-INET router running:
openwrt-21.02 branch (git-22.347.45520-d30ab74) / OpenWrt 21.02.2 r16495-bf0c965af0

This is a travel router I have repurposed as a replacement DHCP server for my home network - as my netgear mesh was absolute trash for a router - but excellent wifi… This unit handles all of the main in and outbound connections - while my wifi is hardwired access points across the house. I have several raspberry pi boards running various functions in my home…

Here’s the issue. One of those pi’s is being purposed as a web server and I’d like it completely isolated from the rest of my lan.

I have some experience with VLANS and I managed - after a lot of struggling to get it set up correctly … I think.

Basic layout is one of the 2 LAN ports on the unit goes to my main LAN - the second goes to a second switch… the port I am using for the VLAN is untagged for the port and off for the VLAN I want it isolated from.

I managed to get the VLAN isolated, DHCP set up on a different range and internet to the VLAN … Port forwarding from the internet seems to work as well.

HOWEVER - I am TRYING to avoid a complicated DNS situation - and unfortunately something in my set up is preventing my LAN from talking to the VLAN over the WAN connection… - though I have the appropriate forwards set up in the firewall… I am able to ping devices locally from the LAN to the VLAN - but not from the VLAN to the LAN - this is as I want it… BUT - I want to be able to access these services via their public domain I have set up from the LAN side - without being connected to the VLAN as well… this way servers I use are easily accessible in and out of the home - even if the traffic has to hit the web…

NOW - if someone can suggest a better way that is just as easy as NAT loopback… I’m all ears… but for some reason - regardless of my loopback settings I am just not getting the results I want.

Please note I had the original 2 VLANS that came with the unit and I added the 3rd (which is the one i’m trying to get working)… This one is called “vlan3” in the configs…

Here’s my firewall (lightly redacted)-

config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option input 'DROP'
	

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'tethering'
	option input 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest '*'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest '*'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '*'
	option device 'br-+'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

config rule 'process_mark'
	option name 'process_mark'
	option dest '*'
	option proto 'all'
	option extra '-m owner --gid-owner 65533'
	option target 'MARK'
	option set_xmark '0x8000/0xc000'

config rule 'wan_in_conn_mark'
	option name 'wan_in_conn_mark'
	option src 'wan'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-j CONNMARK --set-xmark 0x8000/0xc000'
	option enabled '0'

config rule 'lan_in_conn_mark_restore'
	option name 'lan_in_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
	option enabled '0'
	option src '*'

config rule 'out_conn_mark_restore'
	option name 'out_conn_mark_restore'
	option dest '*'
	option set_xmark '0x8000/0xc000'
	option target 'MARK'
	option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
	option enabled '0'

config include 'swap_wan_in_conn_mark'
	option type 'script'
	option reload '1'
	option path '/etc/firewall.swap_wan_in_conn_mark.sh'
	option enabled '0'

config rule
	option name 'Allow-DHCP'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option src 'wan'
	option dest '*'

config rule
	option name 'Allow-DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option src 'wan'
	option dest '*'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '0'

**REDACTED**

config redirect
	option dest_ip '10.0.0.2'
	option src 'wan'
	option dest 'lan'
	
	option reflection_src 'external'
	option dest_port '8181'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '8181'
	option name 'OpenVPN'

config redirect
	option dest_ip '10.0.0.2'
	option src 'wan'
	option dest 'lan'
	
	option reflection_src 'external'
	option dest_port '8080'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '8080'
	option name 'Wireguard'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config forwarding
	option dest 'lan'
	option src 'wan'

config redirect
	option src 'wan'
	option name 'MUMBLE'
	option target 'DNAT'
	option dest_ip '10.0.100.10'
	option dest_port '64738'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '64738'
	option dest 'vlan3'
	
	option reflection_src 'external'

config redirect
	option dest_port '1935-1940'
	option src 'wan'
	option name 'RTMP'
	option src_dport '1935-1940'
	option target 'DNAT'
	option dest 'vlan3'
	option dest_ip '10.0.100.10'
	
	option reflection_src 'external'

config rule 'https_wan'
	option src 'wan'
	option proto 'tcp'
	option target 'ACCEPT'
	option dest_port '444'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'vlan3'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	list network 'vlan3'
	list device 'eth0.3'
	option masq '1'

config forwarding
	option dest 'wan'
	option src 'vlan3'

config forwarding
	option dest 'vlan3'
	option src 'wan'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'Webserver port 80'
	option src_dport '80'
	option dest 'vlan3'
	option dest_ip '10.0.100.10'
	option target 'DNAT'
	
	option reflection_src 'external'

config forwarding
	option dest 'vlan3'
	option src 'lan'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'Webserver Port 443'
	option src_dport '443'
	option dest 'vlan3'
	option dest_ip '10.0.100.10'
	option target 'DNAT'
	
	option reflection_src 'external'

HERE IS MY NETWORK

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd33:4c21:d60a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option mtu6 '1470'
	option mtu '1470'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr '94:83:c4:39:70:e9'
	option mtu6 '1470'
	option mtu '1470'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option isolate '0'
	option ipaddr '10.0.0.1'
	option ip6hint '0000'
	option ip6ifaceid '::1'
	option ip6assign '64'

config device
	option name 'eth1'
	option macaddr '94:83:c4:39:70:e8'
	option mtu6 '1470'
	option mtu '1470'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option metric '1'
	list dns '10.0.0.2'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option peerdns '0'
	option force_link '0'
	option ipv6 '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqprefix 'auto'
	option reqaddress 'try'
	option sourcefilter '0'
	option peerdns '0'
	option disabled '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0 0 4'

config interface 'tethering6'
	option proto 'dhcpv6'
	option device '@tethering'
	option disabled '1'

config interface 'wwan6'
	option proto 'dhcpv6'
	option device '@wwan'
	option reqaddress 'try'
	option reqprefix 'auto'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'
	option ip6prefix 'fd33:4c21:d60a::/48'
	option ip6assign '64'
	option ip6hint '0001'
	option ip6ifaceid '::1'
	option ip6class 'guest'
	option netmask '255.255.0.0'

config interface 'wwan'
	option proto 'dhcp'
	option metric '3'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option device '@modem_1_1_2'
	option disabled '1'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config device
	option mtu6 '1470'
	option name 'wlan1'
	option mtu '1470'

config device
	option mtu6 '1470'
	option name 'wlan0'
	option mtu '1470'

config interface 'zerotier'
	option device 'ztjlh4chm6'
	option proto 'none'

config interface 'modem_1_1_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1'

config interface 'tethering'
	option proto 'dhcp'
	option metric '2'
	option device 'usb0'

config route6
**REDACTED**

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option description 'WAN'
	option ports '0t 0t 5'

config device
	option vid '3'
	option type '8021q'
	option name 'eth0.3'
	option ifname 'eth0'
	option acceptlocal '1'

config interface 'vlan3'
	option device 'eth0.3'
	option proto 'static'
	option ipaddr '10.0.100.1'
	option delegate '0'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'VLAN3'
	option ports '0t 0t 3'

& here is my DHCP

config defaults
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option reflection '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'lan'

config zone
    option name 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'wwan'
    list network 'tethering'

config zone
    option name 'vlan3'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'vlan3'
    list device 'eth0.3'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'vlan3'
    option dest 'wan'

# Ensure traffic from WAN can reach VLAN3
config forwarding
    option src 'wan'
    option dest 'vlan3'

# Essential services rules: DHCP, DNS, IPSec, and ICMPv6
config rule
    option name 'Allow-Essential-WAN-Services'
    option src 'wan'
    option target 'ACCEPT'
    list proto 'udp'
    list proto 'tcp'
    list proto 'icmp'
    list proto 'esp'
    option family 'ipv4'
    option family 'ipv6'
    list dest_port '67 68 546 500' # DHCP, DHCPv6, ISAKMP
    list icmp_type 'echo-request echo-reply destination-unreachable time-exceeded'

# NAT Reflection for specific services (MUMBLE, RTMP, Webserver)
config redirect
    option name 'MUMBLE'
    option src 'wan'
    option src_dport '64738'
    option dest 'vlan3'
    option dest_ip '10.0.100.10'
    option dest_port '64738'
    list proto 'tcp'
    list proto 'udp'
    option target 'DNAT'
    option reflection '1'

config redirect
    option name 'RTMP'
    option src 'wan'
    option src_dport '1935-1940'
    option dest 'vlan3'
    option dest_ip '10.0.100.10'
    option dest_port '1935-1940'
    option target 'DNAT'
    option reflection '1'

config redirect
    option name 'Webserver port 80'
    option src 'wan'
    option src_dport '80'
    option dest 'vlan3'
    option dest_ip '10.0.100.10'
    option dest_port '80'
    option target 'DNAT'
    option reflection '1'

# Custom user scripts and includes
config include
    option path '/etc/firewall.user'

config include
    option path '/etc/firewall.nat6'
    option reload '1'

# Security and management
config rule
    option name 'Block-Unwanted-Traffic'
    option src 'wan'
    option target 'DROP'
    list proto 'tcp'
    list proto 'udp'
    list dest_port '137 138 139 445' # SMB
    list dest_port '6000-6002' # X11
    list dest_port '6008' # WebDAV

# VPN Server Policy (if used, otherwise remove or disable)
config include 'vpn_server_policy'
    option path '/etc/firewall.vpn_server_policy.sh'
    option reload '1'
    option enabled '0'

# Optional: ZeroTier configuration (enable or adjust as needed)
# config zone 'zerotier'...

# Additional configurations for guest network, if used
# config zone 'guest'...
# config forwarding...
# config rule 'Allow-Guest-DHCP-and-DNS'...

& some screenies…

Screenshot 2024-04-06 0703571065×934 40.5 KB

Screenshot 2024-04-06 0706581059×1247 86.7 KB

Screenshot 2024-04-06 0705451060×1158 51.2 KB

Screenshot 2024-04-06 0700501069×1762 132 KB

ANY HELP ON THIS ONE DESERVES A TIP!

Kindest regards!

Just figured i’d report back since I had some success - someone may come across this - and I spent 3 days racking my head against my desk trying to get this working the way I wanted…

SO - after pounding my head against the desk I decided to set all of my external WAN domains in my “dnsmasq.conf” file to redirect to my main gateway using the following syntax at the bottom of the file…

address=/EXTERNAL DOMAIN NAME/INTERNAL ADDRESS

after setting all of the domains I typically access to route back to my main gateway - in this case 10.0.0.1 … I was then able to set up a second set of port forwarding rules to allow the ports I needed - in this case 80, 443, and whatever else to go from my lan - and then route back to the server.

See the following screenie from my port forwarding rules…

Screenshot 2024-04-06 1938281182×611 45.5 KB

Basically once I implemented the private server vlan it segmented how my NAT Loopbacks were working - so this was a reasonable work-around. I’m still seeing one or two weird things as a result of this, but hopefully this helps someone make progress VLAN-ing on these routers.

This solved my issue where I was unable to resolve servers on the vlan - from my lan over a WAN domain (gosh what a mouthful) - I was able to access over local IPs - but something in NAT loopback is causing me a headache after 3 days of looking at config files.

Perhaps it’s just how GL-iNet handles vlan traffic… oh well! On to the next problem!

Marking this as solved- but if someone has any input on how I could do this differently, please let me know!

Cheers!