Greetings! It’s been a long time since I’ve posted on a forum - typically I’m pretty self-sufficient - but even after countless days of digging, asking GPT-4 and trying to figure this out myself, I am at a loss.
I have a GL-A1300 GL-INET router running:
openwrt-21.02 branch (git-22.347.45520-d30ab74) / OpenWrt 21.02.2 r16495-bf0c965af0
This is a travel router I have repurposed as a replacement DHCP server for my home network - as my netgear mesh was absolute trash for a router - but excellent wifi… This unit handles all of the main in and outbound connections - while my wifi is hardwired access points across the house. I have several raspberry pi boards running various functions in my home…
Here’s the issue. One of those pi’s is being purposed as a web server and I’d like it completely isolated from the rest of my lan.
I have some experience with VLANs and I managed - after a lot of struggling - to get it set up correctly… I think.
Basic layout is: one of the 2 LAN ports on the unit goes to my main LAN - the second goes to a second switch… the switch port I am using for the VLAN is untagged on that VLAN and off for the VLAN I want it isolated from.
I managed to get the VLAN isolated, DHCP set up on a different range and internet to the VLAN … Port forwarding from the internet seems to work as well.
HOWEVER - I am TRYING to avoid a complicated DNS situation - and unfortunately something in my setup is preventing my LAN from talking to the VLAN over the WAN connection… - though I have the appropriate forwards set up in the firewall… I am able to ping devices locally from the LAN to the VLAN - but not from the VLAN to the LAN - this is as I want it… BUT - I want to be able to access these services via the public domain I have set up for them from the LAN side - without being connected to the VLAN as well… this way the servers I use are easily accessible in and out of the home - even if the traffic has to hit the web…
NOW - if someone can suggest a better way that is just as easy as NAT loopback… I’m all ears… but for some reason - regardless of my loopback settings I am just not getting the results I want.
Please note I had the original 2 VLANs that came with the unit and I added the 3rd (which is the one I’m trying to get working)… This one is called “vlan3” in the configs…
Here’s my firewall (lightly redacted)-
# /etc/config/firewall (as posted): global policy, the lan and wan zones, and lan->wan forwarding.
# Zone 'input'/'output'/'forward' values override the 'config defaults' policy for that zone.
config defaults
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option input 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# masq on an internal zone rewrites the source address of traffic the router sends
# toward lan to the router's own lan address, so lan hosts see the router rather than
# the real peer.  Not needed for routing between lan and vlan3; consider '0'.
option masq '1'
option mtu_fix '1'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'tethering'
# input ACCEPT on the wan zone overrides the global 'input DROP' above: any service the
# router itself listens on is reachable from the WAN side.  The stock OpenWrt value is
# REJECT; the explicit per-port accepts later in this file (e.g. 'https_wan', 'Allow-DNS')
# only have a purpose once this is set back to REJECT.
option input 'ACCEPT'
option masq '1'
option mtu_fix '1'
# forward ACCEPT here, together with the 'config forwarding' sections with src 'wan'
# further down, admits unsolicited WAN traffic into lan and vlan3 on every port, not
# only the DNAT'd ones.  fw3 emits its own accept rule for DNAT'd (port-forwarded)
# connections, so REJECT here and removing those wan-sourced forwardings keeps every
# 'config redirect' working while closing everything else.
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
# The rules below (Allow-DHCP-Renew .. Support-UDP-Traceroute) appear to be the stock
# OpenWrt 21.02 WAN input rules; they accept only the specific protocols/ports named,
# and are evaluated before the zone policy.  With the wan zone at 'input ACCEPT' they
# are redundant, but they are what keeps DHCP/ICMPv6 working once input is REJECT again.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'neighbour-advertisement'
list icmp_type 'neighbour-solicitation'
list icmp_type 'packet-too-big'
list icmp_type 'router-advertisement'
list icmp_type 'router-solicitation'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
# dest '*' = forwarding rule (WAN -> any zone) rather than an input rule.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest '*'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest '*'
# Disabled (enabled '0'); listed for completeness.
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Script includes run outside the UCI model: whatever these files add is not visible in
# this listing, so check them too when a rule seems to have no effect.
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
# Named sections from here on look vendor-added (GL.iNet): DNS blocking, connection-mark
# based VPN policy routing, and two extra WAN accepts.  Most are disabled (enabled '0').
config rule 'block_dns'
option name 'block_dns'
option src '*'
option device 'br-+'
option dest_port '53'
option target 'REJECT'
option enabled '0'
# Marks locally generated traffic owned by gid 65533 with 0x8000/0xc000; the matching
# 'config rule' entries in the network config route that mark via table 8000.
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '0'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '0'
option src '*'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '0'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '0'
# dest '*' makes this a forwarding rule: DHCP (67-68, tcp+udp) arriving on wan is
# forwarded into every zone.  The router's own DHCP client is already covered by the
# stock Allow-DHCP-Renew input rule above; this one is only needed if a DHCP server
# behind the router must be reachable from the WAN side.
config rule
option name 'Allow-DHCP'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '67-68'
option src 'wan'
option dest '*'
# Same shape for DNS: WAN-originated port 53 is forwarded into every zone.  The
# internal hosts (10.0.0.0/24, 10.0.100.0/24) are on private addresses, so this only
# matters if something upstream can route to them, but it is wider than the redirects
# need and is worth disabling together with the wan->lan forwarding below.
config rule
option name 'Allow-DNS'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option src 'wan'
option dest '*'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '0'
**REDACTED**
# Port forwards to 10.0.0.2 (a lan host).  No 'target' is given, so fw3's default DNAT
# applies.  reflection_src 'external' rewrites the source of hairpinned connections to
# the WAN address; by default fw3 generates the reflection rules only for the redirect's
# dest zone, which here is 'lan' - so loopback from lan clients works for these two.
config redirect
option dest_ip '10.0.0.2'
option src 'wan'
option dest 'lan'
option reflection_src 'external'
option dest_port '8181'
list proto 'tcp'
list proto 'udp'
option src_dport '8181'
option name 'OpenVPN'
config redirect
option dest_ip '10.0.0.2'
option src 'wan'
option dest 'lan'
option reflection_src 'external'
option dest_port '8080'
list proto 'tcp'
list proto 'udp'
option src_dport '8080'
option name 'Wireguard'
# Vendor rules.  'dest_proto' is not a rule option I know in fw3 (the key is 'proto'),
# so these may be relying on fw3's default protocol handling - confirm the generated
# rules with `fw3 print` if the DROPs matter once wan input is set back to REJECT.
config rule 'sambasharewan'
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'
config rule 'sambasharelan'
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'
config rule 'glnas_ser'
option src 'wan'
option dest_port '6000-6002'
option dest_proto 'tcp'
option target 'DROP'
config rule 'webdav_wan'
option src 'wan'
option dest_port '6008'
option dest_proto 'tcp'
option target 'DROP'
# This accepts ALL traffic arriving on wan toward lan (every host, every port), not
# just the port forwards above - fw3 already accepts DNAT'd connections on its own.
# It is the single largest exposure in this file and is not needed for any redirect
# to work; remove it (and the matching wan->vlan3 forwarding further down).
config forwarding
option dest 'lan'
option src 'wan'
# Port forwards to the vlan3 web/media host 10.0.100.10.  Likely cause of the reported
# symptom: fw3 creates NAT-reflection (loopback) rules only for the zones listed in
# 'reflection_zone', and that list defaults to the redirect's dest zone - 'vlan3' here.
# Clients in 'lan' therefore reach the public IP with no hairpin.  Adding
#   list reflection_zone 'lan'
#   list reflection_zone 'vlan3'
# to each of the four vlan3 redirects (MUMBLE, RTMP, port 80, port 443) enables
# loopback for lan clients while keeping it for vlan3.
config redirect
option src 'wan'
option name 'MUMBLE'
option target 'DNAT'
option dest_ip '10.0.100.10'
option dest_port '64738'
list proto 'tcp'
list proto 'udp'
option src_dport '64738'
option dest 'vlan3'
option reflection_src 'external'
# No 'proto' is given here, unlike MUMBLE; fw3's default protocol handling applies -
# add list proto 'tcp' (and 'udp' if RTMP needs it) to be explicit.
config redirect
option dest_port '1935-1940'
option src 'wan'
option name 'RTMP'
option src_dport '1935-1940'
option target 'DNAT'
option dest 'vlan3'
option dest_ip '10.0.100.10'
option reflection_src 'external'
# Input rule (no 'dest'): tcp/444 to the router itself from wan.  Redundant while the
# wan zone is 'input ACCEPT'; it becomes the only such opening once that is REJECT,
# so make sure whatever listens on 444 is meant to be public.
config rule 'https_wan'
option src 'wan'
option proto 'tcp'
option target 'ACCEPT'
option dest_port '444'
# Vendor script includes: their iptables rules are not visible in this listing.
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
# Zone for the isolated VLAN.  'input ACCEPT' lets the vlan3 host reach every service
# the router runs; for an internet-facing host it is tighter to set input to REJECT
# and accept only DHCP/DNS from this zone with explicit rules.
config zone
option name 'vlan3'
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'vlan3'
list device 'eth0.3'
# masq on this zone SNATs everything the router forwards into vlan3 - including the
# DNAT'd public connections - to 10.0.100.1, so the web server's logs and any
# rate-limiting on it never see the real client address.  Consider '0'.
option masq '1'
config forwarding
option dest 'wan'
option src 'vlan3'
# Accepts all WAN traffic toward vlan3 on every port; not required for the DNAT
# redirects (fw3 accepts those itself).  Remove, as with the wan->lan forwarding.
config forwarding
option dest 'vlan3'
option src 'wan'
config redirect
option dest_port '80'
option src 'wan'
option name 'Webserver port 80'
option src_dport '80'
option dest 'vlan3'
option dest_ip '10.0.100.10'
option target 'DNAT'
option reflection_src 'external'
# One-way: lan may initiate to vlan3, but there is no vlan3->lan forwarding, which
# matches the intended isolation.
config forwarding
option dest 'vlan3'
option src 'lan'
config redirect
option dest_port '443'
option src 'wan'
option name 'Webserver Port 443'
option src_dport '443'
option dest 'vlan3'
option dest_ip '10.0.100.10'
option target 'DNAT'
option reflection_src 'external'
HERE IS MY NETWORK
# /etc/config/network (as posted): loopback, bridge/devices, lan, wan, switch VLAN 1.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd33:4c21:d60a::/48'
# br-lan bridges only eth0 (untagged, see VLAN 1 below); eth0.3 is a separate
# 802.1q sub-interface and is deliberately not in this bridge.
config device
option name 'br-lan'
option type 'bridge'
option mtu6 '1470'
option mtu '1470'
list ports 'eth0'
config device
option name 'eth0'
option macaddr '94:83:c4:39:70:e9'
option mtu6 '1470'
option mtu '1470'
# lan = 10.0.0.1/24.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option isolate '0'
option ipaddr '10.0.0.1'
option ip6hint '0000'
option ip6ifaceid '::1'
option ip6assign '64'
config device
option name 'eth1'
option macaddr '94:83:c4:39:70:e8'
option mtu6 '1470'
option mtu '1470'
# wan via DHCP with the upstream-supplied resolvers ignored (peerdns '0').  The first
# resolver, 10.0.0.2, is a lan host (the same one the OpenVPN/Wireguard redirects point
# at); if it is slow or down the router silently falls through to 1.1.1.1 / 8.8.8.8,
# which will return the public address for your domain - keep that in mind when
# debugging "why does the name resolve to the outside IP from inside".
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option metric '1'
list dns '10.0.0.2'
list dns '1.1.1.1'
list dns '8.8.8.8'
option peerdns '0'
option force_link '0'
option ipv6 '0'
# IPv6 on wan is off ('ipv6 0' above) and wan6 is disabled, so the IPv6 firewall
# rules in the firewall config are inert for now.
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option reqprefix 'auto'
option reqaddress 'try'
option sourcefilter '0'
option peerdns '0'
option disabled '1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 (lan): port 4 untagged; the CPU port is listed as '0 0' in every switch_vlan
# section of this file, so that is the vendor's form for this board - leave it.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option description 'LAN'
option ports '0 0 4'
# Vendor interfaces (tethering, wwan, modem, guest, zerotier) and policy-routing rules.
# Everything marked disabled '1' is inactive.
config interface 'tethering6'
option proto 'dhcpv6'
option device '@tethering'
option disabled '1'
config interface 'wwan6'
option proto 'dhcpv6'
option device '@wwan'
option reqaddress 'try'
option reqprefix 'auto'
option disabled '1'
# guest (192.168.9.1/16) is disabled; it is also not in any firewall zone in the
# posted firewall config.
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
option ip6prefix 'fd33:4c21:d60a::/48'
option ip6assign '64'
option ip6hint '0001'
option ip6ifaceid '::1'
option ip6class 'guest'
option netmask '255.255.0.0'
config interface 'wwan'
option proto 'dhcp'
option metric '3'
config interface 'modem_1_1_2_6'
option proto 'dhcpv6'
option device '@modem_1_1_2'
option disabled '1'
# Policy routing: traffic carrying mark 0x8000/0xc000 (set by the firewall's
# 'process_mark' rule) is looked up in table 8000; everything else uses 'main'.
config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config device
option mtu6 '1470'
option name 'wlan1'
option mtu '1470'
config device
option mtu6 '1470'
option name 'wlan0'
option mtu '1470'
# The zerotier interface is not listed in any zone of the posted firewall config, so
# traffic on it falls under the defaults (input DROP, forward REJECT) - presumably
# intended, but worth confirming if ZeroTier is actually in use.
config interface 'zerotier'
option device 'ztjlh4chm6'
option proto 'none'
config interface 'modem_1_1_6'
option proto 'dhcpv6'
option disabled '1'
option device '@modem_1_1'
config interface 'tethering'
option proto 'dhcp'
option metric '2'
option device 'usb0'
config route6
**REDACTED**
config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'
# VLAN 2 (wan): port 5, CPU tagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option description 'WAN'
option ports '0t 0t 5'
# eth0.3 = 802.1q VID 3 on eth0; this is what the 'vlan3' interface and firewall zone
# bind to.  'acceptlocal' (accept packets with a local source address) is not needed
# for a plain VLAN sub-interface - looks copied; confirm it is intentional.
config device
option vid '3'
option type '8021q'
option name 'eth0.3'
option ifname 'eth0'
option acceptlocal '1'
# vlan3 = 10.0.100.1/24 (the web host is 10.0.100.10 per the firewall redirects).
config interface 'vlan3'
option device 'eth0.3'
option proto 'static'
option ipaddr '10.0.100.1'
option delegate '0'
option netmask '255.255.255.0'
# VLAN 3: switch port 3 untagged, CPU tagged (matches eth0.3).  Port 3 is not a
# member of VLAN 1 above, so it is L2-isolated from lan as described in the post.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option description 'VLAN3'
option ports '0t 0t 3'
& here is my DHCP
# NOTE(review): this listing uses /etc/config/firewall syntax (zones, forwardings,
# redirects), not /etc/config/dhcp - it reads as a second, condensed firewall draft.
# Confirm which file it is before applying anything from it.
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'reflection' is not a 'defaults' option I know of in fw3; reflection is controlled
# per redirect (where it is already on by default).  Likely ignored - check with
# `fw3 print`.
option reflection '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'lan'
# Better than the first listing (forward REJECT, no wan->lan forwarding), but the wan
# zone still has input ACCEPT, so every router service stays reachable from WAN.
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'tethering'
# masq on vlan3 hides real client addresses from the web server (it sees 10.0.100.1).
config zone
option name 'vlan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'vlan3'
list device 'eth0.3'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'vlan3'
option dest 'wan'
# This opens all of vlan3 to WAN on every port.  The DNAT redirects below already get
# their own accept rules from fw3, so this forwarding is not needed for them.
config forwarding
option src 'wan'
option dest 'vlan3'
# Folding the stock per-protocol rules into one section has concrete problems:
#  - 'option family' is given twice; UCI keeps the last value, so this rule is IPv6-only
#    and the IPv4 DHCP-renew accept (udp/68) is silently lost.  Omit 'family' entirely.
#  - fw3 emits one iptables rule per listed proto; ports only apply to tcp/udp and
#    icmp_type only to icmp, so esp/icmp combined with dest_port is at best confusing.
#  - the documented form is one value per 'list' line; a single space-separated list
#    entry may or may not be split, and a trailing '#' comment after a value is not a
#    documented UCI form - put comments on their own line.
# The stock rules from the first listing are the safer way to express this.
config rule
option name 'Allow-Essential-WAN-Services'
option src 'wan'
option target 'ACCEPT'
list proto 'udp'
list proto 'tcp'
list proto 'icmp'
list proto 'esp'
option family 'ipv4'
option family 'ipv6'
list dest_port '67 68 546 500' # DHCP, DHCPv6, ISAKMP
list icmp_type 'echo-request echo-reply destination-unreachable time-exceeded'
# NAT Reflection for specific services (MUMBLE, RTMP, Webserver).
# 'option reflection 1' is the fw3 default, so it changes nothing on its own.  The
# missing piece for lan clients is the zone list: reflection rules are generated only
# for the redirect's dest zone ('vlan3') unless 'reflection_zone' says otherwise.  Add
#   list reflection_zone 'lan'
#   list reflection_zone 'vlan3'
# to each redirect.  Note this draft has no 443 redirect; the first listing does
# ('Webserver Port 443').
config redirect
option name 'MUMBLE'
option src 'wan'
option src_dport '64738'
option dest 'vlan3'
option dest_ip '10.0.100.10'
option dest_port '64738'
list proto 'tcp'
list proto 'udp'
option target 'DNAT'
option reflection '1'
config redirect
option name 'RTMP'
option src 'wan'
option src_dport '1935-1940'
option dest 'vlan3'
option dest_ip '10.0.100.10'
option dest_port '1935-1940'
option target 'DNAT'
option reflection '1'
config redirect
option name 'Webserver port 80'
option src 'wan'
option src_dport '80'
option dest 'vlan3'
option dest_ip '10.0.100.10'
option dest_port '80'
option target 'DNAT'
option reflection '1'
# Custom user scripts and includes
config include
option path '/etc/firewall.user'
config include
option path '/etc/firewall.nat6'
option reload '1'
# Security and management.  The port labels below are guesses from this draft: in the
# first listing 6000-6002 belongs to the vendor rule 'glnas_ser' and 6008 to
# 'webdav_wan', not X11.  These DROPs only matter while the wan zone is 'input ACCEPT';
# with input REJECT they are redundant.  Trailing '#' comments after a value are not a
# documented UCI form - move them to their own lines.
config rule
option name 'Block-Unwanted-Traffic'
option src 'wan'
option target 'DROP'
list proto 'tcp'
list proto 'udp'
list dest_port '137 138 139 445' # SMB
list dest_port '6000-6002' # X11
list dest_port '6008' # WebDAV
# VPN Server Policy (if used, otherwise remove or disable)
config include 'vpn_server_policy'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '0'
# Optional: ZeroTier configuration (enable or adjust as needed)
# config zone 'zerotier'...
# Additional configurations for guest network, if used
# config zone 'guest'...
# config forwarding...
# config rule 'Allow-Guest-DHCP-and-DNS'...
& some screenies…
ANY HELP ON THIS ONE DESERVES A TIP!
Kindest regards!