OS:
root@home:~# cat /etc/os-release
NAME="OpenWrt"
VERSION="24.10.0"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 24.10.0"
VERSION_ID="24.10.0"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r28427-6df0e3d02a"
OPENWRT_BOARD="mediatek/filogic"
OPENWRT_ARCH="aarch64_cortex-a53"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 24.10.0 r28427-6df0e3d02a"
OPENWRT_BUILD_DATE="1738624177"
root@home:~# uname -a
Linux home 6.6.73 #0 SMP Mon Feb 3 23:09:37 2025 aarch64 GNU/Linux
Setup:
eth1 (sfp-lan): belongs to the default br-lan / firewall zone lan (192.168.40.*).
lan1@eth0: belongs to the default br-lan / zone lan.
eth1.900@eth1: belongs to firewall zone T_VLAN (192.168.3.*).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint 'f'
config interface 'T_VLAN'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint 'e'
option device 'eth1.900'
Add forwarding rules from T_VLAN to both lan and wan:
config forwarding
option src 'T_VLAN'
option dest 'lan'
Now 192.168.3.* can ping 8.8.8.8 and can ping 192.168.40.*, and it's conntracked.
(Does the [UNREPLIED] flag imply that the echo reply didn't match the conntrack entry? The reply-direction tuple below shows packets=0.)
root@home:~# cat /proc/net/nf_conntrack | grep icmp
ipv4 2 icmp 1 29 src=192.168.3.229 dst=192.168.40.227 type=8 code=0 id=61095 packets=49 bytes=4116 [UNREPLIED] src=192.168.40.227 dst=192.168.3.229 type=0 code=0 id=61095 packets=0 bytes=0 mark=0 zone=0 use=2
Everything is fine and expected; however, this is not the behavior I want, since I only want lan to be able to initiate connections to T_VLAN.
Let's undo the previous config and use the following:
config forwarding
option src 'lan'
option dest 'T_VLAN'
Initiate a ping from 192.168.40.* to 192.168.3.*; it is rejected in the reverse direction (the ICMP echo reply).
Netfilter log:
Mon Apr 21 09:05:31 2025 kern.warn kernel: [20211.020771] reject T_VLAN forward: IN=eth1.900 OUT=br-lan MAC=<MAC> SRC=192.168.3.229 DST=192.168.40.227 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9274 PROTO=ICMP TYPE=0 CODE=0 ID=24371 SEQ=172
tcpdump on the peer interface of eth1:
1745226508.901729 <MAC> > <MAC>, ethertype IPv4 (0x0800), length 98: 192.168.40.227 > 192.168.3.229: ICMP echo request, id 24371, seq 345, length 64
1745226508.901787 <MAC> > <MAC>, ethertype 802.1Q (0x8100), length 102: vlan 900, p 0, ethertype IPv4 (0x0800), 192.168.3.229 > 192.168.40.227: ICMP echo reply, id 24371, seq 345, length 64
1745226508.922340 <MAC> > <MAC>, ethertype 802.1Q (0x8100), length 130: vlan 900, p 0, ethertype IPv4 (0x0800), 192.168.3.1 > 192.168.3.229: ICMP 192.168.40.227 protocol 1 port 44882 unreachable, length 92
Clearly the echo request got through, but without a conntrack entry, and it is very odd that the packet left untagged. The echo reply was rejected by netfilter, which makes sense since no conntrack entry had been established.
If we do it from OpenWrt itself (192.168.3.1 → 192.168.3.229), we can see that it's conntracked and the echo request is tagged as expected:
ipv4 2 icmp 1 29 src=192.168.3.1 dst=192.168.3.229 type=8 code=0 id=12024 packets=69 bytes=5796 src=192.168.3.229 dst=192.168.3.1 type=0 code=0 id=12024 packets=69 bytes=5796 mark=0 zone=0 use=2
# peer interface shows correctly tagged echo request
1745226998.242957 <MAC> > <MAC>, ethertype 802.1Q (0x8100), length 102: vlan 900, p 0, ethertype IPv4 (0x0800), 192.168.3.1 > 192.168.3.229: ICMP echo request, id 12024, seq 194, length 64
1745226998.243012 <MAC> > <MAC>, ethertype 802.1Q (0x8100), length 102: vlan 900, p 0, ethertype IPv4 (0x0800), 192.168.3.229 > 192.168.3.1: ICMP echo reply, id 12024, seq 194, length 64
I've also tried VLAN filtering, adding VLAN IDs to br-lan instead of creating eth1.900 (which gives br-lan.900), but the results were pretty much identical.