intervlan routing problem

Discussion in 'Tomato Firmware' started by linkmaniac, Nov 28, 2011.

  1. linkmaniac

    linkmaniac Networkin' Nut Member

    Hi all,

    I've created some VLANs in the Tomato GUI and configured static routing, but I still cannot access one VLAN from another. What am I doing wrong? Should I change something in the iptables? I've tried "iptables service stop" and a reboot, but it didn't help. Please help!!! (attachments: network.png, routing.png)

    Thanks in advance.
     
  2. Toastman

    Toastman Super Moderator Staff Member Member

    Did you discover the VLAN-Access page? I think that has what you need.

    (attachment: VLAN-GUI-3.PNG)
     
  3. linkmaniac

    linkmaniac Networkin' Nut Member

    Yes, it's already set. But it doesn't help... (attachment: LAN.png)
     
  4. linkmaniac

    linkmaniac Networkin' Nut Member

    Any other suggestions?
     
  5. linkmaniac

    linkmaniac Networkin' Nut Member

    This is what I have in iptables with:
    iptables -L -n
    iptables -L -n -v
    iptables -L chain-name -n -v
    iptables -L spamips -n -v

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    shlimit tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33534 limit: avg 5/sec burst 5
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:456 dpt:456
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:111 dpt:111
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:222 dpt:222

    Chain FORWARD (policy DROP)
    target prot opt source destination
    all -- 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.23.0/255.255.255.0 name: lan3
    all -- 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.22.0/255.255.255.0 name: lan2
    all -- 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.21.0/255.255.255.0 name: lan1
    all -- 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.20.0/255.255.255.0 name: lan
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    monitor all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    wanin all -- 0.0.0.0/0 0.0.0.0/0
    wanout all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 192.168.22.0 192.168.21.0
    ACCEPT all -- 192.168.21.0 192.168.22.0
    upnp all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain monitor (1 references)
    target prot opt source destination
    RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 WEBMON --max_domains 300 --max_searches 300

    Chain shlimit (1 references)
    target prot opt source destination
    all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: shlimit side: source
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

    Chain upnp (1 references)
    target prot opt source destination

    Chain wanin (1 references)
    target prot opt source destination

    Chain wanout (1 references)
    target prot opt source destination

    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    1055 108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 shlimit tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
    1 67 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    655 58072 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    418 46696 ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0
    435 49097 ACCEPT all -- br2 * 0.0.0.0/0 0.0.0.0/0
    418 46696 ACCEPT all -- br3 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33534 limit: avg 5/sec burst 5
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    418 46696 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:456 dpt:456
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:111 dpt:111
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:222 dpt:222

    Chain FORWARD (policy DROP 6 packets, 312 bytes)
    pkts bytes target prot opt in out source destination
    0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.23.0/255.255.255.0 name: lan3
    51 16740 all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.22.0/255.255.255.0 name: lan2
    6 312 all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.21.0/255.255.255.0 name: lan1
    22323 16M all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.20.0/255.255.255.0 name: lan
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br1 br1 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br2 br2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br3 br3 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    721 34712 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    10045 2075K monitor all -- * vlan4 0.0.0.0/0 0.0.0.0/0
    21995 16M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 wanin all -- vlan4 * 0.0.0.0/0 0.0.0.0/0
    373 19479 wanout all -- * vlan4 0.0.0.0/0 0.0.0.0/0
    370 19323 ACCEPT all -- br0 vlan4 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br1 vlan4 0.0.0.0/0 0.0.0.0/0
    3 156 ACCEPT all -- br2 vlan4 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br3 vlan4 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br2 br1 192.168.22.0 192.168.21.0
    0 0 ACCEPT all -- br1 br2 192.168.21.0 192.168.22.0
    0 0 upnp all -- vlan4 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 6581 packets, 1835K bytes)
    pkts bytes target prot opt in out source destination

    Chain monitor (1 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 WEBMON --max_domains 300 --max_searches 300

    Chain shlimit (1 references)
    pkts bytes target prot opt in out source destination
    0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: shlimit side: source
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

    Chain upnp (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination

    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination

    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name

    Is this alright? I see iptables is configured to allow the communication between LAN1 and LAN2. There must be something else...
     
  6. kthaddock

    kthaddock Network Guru Member

    Try to remove Src and Dst; they're optional:

    • Src Address (optional) - Source address allowed. Ex: "1.2.3.4", "1.2.3.4 - 2.3.4.5", "1.2.3.0/24".
    • Dst Address (optional) - Destination address inside the LAN.
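An added example (not code from the thread or from Tomato) that illustrates both the listing in post 5 and the Src/Dst suggestion above: the two inter-bridge ACCEPT rules at the end of the posted FORWARD chain carry a bare `192.168.22.0` / `192.168.21.0` with no prefix length, and iptables prints an address that way only when the rule was written as a single host (/32). Such a rule can never match a real client on the subnet, which is consistent with its 0-packet counter. The script below parses `iptables -L FORWARD -n -v` output (a constructed sample modelled on the posted rules; the counters and the extra `br1 -> br3` rule are illustrative), flags inter-bridge ACCEPT rules whose source or destination is a bare network address, lists which bridge pairs are usable, and notes pairs that are allowed in one direction only.

```python
import ipaddress

# Constructed sample in `iptables -L FORWARD -n -v` format, modelled on the
# rules posted in the thread (counters and the br1->br3 rule are made up).
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP 6 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source               destination
22323   16M            all  --  *      *       0.0.0.0/0            0.0.0.0/0            account: network/netmask: 192.168.20.0/255.255.255.0 name: lan
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
  370 19323 ACCEPT     all  --  br0    vlan4   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br2    br1     192.168.22.0         192.168.21.0
    0     0 ACCEPT     all  --  br1    br2     192.168.21.0         192.168.22.0
   12  1200 ACCEPT     all  --  br1    br3     192.168.21.0/24      192.168.23.0/24
"""

# Protocol names that can appear where a target would otherwise be; rows from
# match-only modules such as `account` have an empty target column.
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}


def parse_rules(listing):
    """Turn a verbose iptables listing into a list of rule dicts."""
    rules = []
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 8 or not tokens[0].isdigit():
            continue  # chain header, column header or blank line
        pkts, rest = int(tokens[0]), tokens[2:]   # tokens[1] is the byte count
        target = "" if rest[0] in PROTOCOLS else rest.pop(0)
        if len(rest) < 6:
            continue
        prot, _opt, in_if, out_if, src, dst = rest[:6]
        rules.append({"pkts": pkts, "target": target, "prot": prot,
                      "in": in_if, "out": out_if, "src": src, "dst": dst})
    return rules


def is_bare_network_address(addr):
    """True when addr has no prefix length but looks like a subnet address.

    iptables prints `-s 192.168.22.0/24` as `192.168.22.0/24`; a bare
    `192.168.22.0` means the rule matches exactly that one host (/32).
    """
    if "/" in addr or addr == "0.0.0.0":
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and ip.packed[-1] == 0


def _inter_bridge_accepts(listing):
    for r in parse_rules(listing):
        if (r["target"] == "ACCEPT" and r["in"] != r["out"]
                and r["in"].startswith("br") and r["out"].startswith("br")):
            yield r


def audit_inter_bridge_rules(listing):
    """Flag inter-bridge ACCEPT rules whose src or dst can never match a client."""
    findings = []
    for r in _inter_bridge_accepts(listing):
        for field in ("src", "dst"):
            if is_bare_network_address(r[field]):
                findings.append({"in": r["in"], "out": r["out"], "field": field,
                                 "address": r[field], "pkts": r["pkts"]})
    return findings


def permitted_bridge_pairs(listing):
    """Sorted (in, out) bridge pairs that have a usable ACCEPT rule."""
    dead = {(f["in"], f["out"]) for f in audit_inter_bridge_rules(listing)}
    return sorted({(r["in"], r["out"]) for r in _inter_bridge_accepts(listing)
                   if (r["in"], r["out"]) not in dead})


def missing_reverse_pairs(listing):
    """Pairs allowed one way only: replies still pass via the RELATED,ESTABLISHED
    rule, but new connections from the other side hit the DROP policy."""
    pairs = set(permitted_bridge_pairs(listing))
    return sorted(p for p in pairs if (p[1], p[0]) not in pairs)


if __name__ == "__main__":
    for f in audit_inter_bridge_rules(SAMPLE_FORWARD):
        print(f"{f['in']}->{f['out']}: {f['field']} {f['address']} is a /32 host match "
              f"({f['pkts']} packets); add a prefix length or leave the field empty")
    print("usable pairs:", permitted_bridge_pairs(SAMPLE_FORWARD))
    print("one-way only:", missing_reverse_pairs(SAMPLE_FORWARD))
```

Run it against the real listing by piping `iptables -L FORWARD -n -v` into `parse_rules`. The fix the audit points to is the same one suggested above: either give the Src/Dst fields a proper prefix length (`192.168.22.0/24`) or leave them empty so the rule matches all hosts on the two bridges.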
     
  7. linkmaniac

    linkmaniac Networkin' Nut Member

    That doesn't work either... And the router mode too... Any other suggestions?
     
  8. teaman

    teaman LI Guru Member

    Do all machines have the router IP address as their default gateway? That's not optional...
     
  9. linkmaniac

    linkmaniac Networkin' Nut Member

    Success! (kind of...). Thanks for your quick responses and your hints! I've managed to configure routes from vlan1 to vlan2 and now I can access my NAS. This is the case in "router" mode. But another problem appeared. I have no access to the internet... I have to have access to the internet from both vlan1 and vlan2. When I change to "gateway" I can access the internet but not my NAS. I tried on the WAN port as well as from a port on vlan1, but it doesn't work. I cannot have inter-VLAN routing and internet simultaneously, or what?
     
  10. clarknova

    clarknova Networkin' Nut Member

    Delete your static routes. The router already knows how to find attached networks. You don't need RIP either based on what you've told us, and you shouldn't have to mess with iptables. You will need your LAN access rules, but if you don't need SRC and DST addresses in there (you want to allow all SRC and DST hosts) then leave them out.
     
  11. teaman

    teaman LI Guru Member

    Hi there!

    First of all: I don't think you ever mentioned your router model and/or which particular build/mod/version you're currently using (or did I miss anything?!?). But... why would such things be relevant? :)

    • about the HW model: well... some routers have a single MII (Media Independent Interface) connecting all LAN and WAN ports to the internal switch. However, some routers have two MII (one for the LAN ports, another for the WAN port). If that's the case... I'm afraid there's not much to be done regarding your attempts at reassigning the WAN port as a member of a LAN-facing VLAN :confused:
    • about the particular build/mod/version: well... there's lots of different versions out there... so you want to make sure you have a build that... contains the commits/changes/patches required for your particular goals, don't you agree? :)

    I mean: this VLAN separation/isolation thing has been under development for a few months now. Every few weeks, we learn about some situation and/or experience by users out there (such as yourself) that... we simply haven't considered and/or never thought about ;)

    Therefore, I believe there might be a few commits/patches/changes that could be relevant to your particular situation:


    And finally, this one (just published/pushed a few moments ago, should be included on some newer builds/mods soon....):


    With all that being said, I'd like to suggest you to please keep in mind a few things:

    • when reporting any bugs/problems/issues, please do share with us as much information as you could possibly gather about the whole thing (i.e. HW model, firmware/mod version, etc...)
    • also... please allow me to remind you that... none of us is actually... there (with you)... seeing/experiencing what you've been seeing (so again: please do include as much information as you can)
    • and finally: when/if something doesn't work... please check if you do have the latest and/or most recent version of whatever build/mod you've been using on your router (mostly, because we've been releasing updates almost every week... and perhaps... a specific problem you might have found... could have been already fixed on a newer and/or more recent build).

    Now, all of us should take a deep breath before continuing :)

    Let me assure you something about this: yes, you can (in fact, I wrote that code for my personal use, not to mention I've been using that feature on my WRT54GL for quite a while...). Therefore... we just need to figure out what might be wrong/different on your particular deployment ;)

    Cheers!
     
  12. shibby20

    shibby20 Network Guru Member

    You didn't create VLANs. You created only bridges (brX). Please show us the Advanced->VLAN page.
     