Unable to connect between two networks within the same firewall zone

wowbaggerHU · November 15, 2022, 8:18am

Dear Members,

I have a Turris MOX router, and I had to separate the WiFi AP to a new interface from the br-lan bridge that holds the switch ports. So the wired clients sit on one interface and the WiFi clients on another. Both interfaces (when viewed from Luci) belong to the same firewall zone. For this reason I assumed that the devices residing in either of them would be able to connect to the devices in the other. But that doesn’t seem to be the case.
What may be causing this?
To be more precise… I have a network-enabled printer that is connected to one of the switch ports, and now I can’t connect to it from one of my machines connected to the WiFi interface.
I can’t even ping the printer’s IP address, which was possible earlier when the switchports and the WiFi AP were bridged.

Any help would be appreciated.

dhopfm · November 15, 2022, 9:43am

Did you allow traffic forwarding for that firewall zone?

wowbaggerHU · November 15, 2022, 10:21am

Both the wired ports (br-lan) in question and the WiFi network (wlan) belong to the same firewall zone (lan). I don’t fully understand what you are getting at.
On the firewall settings page in Luci, there is a possibility to set this behavior with respect to certain directions: lan => wan and so on. There forward is set to accept.
Also on the firewall settings page there is General settings where you can set the default behavior for Input / Output / Forward. There Forward is set to reject, but I don’t think I am supposed to change that.

I think this forwarding ruleset doesn’t apply here, because the traffic is not even leaving the firewall zone.

dhopfm · November 15, 2022, 10:47am

Yeah, there’s always been a bit of confusion around the Forward setting (and maybe the UI could be a bit clearer here):

This setting controls whether traffic can flow between interfaces that belong to the same zone (in my example: lan). This is the setting which is relevant in your case.

The Forward setting under General Settings (further up on that page) controls whether traffic can generally be forwarded between zones. As you mentioned, you probably want to leave that disabled (reject or drop).

wowbaggerHU · November 15, 2022, 10:56am

Okay, thanks for the explanation.
It has been set to accept from the beginning for me.

dhopfm · November 15, 2022, 11:00am

Presumably your two interfaces are using different IP subnets, I’ll assume 192.168.1.0/24 and 192.168.2.0/24 here and that the router interfaces are configured to use .1 for both.

Can you ping from a device to the other subnet’s .1 address? If yes, can you ping a different device on the printer subnet?

wowbaggerHU · November 15, 2022, 11:11am

It’s actually two neighboring /25 networks, but petty much yes.

No the pings to the router’s address in the other network are unsuccessful, and neither can I ping other devices.

dhopfm · November 15, 2022, 11:33am

Please share the output of ip -4 -br a and ip -4 -br r so we can exclude addressing issues.

wowbaggerHU · November 15, 2022, 12:25pm

# ip -4 -br a
lo               UNKNOWN        127.0.0.1/8 
eth0             UP             192.168.0.10/24 
br-lan           UP             192.168.10.1/25 
br-wlan          UP             192.168.10.129/25 
tun_turris       UNKNOWN        192.168.11.1/28

wowbaggerHU · November 17, 2022, 2:42pm

The problem is still present.

wowbaggerHU · November 25, 2022, 9:40am

Any help would be welcome.