Can't connect to other subnets unless both devices are set to DHCP

I am trying to create and talk between several subnets. Each network needs to have some DHCP, but also allow for statically assigned devices so long as the IP isn't already taken. Even when entering the correct gateway, I cannot ping or connect to devices on other subnets (unless I set them to DHCP).

Is this possible? How can I achieve this?

Here's a rough diagram:

A and B can talk to one another fine, but C can only talk to its own subnet, using 192.168.8.1 as its gateway.

And here are the various logs I've seen people ask for in other posts:

 ubus call system board;
{
	"kernel": "5.10.134",
	"hostname": "BastianLabRouter",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.0-rc6",
		"revision": "r19590-042d558536",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.0-rc6 r19590-042d558536"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:0700:db4f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option name 'br-lan.2'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option name 'br-lan.3'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option name 'br-lan.4'

config interface 'Vlan1'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'Vlan2'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'Vlan3'
	option proto 'static'
	option device 'br-lan.3'
	option netmask '255.255.255.0'
	option ipaddr '10.203.26.1'

config interface 'Vlan4'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

config device
	option name 'lan4.10'
	option type '8021q'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan3'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'wwan'
	option proto 'dhcp'

config device
	option name 'wlan0'

config interface 'wifi_backup'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option name 'br-lan.5'
	option ipv6 '0'

config interface 'AP_net'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3'
	list ports 'lan4:t'

config route
	option interface 'Vlan1'
	option target '192.168.8.1/24'
	option gateway '192.168.8.1'

config route
	option interface 'Vlan2'
	option target '192.168.8.1/24'
	option gateway '192.168.3.1'

config route
	option interface 'Vlan3'
	option target '192.168.8.1/24'
	option gateway '192.168.8.1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Vlan1'
	option interface 'Vlan1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Vlan2'
	option interface 'Vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'Vlan3'
	option interface 'Vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Vlan4'
	option interface 'Vlan4'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'DESKTOP-E'
	option dns '1'
	option ip '192.168.8.10'

config host
	option name 'iconnors10b'
	option mac '000000000001'
	option ip '192.168.8.138'

config host
	option name 'DESKTOP-7L'
	option mac '000000000002'
	option ip '192.168.8.12'

config dhcp 'wifi_backup'
	option interface 'wifi_backup'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vlans'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Vlan1'
	list network 'Vlan2'
	list network 'Vlan3'
	list network 'Vlan4'
	list network 'wifi_backup'
	list network 'AP_net'
	list network 'lan'

config forwarding
	option src 'vlans'
	option dest 'lan'

config zone
	option name 'wifitest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Vlan4'

config forwarding
	option src 'wifitest'
	option dest 'vlans'

{
	"kernel": "5.10.134",
	"hostname": "BastianLabRouter",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.0-rc6",
		"revision": "r19590-042d558536",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.0-rc6 r19590-042d558536"
	}
}
~ # uci export network; uci export dhcp; uci export firewall;
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:0700:db4f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option name 'br-lan.2'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option name 'br-lan.3'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option name 'br-lan.4'

config interface 'Vlan1'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'Vlan2'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'Vlan3'
	option proto 'static'
	option device 'br-lan.3'
	option netmask '255.255.255.0'
	option ipaddr '10.203.26.1'

config interface 'Vlan4'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

config device
	option name 'lan4.10'
	option type '8021q'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan3'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'wwan'
	option proto 'dhcp'

config device
	option name 'wlan0'

config interface 'wifi_backup'
	option proto 'static'
	option device 'wlan0'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option name 'br-lan.5'
	option ipv6 '0'

config interface 'AP_net'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3'
	list ports 'lan4:t'

config route
	option interface 'Vlan1'
	option target '192.168.8.1/24'
	option gateway '192.168.8.1'

config route
	option interface 'Vlan2'
	option target '192.168.8.1/24'
	option gateway '192.168.3.1'

config route
	option interface 'Vlan3'
	option target '192.168.8.1/24'
	option gateway '192.168.8.1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Vlan1'
	option interface 'Vlan1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Vlan2'
	option interface 'Vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'Vlan3'
	option interface 'Vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Vlan4'
	option interface 'Vlan4'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'DESKTOP-E'
	option dns '1'
	option ip '192.168.8.10'

config host
	option name 'iconnors10b'
	option mac '000000000001'
	option ip '192.168.8.138'

config host
	option name 'DESKTOP-7L'
	option mac '000000000002'
	option ip '192.168.8.12'

config dhcp 'wifi_backup'
	option interface 'wifi_backup'
	option start '100'
	option limit '150'
	option leasetime '12h'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vlans'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Vlan1'
	list network 'Vlan2'
	list network 'Vlan3'
	list network 'Vlan4'
	list network 'wifi_backup'
	list network 'AP_net'
	list network 'lan'

config forwarding
	option src 'vlans'
	option dest 'lan'

config zone
	option name 'wifitest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Vlan4'

config forwarding
	option src 'wifitest'
	option dest 'vlans'

ip -4 addr


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
12: br-lan.2@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan.2
       valid_lft forever preferred_lft forever
13: br-lan.3@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.203.26.1/24 brd 10.203.26.255 scope global br-lan.3
       valid_lft forever preferred_lft forever
14: br-lan.4@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan.4
       valid_lft forever preferred_lft forever
15: br-lan.5@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global br-lan.5
       valid_lft forever preferred_lft forever
16: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet [redacted] brd [redacted] scope global wlan1
       valid_lft forever preferred_lft forever
18: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever

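Remove all the routes... all networks that are defined on the router are already in the routing table... adding these routes may just mess things up (and they are defined incorrectly anyway: each one targets '192.168.8.1/24', a host address rather than the network 192.168.8.0/24, and uses one of the router's own interface addresses as the gateway).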

You also appear to have the physical port mappings set up such that multiple networks are attempting to use the same ports untagged (lan3 is listed without a tag in VLANs 1, 2, 3 and 5 and as 'u*' in VLAN 4)... you can only have a single untagged network per port.

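Next, remove the 'wifitest' zone and its forwarding config... Vlan4 is already included in another zone ('vlans', whose forward policy is ACCEPT, so traffic between its member networks is already allowed by the firewall).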


I made all of the recommended changes, thanks.

I can now ping from DHCP -> static across subnets, but still cannot do the reverse (static -> DHCP).

I almost posted that, then double-checked my settings -- the DNS had been changed to blank on my PC side. After filling in the appropriate DNS server, I can now reach both ways (not sure why this matters, though; maybe an artifact of macOS).

Nonetheless, thanks!

Can you give specific details about the following:

  1. An example of a host IP address on one subnet > host IP on another subnet that works
  2. The same as above, but for a pair that doesn't work
  3. The complete IP information of each of the hosts in case 2:
  • DHCP or static IP
  • IP address
  • Subnet mask
  • Router/Gateway
  • DNS
  4. How these devices are physically connected to the network.