Can't pass through DHCP on my Openwrt One

I have a new Openwrt One (I've not used Openwrt before).

What I want it to do is essentially just act as a wireless bridge - clients connect to the wifi and all traffic gets passed to my server (which runs a DHCPd). I feel this ought to be easy...

I've set up networking as follows:
device eth1.2 [VLAN 2 on eth1, which is the LAN port]
interface lan device eth1.2, static config, assigned to LAN firewall zone, DHCP Server set to Ignore interface
br-lan bridge (which I think came pre-configured) set to use eth1.2 in Bridge ports
both radios enabled, both default OpenWrt SSIDs enabled, network set to "Lan"
Under DHCP and DNS, Authoritative un-ticked.

The LAN port on the openwrt one is connected to an ethernet port on my server, which is configured to use VLAN 2 to talk to it - and I can connect via ssh and http fine.

I tried adding an explicit relay from 172.16.22.253 (the openwrt one IP) to 172.16.22.254 (my server's address) or having no relay configured (which seems more natural, I just want the packets passed on), but no joy.

I've been running `tcpdump -i enp1s0f1.2 port 67 or port 68 -e -n -v` and DHCP packets are not getting through.

What am I doing wrong, please?

[to address the "why" question - eventually I want to have different SSIDs on the wireless and bridge them to different VLANs so they'll get different IPs from my server and so on]

I meant to add - I've done all the config via the web UI.

Config details:
/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:2c13:b5b3::/48'

# Bridge device: br-lan has the VLAN sub-interface eth1.2 as its only listed port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.2'

# LAN interface with a static address in 172.16.22.240/28; the gateway is the
# server at 172.16.22.254.
# NOTE(review): this interface is attached to eth1.2 directly rather than to
# the br-lan device defined above, and it also carries 'option type bridge'.
# The fix accepted later in the thread was to set the device to 'br-lan' and
# remove the 'option type' line.
config interface 'lan'
        option device 'eth1.2'
        option proto 'static'
        option ipaddr '172.16.22.253'
        option netmask '255.255.255.240'
        option ip6assign '60'
        option gateway '172.16.22.254'
        option type 'bridge'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '2'
        option name 'eth1.2'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option num_global_macaddr '7'
        option country 'GB'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option num_global_macaddr '7'
        option country 'GB'
        option cell_density '0'

# Access point on radio1 (the 5 GHz radio), attached to the 'lan' network.
# NOTE(review): encryption 'none' makes this an open SSID. Because it is
# attached to 'lan', any device in radio range joins the same segment as the
# server, and with the lan firewall zone set to input ACCEPT it can also reach
# the router's own SSH and web UI. Once DHCP pass-through works, set a
# WPA2/WPA3 mode (for example 'psk2' or 'sae') together with 'option key'.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

# Access point on radio0 (the 2.4 GHz radio): same SSID, same 'lan' network,
# and the same open (unencrypted) setting as the radio1 access point.
config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option network 'lan'

/etc/config/dhcp [with the relay configured]

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# DHCP settings for the 'lan' interface.
# 'option ignore 1' is the "Ignore interface" setting from the web UI: the
# local DHCP server is not meant to hand out leases here, leaving the upstream
# server as the only DHCPv4 source for wireless clients.
# NOTE(review): dhcpv6 and ra are still set to 'server'. Confirm that odhcpd
# is not answering on this interface, otherwise the AP may announce itself as
# an IPv6 router alongside the upstream server. The bridged-AP guide linked
# later in the thread turns RA-Service, DHCPv6-Service and NDP-Proxy off.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP relay from the AP's own address (172.16.22.253) to the server
# (172.16.22.254) on the 'lan' interface.
# NOTE(review): both addresses sit in the same subnet on the same interface.
# On a plain layer-2 bridge, client DHCP broadcasts should reach the server
# without a relay, so this section is presumably unnecessary; confirm and
# remove it once the bridge itself is fixed.
config relay
        option local_addr '172.16.22.253'
        option server_addr '172.16.22.254'
        option interface 'lan'

/etc/config/firewall [I don't think I've changed this from default]

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: traffic addressed to the router itself (input) is accepted from
# every member of the 'lan' network. The wireless access points are attached
# to 'lan', so their clients can reach the router's own services (SSH, web UI).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

This may help: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap

This is from my AP (DHCP pass through works fine):

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ip6segmentrouting '0'
	option drop_unsolicited_na '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.100'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.1'
	option delegate '0'
	option ipv6 '0'
	list dns '10.0.0.1'

The firewall should not be involved if all traffic is in the lan zone.

I did then find https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap which suggested a couple more things to turn off (RA-Service, DHCPv6-Service, and NDP-Proxy under IPv6 settings), but still no joy :(

Which way are you trying to form a bridge? From wired upstream > wifi, or wifi upstream > wired?

DHCP on my AP:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

I don't quite understand the question, sorry. I'm trying to bridge from wifi (where my client machines are) to my DHCP server (which is attached to the LAN port of the openwrt one with an ethernet cable) [and said DHCP server is in turn connected to the wider internet].

i.e. a client device should connect to the wireless network, and have its DHCP request bridged to my DHCP server

Sorry if the question wasn't clear...

Please confirm that the DHCP server is connected via ethernet to the OpenWrt One. And can you confirm that the ethernet connection is also the path to the internet, as well?

A diagram could be helpful if there is any ambiguity or multiple things to consider here (a photo of one that is hand drawn w/ pen and paper is fine).

Yes, DHCP server connected via ethernet to OpenWrt One. And that's also the path to the internet (and that's working - from the diagnostics tab I can ping openwrt.org just fine).

Ok... so the setup is quite simple... you just need a few edits:

Remove the bridge line (`option type 'bridge'`) at the bottom of the `lan` interface section in /etc/config/network, and change that interface's device to br-lan:

This will work assuming that your ethernet connection is tagged VLAN 2. If you're working with an untagged network, just edit the br-lan definition to use eth1 instead of eth1.2.

You can delete this:

And you can also delete this:

Then restart and test again.


That lot of changes did the trick, thank you!
