Clients on VLAN/Subnet Can’t Connect to Internet

I need more help with setting up my network for an IOT isolation subnet.

Some of the IOT devices cannot be seen as online via the manufacturer app, some kind of routing problem I guess. Those same devices are shown as “no response” in the Apple Home app, an Avahi/reflector and/or routing problem again, I guess.

I have a Flint2 openwrt router, configured as a router.

I have a Synology RT2600ac in AP mode with its WAN connected to lan3 of the Flint2 router. The Synology also has 2 mesh WIFI APs (MR2200ac). The Synology AP is for the IOT devices to connect via WIFI. This AP also is VLAN aware.

I have a TP-link mesh system in AP mode connected to lan2 of the Flint2 openwrt router. This router is for any non-IOT devices on the primary network.

I am running 2 additional services on the Flint2 router: tailscale, adguard home, and avahi.

I have all IP addresses statically assigned in hosts, ethers, and the DHCP config file on the Flint2.

My primary network is 10.9.5.0/24. My IOT network is 10.9.8.0/24.

What I have done on the Synology AP:

  1. Added a new network and assigned it VLAN ID 8 and assigned an SSID that all IOT devices connect to. This VLAN 8 becomes tagged across all ports, because all ports are bridged (including the WAN).

What I have done on the Flint2 openwrt router:

  1. Enabled bridge VLAN filtering on the br-lan device.
  2. Added 2 VLAN IDs:
     • 5 for the primary network, setting all lan ports to untagged and the primary VLAN
     • 8 for the IOT network, setting all lan ports to untagged and only lan3 tagged
  3. Changed the device of the lan interface from br-lan to br-lan.5
  4. Created an interface for the br-lan.8 device: static address, IP of 10.9.8.1, netmask 255.255.255.0
  5. Enabled DHCP for this interface on device br-lan.8
  6. Created a firewall for this interface, allowing forwarding to the wan for internet and forwarding from source from the lan:
     • Input: Accept, Output: Accept, Intra zone forwarding: reject
  7. Set up a traffic rule to allow the IOT zone to access ports 53 54 67 68 for DNS and DHCP. I wasn’t sure about the DNS port being 53 or 54 since AdGuard Home uses 54 even though 53 is the default.
  8. Set up a traffic rule to allow mDNS for UDP port 5353 from any zone to any zone for both IPv4 and IPv6.
  9. Save and Apply on the Flint2 openwrt
  10. Rebooted the Flint2 openwrt, Synology mesh, and TP-link mesh

My questions:

Is there anything I need to do with DHCP options or routing for the new 10.9.8.0/24 using VLAN 8?

Is there anything I need to do with avahi-daemon.conf?

Is there anything to do with the firewall so that IOT devices can reach the internet?

I’m wondering why I am not receiving any responses for help with my configuration to allow IOT devices on a secondary subnet to both reach the internet and be seen through avahi?
Please let me know if more information is needed and I will post that. Thank you.

Let's review your actual config... this can tell us a lot and we can usually resolve things quickly.

Please post the configs from both the main router and the AP.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you @psherman. I will need to go through my steps again to set everything up. I reverted back to not using VLANs and subnets and just having everything on a single subnet. Everything works this way. Would it be helpful if I posted all of the config information in the current state, before making any changes?

If you've got a flat network right now, the full config may not be that useful.
However, we could use:

  • A network topology diagram, complete with the addresses of each infrastructure device (router, AP, switches, etc.), the ports that connect to each device, and the brand + model and firmware of each device.
  • for all OpenWrt devices, the output of ubus call system board

Each of the 2nd and 3rd APs connects wirelessly to the master AP, which is connected to the Flint OpenWrt router.

ubus call system board

{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

From a topology standpoint, using 2 sets of APs is not ideal insofar as the increased radio noise in your environment. It would be far better to have VLAN aware APs such that a single set can broadcast your multiple SSIDs. Doing this over mesh isn't trivial, though, and many consumer grade mesh systems don't support multiple networks.

That said, achieving the goal with the topology you've laid out should certainly be possible... easy, in fact.

I made all of the changes to setup the VLAN and subnet and these are the config outputs.

ubus call system board

{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'lan1'

config device
	option name 'lan4'

config device
	option name 'lan5'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3:t'
	list ports 'lan4'
	list ports 'lan5'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '9'
	option htmode 'HE20'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Payette'
	option encryption 'sae-mixed'
	option key ''
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
	option ieee80211r '1'
	option ft_over_ds '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '136'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Owyhee'
	option encryption 'sae-mixed'
	option key ''
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
	option ieee80211r '1'
	option ft_over_ds '0'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Owyhee'
	option encryption 'sae-mixed'
	option key ''
	option ocv '0'
	option network 'lan'
	option ieee80211r '1'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Payette'
	option encryption 'sae-mixed'
	option key ''
	option ocv '0'
	option ieee80211r '1'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option port '54'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '110'
	option limit '140'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '3,10.9.5.1'
	list dhcp_option '6,10.9.5.1'
	list dhcp_option '15,br-lan'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

#multiple static config host with IP address and Mac addresses removed

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'Tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'tailscale'

config forwarding
	option src 'Tailscale'
	option dest 'lan'

config rule
	option name 'Allow-IOT-mDNS'
	option family 'ipv4'
	option src '*'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-IOT-mDNS6'
	option family 'ipv6'
	option src '*'
	option src_port '5353'
	list dest_ip 'ff02::fb'
	option dest_port '5353'
	option target 'ACCEPT'
	list proto 'udp'
	option dest '*'

config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

config forwarding
	option src 'IOT'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IOT'

config forwarding
	option src 'Tailscale'
	option dest 'IOT'

config rule
	option name 'IOT DHCP and DNS'
	option src 'IOT'
	option dest_port '53 54 67 68'
	option target 'ACCEPT'

cat /etc/avahi/avahi-daemon.conf

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

On a port-by-port basis, what should each port do?

From your diagram, lan3 should be the 10.9.8.0/24 network, and lan2 should be the 10.9.5.0/24 network. It appears that both of those should be untagged on their respective ports.

What about ports 1, 4, and 5?

I'm only using port 2 and 3 at this time.
Port 2 is VLAN 5, the primary that is bridged to all other ports, my secure side, connected to the tp-link mesh.
Port 3 is VLAN 8, is for the IOT devices, wanting that isolated from all other ports.
I only have VLAN 8 tagged on port 3.
All other VLAN 8 ports are untagged.
For VLAN 5, all ports untagged and marked as PVID.

Ok... so we'll do this:

  • VLAN 5 on ports 1, 2, 4, and 5; all untagged
  • VLAN 8 on port 3 only; untagged.

Let's fix the problems...

First, edit the bridge-VLAN for VLAN 5 to omit port lan3:

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

Then edit bridge-VLAN for VLAN 8 to only have port lan3, and to make it untagged + PVID:

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan3:u*'

I have several recommendations for the wireless config, but it's moot because you've got all of them disabled on this device.

You may want to change input to REJECT on the IOT firewall zone to improve security, but this is not critical immediately.

Restart your router once you've made the VLAN changes and then test.
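As an added example (not code from this thread or from OpenWrt), a small Python audit of the bridge-vlan sections: it parses the UCI text as posted and reports every port that is untagged in more than one VLAN, which is exactly the leak of VLAN 8 onto the primary ports that the corrected sections above remove. The embedded sample is a constructed copy of the pre-fix config.

```python
"""Audit bridge-vlan port membership in an OpenWrt /etc/config/network (added
example, not code from the thread): flag ports that are untagged in more than
one VLAN and ports claimed as PVID by more than one VLAN."""
import re
from collections import defaultdict
# Constructed sample: the two bridge-vlan sections posted before the fix.
BEFORE_FIX = """config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3:t'
	list ports 'lan4'
	list ports 'lan5'
"""

def parse_bridge_vlans(text):
    """{vlan_id: {port: flags}}; a bare port name means untagged, no PVID."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('config '):
            cur = {'ports': {}} if line.split()[1] == 'bridge-vlan' else None
            sections.append(cur)
        elif cur is not None:
            m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
            if m and m.group(1) == 'option':
                cur[m.group(2)] = m.group(3)
            elif m and m.group(2) == 'ports':
                port, _, flags = m.group(3).partition(':')
                cur['ports'][port] = flags or 'u'   # 'u', 'u*' or 't'
    return {int(s['vlan']): s['ports'] for s in sections if s and 'vlan' in s}
def audit(vlans):
    """Sorted (port, problem) pairs; an empty list means the ports are clean."""
    per_port = defaultdict(list)
    for vid, ports in vlans.items():
        for port, flags in ports.items():
            per_port[port].append((vid, flags))
    findings = []
    for port, members in sorted(per_port.items()):
        untagged = sorted(v for v, f in members if f.startswith('u'))
        pvid = sorted(v for v, f in members if f == 'u*')
        if len(untagged) > 1:   # frames of every listed VLAN leave unlabelled
            findings.append((port, 'untagged in VLANs %s' % untagged))
        if len(pvid) > 1:       # ingress untagged frames have no single home
            findings.append((port, 'PVID claimed by VLANs %s' % pvid))
    return findings
if __name__ == '__main__':
    for port, problem in audit(parse_bridge_vlans(BEFORE_FIX)):
        print(port, problem)
```

Run it against a copy of the router's own /etc/config/network (for example by replacing BEFORE_FIX with the file contents) and it should print nothing once the two sections match the corrected ones.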

Changes made; IOT devices still can't reach the internet and show offline in their apps on the phone. The Apple Home app also cannot see them and shows "no response".

It's some kind of routing or dns problem, right?

Home kit will not cross subnets by default.

First test (with a laptop or a phone) that each network is functioning in general.

Then, you’ll need to add an mdns reflector. Look for avahi.

Interesting. If I switch my computer from the 10.9.5.0 WIFI network to the 10.9.8.0 IOT network, I don't get an IP address from DHCP.
I do have avahi installed and reflector enabled. I posted the config of that above.
Do I need to add some DHCP options to the IOT interface, for device br-lan.8?

It seems that all IOT devices are connecting to the Synology router WIFI but not getting IP addresses from the OpenWrt router, which is the only DHCP server.

Try unplugging the wifi AP for VLAN 8 and plugging a computer directly into that port instead. What happens?

Directly connected to port 3/VLAN 8 I get an IP address in the 10.9.8.0 subnet as expected.
With only that hardwired connection I can ping 8.8.8.8 and get a response, but no response from www.google.com, "ping: cannot resolve www.google.com: Unknown host".

This is a DNS problem? FYI I am also running adguard home on the openWrt router.
The synology router connected to port 3 shows a gateway of 10.9.8.1 and a DNS server of 10.9.5.1. The default DNS server is on port 53, I believe, and adguard home uses port 54, if any of that matters.

DNS server problems wouldn't explain why none of the devices are getting an IP address though.

I do think this is an issue with Adguard...

Since I've never used it, I don't entirely know the mechanism by which it messes up the dnsmasq DHCP service, but try editing your IOT DHCP server to look like this:

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '3,10.9.8.1'
	list dhcp_option '6,10.9.8.1'

Then restart and test again.

No dice. Same deal. I do appreciate everything you are doing to help me. It's getting late here, so I'm going to call it a night. Tomorrow is another day.

Possibly another thing that might be screwing things up. I have a static IP address set in the 10.9.5 range for the synology router, yet when all is configured for VLAN the synology router is getting a DHCP assigned IP in the 10.9.8 range. Could be a problem?

Yes, this could be an issue, but your topology diagram shows that you want it to have an address in 10.9.8.0/24 when it is connected to lan3. So... maybe not??

I suspect that there is a problem related to adguard. So my recommendation would be to make a backup, reset the device to defaults, and then make changes to create the additional VLAN without adding adguard. If it works, make a backup and then you can try adding adguard and see what happens.

That said, before you do the reset, we can review your current config...
And... if you set the IOT zone's input rule to REJECT, try setting it back to ACCEPT to see if that resolves anything.

I flashed the OpenWrt router with a Sysupgrade and started from scratch. No AdGuard Home installed. Restored the VLAN config files for: dhcp, firewall, network, and wireless.
I did not change anything on the synology router for adding VLAN ID of 8. I'm assuming this doesn't matter since on the OpenWrt Router port 3, the VLAN is untagged. I'm probably wrong here. Outcome was that IOT devices on 10.9.8.0/24 subnet still were not controllable. I still need to check if IP addresses are not getting assigned on the IOT network. I'll do that now. Just wanted to give a quick update.