Configure interface and device for Guest vlan/wifi

Hi, I'm following the amazing videos of OneMarcFifty and got stuck at
[10:17](https://www.youtube.com/watch?v=UvniZs8q3eU&t=617s), adding and assigning the interfaces.

I found this thread but can't figure out how to do it correctly...

Do I create a new device, as @mpa clearly states, and then create a new interface where I pick this device? When I click 'add DHCP server', all I get is 'ignore interface'? :confused:

One mistake at least: I hadn't set a static IP on the interface to begin with. Did that, and now the DHCP option looks fine.

I created the device 'Guest' and set it to bridge. The firewall zone on the interface is Guest. Double-checked with the video. Set up the guest wifi, adding the guest network.

I can see the wifi but don't get any IP when connecting; I get a dummy 169.254.102.43 address now. I strongly believe the DHCP should be fine..
Tried a manual IP 10.20.30.101 with mask 255.255.255.0 and router 10.20.30.40, and that looks like it connected. No internet though.

I'm using dnscrypt-proxy2, but that listens on localhost:53, so it should be OK? In the video I opened ports for DNS and DHCP, I believe.

Don't understand why this doesn't work but hopefully you guys see the problem..

Network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'wan'

config device 'wan_wan_dev'
        option name 'wan'
        option macaddr '62:38:e0:da:5a:be'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'wan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'wlan1-1'
        option ipv6 '0'
        option multicast '0'

config interface 'Guest'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option type 'bridge'

dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option localservice '1'
        option noresolv '1'
        list server '127.0.0.53'

config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option dhcpv4 'server'
        option start '2'
        option leasetime '6h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'


config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config zone
        option name 'GuestZone'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Guest'

config zone
        option name 'IOTzone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'IOTzone'

config forwarding
 option src 'GuestZone'
        option dest 'wan'

config rule
        option name 'Guest DHCP and DNS'
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

I removed it all and followed this guide; still I have the same problem with no IP, just the 169.254 address.

Really weird. I'll remove everything and try once more tonight....

Dnscrypt-proxy2 is not an issue. The main thing I see is that your bridge doesn't contain your wlan1-1 guest network.

Add your wlan1-1 to the bridge
list ports 'wlan1-1'

And add it to your guest network.
option device 'wlan1'

Option 'bridge' under interface looks strange; usually it is used for devices?


Right you are :grimacing:

Found something from earlier days that made me put it in there, but since 21.x I think this has been removed and moved to devices.

So meanwhile I deleted all and followed the guide here:

I've added wlan1-1 as you mentioned so here is the latest info

network

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wlan1-1'

config device
        option name 'wlan1-1'
        option ipv6 '0'
        option multicast '0'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'wlan1-1'
        option delegate '0'

A third attempt going on....
Same result now, but as you stated earlier, @RuralRoots and @mattimat, I don't have wlan1-1 in the device 'bridge', and I don't see that br-lan has it either.
Added wlan config for info too.
My setup is pretty basic, I think; no big changes compared to the default config. I have a dumb AP on lan1 that is working nicely today, but I'm trying to get VLANs and guest/IoT/prod VLANs and WLANs up and running.. :slight_smile:

Thanks for your help so far..

Network:

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'wan'

config device 'wan_wan_dev'
        option name 'wan'
        option macaddr '62:38:e0:da:5a:be'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'wan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option device 'guest'

config device
        option type 'bridge'
        option name 'guest'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option localservice '1'
        option noresolv '1'
        list server '127.0.0.53'

config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option dhcpv4 'server'
        option start '2'
        option leasetime '6h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '3'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

Wifi:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option cell_density '0'
        option channel '36'
        option htmode 'VHT40'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr ''
        option encryption 'psk2'
        option key ''
        option ssid ''
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option cell_density '0'
        option channel '8'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr ''
        option encryption 'psk2'
        option key ''
        option ssid ''
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest'
        # Open (unencrypted) guest SSID in this attempt; a later post in the thread switches it to psk2.
        option encryption 'none'
        option network 'guest'

The same physical ports cannot belong to more than one bridge.

If you do not need wired ports for the guest network, delete the guest device and the option device line from the guest interface section:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option device 'br-lan'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'

If you need a wired port (lan4 for example):

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option device 'br-lan'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
	    option device 'br-guest'

OK thanks pavelgl!
I don't need it for testing, so I will remove lan1-4 from bridge guest, but later on I will have to use lan1 (or lan4, as you exemplified), which connects to the dumb AP. I will be back with how that goes.

Is it enough to restart firewall/network/dnsmasq for everything to work or do I need a complete reboot?

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'guest'

wifi

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest'
        option network 'guest'
        option encryption 'psk2'
        # Short test passphrase as pasted in the thread; replace it with a
        # unique one before the SSID is used for real guests.
        option key '12345678'

Restarting the services is enough.
Why, is it still not working?

Make sure the guest wifi is enabled and verify that the IP address is assigned.

ip a show | grep 10.20.30.40 -A1 -B2

Also check the DHCP server.

/etc/init.d/log restart; /etc/init.d/dnsmasq restart; sleep 3; logread -e dhcp

I assume the firewall settings are correct.

Not working... yet :slight_smile:

root@Router:~# ip a show | grep 10.20.30.40 -A1 -B2
19: phy1-ap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 02:25:9c:14:2d:59 brd ff:ff:ff:ff:ff:ff
    inet 10.20.30.40/24 brd 10.20.30.255 scope global phy1-ap2
       valid_lft forever preferred_lft forever

root@Router:~# /etc/init.d/log restart; /etc/init.d/dnsmasq restart; sleep 3; logread -e dhcp
udhcpc: started, v1.36.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
udhcpc: started, v1.36.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
Fri Feb 24 11:14:11 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 10.20.30.100 -- 10.20.30.249, lease time 12h
Fri Feb 24 11:14:11 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.2 -- 192.168.1.151, lease time 6h
Fri Feb 24 11:14:11 2023 daemon.info dnsmasq-dhcp[1]: DHCP, sockets bound exclusively to interface br-lan
Fri Feb 24 11:14:11 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 9 names
Fri Feb 24 11:14:11 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses

What doesn't work?

Connect a device to the guest network and check its IP configuration.

Try to ping 8.8.8.8 and openwrt.org.

Testing with my iPhone: it tries to connect but doesn't get any IP. It's then disconnected from the network / tries to connect again.. Did the 'forget network' a number of times. No go.
Sometimes it gets a 169.254... address.

uci export firewall

The latest thing I tested was to accept everything in the guest zone.. I will put it back to how it should be.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

# Review note: as pasted (the poster's "accept everything" test), input ACCEPT
# lets guest clients reach every service on the router itself, and forward ACCEPT
# relaxes the zone's default forwarding policy beyond the explicit guest->wan
# forwarding below (whether that reaches lan depends on the firewall version --
# verify). The earlier GuestZone with input/forward REJECT is the isolating form.
config zone
        option name 'guest'
        option output 'ACCEPT'
        list network 'guest'
        option forward 'ACCEPT'
        option input 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'DNS and DHCP guest'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '53 67 68'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

Correct the zone policies (set the guest zone's input and forward back to REJECT, as in your earlier GuestZone, so guest clients reach only what the rules allow) and the DNS and DHCP guest rule (UDP 53 and 67 only), but that shouldn't be causing the problem.

# Guest clients only need to reach the router on UDP 67 (DHCP server port) and
# UDP 53 (DNS); 68 is the client-side DHCP port and tcp/icmp were not needed.
# NOTE(review): add a matching tcp 53 rule if guest clients must fall back to
# DNS over TCP for truncated answers.
config rule
        option name 'DNS and DHCP guest'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '53 67'
        list proto 'udp'

Restart the router just in case and please find another device (other than a phone) for the test.