I'm trying to create an isolated network on a dedicated LAN port for a printer to block its internet access. I've followed the standard DSA procedures to create a new bridged network, but the device connected to it consistently fails to get a DHCP lease. I've exhausted all troubleshooting I can think of and suspect this might be a bug or hardware incompatibility.
Hardware:
Router: GL.iNet GL-MT6000 (Flint 2)
Firmware: OpenWrt 24.10.2 (clean re-flash, no packages upgraded)
Client Device: Canon PIXMA MX922 Printer (and also tested with a laptop)
The Goal: Dedicate lan4 to a new, isolated network (printnet) that has its own DHCP server but no internet access. The main lan network should be able to access devices on printnet.
The Problem: Any device connected to lan4 fails to get an IP address. The printer self-assigns a 169.254.x.x address, and a laptop does the same. A tcpdump on the lan4 interface shows the device is sending DHCP Discover packets, but the router never sends a DHCPOFFER reply.
Configuration Files
Here are my sanitized configuration files, which appear to be correct:
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdXX:XXXX:XXXX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-printnet'
	option type 'bridge'
	list ports 'lan4'

config interface 'printnet'
	option device 'br-printnet'
	option proto 'static'
	option ipaddr '199.168.4.1'
	option netmask '255.255.255.0'
Confirmed the printer works and requests DHCP via tcpdump.
Confirmed the physical link on lan4 is active (100 M) on the router's status page.
Tested with a laptop, which also failed to get a DHCP lease from printnet.
Performed a clean re-flash of the firmware, erasing all previous settings.
Rebuilt the configuration from scratch via SSH and the web interface.
Restarted the network service (/etc/init.d/network restart) and rebooted the router multiple times.
Despite the configuration appearing perfect, dnsmasq does not serve DHCP requests on the secondary br-printnet bridge. Has anyone else experienced this? Is this a known issue with the GL-MT6000's DSA switch or drivers?
Now, that said, we have not seen the firewall file... there could be an issue there, so if the above doesn't fix the problem, please show us the contents of /etc/config/firewall
Sorry, I forgot to supply you with the firewall file. Here it is. Thank you for your help.
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option srcice 'eth1' lan
option desto 'dhcp' wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config ruleion proto 'dhcpv6'
option name Allow-DHCP-Renew
config ioption srcprinter_lan' wan
option proto 'static' udp
option dest_portan4' 68
option target '192.168.4ACCEPT
option familyk '255.255.ipv40'
# Allow IPv4 pingter_lan'
config ruleion interface 'printer_lan'
option namet '100' Allow-Ping
option srcit '150' wan
option prototime '12h' icmp
root@Opeoption icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
config zone
option name 'printer'
option network 'printer_lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option src 'lan'g
option dest 'printer'
This firewall file appears to have a whole bunch of issues that could be just copy/paste errors, or could be indicative of file corruption or similar. For example:
There are many other examples of this. Please check your actual file to see what is going on and repost if it is simply a copy/paste problem.
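As an added example (not code from this thread, from OpenWrt, or from either poster), here is a small Python script that parses UCI files the way uci reads them and cross-checks the network and firewall sections. It covers both the layout the first post is after (lan4 alone in br-printnet, a static private address, a printer zone that names the printnet interface, input ACCEPT so the printer can reach dnsmasq on the router, forward REJECT, and a forwarding only from lan to printer, never to wan) and the kind of damage the posted firewall file shows: lines with too many tokens, a stray quote, and a zone whose network option points at printer_lan while the interface is called printnet. It also flags an ipaddr outside the private ranges, since the posted network file gives printnet 199.168.4.1 rather than a 192.168.x.x address. The sample configs embedded in the script are constructed for this example; only the printer_lan name and the 199.168.4.1 value are taken from the thread.

```python
"""Added example (not from this thread or OpenWrt): lint UCI network/firewall
text for the isolated-printer setup. parse_uci() reads a file the way uci does
(config / option / list lines); check() flags this thread's problems: damaged
lines, a zone naming a missing interface, a LAN address that is not private."""
import ipaddress, shlex

def parse_uci(text):
    """Return (sections, errors); a section has type, name, options, lists."""
    sections, errors, cur = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # stray quote, as in: option dest_portan4' 68
            errors.append((n, f"unbalanced quote: {line!r}"))
            continue
        if tok[0] == "config" and len(tok) in (2, 3):
            cur = {"type": tok[1], "name": tok[2] if len(tok) == 3 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif tok[0] == "option" and len(tok) == 3 and cur is not None:
            cur["options"][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) == 3 and cur is not None:
            cur["lists"].setdefault(tok[1], []).append(tok[2])
        else:  # unknown keyword or wrong token count: a damaged line
            errors.append((n, f"malformed line: {line!r}"))
    return sections, errors

def check(net, fw):
    """Cross-check parsed network and firewall sections; return findings."""
    out = []
    for s in net:  # a LAN-side address must be private; 199.168.4.1 is not
        ip = s["options"].get("ipaddr")
        if s["type"] == "interface" and ip and not ipaddress.ip_address(ip).is_private:
            out.append(f"interface {s['name']} has public address {ip}")
    ifaces = {s["name"] for s in net if s["type"] == "interface"}
    zones = {s["options"].get("name"): s for s in fw if s["type"] == "zone"}
    for name, z in zones.items():  # 'list network' or the older 'option network'
        for n in z["lists"].get("network", []) + z["options"].get("network", "").split():
            if n not in ifaces:
                out.append(f"zone {name} references unknown network {n!r}")
    for s in fw:
        if s["type"] == "forwarding":
            for side in ("src", "dest"):
                if s["options"].get(side) not in zones:
                    out.append(f"forwarding {side}={s['options'].get(side)!r} is not a zone")
    return out

def zone_has_internet(fw, zone):
    """True if some forwarding lets traffic from `zone` into the wan zone."""
    return any(s["type"] == "forwarding" and s["options"].get("src") == zone
               and s["options"].get("dest") == "wan" for s in fw)

# Constructed samples: lan4 alone in br-printnet, private address, zone naming the interface, forwarding only from lan.
NETWORK = """
config interface 'lan'
	option ipaddr '192.168.1.1'
config interface 'wan'
	option proto 'dhcp'
config device
	option name 'br-printnet'
	option type 'bridge'
	list ports 'lan4'
config interface 'printnet'
	option device 'br-printnet'
	option proto 'static'
	option ipaddr '192.168.4.1'
"""
FIREWALL_OK = """
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wan'
config forwarding
	option src 'lan'
	option dest 'wan'
config zone
	option name 'printer'
	list network 'printnet'
	option input 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'lan'
	option dest 'printer'
"""
FIREWALL_BAD = """
config zone
	option name 'printer'
	option network 'printer_lan'
config forwarding
	option srcice 'eth1' lan
	option dest_portan4' 68
"""
NETWORK_BAD = NETWORK.replace("192.168.4.1", "199.168.4.1")
```

With these samples, check(parse_uci(NETWORK)[0], parse_uci(FIREWALL_OK)[0]) returns an empty list, zone_has_internet(..., 'printer') is False while it is True for 'lan', the FIREWALL_BAD text yields two parse errors (a malformed line and an unbalanced quote) plus a zone pointing at the non-existent printer_lan interface and a forwarding with no usable src or dest, and NETWORK_BAD reports the public address on printnet. On the router itself, uci export network and uci export firewall print the files in canonical form, which is also the cleanest thing to paste when asking for help.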
Thank you. Yes, the firewall was corrupted as you indicated and it was fixed. Thank you and I really appreciate all your help. The router is working great and I learned a lot!