DHCP issue with multiple OpenWRT routers

Hello,

I am using OpenWRT on 2 Nighthawk 500 (OpenWRT #1 and #2) and 1 Net-link CPE210-220 (OpenWRT #3).

OpenWRT #1 and #2 are wired using RJ45 to my ISP router. OpenWRT #3 is wirelessly connected (WDS) to OpenWRT #1.

+------------------------+
|ISP Router              |
|192.168.2.254           |
|DHCP Server LAN1        +------------------+
|WIFI Access Point LAN1  |                  |
|                        |                  |
|                        |                  |
+------------+-----------+                  |
             |                              |
             |                              |
             |                              |
+------------+-----------+     +------------+-----------+
|OpenWRT Router #1       |     |OpenWRT Router #2       |
|192.168.2.1             |     |192.168.2.2             |
|WIFI Access point LAN1  |     |WIFI Access point LAN1  |
|                        |     |                        |
|DHCP Server LAN2        |     |                        |
|WIFI Access Point LAN2  |     |WIFI Access Point LAN2  |
+------------------------+     +------------------------+


+-------------------------+
| OpenWRT DummyAP         |
| 192.168.2.3             |
|                         |
|                         |
|                         |
| WIFI Access Point LAN2  |
+-------------------------+

My goals are the following:

  1. Let my ISP router act as the DHCP server for LAN1 (192.168.2.0/24). It also acts as WiFi access point for this same LAN1.
  2. OpenWRT #1 acts as RJ45 switch for LAN1
  3. OpenWRT #1 and #2 act as WiFi AP for LAN1 (same SSID and password as ISP router)
  4. A second LAN2 (192.168.1.0/24) for my IoT. I want this LAN2 to have internet access but no vision on LAN1. But devices from LAN1 need to view and access LAN2.
  5. OpenWRT #1, #2 and #3 act as WiFi AP for LAN2 (same SSID and password for the 3 of them).

So far:
Goal #1 is obviously OK
Goal #2 is OK
Goal #3 "looks" OK. But how to check if traffic is effectively following the path Computer > OpenWRT #1/#2 > ISP Router?
Goal #4 is almost there as LAN2 works and cannot see LAN1. My concern is how to get access from LAN1 to LAN2?
Goal #5 is my main issue. A few minutes after enabling the AP for LAN2 on OpenWRT #2, I lost all my devices (no more IP addresses assigned). Looks like the DHCP server on OpenWRT #1 screws up as soon as I start the radio on OpenWRT #2.

Any help would be welcome as I have tried for several days/weeks to solve the issues, but without any luck until now.

Here are the configs for OpenWRT #1 and #2.

OpenWRT-#1 [192.168.2.1]

/etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'xxxx:043d:3dbc::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.2.254'

config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'

config device
option type 'bridge'
option name 'br-RollDom76133'
option bridge_empty '1'

config interface 'RollDom76133'
option proto 'static'
option device 'br-RollDom76133'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
option gateway '192.168.2.254'

/etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'RollDom76133'
option name 'RollDom7613'

config forwarding
option dest 'lan'
config forwarding
option dest 'lan'
config forwarding
option dest 'lan'

config forwarding
option src 'RollDom7613'
option dest 'lan'

config rule
option name 'Roll_DHCP'
list proto 'udp'
option src 'RollDom7613'
option dest_port '67-68'
option target 'ACCEPT'

config rule
option name 'Roll_DNS'
option src 'RollDom7613'
option dest_port '53'
option target 'ACCEPT'

config rule
option name 'Roll_Block'
option src 'RollDom7613'
option dest 'lan'
list dest_ip '192.168.2.0/24'
option target 'REJECT'
list proto 'all'

/etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '5g'
option htmode 'VHT40'
option cell_density '0'
option country 'FR'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Freebox-3E2237'
option encryption 'sae-mixed'
option key 'key'
option disassoc_low_ack '0'

config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'FR'

config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'RollDom76133'
option encryption 'sae-mixed'
option key 'key'
option network 'RollDom76133'
option wds '1'
option disassoc_low_ack '0'

OpenWRT-#2 [192.168.2.2]

/etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'xxxx:xxxx:7b16::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.2'
list ports 'eth1.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.2'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.2.254'

config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'

config device
option type 'bridge'
option name 'RollDom76133'
option bridge_empty '1'

config interface 'RollDom76133'
option proto 'static'
option device 'RollDom76133'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.1'

/etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'RollDom7613'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'RollDom76133'

config rule
option name 'Allow-DNS-Roll'
option src 'RollDom7613'
option dest_port '53'
option target 'ACCEPT'

config rule
option name 'Allow-DHCP-Roll'
list proto 'udp'
option src 'RollDom7613'
option dest_port '68-68'
option target 'ACCEPT'

config forwarding
option src 'RollDom7613'
option dest 'lan'

config rule
option name 'Block_RollDom'
list proto 'all'
option src 'RollDom7613'
option dest 'lan'
list dest_ip '192.168.2.0/24'
option target 'REJECT'

/etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '5g'
option htmode 'VHT40'
option cell_density '0'
option country 'FR'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Freebox-3E2237'
option encryption 'sae-mixed'
option key 'key'

config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'FR'

config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'RollDom76133'
option encryption 'sae-mixed'
option key 'key'
option network 'RollDom76133'

I haven't reviewed your config in detail, but:

  • I can see a bunch of potential issues... the method to deal with them (fix vs start over, as well as what the fixes should be) will depend on the next point.
  • I think you're going to need to change your topology a bit...

Starting with this:

To achieve this, either your ISP router must support VLANs, or you must connect OpenWrt router #2 directly to OpenWrt router #1 (i.e. unplug the connection between OpenWrt router 2 and the ISP router, and instead connect OpenWrt router 2 to OpenWrt router 1).

Next...

For this to work, there are 2 ways you can configure things... the first is the preferred method, the second can work, but will not be optimal and thus may warrant restructuring your topology even more significantly.

  • If your ISP router has support for static routes, you can create a route that is 192.168.1.0/24 via 192.168.2.1; then you can disable masquerading on the lan firewall zone and set up forwarding from the lan zone to the rolldom7613 zone.
  • or, if your ISP router doesn't have support for static routes, you'll need to use port forwarding. This means that you'll need to set up a port forward for each device and for each service that exists behind the OpenWrt router. This is tedious at best, and may be challenging from a practical perspective.

If your ISP router doesn't support static routes and/or VLANs, you should consider putting everything behind the OpenWrt router and making that the main router for your network. This does mean that the ISP router's wifi would not be usable, but you can use the wifi on the OpenWrt routers instead. If the ISP router has a bridge mode, even better.

2 Likes
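As an added example (my own code, not from either poster and not part of OpenWrt), here is a small parser for UCI stanzas in the format shown in the thread, plus a lint that checks the zone/forwarding shape the reply's first option describes: lan zone without masquerade, an explicit lan -> IoT forwarding, and the IoT zone allowed out but rejected into 192.168.2.0/24. The "posted" sample is a constructed, trimmed copy of the OpenWRT #1 firewall above (including one of the `config forwarding` stanzas that has no `src`); the "proposed" variant is my assumption of how the reply's advice would look in /etc/config/firewall, and it presumes the ISP router carries the static route 192.168.1.0/24 via 192.168.2.1.

```python
import re

# Constructed sample, trimmed to the options the lint reads: the wan zone, the IoT
# zone ('RollDom7613', carrying network RollDom76133 in the post), the IoT -> lan
# forwarding and the Roll_Block rule, as posted for OpenWRT #1.
COMMON = """
config zone
option name 'wan'
option masq '1'

config forwarding
option src 'lan'
option dest 'wan'

config zone
option name 'RollDom7613'
list network 'RollDom76133'

config forwarding
option src 'RollDom7613'
option dest 'lan'

config rule
option name 'Roll_Block'
option src 'RollDom7613'
option dest 'lan'
list dest_ip '192.168.2.0/24'
option target 'REJECT'
"""
# As posted: the lan zone masquerades, and one forwarding stanza has no 'src'.
POSTED = "config zone\noption name 'lan'\noption masq '1'\n" + COMMON + \
         "config forwarding\noption dest 'lan'\n"
# Assumed reshaping along the reply's first option (ISP router holds a static route
# 192.168.1.0/24 via 192.168.2.1): no masquerade on lan, explicit lan -> IoT forwarding.
PROPOSED = "config zone\noption name 'lan'\noption masq '0'\n" + COMMON + \
           "config forwarding\noption src 'lan'\noption dest 'RollDom7613'\n"

STANZA_RE = re.compile(r"^config\s+(\S+)")
OPT_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI stanzas into [(section_type, {key: value | [values]})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        head = STANZA_RE.match(line)
        if head:
            sections.append((head.group(1), {}))
            continue
        m = OPT_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "option":
                opts[key] = val                        # 'option' is a scalar
            else:
                opts.setdefault(key, []).append(val)   # 'list' may repeat
    return sections


def lint_firewall(text, lan_zone, iot_zone, lan_subnet):
    """Return findings about the zone/forwarding layout; [] means lan may reach the
    IoT zone, the IoT zone is forwarded out but rejected into lan_subnet, and the lan
    side does not hide IoT sources behind masquerade."""
    sections = parse_uci(text)
    zones = {o.get("name"): o for t, o in sections if t == "zone"}
    forwards = [o for t, o in sections if t == "forwarding"]
    rules = [o for t, o in sections if t == "rule"]
    findings = []
    for i, fw in enumerate(forwards, 1):
        for side in ("src", "dest"):
            if side not in fw:
                findings.append(f"forwarding #{i} has no '{side}'; fw3/fw4 warn and skip it")
            elif fw[side] not in zones:
                findings.append(f"forwarding #{i} names unknown zone '{fw[side]}'")
    pairs = {(fw.get("src"), fw.get("dest")) for fw in forwards}
    if zones.get(lan_zone, {}).get("masq") == "1":
        findings.append(f"zone '{lan_zone}' masquerades: {iot_zone} hosts appear upstream "
                        f"as this router's own address")
    if (lan_zone, iot_zone) not in pairs:
        findings.append(f"no forwarding {lan_zone} -> {iot_zone}: LAN1 cannot reach LAN2")
    if (iot_zone, lan_zone) in pairs:
        def blocks(r):
            ips = r.get("dest_ip", [])
            ips = [ips] if isinstance(ips, str) else ips
            return (r.get("src") == iot_zone and r.get("dest") == lan_zone
                    and lan_subnet in ips and r.get("target") == "REJECT")
        if not any(blocks(r) for r in rules):
            findings.append(f"{iot_zone} -> {lan_zone} forwarded with no REJECT for {lan_subnet}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("proposed", PROPOSED)):
        print(label, lint_firewall(cfg, "lan", "RollDom7613", "192.168.2.0/24") or ["ok"])
```

Run against the posted layout it reports the `src`-less forwarding, the masquerade on the lan zone and the missing lan -> RollDom7613 forwarding; the proposed layout passes because the IoT -> lan forwarding is still fenced by the Roll_Block REJECT on 192.168.2.0/24 while the stateful firewall lets LAN1-initiated connections return.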