DHCP not giving out address leases on wireless AP

@psherman, splitting out as suggested.

My main network is on a different range to the one that I have put the radio1 AP on so that shouldn’t be causing the issue.

Network config:

 config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd03:ada5:cd05::/48'

# NOTE(review): despite its name this 'lan' is a DHCP *client* on eth0 and
# is listed in the 'wan' firewall zone further down, i.e. it is an uplink,
# not the local network. The naming is what makes the rest hard to read.
config interface 'lan'
        option proto 'dhcp'
        option ifname 'eth0'

# No ifname here on purpose: the radio0 'sta' wifi-iface attaches itself to
# 'wwan' through its own 'option network' line, which is how wireless
# interfaces are bound in OpenWrt.
config interface 'wwan'
        option proto 'dhcp'

config interface 'providervpn'
        option proto 'none'
        option ifname 'tun0'

# NOTE(review): 'radio1' is the wifi-device name from the wireless config,
# not a kernel netdev, so this ifname binds nothing. The AP's netdev is
# created by netifd only when the radio1 'ap' wifi-iface carries
# 'option network lan2' -- which it currently does not. Until then lan2 has
# no interface underneath it and dnsmasq has nothing to hand leases out on.
config interface 'lan2'
        option proto 'static'
        option ifname 'radio1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/qca953x_wmac'
        option htmode 'HT20'
        option legacy_rates '1'
        option country 'GB'
        option channel '1'

# Client ('sta') side: joins the upstream 'homenetwork' and attaches to the
# 'wwan' interface, so radio0 is an uplink. The 'bssid' line is meant to make
# the client associate only with that specific AP rather than with any AP
# advertising the same SSID. The PSK is redacted, as it should be in any
# config shared publicly.
config wifi-iface
        option network 'wwan'
        option ssid 'homenetwork'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'sta'
        option bssid '00:F2:01:3A:61:F0'
        option key '........'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option country 'GB'
        option legacy_rates '1'
        option channel 'auto'

# Access point side. NOTE(review): this is the root cause of the missing
# leases -- there is no 'option network' here, so the AP is not attached to
# 'lan2' (or to anything) and dnsmasq never sees the interface. Add
# 'option network lan2' here and drop the bogus 'ifname radio1' from the
# lan2 interface. psk2 is the right encryption choice; the key is redacted.
config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWRT'
        option encryption 'psk2'
        option key '.......'

DHCP:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
# NOTE(review): '0' turns off dnsmasq's DNS-rebind filtering (OpenWrt ships
# this as '1'). It has nothing to do with the missing leases; re-enable it
# once DHCP works unless an upstream zone really must resolve to private
# addresses, otherwise LAN browsers are exposed to DNS-rebinding attacks on
# the router's own web UI. 'rebind_localhost' alone does not cover that.
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
# 'localservice' (dnsmasq --local-service) answers DNS only for directly
# attached subnets -- keep it, it stops the resolver being used from the WAN.
        option localservice '1'

# Correct: 'lan' is the eth0 DHCP *client* (see network config), so no
# server may run on it.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

# Refers to an interface named 'wan' that the posted network config does not
# define; harmless, but dead configuration.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# The pool itself is fine (192.168.1.100-249, 12h). It only ever serves once
# 'lan2' is up on a real netdev, which is not the case while the radio1 AP
# wifi-iface lacks 'option network lan2'.
config dhcp 'lan2'
        option interface 'lan2'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

And finally, firewall (wan is set to accept input as I wanted to move the ethernet there just to test that having 2 interfaces on the lan rule set wasn't causing issues):

# Default policy for traffic on interfaces that belong to no zone.
config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'

# The LAN zone holds only 'lan2', i.e. the radio1 AP network.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan2'

# NOTE(review): 'input ACCEPT' on the WAN zone exposes whatever is listening
# on the router (typically SSH, LuCI, DNS) to every upstream network -- and
# the eth0 DHCP-client interface 'lan' is deliberately in this zone too. The
# poster states this is a temporary test; it must go back to 'REJECT' before
# the device is trusted, since the explicit Allow-* rules below already admit
# the few things a WAN interface genuinely needs (DHCP renew, ping, IGMP).
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'DROP'
        option input 'ACCEPT'
        option network 'wan wan6 wwan lan'

# Direct LAN -> WAN path. Removing this is what later in the thread prevents
# leakage when the VPN tunnel is down.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt WAN input allowances: DHCP renew, ping, IGMP. These are the
# rules that make 'input REJECT' on the WAN zone workable.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Disabled ('enabled 0'). Only needed if the upstream delivers IPv6 via
# DHCPv6; leaving it off is fine for an IPv4-only uplink.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): disabled. While the WAN zone has 'input ACCEPT' this makes no
# difference, but the moment input goes back to REJECT, IPv6 neighbour
# discovery and path-MTU on the uplink stop working (the rule is what admits
# router/neighbour solicitation and packet-too-big). Re-enable it together
# with that change if IPv6 is in use at all.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

# Disabled as well; same caveat for LAN hosts' IPv6 PMTU discovery.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

# These two forward unsolicited IPsec (ESP and IKE on udp/500) from the WAN
# into the LAN zone. They are stock OpenWrt rules, but are only useful if a
# LAN host terminates IPsec; otherwise they are an unnecessary opening and
# can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Whatever is in /etc/firewall.user is appended verbatim to the ruleset; it
# is not part of this paste and needs reviewing on its own.
config include
        option path '/etc/firewall.user'

# VPN zone for the provider tunnel (tun0). 'input REJECT' is right: nothing
# arriving from the provider's side may reach the router's own services.
# 'masq 1' NATs LAN traffic onto the tunnel address, which a commercial VPN
# that does not route your LAN prefix requires.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'providervpn'
        option family 'ipv4'

# NOTE(review): this forwards traffic *arriving* from tun0 out to the WAN,
# i.e. anything on the provider's side could use this router as an egress
# to the upstream network. A client tunnel does not need it (replies to
# LAN -> VPN flows are matched by connection tracking); remove it.
config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

# NOTE(review): duplicate of the 'vpn' zone above (differs only in lacking
# 'family ipv4'), followed by a duplicate lan -> vpn forwarding. Two zones
# with the same name are at best ignored with a warning by fw3 and at worst
# merged unpredictably; delete this second copy and the repeated forwarding.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'providervpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

I'm sure it's something simple but I just can't see it!

You have a few things wrong with your config. What exactly are you trying to accomplish?

The main issue I see is...right now, you don't have WiFi connected to a network that hands out IP addresses. From your title, it seems you want to do the opposite.

If it was your intention to connect it to lan2, you managed to attach it to WWAN. WWAN is set to connect to a WAN via wireless and GET AN IP, not hand out IPs to a local network.

I see a bunch of potential issues. If you make eth0 WAN, you'll have a known-good uplink to start with. Your WLAN will be on radio1, and radio0 will be another WAN interface (you might disable it in the meantime). This will setup normal routing from the ethernet WAN (or WWAN) through the device, providing a WLAN on wifi... you should have internet access on the router and devices connected to it (although I think you have removed forwarding from LAN > WAN which you might want to put back for now, until you have everything else running first, then add the VPN stuff and remove the forwarding rule, if you want). try making the changes below:

firewall (partial)

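# Fixed: the original paste used typographic quotes (' ' ") which UCI does
# not accept -- every option below would have been a parse error. Use plain
# ASCII single quotes.
# 'input ACCEPT' in defaults is OpenWrt stock and is only safe because every
# uplink is in the 'wan' zone, which rejects input. Any interface left out of
# a zone falls through to this ACCEPT, so keep the zone membership complete.
config defaults
option syn_flood '1'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

# Fixed: the original listed 'wan' twice and 'wwan' not at all, yet the
# accompanying network config defines the uplink as 'wwan' (eth0). An uplink
# missing from this zone would be exposed by the default 'input ACCEPT'.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
option network 'wan wan6 wwan'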

network (full)

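# Fixed: typographic quotes from the original paste replaced with ASCII
# single quotes; UCI would otherwise fail to parse the file.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd03:ada5:cd05::/48'

# Uplink on eth0. If a wireless client (radio0 'sta') is later attached to
# 'wwan' as well, drop this ifname and let the wifi-iface's 'option network'
# do the binding, as the thread goes on to recommend.
config interface 'wwan'
option proto 'dhcp'
option ifname 'eth0'

config interface 'providervpn'
option proto 'none'
option ifname 'tun0'

# No ifname: the radio1 AP wifi-iface attaches to 'lan' via 'option network'.
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'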

wireless (partial)

# 'option network lan' is the line the original config was missing: it is
# what binds the AP's netdev to the 'lan' interface so dnsmasq can serve it.
config wifi-iface
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWRT'
option encryption 'psk2'
option key '.......'

dhcp (partial; remove lan2)

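# Fixed: typographic quotes replaced with ASCII single quotes so UCI parses
# the section. Same pool as before, now on the interface the AP is bound to.
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '12h'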

Sorry, realised, wasn't too clear on the topic. As psherman has shown, I want eth0 and radio0 to be wan connections and radio1 to be WLAN serving DHCP.

@psherman thank you! That is working now. My network now looks like:

# Wired uplink on eth0.
config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0'

# NOTE(review): 'radio0' is a wifi-device name, not a netdev, so this ifname
# binds nothing (same mistake as 'ifname radio1' earlier). Remove the line;
# the radio0 'sta' wifi-iface already attaches to 'wwan' with
# 'option network wwan', as the reply below points out. Make sure 'wwan' is
# listed in the 'wan' firewall zone.
config interface 'wwan'
        option proto 'dhcp'
        option ifname 'radio0'

config interface 'providervpn'
        option proto 'none'
        option ifname 'tun0'

# No ifname: the radio1 AP is attached through its wifi-iface's
# 'option network lan'.
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Is that the right principle? What is the best principle when it comes to the VPN? I want internet to work on the lan when the vpn isn't running but then obviously for all traffic to be routed across when it is. Can I have a one config fits all or will there have to be a script to change the routing when the vpn is started?

Glad things are working!

I'd have to look at my config files, but you might want to remove the wwan ifname from network, and instead define that association in the wireless wifi-iface > option network 'wwan' instead.

Meanwhile, for the LAN > WAN or VPN question, that is something you'll handle with two elements:

  1. in the openvpn config file, make sure it contains the `redirect-gateway def1` directive, which will send all traffic through the tunnel when it is up and running.
  2. There are two relevant forwarding rules in the firewall: LAN > WAN, and LAN > VPN. If you have both, hosts on the LAN will be able to use the internet normally when the VPN is down. However, if you wish to prevent 'leakage' of packets to the WAN when the tunnel is down, remove or disable the LAN > WAN forwarding rule (if you do remove this forwarding rule, try not to forget you've done it this way when you inevitably say "why can't I connect to the internet" :slight_smile:).

I have set the 3 position slide switch to configure the device at boot time (applies currently to my MR3020, actually, but eventually the 902AC as well):
pos 1 (AP): WWAN disabled, WAN on eth0, known good config files loaded (network, wireless, firewall) for a known/predictable initial state.
pos 2 (WISP): boot with most-recently used configuration (typically the WWAN enabled and connected), autostart VPN.
pos 3 (3G): boot with most-recently used config, autostart VPN, disable LAN > WAN forwarding so no packets can leak if tunnel is down.

I've also been meaning to incorporate the travelmate package which resolves one of the major headaches of these devices -- the radio will not connect even to LAN devices if it is unable to connect to another network in 'sta' mode. It also has the ability to store the recently used wifi networks (i.e. WWANs) to make reconnecting easier.

Ah yes, it was already in wireless; I'm getting more used to where everything needs to be now.

I like the idea of removing the rule while the VPN is up, so nothing can leak if it drops; maybe I will add something to the script you gave me to enable the VPN on the WPS button to load different firewall configs.

Under normal circumstances, `redirect-gateway def1` should send all traffic through the tunnel, and it is really only at significant risk of leaking packets when the tunnel is not up or goes down unexpectedly. So keep in mind that if you tie the firewall config to the ifup (disable LAN > WAN forwarding) or ifdown (re-enable LAN > WAN forwarding) status, it could defeat the purpose: re-enabling the direct path on ifdown reopens it at exactly the moment the tunnel has failed. That's why I have a boot mode configured such that when I use it, I know that no packets should leak.

That said, you could disable LAN > WAN forwarding upon the WPS button press (i.e. starting the VPN) and not re-enable it until the next reboot of the router. This way, if you have initiated the VPN in general, you know you don't want any packets going out WAN unless via the tunnel for the remainder of the session.

BTW, the router itself will still have traffic flow to the WAN which is required to maintain your connection to the VPN (otherwise it would not know how to get VPN tunnel packets out to the VPN server/endpoint on the other end).