DHCP not working and I need to keep changing static IP on windows

Problem

  1. DHCP not working
  2. When using a static IP, I have to keep changing it.
/$ cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '127.0.0.1#5453'
	list server '0::1#5453'
	list rebind_domain 'time.android.com'
	option stripmac '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'private'
	option interface 'private'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

config dhcp 'server'
	option interface 'server'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.2'
	list mac '00:00:00:00:00:00'

config host
	option name 'Device Name Censored'
	list mac '00:00:00:00:00:00'
	option ip '192.168.1.3'
	option leasetime 'infinite'
	list tag 'Phone'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.4'
	list mac '00:00:00:00:00:00'
	list tag 'Desktop'
	option duid '752225972532457524722999592747'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.5'

config host
	option name 'Device Name Censored'
	list mac '00:00:00:00:00:00'
	option ip '192.168.4.6'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.6'
	option mac '00:00:00:00:00:00'
	list tag 'Adaptor'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.7'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.8'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.9'
	option mac '00:00:00:00:00:00'
	option leasetime 'infinite'
	list tag 'Phone'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.10'
	option leasetime 'infinite'
	list tag 'Laptop'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.11'
	option leasetime 'infinite'

config host
	option name 'Device Name Censored'
	option leasetime 'infinite'
	option ip '192.168.1.12'
	list tag 'Phone'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.13'
	option leasetime 'infinite'
	option mac '00:00:00:00:00:00'
	list tag 'Phone'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.14'
	list mac '00:00:00:00:00:00'
	option leasetime 'infinite'

config host
	option name 'Device Name Censored'
	option ip '192.168.1.15'

config host
	option name 'Device Name Censored'
	option ip '192.168.2.2'
	list tag 'TV'

config host
	option name 'Device Name Censored'
	list mac '00:00:00:00:00:00'
	option ip '192.168.2.3'
	option leasetime 'infinite'
	list tag 'Phone'

config host
	option name 'Device Name Censored'
	list mac '00:00:00:00:00:00'
	option ip '192.168.2.4'
	option leasetime 'infinite'

config host
	option name 'Device Name Censored'
	list mac '00:00:00:00:00:00'
	option ip '192.168.2.5'
	option leasetime 'infinite'
	list tag 'Phone'

config host
	list mac '00:00:00:00:00:00'
	option ip '192.168.2.6'
	option name 'Device Name Censored'
	option leasetime 'infinite'
	list tag 'Phone'

config ipset
	list name '192.168.1.9-192.168.1.12'
	list domain 'UserX.lan'
	option table_family 'inet'

config ipset
	list domain 'DeviceList.local'
	list name '192.168.1.8-192.168.1.12'
	option table_family 'inet'

config ipset
	list name '192.168.1.8'
	list name '192.168.1.9'
	list name '192.168.1.12'
	list domain 'MobileList.lan'
	option table_family 'inet'

config ipset
	list domain 'facebook.com'
	list name 'facebook.com'
	option table_family 'inet'

config host
	option name 'Device Name Censored'

config host
	option name 'Device Name Censored'

config dhcp 'serverlocal'
	option interface 'serverlocal'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	option ra 'server'
	option dhcpv6 'server'
	list ntp '192.168.0.1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
/$ cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option steering_flows '128'
	option ula_prefix 'fd00::/8'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'censored'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.240'
	list dns '127.0.0.1'
	list dns '0::1'
	option ip6ifaceid '::1'
	option delegate '0'
	option auto '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '127.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'
	list dns '0::1'
	option delegate '0'
	option auto '0'

config interface 'Wireguard'
	option proto 'wireguard'
	list addresses '10.2.0.2/32'
	option private_key 'censored'
	list dns '127.0.0.1'
	list dns '0::1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.240'
	option device 'br-guest'
	list dns '127.0.1.1'
	list dns '127.0.0.1'
	option auto '0'

config interface 'private'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option device 'br-private'
	option netmask '255.255.255.240'
	list dns '127.0.0.1'
	list dns '0::1'
	option ip6ifaceid '::1'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	list ports 'lan4'

config device
	option type 'bridge'
	option name 'br-private'
	option bridge_empty '1'
	option macaddr 'censored'
	list ports 'lan3'

config device
	option type 'bridge'
	option name 'br-server'
	option bridge_empty '1'
	option macaddr 'censored'

config interface 'server'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option device 'br-server'
	option netmask '255.255.255.240'
	list dns '127.0.0.1'
	list dns '0::1'
	option ip6ifaceid '::1'
	option auto '0'

config device
	option name 'wan'
	option macaddr 'censored'

config device
	option name 'eth0'

config interface 'wwan'
	option proto 'dhcp'
	option auto '0'
	option disabled '1'

config device

config wireguard_Wireguard
	option description 'Config Example'
	option private_key 'censored'
	option private_key 'censored'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '146.70.174.66'
	option disabled '1'

config interface 'serverlocal'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option device 'br-serverlocal'
	option auto '0'

config device
	option type 'bridge'
	option name 'br-serverlocal'

config wireguard_Wireguard
	option description 'x'
	option private_key 'censored'
	option private_key 'censored'
	option persistent_keepalive '25'
	option endpoint_host '89.187.170.159'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config wireguard_Wireguard
	option description 'x'
	option private_key 'censored'
	option private_key 'censored'
	option persistent_keepalive '25'
	option endpoint_host '146.70.174.66'
	list allowed_ips '0.0.0.0/0'
	option disabled '1'

config wireguard_Wireguard
	option description 'x'
	option private_key 'censored'
	option private_key 'censored'
	option persistent_keepalive '25'
	option endpoint_host '185.132.132.113'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option disabled '1'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.240'
	list dns '127.0.0.1'
	list dns '0::1'
	option delegate '0'
	option ip6ifaceid '::1'
/$ cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option cell_density '1'
	option country 'US'
	option htmode 'HT40'
	option channel '6'
	option txpower '20'
	option ldpc '0'
	option noscan '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '5g'
	option cell_density '3'
	option country 'US'
	option channel '36'
	option htmode 'VHT160'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan2'
	option mode 'ap'
	option ssid 'Censored'
	option key 'Censored'
	option encryption 'sae-mixed'
	option wpa_disable_eapol_key_retries '1'
	option macaddr 'random'
	option ocv '0'
	option isolate '1'
	option ieee80211w '1'
	option ifname 'WifiMain2Ghz'
	option disassoc_low_ack '0'

config wifi-iface '2Ghz'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Censored'
	option ifname '2Ghz'
	option key 'Censored'
	option encryption 'sae-mixed'
	option wpa_disable_eapol_key_retries '1'
	option macaddr 'random'
	option ocv '0'
	option isolate '1'
	option ieee80211w '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option network 'lan2'
	option ssid 'Censored'
	option key 'Censored'
	option encryption 'sae-mixed'
	option macaddr 'random'
	option ieee80211w '1'
	option isolate '1'
	option ocv '0'
	option ifname 'WifiMain5Ghz'

config wifi-iface 'W5Ghz'
	option device 'radio1'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option network 'lan'
	option ifname 'W5Ghz'
	option ssid 'Censored'
	option key 'Censored'
	option encryption 'sae-mixed'
	option macaddr 'random'
	option ieee80211w '1'
	option ocv '0'
	option isolate '1'
	option disabled '1'
	list maclist '00:00:00:00:00:00'
	list maclist '00:00:00:00:00:00'
	list maclist '00:00:00:00:00:00'

config wifi-iface 'IOT2Ghz'
	option device 'radio0'
	option mode 'ap'
	option wpa_disable_eapol_key_retries '1'
	option ifname 'IOT2Ghz'
	option key 'Censored'
	option ssid 'Censored'
	option encryption 'sae-mixed'
	option network 'private'
	option macaddr 'random'
	option ocv '0'
	list maclist '00:00:00:00:00:00'
	list maclist '00:00:00:00:00:00'
	list maclist '00:00:00:00:00:00'
	list maclist '00:00:00:00:00:00'
	option skip_inactivity_poll '1'
	option disabled '1'

config wifi-iface 'IOT5Ghz'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option wpa_disable_eapol_key_retries '1'
	option ifname 'IOT5Ghz'
	option key 'Censored'
	option ssid 'Censored'
	option network 'private'
	option macaddr 'random'
	option ieee80211w '1'
	option ocv '0'
	list maclist '00:00:00:00:00:00'
	option disabled '1'

config wifi-iface 'WifiGuest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Censored'
	option encryption 'sae-mixed'
	option isolate '1'
	option ifname 'WifiGuest'
	option macaddr 'random'
	option key 'Censored'
	option ieee80211w '1'
	option wpa_disable_eapol_key_retries '1'
	option network 'Guest guest'
	option ocv '0'
	option disabled '1'

config wifi-iface 'WifiServer'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Censored'
	option encryption 'sae-mixed'
	option macaddr 'random'
	option key 'Censored'
	option network 'server'
	option isolate '1'
	option ifname 'Wifi_Server'
	option ocv '0'
	option disabled '1'

config wifi-iface 'WifiClient'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'Censored'
	option encryption 'sae'
	option key 'Censored'
	option macaddr 'random'
	option ocv '0'
	option disabled '1'
	option ifname 'WifiClient'

config wifi-iface 'monitor'
	option device 'radio1'
	option mode 'monitor'
	option network 'lan'
	option ifname 'Wifi5mon0'
	option macaddr 'random'
	option ssid 'Censored'
	option disabled '1'

config wifi-iface 'mesh'
	option device 'radio0'
	option mode 'mesh'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option key 'Censored'
	option encryption 'none'
	option mesh_id '80211s'
	option macaddr 'random'
	option disabled '1'

config wifi-iface 'adhoc'
	option device 'radio0'
	option mode 'adhoc'
	option ssid 'Censored'
	option macaddr 'random'
	option ifname 'Wifi_Adhoc'
	option encryption 'none'
	option key 'Censored'
	option disabled '1'

config wifi-iface 'wifinet12'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Censored'
	option encryption 'sae-mixed'
	option ifname 'experiment'
	option macaddr 'random'
	option key 'Censored'
	option ocv '0'

config wifi-iface 'wifinet13'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Censored'
	option encryption 'sae-mixed'
	option macaddr 'random'
	option key 'Censored'
	option ocv '0'

Old Problem now Solved

  • How to change the LAN IP range
  • Have another Range in the same zone

Problem

My WAN started using 192.168.1.1 instead of 192.168.100.1 causing my internet to not work.

What I did

My LAN uses the 192.168.1.1 range, so I created lan2 with 192.168.0.1 in the same firewall zone, adjusted the firewall rules that needed it, and created an extra SSID that connects to lan2.

Now I can't access LuCI via 192.168.0.1's wifi.
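The posted dhcp and network configs can be cross-checked mechanically. The checker below is an added example written for this page, not code from the thread or from OpenWrt. It assumes the documented OpenWrt semantics that `start` is an offset from the interface's network address, `limit` is the pool size, and `auto '0'` keeps an interface down at boot; the embedded configs are constructed, trimmed copies of the ones posted above (`NETWORK_CFG`, `DHCP_CFG` and the host names are mine).

```python
import ipaddress
import re

# Constructed sample input: trimmed copies of the configs posted in the thread.
NETWORK_CFG = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.240'
    option auto '0'

config interface 'serverlocal'
    option proto 'static'
    option ipaddr '192.168.5.1'
    option netmask '255.255.255.0'
    option auto '0'

config interface 'lan2'
    option proto 'static'
    option device 'br-lan'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.240'
"""

DHCP_CFG = """
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'

config dhcp 'serverlocal'
    option interface 'serverlocal'
    option start '100'
    option limit '150'

config dhcp 'lan2'
    option interface 'lan2'
    option start '100'
    option limit '150'

config host
    option name 'desktop'
    option ip '192.168.1.4'

config host
    option name 'printer'
    option ip '192.168.1.15'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_OPTION = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Parse UCI text into (section_type, section_name, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        sec = _SECTION.match(line.strip())
        if sec:
            sections.append((sec.group(1), sec.group(2) or "", {}))
            continue
        opt = _OPTION.match(line)
        if opt and sections:
            sections[-1][2].setdefault(opt.group(1), []).append(opt.group(2))
    return sections


def check_dhcp(network_text, dhcp_text):
    """Return findings as (subject, code, detail) tuples; an empty list means the pools fit."""
    ifaces = {}  # interface name -> (IPv4Network, stays down at boot)
    for typ, name, opts in parse_uci(network_text):
        if typ == "interface" and opts.get("proto") == ["static"] and "ipaddr" in opts:
            mask = opts.get("netmask", ["255.255.255.0"])[0]
            net = ipaddress.ip_network(f"{opts['ipaddr'][0]}/{mask}", strict=False)
            ifaces[name] = (net, opts.get("auto", ["1"])[0] == "0")

    findings = []
    for typ, name, opts in parse_uci(dhcp_text):
        if typ == "dhcp" and opts.get("ignore", ["0"])[0] != "1":
            ifname = opts.get("interface", [name])[0]
            if ifname not in ifaces:
                findings.append((ifname, "no-static-interface", "no static interface behind this DHCP section"))
                continue
            net, down_at_boot = ifaces[ifname]
            if down_at_boot:
                findings.append((ifname, "auto-0", "auto '0': not brought up at boot, so nothing answers DHCP here"))
            # Assumed OpenWrt semantics: start is an offset from the network address, limit the pool size.
            first = net.network_address + int(opts.get("start", ["100"])[0])
            last = first + int(opts.get("limit", ["150"])[0]) - 1
            usable_last = net.broadcast_address - 1
            if first > usable_last:
                findings.append((ifname, "pool-outside-subnet", f"pool would begin at {first}, past the last usable host {usable_last} of {net}"))
            elif last > usable_last:
                findings.append((ifname, "pool-overruns-subnet", f"pool {first}-{last} runs past {net}; usable only up to {usable_last}"))
        elif typ == "host" and "ip" in opts:
            ip = ipaddress.ip_address(opts["ip"][0])
            homes = [net for net, _ in ifaces.values() if ip in net]
            if not homes:
                findings.append((str(ip), "host-outside-subnets", "static lease is in no static interface subnet"))
            elif ip in (homes[0].network_address, homes[0].broadcast_address):
                findings.append((str(ip), "host-is-network-or-broadcast", f"static lease uses the network or broadcast address of {homes[0]}"))
    return findings


if __name__ == "__main__":
    for subject, code, detail in check_dhcp(NETWORK_CFG, DHCP_CFG):
        print(f"{subject}: {code}: {detail}")
```

On the trimmed sample this reports that `lan` and `lan2` are /28 networks (hosts .1 to .14) while `start '100'` places the pool entirely outside them, that `lan` and `serverlocal` carry `auto '0'` and so stay down until something runs `ifup` on them, and that the 192.168.1.15 reservation is the broadcast address of 192.168.1.0/28. The posted guest and server sections use the same /28 mask with the same `start`/`limit`, so the same check applies to them.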

You have to re-connect clients if you change the gateway IP.

Why not simply move 192.168.1.1 to 192.168.0.1?
One digit to be replaced in /etc/config/network.
Force all clients to reconnect afterwards.

I tried that, but I had to revert using the recovery/safe-boot thing.

Really, why?

I got dual network working.

DHCP not working, and I need to keep changing the static IP on Windows.

Well, we can't help you with "it doesn't work"...

@frollic

/$ cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan2'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option input 'DROP'
	option masq '1'
	option masq6 '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option name 'Wireguard'
	option input 'DROP'
	list network 'Wireguard'

config zone
	option name 'private'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'private'

config zone
	option name 'Guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config zone
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option name 'server'
	list network 'server'

config zone
	option name 'serverlocal'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'serverlocal'

config forwarding
	option src 'Guest'
	option dest 'Wireguard'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'private'
	option dest 'wan'

config forwarding
	option src 'private'
	option dest 'Wireguard'

config forwarding
	option src 'lan'
	option dest 'private'

config redirect
	option dest 'server'
	option target 'DNAT'
	option name 'Allow All In on Server'
	option src 'wan'
	option dest_ip '192.168.4.6'
	option family 'ipv4'
	list proto 'all'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'Torrent [Enable/Disable]'
	option src 'wan'
	option src_dport '49156'
	option dest_ip '192.168.1.4'
	option dest_port '49156'
	option dest 'lan'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.0.1'
	option dest_port '53'
	option name 'DNS - LAN (192.168.0.1)'
	list src_mac '!00:00:00:00:00:00'
	list src_mac '!00:00:00:00:00:00'

config redirect
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option name 'DNS - LAN (192.168.1.1)'
	list src_mac '!00:00:00:00:00:00'
	list src_mac '!00:00:00:00:00:00'

config redirect
	option target 'DNAT'
	option name 'DNS - Private (May exclude TV)'
	option src 'private'
	option src_dport '53'
	option dest_ip '192.168.2.1'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option src 'Guest'
	option src_dport '53'
	option dest_port '53'
	option dest_ip '192.168.3.1'
	option name 'DNS - Guest'

config redirect
	option target 'DNAT'
	option name 'DNS - Server'
	option src 'server'
	option src_dport '53'
	option dest_ip '192.168.4.1'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option src 'lan'
	option dest_port '853'
	option src_dport '853'
	option dest_ip '139.84.177.196'
	option name 'DoT - LAN - MyDNSserver'
	list src_mac '!00:00:00:00:00:00'
	option reflection_src 'external'

config redirect
	option target 'DNAT'
	option src_dport '853'
	option dest_ip '139.84.177.196'
	option dest_port '853'
	option src 'private'
	option dest 'wan'
	option name 'DoT - Private - MyDNSserver'

config redirect
	option dest 'wan'
	option target 'DNAT'
	option name 'NTP - LAN (192.168.0.1)'
	option src 'lan'
	option src_dport '123'
	option dest_port '123'
	option dest_ip '192.168.0.1'
	list proto 'udp'

config redirect
	option dest 'wan'
	option target 'DNAT'
	option name 'NTP - LAN (192.168.1.1)'
	option src 'lan'
	option src_dport '123'
	option dest_port '123'
	option dest_ip '192.168.1.1'
	list proto 'udp'

config redirect
	option target 'DNAT'
	option name 'NTP - Private'
	option src 'private'
	option src_dport '123'
	option dest_ip '192.168.2.1'
	option dest_port '123'
	list proto 'udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'Guest'
	option src_dport '123'
	option dest_ip '192.168.3.1'
	option dest_port '123'
	option name 'NTP - Guest'
	list proto 'udp'

config redirect
	option dest 'server'
	option target 'DNAT'
	option name 'PublicServer - Kiwix Server Phone'
	option src 'server'
	option src_dport '443-8080'
	option dest_port '8080'
	option dest_ip '10.10.11.2'

config ipset
	option name 'Phones_Others'
	option family 'ipv4'
	list match 'src_mac'
	list entry '00:00:00:00:00:00'
	list entry '00:00:00:00:00:00'
	list entry '00:00:00:00:00:00'

config ipset
	option name 'Phones'
	option family 'ipv4'
	list match 'src_mac'
	list entry '00:00:00:00:00:00'
	list entry '00:00:00:00:00:00'
	list entry '00:00:00:00:00:00'
	list entry '00:00:00:00:00:00'

config ipset
	option name 'Google'
	option family 'ipv4'
	option loadfile '/tmp/Google.txt'
	list match 'dest_net'

config ipset
	option name 'Facebook'
	option family 'ipv4'
	option loadfile '/tmp/Facebook.txt'
	list match 'dest_net'
	option storage 'bitmap'

config ipset
	option name 'Netflix'
	option family 'ipv4'
	option loadfile '/tmp/Netflix.txt'
	list match 'dest_net'
	option storage 'bitmap'

config ipset
	option name 'Youtube'
	option family 'ipv4'
	option loadfile '/tmp/Youtube.txt'
	list match 'dest_net'

config nat
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_port '5353'
	option target 'SNAT'
	option snat_port '53'
	option name '5353 to 53'
	option enabled '0'

config nat
	option name 'PublicServer - Kiwix Server Phone'
	option src 'PubServer'
	option target 'SNAT'
	option snat_ip '10.10.11.2'
	list proto 'tcp'
	list proto 'udp'
	option snat_port '8080'
	option dest_port '443'
	option enabled '0'

config nat
	option name 'Torrent [Test] ??'
	list proto 'all'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

config nat
	option name '[Test] IP Spoof'
	list proto 'all'
	option src 'wan'
	option src_ip '192.168.1.4'
	option target 'SNAT'
	option snat_ip '0.0.0.0'
	option enabled '0'

config rule
	option name 'Default - Allow-DHCP-Renew [Can Limit to ONT] - Log'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option limit '10/second'
	option log '1'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'Default - Allow-Ping (Tracert) [Can Limit to ONT]'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	list dest_ip '192.168.100.1'
	option limit '1000/second'

config rule
	option name 'Default - Allow-IGMP (IPTV)'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option log '0'
	option limit '10/second'

config rule
	option name 'Default - Allow-DHCPv6 - Log'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option log '1'
	list src_mac '00:00:00:00:00:00'
	option limit '10/second'

config rule
	option name 'Default - Allow-MLD (Multicast)'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'

config rule
	option name 'Default - Allow-ICMPv6-Input (RFC4890,TracerRoute, targets input chain, meaning it'\''s for pinging to/from router itself)'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Default - Allow-ICMPv6-Forward (ICMP forward to LAN devices, targets forward chain)'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Default - Allow-IPSec-ESP (IPsec tunnels)'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Default - Allow-ISAKMP (IPsec tunnels)'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name ' [Switch to accept when active]'
	option src 'wan'
	option dest 'server'
	option target 'ACCEPT'
	list dest_ip '192.168.4.6'
	option family 'ipv4'
	list proto 'all'
	option enabled '0'

config rule
	option name 'Allow - Incoming to Client for Torrent [Enable/Disable]'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.1.4'
	option dest_port '49156'
	option enabled '0'

config rule
	option name 'Allow - Incoming to Client [Games] [Enable/Disable]'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.1.4'
	option dest_port '37055'
	option enabled '0'

config rule
	option name 'Incoming WAN to Router'
	option src 'wan'
	option target 'DROP'
	list proto 'all'

config rule
	option name 'Incoming WAN to Router - Log'
	option src 'wan'
	option target 'DROP'
	option log '1'
	list proto 'all'

config rule
	option name 'Incoming WAN to Router - Log [Testing w/ Inbound Device Wan Interface]'
	option src 'wan'
	option direction 'in'
	option device 'wan'
	option target 'DROP'
	option log '1'
	list proto 'all'

config rule
	option name 'Incoming WAN to Any - Log '
	option src 'wan'
	option dest '*'
	option target 'DROP'
	list proto 'all'
	option log '1'

config rule
	option name 'Incoming Wireguard to Any - Log'
	option src 'Wireguard'
	option target 'DROP'
	option dest '*'
	list proto 'all'
	option log '1'

config rule
	option name 'Disable IPv6 [Global Unicast Addresses]'
	option target 'REJECT'
	option family 'ipv6'
	option dest '*'
	option src '*'
	list dest_ip '2000::/3'
	list proto 'all'

config rule
	option name 'Allow - Intera-Zone - FTP [Enable/Disable] (To Check Inter Device Com Pcap) - Log'
	option src '*'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_ip '192.168.1.3'
	list src_ip '192.168.1.4'
	option dest '*'
	list dest_ip '192.168.1.3'
	list dest_ip '192.168.1.4'
	option target 'ACCEPT'
	option log '1'
	list proto 'all'

config rule
	option name 'DSCP - Zone - Guest'
	option src 'Guest'
	option dest '*'
	option target 'DSCP'
	option set_dscp 'BE'
	list proto 'all'

config rule
	option name 'DSCP - DHCP'
	option src '*'
	option dest_port '67 68'
	option target 'DSCP'
	option set_dscp 'EF'

config rule
	option name 'DSCP - Router Out'
	option dest '*'
	option target 'DSCP'
	option set_dscp 'AF32'
	option enabled '0'
	list proto 'all'

config rule
	option name 'DSCP - Router Access'
	option src 'lan'
	option dest_port '80 443 22'
	option target 'DSCP'
	option set_dscp 'EF'

config rule
	option name 'DSCP - DNS'
	option dest '*'
	option dest_port '53 853'
	option target 'DSCP'
	option set_dscp 'CS4'
	option src '*'

config rule
	option name 'DSCP - ICMP'
	list proto 'icmp'
	option dest '*'
	option target 'DSCP'
	option set_dscp 'AF31'
	option src '*'

config rule
	option name 'DSCP - Protocol - VoWiFi UDP'
	list proto 'udp'
	option dest '*'
	option dest_port '500 4500'
	option target 'DSCP'
	option set_dscp 'EF'
	option src '*'
	option ipset 'Phones'

config rule
	option name 'DSCP - Protocol - VoWifi TCP'
	list proto 'tcp'
	option dest '*'
	option target 'DSCP'
	option set_dscp 'EF'
	option src '*'
	option dest_port '143'
	option ipset 'Phones'

config rule
	option name 'DSCP - Client - TV'
	list src_mac '00:00:00:00:00:00'
	option target 'DSCP'
	option src 'private'
	option set_dscp 'AF32'
	option dest '*'

config rule
	option name 'DSCP - Service - Google [IPset]'
	option target 'DSCP'
	option src '*'
	option set_dscp 'AF41'
	option dest '*'
	option ipset 'Google'
	option log '0'

config rule
	option name 'DSCP - Serivce - Netflix [IP Set]'
	option target 'DSCP'
	option src '*'
	option set_dscp 'AF41'
	option dest '*'
	option ipset 'Netflix'
	option log '0'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'DSCP - Service - YouTube [IPset]'
	option target 'DSCP'
	option src '*'
	option set_dscp 'AF41'
	option dest '*'
	option ipset 'Youtube'
	option log '0'

config rule
	option name 'DSCP - Service - Facebook [IPset]'
	option target 'DSCP'
	option dest '*'
	option set_dscp 'BE'
	option src '*'
	option ipset 'Facebook'
	option log '0'

config rule
	option name 'Block Facebook without VPN'
	option src '*'
	option dest 'wan'
	option target 'REJECT'
	option ipset 'Facebook'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'Block Youtube without VPN'
	option src '*'
	option dest 'wan'
	option target 'REJECT'
	option ipset 'Youtube'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'Block Google without VPN'
	option src '*'
	option dest 'wan'
	option target 'REJECT'
	option ipset 'Google'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option dest_port '4244 5222 5223 5228 5242 50318 59234 3478 45395'
	option target 'DSCP'
	option dest 'wan'
	option set_dscp 'AF42'
	option name 'DSCP - Service - WhatsApp Call'
	option src 'lan'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option limit '10/second'

config rule
	option name 'DSCP - Service - Webex'
	list proto 'udp'
	option src 'lan'
	list src_mac '00:00:00:00:00:00'
	option dest 'wan'
	option dest_port '5004 9000'
	option target 'DSCP'
	option set_dscp 'AF42'
	option enabled '0'

config rule
	option name 'DSCP - Mass Download - PC [Enable/Disable]'
	option src 'lan'
	option dest 'wan'
	option target 'DSCP'
	option set_dscp 'BE'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option target 'ACCEPT'
	list src_ip '192.168.1.2'
	option name 'Allow - LAN - Extender,DumbAP Allow [Need to Update IPv6]'
	option src 'lan'
	list proto 'all'

config rule
	option name '[Dead] Allow - SquidProxyOnRouter'
	option src 'lan'
	option target 'ACCEPT'
	list src_mac '00:00:00:00:00:00'
	option dest_port '3128'
	option enabled '0'

config rule
	option dest '*'
	option target 'REJECT'
	option name 'Block - IP Range - USA DoD /8 IPs - Log'
	option src '*'
	list dest_ip '6.0.0.0/8'
	list dest_ip '21.0.0.0/8'
	list dest_ip '22.0.0.0/8'
	list dest_ip '26.0.0.0/8'
	list dest_ip '29.0.0.0/8'
	list dest_ip '30.0.0.0/8'
	list dest_ip '33.0.0.0/8'
	list dest_ip '11.0.0.0/8'
	list dest_ip '7.0.0.0/8'
	list dest_ip '55.0.0.0/8'
	list dest_ip '28.0.0.0/8'
	list dest_ip '214.0.0.0/8'
	list dest_ip '215.0.0.0/8'
	list proto 'all'
	option log '1'

config rule
	option target 'ACCEPT'
	option name '[Test] Allow -  [Move Rule Up/Down to Diagnose Problem] Client - X - Log'
	option src '*'
	option dest '*'
	list src_mac '00:00:00:00:00:00'
	option log '1'
	option enabled '0'
	list proto 'all'

config rule
	option enabled '0'
	option name 'Block - IP Range - DoH Services (Auto Update IPset) - Log'
	option src '*'
	option ipset 'DoH'
	option dest '*'
	option target 'REJECT'
	option log '1'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '443'

config rule
	option src 'lan'
	option dest '*'
	option target 'ACCEPT'
	option name 'Allow - Client - censored'
	list proto 'all'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name 'Block - Security - CarrierGradeNAT - Log'
	option dest '*'
	list dest_ip '100.64.0.0/10'
	option target 'REJECT'
	option src '*'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Security - Bogon - Internet Reserved for future use - Log'
	option dest '*'
	option target 'REJECT'
	list dest_ip '240.0.0.0/4'
	list dest_ip '192.88.99.0/24'
	option src '*'
	option log '1'
	list proto 'all'

config rule
	option src 'lan'
	option dest_port '80 443 22 8080'
	option target 'ACCEPT'
	option name 'Allow - Admin Access to Router from LAN'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'No Phone,TV Night [12pm to 10am]'
	option src '*'
	option dest '*'
	option target 'DROP'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
	option start_time '00:00:00'
	option stop_time '00:10:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name 'No Phone,TV Evening [5:30pm to 8:00pm]'
	option src '*'
	option dest '*'
	option target 'DROP'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
	option start_time '00:17:30'
	option stop_time '00:20:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name 'No Phone,TV Rest [3:30pm to 6:00pm]'
	option src '*'
	option dest '*'
	option target 'DROP'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
	option start_time '00:16:30'
	option stop_time '00:18:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name 'Block All'
	option src '*'
	option dest '*'
	option target 'DROP'
	option dest_port '443'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name ' Phone [Max 8/min]'
	option src '*'
	option dest '*'
	option target 'DROP'
	option limit '8/minute'
	list src_mac '00:00:00:00:00:00'
	option dest_port '443'
	option enabled '0'

config rule
	option name ' [max 8/min]'
	option src '*'
	option dest '*'
	option dest_port '443'
	option target 'DROP'
	option limit '8/min'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name 'TV [Max 3]'
	option src '*'
	option dest '*'
	option dest_port '443'
	option target 'DROP'
	option limit '10/second'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'

config rule
	option name 'Allow - Inter-Zone - Phone/PC to TV from LAN [To Test] [Update to IPv6] '
	option src 'lan'
	option ipset 'Phones'
	option dest 'private'
	list dest_ip '192.168.2.2'
	option target 'ACCEPT'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_ip '192.168.1.1/28'
	list src_ip '192.168.0.1/28'

config rule
	option name 'Block - Inter-Zone - LAN to Guest - Log [Need to Update IPv6]'
	option src 'lan'
	option dest 'Guest'
	option target 'DROP'
	option log '1'
	list dest_ip '192.168.3.1/29'
	list proto 'all'

config rule
	option name 'Block - Inter-Zone - LAN to Private - Log [Need to Update IPv6]'
	option src 'lan'
	option dest 'private'
	option target 'DROP'
	option log '1'
	list src_ip '192.168.1.1/28'
	list dest_ip '192.168.2.1/28'
	list dest_ip '!192.168.2.2'
	list proto 'all'

config rule
	option name 'Block - Inter-Zone - LAN to PublicServer [Need to Update IPv6]'
	option src 'lan'
	option dest 'server'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.37.1/28'

config rule
	option name 'Block - Other Subnet LAN 192.168.10.0-192.168.255.255 - Log'
	option src '*'
	list src_ip '192.168.10.0/23'
	list src_ip '192.168.12.0/22'
	list src_ip '192.168.16.0/20'
	list src_ip '192.168.32.0/19'
	list src_ip '192.168.64.0/18'
	list src_ip '192.168.128.0/17'
	option dest '*'
	option target 'REJECT'
	option log '1'
	list proto 'all'

config rule
	option name '[To update for 192.168.0.1 ] Block - Intera-Zone - Log (192.168.0.1-192.168.255.254) [Need to Update IPv6]'
	option src 'lan'
	option dest 'lan'
	option target 'REJECT'
	option log '1'
	list dest_ip '192.168.0.0/16'
	list dest_ip '!192.168.100.1'
	list proto 'all'
	option enabled '0'

config rule
	option src '*'
	option dest '*'
	option target 'ACCEPT'
	option name 'Block - LAN - Link-local Addresses [May Allow when problems]'
	list dest_ip '169.254.0.0/16'
	list dest_ip 'fe80::/10'
	list proto 'all'

config rule
	option name 'Block - Broadcast [Need to Update IPv6]'
	option src 'lan'
	option dest '*'
	list dest_ip '255.255.255.255'
	option target 'REJECT'
	list proto 'all'

config rule
	option name 'Block - LAN Broadcast - Log [Need to Update IPv6] '
	option src 'lan'
	option dest '*'
	list dest_ip '192.168.1.255'
	option target 'REJECT'
	option log '1'
	list proto 'all'

config rule
	option src 'lan'
	option dest '*'
	list dest_ip '224.0.0.0/4'
	option target 'REJECT'
	option name 'Block - Multicast LAN, Internet- 224.0.0.0/4'
	list proto 'all'

config rule
	option name 'Block - Multicast Address'
	list dest_ip '224.0.0.0'
	list dest_ip '224.0.0.255'
	option target 'REJECT'
	option src 'lan'
	option dest '*'
	list proto 'all'

config rule
	option name 'Block - Multicast - IPv6'
	option src 'lan'
	option dest '*'
	list dest_ip 'ff00::/8'
	option target 'REJECT'
	list proto 'all'

config rule
	option src 'lan'
	option target 'REJECT'
	option name 'Block - Security - LAN - SSDP [Multicast, NetworkDiscovery]'
	list proto 'udp'
	option src_port '1900'
	option dest_port '1900'
	list dest_ip '239.255.255.250'
	list dest_ip 'FF02::C'
	list dest_ip 'FF05::C'
	list dest_ip 'FF08::C'
	list dest_ip 'FF0E::C'
	list dest_ip 'ff00::c/fff0:ffff:ffff:ffff:ffff:ffff:ffff:ffff'
	option dest '*'

config rule
	option src 'lan'
	option src_port '5355'
	list dest_ip '224.0.0.252'
	list dest_ip 'FF02::1:3'
	option dest_port '5355'
	option target 'REJECT'
	list proto 'tcp'
	list proto 'udp'
	option name 'Block - Security - LLMNR (LinkLocalMulticastNameResolution)'
	option dest '*'

config rule
	option name 'Block - Security - Vuln - NetBIOS (Helper)'
	option src 'lan'
	option target 'REJECT'
	option helper 'netbios-ns'
	option dest '*'
	list proto 'all'

config rule
	option name 'Block - Security - Vuln - NetBIOSoverTCP/IP'
	option src 'lan'
	option src_port '137'
	option dest '*'
	option dest_port '137'
	option target 'REJECT'

config rule
	list proto 'tcp'
	option src 'lan'
	option src_port '139'
	option dest '*'
	option dest_port '139'
	option target 'REJECT'
	option name 'Block - Security - Vuln - NetBIOSoverTCP/IP TCP'

config rule
	option name 'Block - Security - Vuln - NetBIOSoverTCP/IP UDP'
	list proto 'udp'
	option src 'lan'
	option src_port '138'
	option dest '*'
	option dest_port '138'
	option target 'REJECT'

config rule
	list proto 'udp'
	option src 'lan'
	option src_port '5353'
	option dest '*'
	list dest_ip '224.0.0.251'
	list dest_ip 'ff02::fb'
	option dest_port '5353'
	option target 'REJECT'
	option name 'Block - Security - mDNS [LAN, Multicast]'

config rule
	option src 'lan'
	option src_port '3702'
	list dest_ip '239.255.255.250'
	list dest_ip 'FF02::C'
	option dest_port '3702'
	option target 'REJECT'
	option name 'Block - LAN - WS-Discovery (WebServicesDynamicDiscovery)'
	option dest '*'

config rule
	option target 'REJECT'
	option helper 'ftp'
	option name 'Block - Security - Vuln - FTP (Helper)'
	option src 'lan'
	option dest '*'
	list proto 'all'

config rule
	option name 'Test All DNS53 to Router for AllZone in 1 Rule'
	option src '*'
	option target 'ACCEPT'
	option dest_port '53'

config rule
	option name 'Allow - Essential - LAN to Router - DHCP, NTP'
	option src 'lan'
	option dest_port '67 68 546 547 123'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.0.1'
	list dest_ip '192.168.1.1'

config rule
	option name 'Allow - Essential - LAN to Router - DNS53'
	option target 'ACCEPT'
	option src 'lan'
	option dest_port '53'

config rule
	option name 'Allow - Essential - DoT DNS-over-TLS '
	option src 'lan'
	option dest '*'
	option dest_port '853'
	option target 'ACCEPT'

config rule
	option name 'Allow - Essential -  ICMP'
	list proto 'icmp'
	option src 'lan'
	option target 'ACCEPT'
	option dest '*'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'Block - LAN to Router [All Other]'
	option src 'lan'
	option target 'REJECT'
	list proto 'all'

config rule
	option name 'Block - Security - L2TP [IP Protocol No.] - Log [Breaks Internet]'
	list proto 'l2tp'
	option target 'REJECT'
	option src 'lan'
	option dest '*'
	option log '1'
	option enabled '0'

config rule
	option name 'Block - Security - PPTP (Helper) - Log'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option helper 'pptp'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Security - TFTP (Helper)  - Log'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option helper 'tftp'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Not Used Much - Transport L4 - RDP [IP Protocol No.] - Log'
	list proto 'rdp'
	option src '*'
	option target 'REJECT'
	option dest '*'
	option log '1'

config rule
	option name 'Block - Not Used Much - Transport L4 - SCTP [IP Protocol No.] - Log'
	list proto 'sctp'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option log '1'

config rule
	option name 'Block - Not Used Much - Transport L4 - UDPLite [IP Protocol No.] - Log'
	list proto 'udplite'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option log '1'

config rule
	option target 'REJECT'
	list proto 'udp'
	option src 'lan'
	option dest '*'
	option dest_port '443'
	option name 'Block - Security - QUIC'

config rule
	option dest_port '51820'
	option target 'ACCEPT'
	option src '*'
	option dest '*'
	list proto 'tcp'
	list proto 'udp'
	option name 'Allow - Protocol - VPN - Wireguard '
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_ip '0.0.0.0/0'
	list dest_ip 'Censored'


config rule
	option dest_port '51820'
	option target 'ACCEPT'
	option src '*'
	option dest '*'
	option name 'Allow - Protocol - VPN - Wireguard '
	list src_mac '00:00:00:00:00:00'
	list proto 'tcp'
	list proto 'udp'
	list proto 'sctp'
	list proto 'udplite'
	list proto 'ipencap'

config rule
	option target 'ACCEPT'
	option src 'lan'
	list proto 'tcp'
	option dest '*'
	option dest_port '80 443'
	option name 'Allow - Protocol - HTTP/s'

config rule
	option name 'Allow - Protocol - Email - IMAP'
	list proto 'tcp'
	option src 'lan'
	option dest '*'
	option dest_port '993'
	option target 'ACCEPT'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	list proto 'udp'
	option src 'lan'
	option dest_port '500 4500'
	option target 'ACCEPT'
	option dest '*'
	option ipset 'Phones'
	option name 'Allow - Protocol - VoWiFi UDP'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	list proto 'tcp'
	option src 'lan'
	option dest_port '143'
	option target 'ACCEPT'
	option dest '*'
	option ipset 'Phones'
	option name 'Allow - Protocol - VoWiFi TCP'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'Allow - Protocol - SIP (Helper) [Enable/Disable]'
	option src 'lan'
	option dest '*'
	option target 'ACCEPT'
	option helper 'sip'
	list proto 'all'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option dest_port '50318 59234'
	option target 'ACCEPT'
	option src 'lan'
	option dest '*'
	option name 'Allow - Service - WhatsApp TCP/UDP [TimeRestrict]'
	option ipset 'Phones_Others'
	option start_time '09:00:00'
	option stop_time '22:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option limit '50/second'

config rule
	option src 'lan'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '4244 5222 5223 5228 5242'
	option dest '*'
	option name 'Allow - Service - WhatsApp TCP [TimeRestrict]'
	option start_time '07:00:00'
	option stop_time '22:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option limit '50/second'
	option ipset 'Phones_Others'

config rule
	list proto 'udp'
	option dest_port '3478 45395'
	option target 'ACCEPT'
	option src 'lan'
	option dest '*'
	option ipset 'Phones_Others'
	option name 'Allow - Service - WhatsApp UDP [TimeRestrict]'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
	option start_time '09:00:00'
	option stop_time '21:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option limit '50/second'

config rule
	option name 'Allow - Service - Webex [Enable/Disable]'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '9000 5004'
	option target 'ACCEPT'
	list src_mac '00:00:00:00:00:00'
	option enabled '0'
	option limit '100/second'

config rule
	option name 'Allow - Service -Appx'
	list proto 'tcp'
	option src 'lan'
	option dest '*'
	option dest_port '8443 8444'
	option target 'ACCEPT'
	option limit '10/second'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option dest_port '5000'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest '*'
	option src 'lan'
	option name 'Allow - Service - Appx Web [MAC Limited]'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option target 'ACCEPT'
	option dest_port '5551'
	list proto 'tcp'
	option dest '*'
	option src 'lan'
	option name 'Allow - Service - Appx Android [MAC Limited]'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'

config rule
	option name 'StopLog NotNeeded - WhatsApp TCP 5222'
	list proto 'tcp'
	option src 'lan'
	option dest '*'
	option dest_port '5222'
	option target 'ACCEPT'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option limit '10/second'
	option ipset 'Phones_Others'

config rule
	option name 'StopLog NotNeeded - Android Notifcation C2DM'
	list proto 'tcp'
	option src 'lan'
	option dest '*'
	option dest_port '5228'
	option target 'ACCEPT'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	list src_mac '00:00:00:00:00:00'
	option ipset 'Phones'

config rule
	option name 'Allow Client - G-Desktop-Wifi AllowAllOther - Log'
	option src 'lan'
	option dest '*'
	option target 'ACCEPT'
	option log '1'
	list src_mac '00:00:00:00:00:00'
	list proto 'all'

config rule
	option src 'Guest'
	option dest 'lan'
	option target 'DROP'
	option name 'Block - Inter-Zone - Guest to LAN [Need to Update IPv6]'
	list proto 'all'
	list dest_ip '192.168.1.1/28'
	list dest_ip '192.168.0.1/28'

config rule
	option src 'Guest'
	option target 'ACCEPT'
	option dest_port '67 68'
	option name 'Guest - Essential - DHCP [TimeRestrict]'
	list proto 'udp'
	option limit '1/second'
	option start_time '09:00:00'
	option stop_time '22:00:00'

config rule
	option dest_port '53'
	option target 'ACCEPT'
	option src 'Guest'
	option name 'Guest - Essential - DNS'

config rule
	option name 'Block - Security - Guest to Router'
	option src 'Guest'
	option target 'DROP'
	list proto 'all'

config rule
	option name 'Guest - HTTPs [TimeRestrict]'
	option src 'Guest'
	option dest_port '80 443'
	list proto 'tcp'
	option dest 'Wireguard'
	option target 'ACCEPT'
	option start_time '09:00:00'
	option stop_time '22:00:00'

config rule
	option name 'Block Inter-Zone - Private to LAN [Need to Update IPv6]'
	option src 'private'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.1.1/28'
	list dest_ip '192.168.0.1/28'

config rule
	option name 'Private - Essential - DHCP, NTP'
	option src 'private'
	option dest_port '67 68 123'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Private - Essential - DNS'
	option src 'private'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Private - ICMP'
	list proto 'icmp'
	option src 'private'
	option target 'ACCEPT'
	option dest '*'

config rule
	option name 'Private - Block to Router'
	option src 'private'
	option target 'REJECT'
	list proto 'all'

config rule
	option src 'private'
	option dest 'private'
	option target 'ACCEPT'
	option name 'Private - Allow Intera-Zone [Update IPv6]'
	list src_ip '192.168.2.1/28'
	list src_ip '!192.168.2.1'
	list dest_ip '192.168.2.1/28'
	list dest_ip '!192.168.2.1'
	list proto 'all'

config rule
	option src 'private'
	option dest 'private'
	option target 'REJECT'
	option name 'Private - Allow Intera-Zone Block Outside Range Other [Update IPv6]'
	list proto 'all'
	list src_ip '!192.168.2.1'
	list src_ip '!192.168.2.1/28'
	list src_ip '192.168.2.0/24'
	list dest_ip '!192.168.2.1'
	list dest_ip '!192.168.2.1/28'
	list dest_ip '192.168.2.16/28'
	list dest_ip '192.168.2.32/27'
	list dest_ip '192.168.2.64/26'
	list dest_ip '192.168.2.128/25'

config rule
	option src 'private'
	option dest 'private'
	option target 'ACCEPT'
	option name 'Private - Allow Intera-Zone [Update IPv6]'
	list proto 'all'

config rule
	option src 'private'
	list src_mac '00:00:00:00:00:00'
	option target 'ACCEPT'
	option dest '*'
	option name 'Private - TV Allow Ports [Dont need to allow 53]'
	option dest_port '80 443 5228 853 53'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Private - TV - IGMP - Log'
	list proto 'igmp'
	option src 'private'
	list src_mac '00:00:00:00:00:00'
	option dest '*'
	option target 'ACCEPT'
	option log '1'

config rule
	option name 'Private - TV - Allow IGMP In - Log'
	list proto 'igmp'
	option src 'wan'
	option dest 'private'
	list dest_ip '192.168.2.2'
	option target 'ACCEPT'
	option limit '100/second'
	option log '1'

config rule
	option src 'private'
	option target 'ACCEPT'
	option dest '*'
	option name 'Private - Allow Ports (Non-TV)'
	option dest_port '80 443'
	list proto 'tcp'
	list proto 'udp'

config rule
	option src 'private'
	option target 'ACCEPT'
	option dest 'wan'
	option name 'Private - Allow Ports - Wireguard [Not Neede]'
	option dest_port '51820'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name ' Private - Allow Ports Non-TV Device [Need to Update IPv6] - Log to Enable '
	option src 'private'
	option target 'ACCEPT'
	option dest '*'
	list proto 'tcp'
	list proto 'udp'
	list src_ip '!192.168.2.2'

config rule
	option name 'PublicServer - Essential - DHCP, DNS'
	option dest_port '53 67 68 123'
	option target 'ACCEPT'
	option src 'server'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Block - Acees to Router [Rule '\''cause other rules aren'\''t blocking]'
	option src 'server'
	option target 'DROP'
	list proto 'all'

config rule
	option name 'PublicServer - Allow - Intera-Zone'
	option src 'server'
	option dest 'server'
	option target 'ACCEPT'
	list proto 'all'
	list dest_ip '!192.168.4.1'

config rule
	option name 'Server - Allow Out'
	option src 'server'
	option dest 'wan'
	option target 'ACCEPT'
	list dest_ip '!192.168.2.1/28'
	list dest_ip '!192.168.3.1/28'
	list proto 'all'

config rule
	option name 'Server - Block All In'
	option src '*'
	option dest 'server'
	option target 'REJECT'
	option enabled '0'

config rule
	option src 'serverlocal'
	option dest_port '67 68'
	option target 'ACCEPT'
	option name 'LocalServer (No WAN Public) - AllowDHCP'

config rule
	option name 'Block - IP-in-IP encapsulation IP-ENCAP [IP Protocol No.] - Log'
	list proto 'ipencap'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option log '1'

config rule
	option name 'Block - EGP [IP Protocol No.] - Log'
	list proto 'egp'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option log '1'

config rule
	option name 'Block - HMP [IP Protocol No.] - Log'
	list proto 'hmp'
	option src '*'
	option dest '*'
	option target 'DROP'
	option log '1'

config rule
	option name 'Block - GRE [IP Protocol No.] - Log'
	list proto 'gre'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option log '1'

config rule
	option name 'Block - Dont Know - AMANDA (Helper) - Log'
	option target 'REJECT'
	option helper 'amanda'
	option dest '*'
	option src '*'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Dont Know - RAS (Helper) - Log'
	option target 'REJECT'
	option helper 'RAS'
	option src '*'
	option dest '*'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Dont Know - Q.931 (Helper) - Log'
	option target 'REJECT'
	option helper 'Q.931'
	option src '*'
	option dest '*'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Dont Know - IRC DDC (Helper) - Log'
	option target 'REJECT'
	option helper 'irc'
	option src '*'
	option dest '*'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Dont Know - SANE [Helper] - Log'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option helper 'sane'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Dont Know - SNMP (Helper) - Log'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option helper 'snmp'
	option log '1'
	list proto 'all'

config rule
	option name 'Block - Dont Know - RTSP (Helper) - Log'
	option src '*'
	option dest '*'
	option target 'REJECT'
	option helper 'rtsp'
	option log '1'
	list proto 'all'

config rule
	option target 'REJECT'
	option dest '*'
	option src 'lan'
	option name 'Block All - LAN - Log'
	option log '1'
	list proto 'all'

config rule
	option name 'Block All - Private - Log'
	option src 'private'
	option dest '*'
	option target 'REJECT'
	option log '1'
	list proto 'all'

config rule
	option src 'Guest'
	option dest '*'
	option target 'REJECT'
	option name 'Block All - Guest - Log'
	option log '1'
	list proto 'all'

config rule
	option name 'Block All - Server - Log [May disable logging]'
	option src 'server'
	option dest '*'
	option target 'REJECT'
	option log '1'
	list proto 'all'

config rule
	option name 'Any to Any is Processed 1st and breaks Internet'
	option src '*'
	option dest '*'
	option target 'ACCEPT'
	option enabled '0'

config forwarding
	option src 'Guest'
	option dest 'wan'

config forwarding
	option src 'server'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'server'

config forwarding
	option src 'wan'
	option dest 'Wireguard'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'


Please add missing pieces.
If I was a sneaky toddler I'd plainly make a new wifi connection on my phone

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

To be clear:

  • On what network is DHCP not working?
  • When did it stop working?

I ask because you have a lot of odd configurations (e.g., you have DHCP configurations for WAN, these don't exist by default, and firewalled time restrictions for DHCP). You also have a lot of conflicting, possibly dangerous, or irrelevant firewall rules (:warning: e.g., you allow traffic from WAN), so your response will be needed to decipher the issue.

What does this mean?

Why have you installed all these helpers?!?!

(FYI, some helpers are known vulnerable by design. It's again unclear why your configuration shows this.)

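The reply above flags rules that accept traffic from the wan zone, time- or rate-limited DHCP rules, and conntrack helpers. As an added example (not code from the thread or from OpenWrt), this Python linter parses UCI firewall syntax and reports those patterns over a constructed sample modelled on the posted rules; `parse_uci`, `lint_firewall` and the sample are assumptions of this example.

```python
"""Lint OpenWrt UCI firewall rules for the patterns questioned above."""
import re

# Constructed sample in /etc/config/firewall syntax, modelled on the posted rules.
SAMPLE = """\
config rule
	option name 'Guest - Essential - DHCP [TimeRestrict]'
	option src 'Guest'
	option dest_port '67 68'
	option target 'ACCEPT'
	option limit '1/second'
	option start_time '09:00:00'
	option stop_time '22:00:00'

config rule
	option name 'Private - TV - Allow IGMP In - Log'
	list proto 'igmp'
	option src 'wan'
	option target 'ACCEPT'

config rule
	option name 'Block - LAN - Link-local Addresses'
	option target 'ACCEPT'
	list dest_ip '169.254.0.0/16'

config rule
	option name 'Allow - Protocol - SIP (Helper)'
	option src 'lan'
	option target 'ACCEPT'
	option helper 'sip'

config rule
	option name 'Server - Allow All In [disabled]'
	option src 'wan'
	option dest 'server'
	option target 'ACCEPT'
	option enabled '0'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")
DHCP_PORTS = {"67", "68", "546", "547"}  # DHCPv4 and DHCPv6


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {k: v}, 'lists': {k: [v]}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:  # 'config rule' or "config include 'pbr'"
            sections.append({"type": m.group(1), "name": m.group(2) or None,
                             "options": {}, "lists": {}})
            continue
        m = KV_RE.match(line)
        if m and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def lint_firewall(sections):
    """Return (rule name, finding) pairs for the enabled 'rule' sections."""
    findings = []
    for s in sections:
        o = s["options"]
        if s["type"] != "rule" or o.get("enabled", "1") == "0":
            continue  # fw4 skips disabled rules, so they cannot cause trouble
        name, target = o.get("name", "<unnamed>"), o.get("target", "").upper()
        if o.get("src") == "wan" and target == "ACCEPT":
            findings.append((name, "accepts traffic originating from the wan zone"))
        limited = any(k in o for k in ("start_time", "stop_time", "weekdays", "limit"))
        if limited and set(o.get("dest_port", "").split()) & DHCP_PORTS:
            findings.append((name, "DHCP rule is time/rate limited; leases may fail"))
        if "helper" in o and target == "ACCEPT":
            findings.append((name, f"enables conntrack helper '{o['helper']}'"))
        if name.lower().startswith("block") and target == "ACCEPT":
            findings.append((name, "named 'Block' but the target is ACCEPT"))
    return findings
```

Feed it a copied /etc/config/firewall with `lint_firewall(parse_uci(open(path).read()))`; disabled rules are skipped, as fw4 skips them.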
  • On what network is DHCP not working?

Lan

  • When did it stop working?

It's on and off for me but since last update it started again

you have DHCP configurations for WAN, these don't exist by default

I always had in default state - Allow-DHCP-Renew

You also have a lot of conflicting, possibly dangerous, or irrelevant firewall rules (:warning: e.g., you allow traffic from WAN)

That's only for specific devices (IPs)

I got dual network working.

192.168.1.1 and 192.168.0.1 both work together but now I have turned off .1.1

FYI, some helpers are known vulnerable by design. It's again unclear why your configuration shows this.)

I have blocked all helpers not needed

$ ubus call system board

{
	"kernel": "6.6.110",
	"hostname": "R",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "D-Link DIR-2640 A1",
	"board_name": "dlink,dir-2640-a1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.4",
		"revision": "r28959-29397011cc",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.4 r28959-29397011cc",
		"builddate": "1760891865"
	}
}

:light_bulb:

Wow....Really?

:spiral_notepad: I'm not sure why you think you could configure 2 OpenWrt interfaces to the same PHY br-lan, but that won't work. It's not clear what you're attempting to do, so I cannot assist.

You simply needed to edit the LAN IP range. I believe other users already explained that.


Your update broke things.

Incorrect, I'm referring to your DHCP config, and it's not default:

Thanks for the clue. You should really stop breaking your config.

Why are they installed?


:spiral_notepad: (Lastly, all these DNS configurations pointing to localhost seem odd, but OK.)

I always had this in default state -

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

This is default:

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

(There is no DHCP Server for WAN.)

No, DHCP problem on lan interface only, and also I have to keep changing static IP, e.g. between 192.168.0.2 and .3

Yes, I understand - the point is your configurations are not default.

Why?

This config seems very basic to me, tell me what's wrong -

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

and also I have to keep changing static IP, e.g. between 192.168.0.2 and .3

Why?

If I don't switch, internet doesn't work and luci is not accessible

Please stop quoting different configs than the one we discussed, it seems to cause [you] confusion.

:spiral_notepad: Then delete this network that's conflicting with your ISP's upstream network.

  • Or you could have simply renumbered LAN to 192.168.0.0/24 instead of creating LAN2
  • Also, it's not clear why you're using /28 (netmask 255.255.255.240), but I suggest setting it back at /24