DHCP not working via VLAN

andre78 · July 17, 2022, 6:40pm

Hi,

My AP is set up as a dumb AP, using only the 4 LAN ports, WAN is unused.

I was able to set up a VLAN Network and attach it to a wireless network. When I set the IP on the connected client manually (in the range of that VLAN network, 192.168.20.1/24), I can access the internet, but DHCP doesn't work.
Which other setting do I have to make?

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4c:c9ec:2f25::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.11.3'
        option gateway '192.168.11.1'
        list dns '192.168.11.10'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'
        option name 'br-lan.20'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.3'
        option netmask '255.255.255.0'
        option gateway '192.168.20.1'
        option broadcast '192.168.20.255'
        option type 'bridge'

config wifi-iface 'wifinet6'
        option device 'radio1'
        option mode 'ap'
        option ssid 'klggst'
        option ieee80211r '1'
        option mobility_domain 'c3c3'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ieee80211w '2'
        option wpa_disable_eapol_key_retries '1'
        option nasid 'EE9F80D5DB51'
        option key 'REMOVED'
        option encryption 'psk2'
        option network 'guest'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

Thank you!

grrr2 · July 17, 2022, 7:50pm

you should watch this https://www.youtube.com/watch?v=4t_S2oWsBpE or google for "openwrt dumb ap" first.

hint: dumb ap is dumb, i.e. it runs no services just acts as physical extension of main router, so you should not set ip to interfaces for example (except one in the management vlan for managing device). all clients connecting to dumb ap will / should receive services (e.g. DNS/DHCP) from the main router. on the dumb ap no firewall, dnsmasq (for DNS and DHCP) is required.

Pico · July 17, 2022, 8:26pm

What is the expected outcome - Having a logically separated guest network on the AP?

Either you will need to VLAN-segment also your main router (which probably is not OpenWRT based, as you did not post any config).
Or you can run your AP as router (but its guest network would still be able to access devices on the main router, if the main router is not VLAN segmented. Only devices in the other segment on the AP would be safe). But a dumb AP alone wont be sufficient.

andre78 · July 17, 2022, 8:28pm

thanks, @grrr2 - the APs do not provide DNS or DHCP services.
And it get's even weirder: I have set up another VLAN to try and asssociated it with my WLAN for work devices - it works. Same settings(!). "Nice!" I thought, added another one with the exact settings (of course different VLAN ID etc) - it doesn't work.

andre78 · July 17, 2022, 8:36pm

I plan to have different VLANs for

home
guests
iot
server admin UI (proxmox, opnsense, openWRT etc)
work
...

All of them are created in the same way:
OPNsense (Main router): create VLAN interface, assign static /24 IP, activate DHCP on interface, create fw rules, I can ping all interfaces via VLAN
Switches: tagged all relevant interfaces (works from non-openWRT machines)
OPNsense: 3 similar APs (Linksys E8450), using only LAN ports, which are connected to the switches.

trendy · July 17, 2022, 8:42pm

The overall planning is wrong. The dumbAP cannot have multiple interfaces with multiple gateways. You should have only one interface set as static protocol with IP/mask/gateway/dns for management purposes and the rest should be unmanaged, that means without any settings. The dumbAP should act as a bridge between the clients and the main router.
Also dhcp and firewall on the dumbAP must be disabled.

There is a guide for guest network on a dumbAP, but it doesn't apply in your scenario as you want to bridge the SSID to a tagged interface.

andre78 · July 18, 2022, 6:08am

Thanks for your reply. If I understand it correctly, there is also no need to create interfaces for each VLAN?

andre78 · July 18, 2022, 6:20am

For anyone reading this later, the part about not using the interfaces is wrong, if they are to be used for wireless. The interfaces are needed of course, but set as unconfigured.
This leads me to the conclusion that the DHCP issue is outside openWRT, although set up identically for each VLAN in OPNsense. I will try today how the other, still unconfigured APs behave.

trendy · July 18, 2022, 6:28am

That's right, you need the interfaces but without addresses, that is unmanaged. Since static settings work fine but not DHCP for the clients, I tend to believe there is some misconfiguration in DHCP server config of main router.

maverickpuss · December 21, 2023, 5:32pm

1000 times of thanks to you for this as I'm the "anyone" reading this lol, because it has bothered me for almost two weeks already, and today after I switched protocol of my "guest" interface from DHCP to "unmanaged", it obtained IP in one millisecond just like a charm.

system · December 31, 2023, 5:33pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.