DHCP not working when using Pfsense VLANs

Hi all, this is my first time posting here and most likely someone asked my question before, but I spent hours trying to figure out networking between Pfsense and Openwrt. I'm also new to Openwrt.

I created 2 tagged VLANs (although I just need one for guest network) in Pfsense and assigned them to new interfaces.

I also enabled the DHCP server for each VLAN and created firewall rules to allow traffic.

I think everything from Pfsense side looks good. Now from Openwrt I want to use Guest VLAN to assign it to Guest SSID.

I first created a bridge device to bridge all 4 LAN ports on my AP. Then I enabled bridge filtering.

Then I created a guest interface and gave it the static address protocol and the bridge.50 device. DHCP is not enabled on this interface since I enabled it for the VLAN (bridge.50).

Now when I assign SSID to GuestLAN network and try to connect to that SSID I cannot get an IP, but if I enable DHCP for GuestLAN interface I can connect to that SSID but I don't have Internet access.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.1.20'
        list dns '10.10.1.26'
        list dns '9.9.9.9'
        option gateway '23.240.200.1'

config device
        option name 'wan'
        option macaddr ''

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'eth0'

config device
        option name 'wlan1-1'

config device
        option name 'wlan0'

config interface 'GuestLAN'
        option type 'bridge'
        option device 'br-lan-test.50'
        option proto 'static'
        option ipaddr '10.10.50.20'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-lan-test'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-lan-test'
        option vlan '50'
        list ports 'lan1:t'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan-test'
        option vlan '99'
        list ports 'lan1:u*'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

/etc/config/wireless

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key ''
        option ssid 'GuestWIFI'
        option wmm '0'
        option isolate '1'
        option network 'GuestLAN'

FYI, my setup is as follows:

Pfsense is acting as firewall and router (connected to the ISP through WAN, and LAN to an unmanaged switch); OpenWrt is installed on an AP to provide WLAN.

Might be worth spending time with tcpdump and .pcap files, to check the 802.1q headers in the packets.

The network configuration is full of errors.

The same physical ports cannot be members of multiple bridge devices.

You cannot have more than one untagged VLAN on the same port.

The next hop (gateway) address must be on the same IP subnet.

Here's an example of how to do it.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option vlan '50'
        option device 'br-lan'
        list ports 'lan1:t'

config interface 'lan'
        option device 'br-lan.1'
        ...

config interface 'guest'
        option device 'br-lan.50'
        ...

or

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan1.50'

config interface 'lan'
        option device 'br-lan'
        ...

config interface 'guest'
        option device 'br-guest'
        ...

Note that there is a possibility that the unmanaged switch cannot properly handle tagged frames.

EDIT:

Sorry @iplaywithtoys , I replied to you by mistake...

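As an added example that is not part of this thread, here is a small Python checker for the three rules pavelgl lists above (a port in more than one bridge, a port untagged in more than one VLAN, a gateway outside the interface's subnet), run against a constructed two-port reduction of the first config posted above; parse_uci and check_network are my own names, not OpenWrt tooling.

```python
import ipaddress
SAMPLE = """config device
    option name 'br-lan'
    list ports 'lan1'
config interface 'lan'
    option ipaddr '10.10.1.20'
    option netmask '255.255.255.0'
    option gateway '23.240.200.1'
config device
    option name 'br-lan-test'
    list ports 'lan1'
config bridge-vlan
    option device 'br-lan-test'
    option vlan '50'
    list ports 'lan1:t'
    list ports 'lan2'
config bridge-vlan
    option device 'br-lan-test'
    option vlan '99'
    list ports 'lan2'
"""  # constructed: the OP's first /etc/config/network, reduced to two ports

def parse_uci(text):
    # One dict per UCI section; 'option' keeps a single value, 'list' accumulates a list.
    sections = []
    for w in (line.replace("'", "").split() for line in text.splitlines()):
        if w and w[0] == "config":
            sections.append({"_sect": w[1]})
        elif w and w[0] == "option":
            sections[-1][w[1]] = w[2]
        elif w and w[0] == "list":
            sections[-1].setdefault(w[1], []).append(w[2])
    return sections

def check_network(text):
    # Returns the violations of the three rules stated in the thread, in the order found.
    problems, owners, untagged = [], {}, {}
    for s in parse_uci(text):
        if s["_sect"] == "device":                     # rule 1: one bridge per physical port
            for port in s.get("ports", []):
                owners.setdefault(port, []).append(s["name"])
        elif s["_sect"] == "bridge-vlan":              # rule 2: one untagged VLAN per port
            for port in s.get("ports", []):
                name, _, flags = port.partition(":")   # 'lan1:t' is tagged; a bare name is untagged
                if "t" not in flags:
                    untagged.setdefault((s["device"], name), []).append(s["vlan"])
        elif s["_sect"] == "interface" and "gateway" in s:   # rule 3: gateway inside the subnet
            net = ipaddress.ip_interface(f"{s['ipaddr']}/{s['netmask']}").network
            if ipaddress.ip_address(s["gateway"]) not in net:
                problems.append(f"gateway {s['gateway']} not in {net}")
    problems += [f"port {p} in bridges {b}" for p, b in owners.items() if len(b) > 1]
    problems += [f"{p} untagged in VLANs {v} on {b}" for (b, p), v in untagged.items() if len(v) > 1]
    return problems
```

Running check_network(SAMPLE) reports all three violations; a config following either of the two layouts above returns an empty list.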

Thank you so much @pavelgl. I picked 2nd option and that did exactly what I wanted.

Now, just to expand a little: I have two more IoT devices connected to LAN3 and LAN4 on the OpenWrt AP and want to isolate them from the private LAN and move them to the guest LAN, so I would like them to get the same IP as lan1.50. So I did the following:

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan1.50'
        list ports 'lan3'
        list ports 'lan4'

config interface 'GuestLAN'
        option proto 'static'
        ....
        option device 'br-guest'

They are not getting an IP. Any idea why? Isn't the idea of bridge devices that they act as a switch, so the 3 ports should be able to talk to each other and get an IP?

lan3 and lan4 should be removed from br-lan. Did you do that?

Yes, but still not getting an IP.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
...

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan1.50'
        list ports 'lan3'
        list ports 'lan4'

config interface 'GuestLAN'
        option proto 'static'
        option device 'br-guest'
...

No worries. :wink:


Update: it looks like the Ethernet ports on the OpenWrt AP are now broken. Only wifi is working.

If the config looks like the following, the Ethernet ports are unable to get a proper IP:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
...

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan1.50'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan2'

config interface 'GuestLAN'
        option proto 'static'
        option device 'br-guest'
...

But if I change it to the following, the Ethernet ports get a proper IP but are unable to reach the Internet, and it's not a DNS issue:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
...

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan1.50'

config interface 'GuestLAN'
        option proto 'static'
        option device 'br-guest'
...


You are still having lan1 in two bridges.

I tested a similar configuration with version 22.03.5 and also noticed problems with the wired ports.
It appears that the broadcast and arp traffic generated by wired devices is not leaving the tagged port.
The problem went away for me when I switched to bridge vlan filtering (the first option).

Here are some commands adapted to the latest configuration you posted.
VLAN1 - lan1 untagged
VLAN50 - lan1 tagged, lan[2-4] untagged

The changes are not permanent, so if something goes wrong, just reboot the device.

devnum=$(uci show network | grep \@device | grep br-guest | cut -d "[" -f2 | cut -d "]" -f1)
uci del network.@device[$devnum]

uci add network bridge-vlan
uci set network.@bridge-vlan[-1].vlan='1'
uci set network.@bridge-vlan[-1].device='br-lan'
uci add_list network.@bridge-vlan[-1].ports='lan1'

uci add network bridge-vlan
uci set network.@bridge-vlan[-1].vlan='50'
uci set network.@bridge-vlan[-1].device='br-lan'
uci add_list network.@bridge-vlan[-1].ports='lan1:t'
uci add_list network.@bridge-vlan[-1].ports='lan2'
uci add_list network.@bridge-vlan[-1].ports='lan3'
uci add_list network.@bridge-vlan[-1].ports='lan4'

uci set network.lan.device='br-lan.1'
uci set network.GuestLAN.device='br-lan.50'
service network reload

Thanks again @pavelgl, I used the 1st option:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option vlan '50'
        option device 'br-lan'
        list ports 'lan1:t'

config interface 'lan'
        option device 'br-lan.1'
        ...

config interface 'guest'
        option device 'br-lan.50'
        ...

Now pretty much everything is working fine, except LAN ports 3 and 4 are getting a private network IP and I want them to get a guest network IP. Is that possible by creating a 3rd VLAN?

This is the way I have configured similar topology where I assume lan1 is connected to Pfsense.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan1:t'

config bridge-vlan
        option vlan '50'
        option device 'br-lan'
        list ports 'lan1:t'
        list ports 'lan3:u*'
        list ports 'lan4,u*'

config interface 'lan'
        option device 'br-lan.1'
        ...

config interface 'guest'
        option device 'br-lan.50'

That didn't work for me. I'm thinking of just creating a VLAN for the physical ports.

I noticed I left one typo: list ports 'lan4,u*' is wrong, it has to be list ports 'lan4:u*'.

Please post the result of uci show network and define your needs - VLAN IDs and tagged/untagged port members.

I tried both ways; it broke wifi and the Ethernet ports weren't getting an IP.

@pavelgl, I just need to configure LAN3 and LAN4 to be in VLAN50 (so they are in the guest network and have a 10.10.50.x IP).

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdb2:b73e:ca49::/48'
network.@device[0]=device
network.@device[0].name='wan'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.auto='0'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@device[1]=device
network.@device[1].name='eth0'
network.@device[2]=device
network.@device[2].name='wlan1-1'
network.@device[3]=device
network.@device[3].name='br-lan'
network.@device[3].type='bridge'
network.@device[3].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].vlan='1'
network.@bridge-vlan[0].device='br-lan'
network.@bridge-vlan[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].vlan='50'
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].ports='lan1:t'
network.lan=interface
network.lan.device='br-lan.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.gateway='10.10.1.1'
network.lan.ipaddr='10.10.1.20'
network.GuestLAN=interface
network.GuestLAN.device='br-lan.50'
network.GuestLAN.proto='static'
network.GuestLAN.ipaddr='10.10.50.60'
network.GuestLAN.netmask='255.255.255.0'
network.GuestLAN.gateway='10.10.50.1'

uci del_list network.@bridge-vlan[0].ports='lan3'
uci del_list network.@bridge-vlan[0].ports='lan4'
uci add_list network.@bridge-vlan[1].ports='lan3'
uci add_list network.@bridge-vlan[1].ports='lan4'
uci set network.GuestLAN.metric='10'
uci commit network
/etc/init.d/network restart

Nice, that did what I was looking for.
