DHCP on wifi not working

Hello,

Normally I'm not the guy asking stupid questions, but in this case it seems I need help after spending 10+ hours trying and reading the manual and similar issues. I even ultimately bricked a router after I tried to flash the original firmware back...

I'm planning to use three, pardon two (after frying one), Cudy M1800 together with 2 managed switches to distribute a couple of networks in our house with two, maybe soon three, parties and a growing number of IoT devices (Shellys). In addition, there is a server that should be reachable from outside (DMZ) and a shared network printer.
The plan:

  • Admin network to config routers and switches
  • Party 1 (Berlin)
  • Party 2 (London)
  • IOT
  • DMZ
  • Shared Resources: Printer
  • Guest

Each should be distributed via radio, aka WiFi, with its own SSID and by wired Ethernet (VLANs).
The house is big enough that two, better three or even four access points are needed. It should not make any difference which access point or properly configured switch is used to connect. Routers, access points and switches are wired together. Each network should have its own IP range and a DHCP server in action. (Yes, maybe the server should work with a static one.)

The problem:
When I configure a network (aka interface) - here 'Berlin' - besides the default 'lan' and try to connect to it, dnsmasq is not serving an IP address. When setting a static address all seems to work correctly.
I've tried:

  • to link the wifi Berlin directly to the network as in the config below this post
  • link the wifi Berlin via the bridge by adding phy0-ap0 to the ports and assigning it to VLAN 1 untagged
  • both at once
  • link the wifi Berlin to network 'lan': this works as intended

In Wireshark I only see EAPOL 802.1X messages from the router on the wifi adapter. To all DHCP discover requests it stays silent and dumb. I haven't tried to connect to the Berlin LAN via wire yet.

Thank you for reading this and for all advice you may have.

Kind regards
Olias

Version is
OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '250'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Berlin'
        option interface 'Berlin'
        option start '10'
        option limit '250'
        option leasetime '8760h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

package dropbear

config dropbear 'main'
        option enable '1'
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port '22'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'Berlin'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Berlin'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'Berlin'
        option dest 'wan'

package luci

config core 'main'
        option lang 'auto'
        option mediaurlbase '/luci-static/bootstrap'
        option resourcebase '/luci-static/resources'
        option ubuspath '/ubus/'

config extern 'flash_keep'
        option uci '/etc/config/'
        option dropbear '/etc/dropbear/'
        option openvpn '/etc/openvpn/'
        option passwd '/etc/passwd'
        option opkg '/etc/opkg.conf'
        option firewall '/etc/firewall.user'
        option uploads '/lib/uci/upload/'

config internal 'languages'

config internal 'sauth'
        option sessionpath '/tmp/luci-sessions'
        option sessiontime '3600'

config internal 'ccache'
        option enable '1'

config internal 'themes'
        option Bootstrap '/luci-static/bootstrap'
        option BootstrapDark '/luci-static/bootstrap-dark'
        option BootstrapLight '/luci-static/bootstrap-light'

config internal 'apply'
        option rollback '90'
        option holdoff '4'
        option timeout '5'
        option display '1.5'

config internal 'diag'
        option dns 'openwrt.org'
        option ping 'openwrt.org'
        option route 'openwrt.org'

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd63:7bb7:3fdd::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'Berlin'
        option proto 'static'
        option ipaddr '172.16.10.1'
        option netmask '255.255.255.0'
        option device 'br-lan.10'
        option type 'bridge'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan:t'

package rpcd

config rpcd
        option socket '/var/run/ubus/ubus.sock'
        option timeout '30'

config login
        option username 'root'
        option password '$p$root'
        list read '*'
        list write '*'

package system

config system
        option hostname 'Heimdall'
        option ttylogin '0'
        option log_size '128'
        option urandom_seed '0'
        option compat_version '1.1'
        option zonename 'UTC'
        option log_proto 'udp'
        option conloglevel '8'
        option cronloglevel '7'

config timeserver 'ntp'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'

package ubihealthd

package uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'defaults'
        option days '397'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Berlin'
        option encryption 'sae-mixed'
        option key 'i wont tell you'
        option ocv '0'
        option network 'Berlin'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'London'
        option encryption 'sae-mixed'
        option wmm '0'
        option key 'i wont tell you'
        option ocv '0'
        option disabled '1'

You should sanitize your configs before posting. Might as well change your passwords now.


The router is unpowered as I'm just testing around for now. And I will change SSIDs and passwords before installing it and connecting it to the real systems.

But sure, you are right!

There are many issues here.

Your lan DHCP server pool is too large. The limit must be <=245 with a start value of 10.

Likewise, same comment about the pool size here. Also, a 1 year lease time for the DHCP server is silly. I’d recommend a much smaller value — 12h is the default:

Your Berlin firewall zone has input set to REJECT — this is fine if you consider this zone/network untrusted. But if that’s the case, you do need to add a set of rules to allow DHCP (udp port 67) and DNS (tcp+udp port 53)

This syntax is wrong — the bridge line must not be here — remove that line:

Don’t use sae-mixed — use only WPA2 or WPA3:

Once those changes are all complete, reboot and test again.

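As an added example (not from the thread), this is what the replier's "reject input, then allow the required services" approach looks like in /etc/config/firewall: the Berlin zone keeps input REJECT, and two rules admit only what clients need from the router itself, DHCP on UDP 67 and DNS on TCP/UDP 53. The rule names are my own choice, patterned on the Allow-* rules already in the posted config.

```uci
config zone
        option name 'Berlin'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Berlin'

# Clients in Berlin must reach dnsmasq on the router to get a lease;
# without this rule DHCPDISCOVER is dropped and the client never gets an address.
config rule
        option name 'Allow-DHCP-Berlin'
        option src 'Berlin'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

# Name resolution against the router's dnsmasq, TCP and UDP.
config rule
        option name 'Allow-DNS-Berlin'
        option src 'Berlin'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

Everything else from Berlin to the router (LuCI, SSH) stays rejected, which is the point of keeping input REJECT on a less trusted zone. The posted Berlin DHCP section also runs dhcpv6 and ra, so with input REJECT those would need their own rule for UDP 547 and ICMPv6, which the thread does not cover.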

That was the fault:

config zone
        option name 'Berlin'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Berlin'

I've changed input to ACCEPT as this should be used as the main network.

As I made the whole config via LuCI I couldn't believe the syntax was wrong. So this was the only logical error in my thoughts.
I've shortened the lease time to one week.

What's the reason for this?

Well, LuCI is just a front end. This part is a logic error (on the human side), not a syntax problem. But, if the network is not fully trusted, it’s actually best practice to reject input and then make rules to allow the required services.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

There are many client devices that don’t work properly when this mode is used.