DHCP-Problem with VLAN

Hello,

I want to separate my network with VLANs. I thought I had all the configuration done, but the device which I put in VLAN 103 doesn't get an IP address.

Let me first describe my network infrastructure:
I have a FritzBox 7490 with the original OS, which is connected to the internet. This 7490 is connected to a TP-Link switch TL-SG1016DE on port 1.
Port 9 of this switch is connected to the WAN port of a FritzBox 4040, which runs OpenWrt.
Port 10 of this switch is connected to port LAN1 of the 4040.
Port 3 is connected to an internet radio.

I created VLAN 101 for DMZ (not in use), VLAN 102 for Guest and VLAN 103 for IoT in OpenWrt, and I changed the default VLAN 1 to 100 because the FritzBox 4040 has problems with VLANs 1 and 2.

All these VLANs are tagged on port 9 of the switch, which is port 5 on the 4040.
On the switch, port 2 is also tagged with all VLANs; it leads to another TP-Link switch, a TL-SG108E.
Port 3 on the TL-SG1016DE is untagged in VLAN 103.

The problem is that no IP address is assigned to the internet radio on port 3.

Here are the relevant parts of /etc/config/network on OpenWrt:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:6428:57b9::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.100'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '100'
        option vid '100'
        option ports '0t 1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '103'
        option vid '103'
        option ports '0t 5t'

config interface 'DMZ'
        option ifname 'eth0.101'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.101.1'
        option ip6assign '64'
        option ip6hint '1'

config interface 'Gast'
        option ifname 'eth0.102'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.102.1'
        option ip6assign '64'
        option ip6hint '2'

config interface 'IOT'
        option ifname 'eth0.103'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.103.1'
        option ip6assign '64'
        option ip6hint '3'

Here is the content of /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'DMZ'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'DMZ'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'

config dhcp 'Gast'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'Gast'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'

config dhcp 'IOT'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'IOT'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'

Can you give me a hint where the problem is?

Thank you in advance

Matthias

I think a drawing that shows all the devices will be helpful... I got lost trying to understand your current infrastructure!

As you wanted:

Matthias

In your first post, you commented that all VLANs are tagged on port 9 of the main switch, but on the drawing port 9 is connected to the WAN port of the router. Shouldn't you be using port 10 for trunking? Or is this just a typo?

No typo. I tagged port 9 of the switch, which is connected to the WAN port of the OpenWrt router. I read in another post (https://forum.openwrt.org/t/solved-vlans-on-ipq40xx-alternative-config-for-fritzbox-4040/41832/3) that on this FritzBox 4040 the driver does not work well with VLANs and port 5 (which is the WAN port) must be tagged. Otherwise the router is not reachable after VLANs are enabled.

I also tried tagging port 10, which is connected to port LAN1 of the OpenWrt router, but this also leads to an unreachable router.

Matthias

Did you set port 3 of the SG1016DE to VLAN 103 untagged and also the PVID to 103?

Yes, I read before that on TP-Link switches the PVID has to be set separately.

Matthias

Not sure I understand this...

On the router's port LAN1 you have VLANs 100, 101, 102, and 103, all of them tagged. These are connected to port 10 of the main router, but you do not have them tagged on that port. Then, how is this switch supposed to untag all these VLANs?

Unless I am wrong, on the main router you should also define VLANs 100, 101, 102, and 103, all of them tagged on port 10, and untagged on one port each one.

Apparently OpenWrt on the Fritz!Box 4040 does not support VLAN tagging on the WAN port.
You can only use the LAN ports for tagged VLANs.

Ahh, so much reading, but I don't see that the WAN port on the 4040 doesn't work with VLANs...

I changed the /etc/config/network:

config switch_vlan
        option device 'switch0'
        option vlan '100'
        option vid '100'
        option ports '0t 1t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '103'
        option vid '103'
        option ports '0t 1t'

Now the internet radio gets an IP address, 192.168.103.107!

But there are still problems:

  1. As DNS it gets 192.168.103.1, and this doesn't exist, so no connection to the internet is made.
    I have a raspi with Pi-hole, which acts as DNS resolver, but this is in the 192.168.178 network of the FritzBox 7490. Is it a good solution to define this DNS server in the network interface of each VLAN?

  2. OpenWrt is not reachable after tagging port LAN1. I tagged port 1 (LAN1) for VLAN 100 too; is this causing the problem?

Matthias

I solved issue 2 by adding port 5 (WAN) for VLAN 100 as tagged:

config switch_vlan
        option device 'switch0'
        option vlan '100'
        option vid '100'
        option ports '0t 1t 2 3 4 5t'

I don't really understand this, because the WAN port cannot be used with VLANs, but it works!

Problem 2 is still unsolved. I tried to set DNS to 192.168.178.1 (= FritzBox 7490, where the raspi is set as DNS) and then added gateway 192.168.178.1. In the internet radio I still see gateway and DNS set to 192.168.103.1. In OpenWrt I see it correctly:
[screenshot Screenshot_20200716_100051 not included]
Any hints about this?

Matthias

The DHCP server on OpenWrt is offering itself as DNS, because that is the default behavior. dnsmasq acts both as a DHCP server and as a DNS cache.

If you want to use a different DNS, you have two options:

  • Configure the DNS at the router to use a different upstream DNS.
  • Send a different DNS to your client, using specific DHCP options.

The gateway must always be within the network segment where it is defined. You cannot have a gateway at 192.168.178.1 in a 192.168.103.1/24 network, because it cannot be reached. Besides, a gateway and a DNS are two completely different things, and (as far as I know) the Pi-hole is just a DNS.

The FritzBox 7490 (192.168.178.1) acts as DHCP server in my network, but in the 7490 the raspi (192.168.178.52) is configured as DNS server. Pi-hole runs on the raspi.

The OpenWrt router gets the IP address 192.168.178.73 via WAN from the main network and so automatically uses the raspi as DNS.

The OpenWrt LAN interface is configured with the static IP address 192.168.1.1.

I understand that a DNS server has to be in the same network as the client. But which strategy can be used with VLANs on OpenWrt? Is it necessary to configure a DNS server for each VLAN network? And how does this DNS server get the necessary information from internet DNS servers?
Or is it possible to use the DNS information which the router gets over the WAN interface? If yes, how?

I added firewall rules from https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan:

# Allow DNS Guest -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
        option name 'Allow DNS Queries'
        option src 'IOT'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config rule
        option name 'Allow DHCP request'
        option src 'IOT'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

But the internet radio still gets no internet connection.

Matthias

PiHole is based on dnsmasq, so it can be configured as DHCP and/or DNS server.

Not true: many people use Google's DNSs, and nobody is inside their network... Now, the DHCP is another issue.

OK, a DNS server has to be in the same local network or on the internet.

The Google DNS is only a temporary option for me, but I set the DNS 8.8.8.8 on the IOT interface for testing. This is also not working. The internet radio still gets the same DNS 192.168.103.1 and cannot establish an internet connection.

Maybe my firewall configuration is not correct? Here is /etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option network 'WG0'

config forwarding
        option dest 'lan'
        option src 'VPN'

config nat
        option target 'MASQUERADE'
        option name 'VPN'
        option src_ip '192.168.20.0/24'
        option src '*'

config forwarding
        option dest 'wan'
        option src 'VPN'

config zone
        option network 'DMZ'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'DMZ'
        option output 'ACCEPT'

config zone
        option network 'Gast'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option name 'GAST'

config zone
        option network 'IOT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'IOT'
        option output 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'DMZ'

config forwarding
        option dest 'wan'
        option src 'GAST'

config forwarding
        option dest 'wan'
        option src 'IOT'

config forwarding
        option dest 'DMZ'
        option src 'lan'

config forwarding
        option dest 'IOT'
        option src 'lan'

# Allow DNS Guest -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
        option name 'Allow DNS Queries'
        option src 'IOT'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config rule
        option name 'Allow DHCP request'
        option src 'IOT'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

Matthias

The DNS has to be anywhere that can be reached from the device.

So, there is a DHCP server answering that radio; have you determined which device that is?

I would debug the issue with a computer connected to the IoT network: can you ping an external IP address? Does DNS work? ...?
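The question above (which DHCP server is answering the radio, and what it actually hands out) is answered by the DHCP OFFER or ACK itself: option 54 carries the server identifier, option 3 the router and option 6 the DNS server(s) the client is told to use. The following is an added example, not code from this thread or from OpenWrt: a small Python decoder for the UDP payload of one DHCP message, run here on a constructed OFFER that mirrors the lease described in the thread (192.168.103.107 handed out by 192.168.103.1, which names itself as router and DNS). The transaction id, client MAC and lease time in the sample are made up.

```python
"""Decode one DHCP message (RFC 2131 header, RFC 2132 options) to see which server answered
and what it handed out: option 54 = server identifier, 3 = router, 6 = DNS."""
import socket
import struct

MAGIC_COOKIE = b'\x63\x82\x53\x63'
MESSAGE_TYPES = {1: 'DISCOVER', 2: 'OFFER', 3: 'REQUEST', 5: 'ACK', 6: 'NAK'}
IP_LIST_OPTIONS = {1: 'subnet_mask', 3: 'router', 6: 'dns', 54: 'server_id'}


def _ips(data):
    """Decode an option payload that is a list of IPv4 addresses."""
    return [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data) - len(data) % 4, 4)]


def parse_dhcp(payload):
    """Return header fields and decoded options of the UDP payload of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError('not a DHCP message: too short or magic cookie missing')
    op, htype, hlen, hops, xid = struct.unpack('!BBBBI', payload[:8])
    msg = {
        'op': op, 'xid': xid,
        'yiaddr': socket.inet_ntoa(payload[16:20]),   # the address being offered/acked
        'siaddr': socket.inet_ntoa(payload[20:24]),
        'chaddr': payload[28:28 + hlen].hex(':'),     # client MAC
        'message_type': None, 'options': {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD has no length byte
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(payload):
            raise ValueError('truncated option header')
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f'option {code} truncated')
        i += 2 + length
        if code == 53:
            msg['message_type'] = MESSAGE_TYPES.get(data[0], data[0])
        elif code in IP_LIST_OPTIONS:
            msg['options'][IP_LIST_OPTIONS[code]] = _ips(data)
        elif code == 51:
            msg['options']['lease_time'] = struct.unpack('!I', data)[0]
        else:
            msg['options'][code] = data                # keep unknown options raw
    return msg


def summarize(msg):
    """One line: who answered and what it handed out."""
    o = msg['options']
    return (f"{msg['message_type']} {msg['yiaddr']} for {msg['chaddr']} from server "
            f"{','.join(o.get('server_id', ['?']))}; router {','.join(o.get('router', []))}; "
            f"dns {','.join(o.get('dns', []))}")


def sample_offer():
    """Constructed DHCPOFFER, not a capture: dnsmasq on 192.168.103.1 offering 192.168.103.107
    and naming itself as router and DNS. xid, MAC and lease time are made up."""
    hdr = struct.pack('!BBBBIHH', 2, 1, 6, 0, 0x3903F326, 0, 0)   # BOOTREPLY, ethernet, hlen 6
    hdr += socket.inet_aton('0.0.0.0')                            # ciaddr
    hdr += socket.inet_aton('192.168.103.107')                    # yiaddr
    hdr += socket.inet_aton('192.168.103.1')                      # siaddr
    hdr += socket.inet_aton('0.0.0.0')                            # giaddr
    hdr += bytes.fromhex('02aabbccddee') + b'\x00' * 10           # chaddr (16 bytes)
    hdr += b'\x00' * 192                                          # sname + file, unused
    opts = (b'\x35\x01\x02'                                       # 53 message type: OFFER
            + b'\x36\x04' + socket.inet_aton('192.168.103.1')     # 54 server identifier
            + b'\x33\x04' + struct.pack('!I', 43200)              # 51 lease time: 12h
            + b'\x01\x04' + socket.inet_aton('255.255.255.0')     # 1 subnet mask
            + b'\x03\x04' + socket.inet_aton('192.168.103.1')     # 3 router
            + b'\x06\x04' + socket.inet_aton('192.168.103.1')     # 6 DNS
            + b'\x00\xff')                                        # pad, end
    return hdr + MAGIC_COOKIE + opts


if __name__ == '__main__':
    print(summarize(parse_dhcp(sample_offer())))
```

Capture a real message on the VLAN interface with `tcpdump -i eth0.103 -n -vv port 67 or port 68` (which prints the options as well) and pass the UDP payload bytes to parse_dhcp() when you want to check them in a script. If option 54 is not the OpenWrt address, another DHCP server is reaching that VLAN; if it is, but option 6 is not the DNS you want, dnsmasq is doing what the thread describes, naming itself. The per-pool override on OpenWrt is `list dhcp_option '6,192.168.178.52'` in the matching `config dhcp` section of /etc/config/dhcp, followed by a lease renewal on the client.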

192.168.103.1 is the OpenWrt router. It is pingable from a laptop which is connected to a VLAN 103 port.

But this laptop has no connection to the network 192.168.178.xx where the DNS server is located, and no connection to internet addresses. I guess the VLAN interfaces have no access to WAN, although forwarding for the zones is allowed in the firewall.

Matthias

I found the solution:
In the firewall zone wan, masquerading and MSS clamping were deactivated. I activated these settings, and after that DNS is working and pinging 192.168.178.x works.

I have to look at whether this solution is practicable, because the goal was to separate the VLANs from each other. Maybe I have to create another VLAN for the "normal" devices which then cannot be reached from the IoT and Guest VLANs.

Matthias
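Two things run through this thread that are easy to get wrong and hard to see by reading UCI text: the switch_vlan port memberships discussed around the LAN1/WAN trunk (a port untagged in more than one VLAN, a VLAN without the tagged CPU port), and whether the firewall zones really keep the VLANs apart once masquerading on wan makes everything behind it reachable, the worry in the final post. The following is an added example, not code from this thread or from OpenWrt: a Python audit that parses /etc/config/network and /etc/config/firewall stanzas and reports both. The fw3 policy semantics it assumes are stated in the docstring. The embedded sample is constructed from the stanzas posted above, trimmed to what the audit reads, with masq on wan as in the final post and one deliberate switch mistake added (port 3 untagged in two VLANs) so the switch check has something to find.

```python
"""Audit OpenWrt UCI stanzas for switch port memberships that cannot work and for firewall zones
that do not actually separate the VLANs. On a router: python3 audit.py /etc/config/network /etc/config/firewall"""
import sys
from collections import defaultdict

def parse_uci(text):
    """Minimal UCI parser: [(type, name, options)], 'list' keys collected into lists."""
    sections = []
    for raw in text.splitlines():
        tok = raw.split('#', 1)[0].split(None, 2)
        if not tok:
            continue
        if tok[0] == 'config':
            sections.append((tok[1], tok[2].strip('\'"') if len(tok) > 2 else None, {}))
        elif tok[0] in ('option', 'list') and sections:
            val = tok[2].strip().strip('\'"') if len(tok) > 2 else ''
            if tok[0] == 'list':
                sections[-1][2].setdefault(tok[1], []).append(val)
            else:
                sections[-1][2][tok[1]] = val
    return sections

def audit_switch(sections, cpu='0'):
    """Each VLAN needs the CPU port tagged (or eth0.<vid> sees nothing); a port is untagged in at most one VLAN (its PVID)."""
    findings, untagged = [], defaultdict(list)
    for typ, _, o in sections:
        if typ != 'switch_vlan':
            continue
        vid, ports = o.get('vid'), o.get('ports', '').split()
        if cpu + 't' not in ports:
            findings.append(f'VLAN {vid}: CPU port {cpu} is not tagged')
        for p in ports:
            if not p.endswith('t'):
                untagged[p].append(vid)
    for p, vids in untagged.items():
        if len(vids) > 1:
            findings.append(f'port {p}: untagged in VLANs {vids}, only one PVID is possible')
    return findings

def audit_firewall(sections, trusted=('lan',)):
    """Which zone can forward into which, and which untrusted zone reaches the router (input ACCEPT)
    or a trusted zone. fw3 semantics assumed: 'config forwarding' opens src->dest, a zone's own
    'forward' policy only covers traffic between that zone's own networks, and traffic between two
    zones with no forwarding entry falls through to the global 'config defaults' forward policy."""
    defaults = next((o for t, _, o in sections if t == 'defaults'), {})
    zones = {o['name']: o for t, _, o in sections if t == 'zone'}
    catch_all = defaults.get('forward') == 'ACCEPT'
    reach = {z: set(zones) - {z} if catch_all else set() for z in zones}
    for t, _, o in sections:
        if t == 'forwarding' and o.get('src') in reach and o.get('dest') in zones:
            reach[o['src']].add(o['dest'])
    findings = ['defaults: forward ACCEPT, every zone reaches every other zone'] if catch_all else []
    for z, o in zones.items():
        if z in trusted:
            continue
        if o.get('input') == 'ACCEPT':
            findings.append(f'zone {z}: input ACCEPT, its hosts reach every router service (ssh, LuCI)')
        if leaks := sorted(reach[z] & set(trusted)):
            findings.append(f'zone {z}: can forward into trusted zone(s) {leaks}')
        if o.get('masq') == '1':
            for src in sorted(s for s in reach if z in reach[s] and s != z and s not in trusted):
                findings.append(f'zone {z} masquerades: {src} reaches everything behind it, '
                                'an upstream private LAN included, unless a rule blocks it')
    return findings, reach

# Constructed sample: the thread's stanzas trimmed to what the audit reads, with masq on wan
# (the poster's final fix) and one deliberate switch mistake (port 3 untagged in two VLANs).
SAMPLE = """
config defaults
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option masq '1'
config zone
    option name 'IOT'
    option input 'ACCEPT'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'IOT'
    option dest 'wan'
config switch_vlan
    option vid '100'
    option ports '0t 1t 2 3 4 5t'
config switch_vlan
    option vid '103'
    option ports '0t 1t 3'
"""

if __name__ == '__main__':
    sections = parse_uci(''.join(open(p).read() for p in sys.argv[1:]) or SAMPLE)
    fw, reach = audit_firewall(sections)
    for line in audit_switch(sections) + fw:
        print('!', line)
    for z in sorted(reach):
        print(f'{z:4} -> {sorted(reach[z])}')
```

On the sample it reports the global `defaults forward ACCEPT` (with it, every zone can forward into every other, so the per-zone forwardings are not what separates them), `input ACCEPT` on the wan and IOT zones, and that IOT reaches everything behind the masquerading wan zone, which in this setup is the 192.168.178.0/24 network of the 7490. Setting the defaults forward policy to REJECT and the untrusted zones' input to REJECT (keeping the DHCP/DNS allow rules from the guest-WLAN guide) confines IOT to its own VLAN plus wan; keeping it out of 192.168.178.x then still needs a REJECT rule from IOT to wan with `dest_ip '192.168.178.0/24'`, because after masquerading that network looks like any other internet destination to the firewall.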