DHCP Running but no response

Hello,

I try to add a guest VLAN so I followed this article.
My key defference is I want a DHCP on this Guest VLAN 9 for my guest.
I put lan15 in VLAN 9 (untagged)
I activate DHCP, set it listening to the interface (linked to my VLAN and excluding all other) .

And plug a computer and ... no lease.

I see with tcp dump Discover goind out, but no response.

tcpdump -i lan15 -pvn port 67 and port 68

0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:e0:4c:68:00:dd, length 300, xid 0x4fe2af5f, Flags [none]

Service is listening

netstat -lnp | grep dnsmasq

tcp        0      0 192.168.8.1:53          0.0.0.0:*               LISTEN      13879/dnsmasq
tcp        0      0 192.168.9.1:53          0.0.0.0:*               LISTEN      13878/dnsmasq
tcp        0      0 fe80::201:2ff:fe03:405:53 :::*                    LISTEN      13878/dnsmasq
udp        0      0 192.168.8.1:53          0.0.0.0:*                           13879/dnsmasq
udp        0      0 192.168.9.1:53          0.0.0.0:*                           13878/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           13879/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           13878/dnsmasq
udp        0      0 fe80::201:2ff:fe03:405:53 :::*                                13878/dnsmasq

No critical problem in log :

logread -e dnsmasq
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: exiting on receipt of SIGTERM
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: exiting on receipt of SIGTERM
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: started, version 2.90 cachesize 150
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: started, version 2.90 cachesize 150
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Tue Jun  4 23:25:46 2024 local4.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.9.20 -- 192.168.9.119, lease time 12h
Tue Jun  4 23:25:46 2024 local4.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.8.20 -- 192.168.8.169, lease time 12h
Tue Jun  4 23:25:46 2024 local4.info dnsmasq[1]: UBus support enabled: connected to system bus
Tue Jun  4 23:25:46 2024 local4.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled
Tue Jun  4 23:25:46 2024 local4.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.9.20 -- 192.168.9.119, lease time 12h
Tue Jun  4 23:25:46 2024 local4.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.8.20 -- 192.168.8.169, lease time 12h
Tue Jun  4 23:25:47 2024 local4.info dnsmasq-dhcp[1]: DHCP, sockets bound exclusively to interface VLAN09_Guest
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for test
Tue Jun  4 23:25:47 2024 local4.info dnsmasq-dhcp[1]: IPv6 router advertisement enabled
Tue Jun  4 23:25:47 2024 local4.info dnsmasq-dhcp[1]: DHCP, sockets bound exclusively to interface VLAN08_IPphone
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for onion
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for test
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for onion
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for local
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for local
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for bind
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for bind
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using nameserver 192.168.1.4#53
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using nameserver 192.168.1.4#53
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using nameserver 192.168.1.254#53
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using nameserver 8.8.8.8#53
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using nameserver 192.168.1.254#53
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for test
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using nameserver 8.8.8.8#53
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for onion
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for test
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for onion
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for local
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for localhost
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for local
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for invalid
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for bind
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: using only locally-known addresses for bind
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /etc/hosts - 6 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /etc/hosts - 6 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /tmp/hosts/dhcp.08_IP_Phones - 2 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /tmp/hosts/dhcp.08_IP_Phones - 2 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /tmp/hosts/dhcp.09_GUEST - 2 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /tmp/hosts/dhcp.09_GUEST - 2 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /tmp/hosts/dhcp.09_Guest - 3 names
Tue Jun  4 23:25:47 2024 local4.info dnsmasq[1]: read /tmp/hosts/dhcp.09_Guest - 3 names

And of course i made a firewall rule to allow

config rule
        option name 'DHCP-DNS 09 Guest'
        option src '09_Guest'
        option dest_port '53 68 67'
        option target 'ACCEPT'

And in my ELK, no log about DHCP (except DNSmasq starting...) like it's not receving anything

what did I miss?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "DGS-1210-28MP",
        "system": "RTL8382",
        "model": "D-Link DGS-1210-28MP F",
        "board_name": "d-link,dgs-1210-28mp-f",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "realtek/rtl838x",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcc:4e7a:36cb::/48'

config device 'switch'
        option name 'switch'
        option type 'bridge'
        option macaddr '00:01:02:03:04:05'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'lan9'
        list ports 'lan10'
        list ports 'lan11'
        list ports 'lan12'
        list ports 'lan13'
        list ports 'lan14'
        list ports 'lan15'
        list ports 'lan16'
        list ports 'lan17'
        list ports 'lan18'
        list ports 'lan19'
        list ports 'lan20'
        list ports 'lan21'
        list ports 'lan22'
        list ports 'lan23'
        list ports 'lan24'
        list ports 'lan25'
        list ports 'lan26'
        list ports 'lan28'

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'lan9'
        list ports 'lan10'
        list ports 'lan11'
        list ports 'lan12'
        list ports 'lan13'
        list ports 'lan14'
        list ports 'lan17'
        list ports 'lan18'
        list ports 'lan19'
        list ports 'lan20'
        list ports 'lan21'
        list ports 'lan22'
        list ports 'lan23'
        list ports 'lan24'
        list ports 'lan25'
        list ports 'lan26'
        list ports 'lan28'

config device
        option name 'switch.1'
        option macaddr '00:01:02:03:01:01'
        option ipv6 '0'

config interface 'lan'
        option device 'switch.1'
        option proto 'static'
        option ipaddr '192.168.1.251'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        list dns '192.168.1.4'
        list dns '192.168.1.254'
        list dns '8.8.8.8'
        list dns_search 'physaphae.fr'

config interface 'wan'
        option proto 'static'
        option device 'lan27'
        option ipaddr '192.168.1.250'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '8'
        option name 'VLAN08_IPphone'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '9'
        option name 'VLAN09_Guest'

config interface 'Ghest'
        option proto 'static'
        option device 'VLAN09_Guest'
        option gateway '192.168.1.254'
        list ipaddr '192.168.9.1/24'

config interface 'IP_Phones'
        option proto 'static'
        option device 'VLAN08_IPphone'
        list ipaddr '192.168.8.1/24'

config bridge-vlan
        option device 'switch'
        option vlan '2'
        option local '0'

config bridge-vlan
        option device 'switch'
        option vlan '3'
        option local '0'

config bridge-vlan
        option device 'switch'
        option vlan '4'
        option local '0'

config bridge-vlan
        option device 'switch'
        option vlan '5'
        option local '0'

config bridge-vlan
        option device 'switch'
        option vlan '6'
        option local '0'

config bridge-vlan
        option device 'switch'
        option vlan '7'
        option local '0'

config bridge-vlan
        option device 'switch'
        option vlan '8'
        list ports 'lan16'

config bridge-vlan
        option device 'switch'
        option vlan '9'
        list ports 'lan15'
cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
cat /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'IP_Phones'
        option interface 'IP_Phones'
        option start '20'
        option limit '150'
        option leasetime '12h'
        option force '1'

config dhcp 'Ghest'
        option interface 'Ghest'
        option start '20'
        option limit '150'
        option leasetime '12h'

config dnsmasq '09_Guest'
        option rebind_protection '0'
        option localservice '0'
        list interface 'Ghest'
        option logqueries '1'
        option logdhcp '1'
        option logfacility 'LOCAL7'
        option leasefile '/etc/dhcp_09_Guest'
        option dhcpleasemax '20'
        option domain 'guest09.local'
        list notinterface 'IP_Phones'
        list notinterface 'lan'
        list notinterface 'loopback'
        list notinterface 'wan'

config dnsmasq '08_IP_Phones'
        option rebind_protection '0'
        option localservice '0'
        list interface 'IP_Phones'
        option logqueries '1'
        option logdhcp '1'
        option logfacility 'LOCAL7'
        option leasefile '/etc/dhcp_08_IP_Phones'
        option dhcpleasemax '10'
        option domain 'ipphone08.local'
        list notinterface 'Ghest'
        list notinterface 'lan'
        list notinterface 'loopback'
        list notinterface 'wan'
cat /etc/config/firewall

onfig defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name '09_Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'VLAN09_Guest'
        list subnet '192.168.1.160/27'

config forwarding
        option src '09_Guest'
        option dest 'wan'

config zone
        option name '08_IP_Phone'
        option input 'ACCEPT'
        option output 'REJECT'
        option forward 'REJECT'
        list subnet '192.168.8.0/24'
        option family 'ipv4'

config forwarding
        option src 'lan'
        option dest '08_IP_Phone'

config rule
        option name 'DHCP-DNS 09 Guest rule'
        option family 'ipv4'
        option src '09_Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'DHCP-DNS 08 IP Phone'
        option src '08_IP_Phone'
        option dest_port '53 68 69'
        option target 'ACCEPT'

Can we see the rest?

sorry it post while i was adding element...

There are quite a few issues with the config, but importantly, it is not recommended to perform routing on a switch. You will likely only get in the range of maybe 20Mbps throughput.

Routing should be performed on proper routing equipment.

My idea is not a complexe routing: some /24 (one by VLAN so arround 10), a DHCP, ad a common gateway. VLAN are just for isolation (chinese stuff in one VLAN, Alexa in another...)

Is it too much ?

Does one of this solution is possible?

  • reduce to 10 /27 :slight_smile:
  • do not use VLAN

But DHCP is important my provider's box does nots do it correctly :frowning:

lan15 is excluded from the default bridge, so just use it as a device in the Ghest interface section.

EDIT:

My mistake, exclude it from the default bridge first.

I tried, i did not get a lease either.

So I reset all OpenWRT, and there is vlan, event after a uboot firmware push.
I redo my conf for Guest (192.168.9.1/25), and now it works: i get a lease \o/

I do the same conf for IP Phone network (192.168.8.1/25)... and it does not work... I am going crazy :open_mouth:

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd52:6def:5f8e::/48'

config device 'switch'
        option name 'switch'
        option type 'bridge'
        option macaddr '00:01:02:03:04:05'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'lan9'
        list ports 'lan10'
        list ports 'lan11'
        list ports 'lan12'
        list ports 'lan13'
        list ports 'lan14'
        list ports 'lan15'
        list ports 'lan16'
        list ports 'lan17'
        list ports 'lan18'
        list ports 'lan19'
        list ports 'lan20'
        list ports 'lan21'
        list ports 'lan22'
        list ports 'lan23'
        list ports 'lan24'
        list ports 'lan25'
        list ports 'lan26'
        list ports 'lan27'

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'lan9'
        list ports 'lan10'
        list ports 'lan11'
        list ports 'lan12'
        list ports 'lan13'
        list ports 'lan14'
        list ports 'lan17'
        list ports 'lan18'
        list ports 'lan19'
        list ports 'lan20'
        list ports 'lan21'
        list ports 'lan22'
        list ports 'lan23'
        list ports 'lan24'
        list ports 'lan25'
        list ports 'lan26'

config device
        option name 'switch.1'
        option macaddr '00:01:02:03:04:05'
        option ipv6 '0'

config interface 'lan'
        option device 'switch.1'
        option proto 'static'
        option ipaddr '192.168.1.251'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        list dns '192.168.1.4'
        list dns '192.168.1.254'
        list dns '8.8.8.8'

config device
        option name 'eth0'
        option ipv6 '0'

config bridge-vlan
        option device 'switch'
        option vlan '9'
        list ports 'lan15'

config interface 'wan'
        option proto 'static'
        option device 'lan28'
        option ipaddr '192.168.1.250'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        list dns '192.168.1.4'
        list dns '192.168.1.254'
        list dns '8.8.8.8'

config interface '09_Guest'
        option proto 'static'
        option device 'switch.9'
        list ipaddr '192.168.9.1/25'

config bridge-vlan
        option device 'switch'
        option vlan '8'
        list ports 'lan16'

config interface '08_IP_Phones'
        option proto 'static'
        option device 'switch.8'
        list ipaddr '192.168.8.1/25'

config device
        option name 'switch.8'
        option type '8021q'
        option ifname 'switch'
        option vid '8'
        option ipv6 '0'

config device
        option name 'switch.9'
        option type '8021q'
        option ifname 'switch'
        option vid '9'
        option ipv6 '0'
cat /etc/config/wireless

cat: can't open '/etc/config/wireless': No such file or directory
cat /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp '09_Guest'
        option interface '09_Guest'
        option start '5'
        option limit '55'
        option leasetime '12h'
        option force '1'

config dnsmasq '09_Guest_DHCP'
        option authoritative '1'
        option rebind_protection '0'
        option localservice '0'
        list interface '09_Guest'
        list notinterface 'lan'
        list notinterface 'loopback'
        list notinterface 'wan'
        option logqueries '1'
        option logdhcp '1'
        option logfacility 'LOCAL0'

config dhcp '08_IP_Phones'
        option interface '08_IP_Phones'
        option start '5'
        option limit '55'
        option leasetime '12h'
        option force '1'

config dnsmasq '08_IP_Phone_DHCP'
        option authoritative '1'
        option rebind_protection '0'
        option localservice '0'
        list interface '08_IP_Phones'
        list notinterface '09_Guest'
        list notinterface 'lan'
        list notinterface 'loopback'
        list notinterface 'wan'
        option authoritative '1'
        option logqueries '1'
        option logdhcp '1'
        option logfacility 'LOCAL0'
cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network '09_Guest'

config rule
        option name 'DNS-DHCP Guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option src 'Guest'

config zone
        option name 'IP_Phones'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list subnet '192.168.8.1/25'
        list network '08_IP_Phones'

config rule
        option name 'DNS-DHCP IP Phone 9'
        option src 'IP_Phones'
        option dest_port '53 67 68'
        option target 'ACCEPT'
netstat -lnp | grep dnsmasq
tcp        0      0 192.168.9.1:53          0.0.0.0:*               LISTEN      2650/dnsmasq
tcp        0      0 192.168.8.1:53          0.0.0.0:*               LISTEN      2654/dnsmasq
udp        0      0 192.168.8.1:53          0.0.0.0:*                           2654/dnsmasq
udp        0      0 192.168.9.1:53          0.0.0.0:*                           2650/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2654/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2650/dnsmasq

I found a Way \o/

I only have one DHCP server running.
I declared my vlan interface with 192.168.x.1/20 IP/Mask
And on interface, I ask to start lease at (x*256+1)

Like this I cant have 2^4 = 16 VLAN of /24 with one DHCP :slight_smile:

The important DHCP part:

config dhcp '08_IP_Phones'
        option interface '08_IP_Phones'
        option start '2049'
        option limit '64'
        option leasetime '5m'
        option force '1'

config dhcp '09_Guest'
        option interface '09_Guest'
        option start '2305'
        option limit '64'
        option leasetime '5m'
        option force '1'

The point I was making is that a switch is not a good place to route unless it is designed specifically as an L3 switch. Read this. Typically, L3 switches are much more expensive as they have much more powerful CPUs that can perform proper routing. For example, the Unifi USW-24 (L2 switch) is $225 USD while the USW-Pro-24 (L3 switch) is $400. AFAIK, no L3 switches are currently supported by OpenWrt.

It's also worth calling out that regardless of the "complexity" of your configuration, routing on an L2 switch is just going to be very slow (but yes, it can technically be achieved).

I'm not sure what you mean here -- are you talking about a /27 subnet instead of a /24? That won't change anything in terms of routing performance.

Not using VLANs is of course an option, but seems to defeat the purpose of what you are trying to do.

Where is the DHCP server running? On the switch or on your router? Are you positive there is only one?

I suspect that this actually not the right approach, but I need to see your configuration to know for sure. It appears that you may be entirely negating the benefits and constructs of VLANs with this method, which will end up causing you other issues.

And, looking at the config you posted earlier, there are massive issues that may become problematic in various ways. Please post your config and I'll take a look.