DHCP server assigning IPs to different NW segments

Hi,

Not sure if this is possible, but here we go:

I have a setup with the ISP router followed by my OpenWRT router.
The ISP LAN (red - VLAN2 - 192.168.9.0) is the less-secure and then there is the OpenWRT router VLAN (blue - VLAN1 - 192.168.2.0) that is more-secure.
There is one WIFI SSID for each of the VLANs, and the wired devices connect to each VLAN depending on the router/switch port they connect to.
So far, the devices on the VLAN2 (red), were getting their IP addresses from the ISP router and the ones on the VLAN1 (blue) were getting theirs from the OpenWRT router.

Because the ISP router has limitations on DHCP, I'd like to configure the OpenWRT router to replace it, so it could also assign IP addresses to VLAN2.

I thought it would be as simple as enabling DHCP in the WAN interface via LUCI (which is purely VLAN2), but it seems it is expecting to assign IPs for the VLAN1 segment.

Basically the rule should be something like: if VLAN1, assign an IP from the range 192.168.2.x , if VLAN2, assign an IP from the range 192.168.9.x. Both VLANs should have a set of pre-defined static-dhcps and a segment dedicated to a pool (in other words: if unknown MAC, assign an IP from the range 192.168.x.100-150).

Is such setup possible in OpenWRT? And if so, any hint how to get there?

Cheers


Please share content of /etc/config/network and /etc/config/dhcp ? Redact when needed. Device model and its switch settings would also be interesting to look at.


My question was more generic in the sense if it would be possible, but sure, here you have it.

Router details:

Linksys EA8500 WiFi Router
ARMv7 Processor rev 0 (v7l)
OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363
4.14.180

/etc/config/network:

# /etc/config/network as first posted. Two VLANs on switch0, each bridged
# into its own interface: lan = eth0.1 (192.168.2.0/24, VLAN1, "blue") and
# wan = eth0.2 (192.168.9.0/24, VLAN2, the ISP LAN, "red").
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:2722:656e::/48'

# lan: static 192.168.2.1/24 on the bridge over eth0.1.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # NOTE(review): broadcast, dns and gateway on the lan interface are the
        # three settings the later fix in this thread deletes
        # (uci -q delete network.lan.broadcast / .dns / .gateway). The gateway
        # points at this router's own wan address (192.168.9.2), not upstream.
        option broadcast '192.168.2.255'
        option ipaddr '192.168.2.1'
        option igmp_snooping '1'
        list dns '8.8.8.8'
        option gateway '192.168.9.2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '58:ef:68:58:cf:9d'

# wan: a static address on the ISP LAN (bridge over eth0.2) with the ISP
# router 192.168.9.1 as default gateway and as one of the DNS servers. This
# is the segment that is meant to receive DHCP from this router as well;
# its explicit broadcast option is also removed by the later fix.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option igmp_snooping '1'
        option ipaddr '192.168.9.2'
        option gateway '192.168.9.1'
        list dns '8.8.8.8'
        list dns '192.168.9.1'
        option broadcast '192.168.9.255'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '58:ef:68:58:cf:aa'

# wan6: DHCPv6 on eth0.2; auto '0' keeps it from being brought up on boot.
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

# Switch: ports 0 and 1 are tagged members of both VLANs (presumably the
# CPU-facing ports - confirm against the EA8500 port map); port 2 is
# untagged VLAN1 (lan), ports 3-5 untagged VLAN2 (wan / ISP LAN).
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1t 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1t 3 4 5'

/etc/config/dhcp:

# /etc/config/dhcp as first posted.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # rebind_protection '1': dnsmasq discards upstream answers that resolve
        # into private address ranges (DNS rebinding defence). Only clients
        # that actually resolve through dnsmasq benefit from it.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        # readethers '1': static MAC->IP mappings are also read from /etc/ethers.
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        # localservice '1': DNS queries are only answered from directly
        # attached subnets.
        option localservice '1'
        # NOTE(review): this pins dnsmasq to br-lan only, so DHCP requests on
        # br-wan are never seen regardless of the 'wan' dhcp section below.
        # It is the line the later fix removes
        # (uci -q delete dhcp.@dnsmasq[0].interface).
        list interface 'br-lan'
        list server '8.8.8.8'
        list server '192.168.9.1'

# lan pool: start '100' with limit '150' covers 192.168.2.100-.249
# (limit is a count of addresses, not the last host number, so this is
# wider than the .100-.150 range asked for in the opening post).
# force '1': serve even if another DHCP server is detected on the segment.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

# wan: DHCP explicitly disabled on this interface at this point.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA; maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases keyed by MAC; dns '1' also publishes the name in local DNS.
# NOTE(review): leasetime '12' carries no unit, unlike '12h' in the pool
# above - confirm which value is intended.
config host
        option dns '1'
        option mac '48:a4:72:08:05:2a'
        option ip '192.168.2.43'
        option leasetime '12'
        option name 'PT-00000129'

config host
        option name 'Impressora'
        option dns '1'
        option mac '68:B5:99:80:9C:07'
        option ip '192.168.2.41'
        option leasetime '12'

Just to be clear, changing the above snippet to the one below didn't work as expected.

# First attempt at a wan pool (did not work). Two problems are visible
# from the rest of the thread:
# - start '200' with limit '250' asks for 192.168.9.200-.449, past the end
#   of the /24; the later fix uses start 100 / limit 150.
# - dnsmasq was still pinned to br-lan by 'list interface' in the dnsmasq
#   section, so requests arriving on br-wan were never answered anyway.
# force '1': serve even if another DHCP server (here the ISP router) is
# still active on the segment.
config dhcp 'wan'
        option interface 'wan'
        option force '1'
        option start '200'
        option limit '250'
        option leasetime '12h'

So I'm wondering if this is really possible, or whether I would need to attach a small device to this NW segment to act just as a DHCP server (like a Raspberry Pi or something).

  • Disable ISP DHCP role.
  • Clone the DHCP LAN pool settings to the WAN pool.
  • Make sure you have the proper permissive firewall policy/rules.

Good point:

I've tried actions 1 and 2 but forgot about action 3. Maybe that's why it didn't work.
Will try tonight and report back.

Thanks!

Took a quick look into the FW and it seems it was enabled already (didn't change anything).

So, if I understood correctly, it seems that I also covered step 3 without knowing it, and it didn't seem to have worked. New devices couldn't get an IP address....

That's the rule for the DHCP client.
You need to allow the DHCP server, i.e. port 67/UDP.

Still no success...

I've added a similar entry for UDP 67

Edited the /etc/config/dhcp according to this:

# Second attempt: identical pools on lan and wan.
# NOTE(review): start '200' with limit '250' overruns both /24 subnets
# (.200-.449); the fix later in the thread sets start 100 / limit 150.
# The dnsmasq section still carried 'list interface br-lan' at this point,
# which is why wan clients got no answer even with the pool enabled.
config dhcp 'lan'
        option interface 'lan'
        option start '200'
        option limit '250'
        option leasetime '12h'
        option force '1'

# wan pool enabled by commenting out ignore '1'; force '1' keeps dnsmasq
# serving even if another DHCP server is seen on the ISP segment.
config dhcp 'wan'
        option interface 'wan'
        option leasetime '12h'
        option force '1'
        #option ignore '1'
        option start '200'
        option limit '250'

Disabled the DHCP on the ISP router.

Used LUCI to restart processes "dnsmasq" and "odhcpd".

On my phone, I changed the network from VLAN2 to VLAN1. It connects and authenticates, but can't get an IP address...

Any idea what I could be doing wrong?

Fix your settings:

# Drop the dnsmasq interface pin (it listed only br-lan), so dnsmasq
# listens on every interface, including br-wan. From here on dnsmasq also
# answers DNS on the ISP-side segment; localservice '1' in the dnsmasq
# section still limits that to directly attached subnets.
uci -q delete dhcp.@dnsmasq[0].interface
# Both pools: 150 addresses from .100, i.e. .100-.249 inside each /24
# (the earlier start 200 / limit 250 overran the subnet).
uci set dhcp.lan.start="100"
uci set dhcp.lan.limit="150"
uci set dhcp.wan.start="100"
uci set dhcp.wan.limit="150"
# Commit before restarting so dnsmasq reads the new pools.
uci commit dhcp
/etc/init.d/dnsmasq restart
# lan should not carry its own gateway/dns/broadcast: the posted gateway
# pointed at this router's wan address (192.168.9.2) rather than upstream,
# and broadcast is derivable from ipaddr/netmask.
uci -q delete network.lan.broadcast
uci -q delete network.lan.dns
uci -q delete network.lan.gateway
uci -q delete network.wan.broadcast
# Commit before restarting the network so the changes take effect.
uci commit network
/etc/init.d/network restart

If the issue persists, its cause is likely related to the VLAN config.

Thanks Vgaetera for the commands.

I'm getting closer now. The /tmp/dhcp.leases file shows some beautiful entries on the 192.168.9.x and 192.168.2.x segments :slight_smile: and my phone can now get an IP address, but it seems it has no internet connection.

Looking into the android network settings, I detected 2 things that seem wrong in the phone:

a) It seems its gateway is 192.168.9.2 (this is the WAN interface of the router) - shouldn't it be the IP of the ISP router (192.168.9.1)?

b) It seems the DNS server is 192.168.9.2 (this is the WAN interface of the router) - shouldn't it be the IP of the ISP router (192.168.9.1)?

Don't know where these values came from, as the /etc/config/network is like:

# /etc/config/network after applying the suggested uci commands: lan no
# longer carries broadcast, dns or gateway, and wan no longer carries
# broadcast.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option igmp_snooping '1'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '58:ef:68:58:cf:9d'

# wan keeps its static address on the ISP LAN and the ISP router as
# gateway. The gateway/DNS that wan *clients* receive are not taken from
# here; without dhcp_option entries in the dhcp 'wan' section, dnsmasq
# advertises its own address on that interface (192.168.9.2), which is
# what the phone showed.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option igmp_snooping '1'
        option ipaddr '192.168.9.2'
        option gateway '192.168.9.1'
        list dns '8.8.8.8'
        list dns '192.168.9.1'

and the /etc/config/dhcp looks like:

# /etc/config/dhcp after the suggested uci commands. The 'list interface
# br-lan' pin is gone, so dnsmasq now serves DHCP and DNS on br-wan as
# well (which is why leases appear for 192.168.9.x). rebind_protection
# and localservice are unchanged and still apply to clients that resolve
# through dnsmasq.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '8.8.8.8'
        list server '192.168.9.1'

# Both pools: .100-.249 in their respective /24.
config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option force '1'
        option start '100'
        option limit '150'

# NOTE(review): with no dhcp_option entries, wan clients are handed this
# router's wan address as both router and DNS server (the behaviour the
# phone reported); the final config below overrides them with options 3
# and 6.
config dhcp 'wan'
        option interface 'wan'
        option leasetime '12h'
        option force '1'
        option start '100'
        option limit '150'

Any idea? It seems we're closer


Thanks vgaetera, you pointed me into the right direction.

I believe it is working now. I've always wondered what would be the DHCP option codes.

My working config is:

# Final working wan pool.
config dhcp 'wan'
        option interface 'wan'
        option leasetime '12h'
        # force '1': serve even if another DHCP server is seen on the segment
        # (the ISP router's DHCP was disabled earlier in the thread).
        option force '1'
        option start '100'
        option limit '150'
        # Option 6 (DNS server): clients on the ISP segment query 8.8.8.8
        # directly, so dnsmasq's rebind_protection and the local 'lan' domain
        # do not apply to them. Handing out 192.168.9.2 here instead would
        # keep their DNS going through dnsmasq, if that is preferred.
        list dhcp_option '6, 8.8.8.8'
        # Option 3 (router): default gateway is the ISP router, so VLAN2
        # traffic does not traverse this OpenWrt router or its firewall.
        list dhcp_option '3, 192.168.9.1'

Used option 3 to define the default router and option 6 to define the DNS server.

