DHCP with VLANs

Hi, I’m working to move my network over to using VLANs. Currently I have all devices connected to an unmanaged switch. I have a new L3 switch that I’m introducing and I’m trying to configure and test things before swapping it in place of the unmanaged switch.

My managed switch connects directly to one of the ports on my OpenWRT router (Banana Pi BPI-R4).

I configured a new interface for a VLAN in LuCI and enabled the DHCP server for that interface.
I used tcpdump and I can see the DHCP request coming into the router, relayed from the managed switch. However, I see no response, and there is nothing in the system log indicating that the request has been dropped for some reason.

I have gone around and around with AI on this one and have gotten no satisfactory results.

I nearly forgot to mention that I do have a firewall rule for my lan zone to allow forwarded dhcp requests.

Any help on how to troubleshoot or what I might need to do to get this working would be appreciated!

Oh, I also need to keep the router working for my existing network with no VLANs in the meantime.

Thanks!

Do not attempt to pass VLANs through an unmanaged switch. It can have unpredictable results.

Do you plan to use the L3 switch for actual routing, or just as a vlan aware/managed switch at L2?

If you have an unmanaged switch connected to the port that carries the VLAN, this is not entirely unexpected for a few possible reasons.

Whatever you do, don't use AI. If you have AI suggested things in your current config, reset it and start over from scratch. We can help you.

Let's start by looking at your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

@psherman Thanks SO much!

I should give a bit of background on my overall setup.

On the router I'm running Tailscale and a Docker container running ntopng. The router is not handling any WiFi, I have 2 APs for that.

I have my unmanaged switch connecting to one LAN port on the router. I have the managed switch connected to another LAN port on the router. No VLAN tagged traffic passes through the unmanaged router.

On the Dell managed switch, I have the "uplink" port that goes to the Router configured as a "general" port. The port that the test device is connected to is configured for access mode and tagged as VLAN 10.

I ran one test with the test device port tagged as VLAN 1 so it passed to the router without any VLAN tag, and the test device did get a 192.168.0.0/24 IP address. I then switched to tagging the port as VLAN 10 and the test device does not get an IP address.

Here is the output from the commands you asked me to run:

ubus call system board

{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "Bananapi BPI-R4",
	"board_name": "bananapi,bpi-r4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6a:27f8:d662::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option vlan_filtering '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'eth2'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'eth2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config interface 'Tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'lan_ntopng'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'

config route
	option interface 'Tailscale'
	option target '100.64.0.0/10'

config interface 'iot'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '10.01.20.254'
	option netmask '255.255.255.0'

config interface 'cameras'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '10.01.30.254'

config interface 'servers'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '10.01.40.254'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '10.01.50.254'
	option netmask '255.255.255.0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '10.01.99.254'
	option netmask '255.255.255.0'

config interface 'tempIF'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '10.255.255.1'
	option netmask '255.255.255.252'

config route
	option interface 'lan'
	option target '10.1.0.0/16'
	option gateway '192.168.0.3'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'

config interface 'VLAN10_Trusted'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '10.1.10.1'
	option netmask '255.255.255.0'


cat /etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'xxxxxxxx.us'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'
	list interface 'Tailscale'
	list server '/xxxx-xxxx.ts.net/100.xx.xx.xx'
	list rebind_domain 'xxxxx-xxxxx.ts.net'
	list rebind_domain 'xxxxxxx.com'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '140'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Camera1'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.20'

config host
	option name 'Camera2'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.21'

config host
	option name 'Camera3'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.22'

config host
	option name 'Camera4'
	option dns '1'
	option ip '192.168.0.23'
	list mac 'xx:xx:xx:xx:xx:xx'

config host
	option name 'PrintColor'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.199'

config domain
	option name 'nas'
	option ip '192.168.0.15'

config domain
	option name 'idrac'
	option ip '192.168.0.6'

config domain
	option name 'cameras'
	option ip '192.168.0.15'

config domain
	option name 'frigate'
	option ip '192.168.0.15'

config domain
	option name 'ntop'
	option ip '192.168.0.15'

config domain
	option name 'prometheus'
	option ip '192.168.0.15'

config domain
	option name 'grafana'
	option ip '192.168.0.15'

config domain
	option name 'plex'
	option ip '192.168.0.15'

config domain
	option name 'git'
	option ip '192.168.0.15'

config host
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.10'
	option name 'ha'

config domain
	option name 'ha'
	option ip '192.168.0.15'

config domain
	option name 'ngnix'
	option ip '192.168.0.15'

config host
	option name 'PrintBnW'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.202'
	option dns '1'

config domain
	option name 'grocy'
	option ip '192.168.0.15'

config domain
	option name 'registry'
	option ip '192.168.0.15'

config domain
	option name 'draw'
	option ip '192.168.0.38'

config host
	option name 'WiFiAP-1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.254'

config host
	option name 'WiFiAP-2'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.253'

config domain
	option name 'db'
	option ip '192.168.0.39'

config domain
	option name 'redis'
	option ip '192.168.0.40'

config domain
	option name 'netbox'
	option ip '192.168.0.15'

config dhcp 'servers'
	option interface 'servers'
	option start '100'
	option limit '99'
	option leasetime '12h'
	option force '1'

config dhcp 'mgmt'
	option interface 'mgmt'
	option start '100'
	option limit '99'
	option leasetime '12h'
	option force '1'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '99'
	option leasetime '12h'
	option force '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '99'
	option leasetime '12h'
	option force '1'

config dhcp 'cameras'
	option interface 'cameras'
	option start '100'
	option limit '99'
	option leasetime '12h'
	option force '1'

config dhcp 'VLAN10Trusted'
	option interface 'VLAN10Trusted'
	option start '100'
	option limit '199'
	option leasetime '12h'
	option force '1'
	list dhcp_option '3,10.1.10.1'
	list dhcp_option '6,192.168.0.1'

config dhcp 'VLAN10_Trusted'
	option interface 'VLAN10_Trusted'
	option start '100'
	option limit '199'
	option leasetime '12h'
	option force '1'


cat /config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan_ntopng'
	list network 'VLAN10Trusted'
	list network 'VLAN10_Trusted'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'Tailscale'

config forwarding
	option src 'Tailscale'
	option dest 'lan'

config forwarding
	option src 'Tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Tailscale'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'Allow-Tailscale-Inbound'
	list proto 'udp'
	option dest_port '41641'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block HP BnW'
	list src_ip '192.168.0.202'
	list src_ip '2600:4040:b671:9400::9be'
	option target 'REJECT'

config rule
	option src 'lan'
	option name 'Allow-Relayed-DHCP'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'


You have a number of major issues in the config.

First and most critically, you have 8 networks all bound to br-lan. This is not a valid approach and may lead to unpredictable and unreliable behavior. It also lacks any proper isolation of the subnets, so subnet hopping is trivially easy and therefore there is no real security in this config, either. And, to top it all off, a device connected to the network cannot be guaranteed to get a DHCP issued address in the correct/desired subnet.

To implement VLANs, you need to use bridge-VLANs since your device is DSA.

Moving on to the DHCP file...

The initial dnsmasq configuration where you have the list interface declarations means that dnsmasq is not listening on the other interfaces. I recommend removing those directives.

I see that you have the force option enabled for all of the DHCP servers. This should not be necessary normally, but I can see a situation where this would be required given that all the networks are tied to br-lan so you effectively have 8 DHCP servers on a single network device.

With all of that said, I would highly recommend that you start over. Make a backup and then reset to defaults. Don't restore the backup, but go ahead and configure your main/trusted lan, docker and tailscale (you can copy the docker and tailscale bits back over from your backup).

Then, add bridge VLANs and just one additional network (for a total of 2). I can help you with that process if you'd like... once you're at the near-default config, you can post your configs again and I'll show you what to add/edit to make it work.

Many thanks again!

I will work on getting back to the state before I started adding things for the VLANs.

In the design for this in my head (Based on limited knowledge. I know you can tell! LOL!) the Dell switch would take care of not letting traffic move from one VLAN to the other where that is desired. After digesting your response, it makes me think that this design won't really keep things split apart because even though the Dell could prevent traffic going directly from VLAN 1 to VLAN 2, once the traffic makes it to OpenWRT it could just get routed back to the Dell and move from VLAN 1 to VLAN 2. Is that correct?

I forgot to mention that all of the VLANs above 10 are not currently being used and I know they're not correct. I created them and then set about making VLAN 10 work properly. My intent was to go back and fix those later. I'll remove them for now.

Here are the new contents of the files:

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6a:27f8:d662::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option vlan_filtering '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'eth2'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'eth2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config interface 'Tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'lan_ntopng'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'

config route
	option interface 'Tailscale'
	option target '100.64.0.0/10'

dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'xxxx.us'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'
	list interface 'Tailscale'
	list server '/xxxx-xxxx.ts.net/100.100.100.100'
	list rebind_domain 'xxxx-xxxx.ts.net'
	list rebind_domain 'xxxx.com'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '140'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Camera1'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.20'

config host
	option name 'Camera2'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.21'

config host
	option name 'Camera3'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.22'

config host
	option name 'Camera4'
	option dns '1'
	option ip '192.168.0.23'
	list mac 'xx:xx:xx:xx:xx:xx'

config host
	option name 'PrintColor'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.199'

config domain
	option name 'truenas'
	option ip '192.168.0.15'

config domain
	option name 'idrac'
	option ip '192.168.0.6'

config domain
	option name 'cameras'
	option ip '192.168.0.15'

config domain
	option name 'frigate'
	option ip '192.168.0.15'

config domain
	option name 'ntop'
	option ip '192.168.0.15'

config domain
	option name 'prometheus'
	option ip '192.168.0.15'

config domain
	option name 'grafana'
	option ip '192.168.0.15'

config domain
	option name 'plex'
	option ip '192.168.0.15'

config domain
	option name 'git'
	option ip '192.168.0.15'

config host
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.10'
	option name 'ha'

config domain
	option name 'ha'
	option ip '192.168.0.15'

config domain
	option name 'ngnix'
	option ip '192.168.0.15'

config host
	option name 'PrintBnW'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.202'
	option dns '1'

config domain
	option name 'grocy'
	option ip '192.168.0.15'

config domain
	option name 'registry'
	option ip '192.168.0.15'

config domain
	option name 'draw'
	option ip '192.168.0.38'

config host
	option name 'WiFiAP-1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.254'

config host
	option name 'WiFiAP-2'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.253'

config domain
	option name 'db'
	option ip '192.168.0.39'

config domain
	option name 'redis'
	option ip '192.168.0.40'

config domain
	option name 'netbox'
	option ip '192.168.0.15'


Thanks.

We've still got a few problems, but we'll correct those as we go.

Meanwhile, I'm going to make some assumptions here. Please feel free to adapt the configs if these aren't consistent with your topology and/or if you need help doing that, tell me what your topology looks like in terms of the ports and their functions.

I'm going to assume that:

  • eth1 and lan1 are used for the lan.
  • lan2 is available to be used as a 'test' port for sanity checking the new VLAN
  • lan3 connects to the managed switch.

We will add the guest network (10.1.99.0/24), so you'll have 2 networks - lan and guest (not counting the tailscale and docker).

Starting with the network config...

Delete the vlan_filtering line below:

Add bridge VLANs:

config bridge_vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:u*'
	list ports 'lan1:u*'
	list ports 'lan3:u*'

config bridge_vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan2:u*'
	list ports 'lan3:t'

Edit the lan interface to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

Add the guest network with device br-lan.99:

config interface 'guest'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '10.1.99.1'
	option netmask '255.255.255.0'

Delete this (it overlaps the lan and is thus invalid):

Now we'll move onto the dhcp file:

Delete the list interface lines in this section:

Remove the force line below:

Add a new DHCP server for the guest network:

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Now, onto the firewall file:

Create a new zone. This will reject input to the router, so we also need rules for DHCP and DNS. Additionally, we'll allow internet access, but nothing else. It'll all look like this:

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option src 'guest'
	option name 'Allow-guest-DHCP'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-guest-DNS'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

Reboot the router after making these changes.

Now, you can plug a computer into port lan1 and get an address on the main lan (192.168.0.0/24). Move that computer to port lan2 and you'll join the guest network (10.1.99.0/24) and it will have internet access, but no access to the lan (and currently vice versa).

Finally, your managed switch, connected to lan3, needs to be configured as a trunk on its corresponding port. That should expect VLAN 1 untagged and VLAN 99 tagged.

My recommendation is to set up the switch like this (again assuming this works for you, at least temporarily for testing):

  • port 1: uplink/trunk (VLAN 1 untagged+PVID, VLAN 99 tagged)
  • port 2: access port for lan (VLAN 1 untagged + PVID)
  • port 3: access port for guest (VLAN 99 untagged + PVID)

Now, plug your computer into port 2 and make sure it joins the lan (192.168.0.0/24). Then move it to port 3 and test that it joins the guest network (10.1.99.0/24).

You'll know that everything is working as expected if the above tests work. From there, you can follow a similar recipe and/or reassign ports to build out the other VLANs.

If anything fails, please report that here along with the updated config (you're also welcome to post the config for general review, of course).

Also, keep in mind that the specific configuration of your managed switch is out of scope for this forum as it is not OpenWrt. We'll try to provide general help, but if you need more detailed config assistance, please reach out to the vendor's support channels or their user forums.

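Added example (my own code, not from this thread and not OpenWrt's own tooling): a small Python lint for UCI-style network/dhcp/firewall text that mechanically checks the points raised in the review above and in the guest-zone recipe: several networks bound to one bridge device, a vlan_filtering '0' line left beside bridge_vlan sections, a dnsmasq 'list interface' restriction, a DHCP pool pointing at an interface name that does not exist (one dropped underscore is enough), a zone policy that is not ACCEPT/REJECT/DROP, and a zone that rejects input without a udp/67 allow rule. The three sample configs embedded in it are constructed and abridged for a stand-alone run, not the poster's files, and the check names are mine.

```python
import re
from collections import defaultdict

# Constructed sample configs modelled on the thread (abridged; not the poster's actual files).
NETWORK = """
config device
	option name 'br-lan'
	option vlan_filtering '0'
config bridge_vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:t'
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
config interface 'lan_ntopng'
	option device 'br-lan'
	option proto 'static'
config interface 'iot'
	option device 'br-lan'
	option proto 'static'
config interface 'VLAN10_Trusted'
	option device 'br-lan.10'
	option proto 'static'
"""
DHCP = """
config dnsmasq
	list interface 'lan'
config dhcp 'lan'
	option interface 'lan'
config dhcp 'VLAN10Trusted'
	option interface 'VLAN10Trusted'
config dhcp 'VLAN10_Trusted'
	option interface 'VLAN10_Trusted'
"""
FIREWALL = """
config zone
	option name 'VLAN10_Trusted'
	option input 'REJECT'
	option output 'ACEPT'
	option forward 'REJECT'
	list network 'VLAN10_Trusted'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?$")


def parse_uci(text):
    """Parse UCI text into dicts with type, name, opts (option lines) and lists (list lines)."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m[1], "name": m[2] or "", "opts": {}, "lists": defaultdict(list)})
        elif (m := KV_RE.match(line)) and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1]["opts"][key] = val
            else:
                sections[-1]["lists"][key].append(val)
    return sections


def lint(network, dhcp, firewall):
    """Return sorted (check, detail) findings across the three UCI files."""
    net, dh, fw = parse_uci(network), parse_uci(dhcp), parse_uci(firewall)
    out = []
    ifaces = [s for s in net if s["type"] == "interface"]
    # 1. Several logical networks on one device: no isolation, and no guarantee which pool answers DHCP.
    by_dev = defaultdict(list)
    for s in ifaces:
        by_dev[s["opts"].get("device")].append(s["name"])
    out += [("shared_device", f"{d}: {', '.join(n)}") for d, n in by_dev.items() if len(n) > 1]
    # 2. Explicit vlan_filtering '0' on a bridge that also carries bridge_vlan sections (thread: delete it).
    vlan_devs = {s["opts"].get("device") for s in net if s["type"] == "bridge_vlan"}
    out += [("vlan_filtering_off", s["opts"]["name"]) for s in net if s["type"] == "device"
            and s["opts"].get("vlan_filtering") == "0" and s["opts"].get("name") in vlan_devs]
    # 3. DHCP pools bound to an interface name that does not exist (e.g. a dropped underscore).
    known = {s["name"] for s in ifaces}
    pools = [s for s in dh if s["type"] == "dhcp" and s["opts"].get("ignore") != "1"]
    out += [("dhcp_unknown_interface", s["opts"].get("interface", "")) for s in pools
            if s["opts"].get("interface") not in known]
    # 4. 'list interface' in the dnsmasq section limits which interfaces dnsmasq listens on.
    out += [("dnsmasq_listen_restricted", ", ".join(s["lists"]["interface"]))
            for s in dh if s["type"] == "dnsmasq" and s["lists"].get("interface")]
    # 5. Zone policies must be ACCEPT, REJECT or DROP; anything else is a typo the firewall cannot load.
    zones = [s for s in fw if s["type"] == "zone"]
    out += [("zone_bad_policy", f"{z['opts'].get('name')}.{p}={z['opts'][p]}") for z in zones
            for p in ("input", "output", "forward") if z["opts"].get(p) not in (None, "ACCEPT", "REJECT", "DROP")]
    # 6. A zone that rejects input needs an explicit udp/67 ACCEPT rule, or its clients never get a lease.
    served = {s["opts"].get("interface") for s in pools}
    allowed = {r["opts"].get("src") for r in fw if r["type"] == "rule" and r["opts"].get("target") == "ACCEPT"
               and "67" in r["opts"].get("dest_port", "").split()}
    out += [("dhcp_blocked_by_zone", f"{z['opts'].get('name')}/{n}") for z in zones
            if z["opts"].get("input") in ("REJECT", "DROP") and z["opts"].get("name") not in allowed
            for n in z["lists"].get("network", []) if n in served]
    return sorted(out)


if __name__ == "__main__":
    print(*lint(NETWORK, DHCP, FIREWALL), sep="\n")
```

To run it against a real box, paste the three files (or `cat` them over ssh) into the three strings; the lint only reads the directives it needs, so the host and domain entries can stay in place. Running it on the constructed sample yields six findings, one per check.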
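A second added example (again my own code, not OpenWrt's): a parser for the bridge_vlan port syntax used in the recipe above ('lan3:u*' untagged with PVID, 'lan3:t' tagged) that derives what each router port expects on the wire and flags the memberships that do not work under VLAN filtering (two PVIDs on one port, an untagged member with no PVID, a bridge port in no VLAN). Its output is the per-port trunk/access line the managed switch must mirror. The bridge port list and VLAN memberships are the ones from the recipe, with the same assumed roles for eth1/lan1/lan2/lan3; the role names and problem messages are mine.

```python
import re

# Bridge membership and bridge_vlan port lists from the recipe above (assumed eth1/lan1/lan2/lan3 roles).
BRIDGE_PORTS = ["eth1", "lan1", "lan2", "lan3"]
BRIDGE_VLANS = [(1, ["eth1:u*", "lan1:u*", "lan3:u*"]), (99, ["lan2:u*", "lan3:t"])]

# port:mode[*]  where mode is u (untagged) or t (tagged) and '*' marks the port's PVID
PORT_RE = re.compile(r"^([A-Za-z0-9_.-]+):([ut])(\*)?$")


def parse_port_spec(spec):
    """Split one bridge_vlan 'ports' entry into (port, tagged, pvid); the mode must be given explicitly."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"{spec!r}: expected the form 'lan3:u*' or 'lan3:t'")
    port, mode, star = m.groups()
    return port, mode == "t", star == "*"


def _blank():
    return {"pvid": None, "untagged": [], "tagged": [], "role": "unconfigured"}


def port_roles(bridge_ports, bridge_vlans):
    """Derive per-port wire expectations from [(vlan_id, [port specs]), ...].

    Returns ({port: {pvid, untagged, tagged, role}}, [problems]); role is 'access' (one untagged
    VLAN, nothing tagged) or 'trunk' (at least one tagged VLAN)."""
    roles = {p: _blank() for p in bridge_ports}
    problems = []
    for vid, specs in bridge_vlans:
        for spec in specs:
            port, tagged, pvid = parse_port_spec(spec)
            if port not in roles:
                problems.append(f"{port}: used in VLAN {vid} but not a member of the bridge")
            r = roles.setdefault(port, _blank())
            (r["tagged"] if tagged else r["untagged"]).append(vid)
            if pvid and r["pvid"] is not None:
                problems.append(f"{port}: PVID set twice (VLAN {r['pvid']} and {vid}); a port has one PVID")
            if pvid:
                r["pvid"] = vid
    for port, r in roles.items():
        if len(r["untagged"]) > 1:
            problems.append(f"{port}: untagged in VLANs {r['untagged']}; the device on it cannot tell them apart")
        if r["untagged"] and r["pvid"] is None:
            problems.append(f"{port}: untagged member with no PVID, so untagged ingress frames are dropped")
        if r["tagged"]:
            r["role"] = "trunk"
        elif r["untagged"]:
            r["role"] = "access"
        else:
            problems.append(f"{port}: member of no VLAN, so it carries nothing once VLAN filtering is on")
    return roles, problems


def describe(port, r):
    """Render one port the way the switch side has to mirror it."""
    parts = [f"VLAN {v} untagged" + ("+PVID" if v == r["pvid"] else "") for v in r["untagged"]]
    parts += [f"VLAN {v} tagged" for v in r["tagged"]]
    return f"{port}: {r['role']} ({', '.join(parts)})"


if __name__ == "__main__":
    roles, problems = port_roles(BRIDGE_PORTS, BRIDGE_VLANS)
    for port, r in roles.items():
        print(describe(port, r))
    print(*problems, sep="\n")
```

For the recipe's lists this prints lan3 as a trunk carrying VLAN 1 untagged+PVID and VLAN 99 tagged, which is exactly what the switch's uplink port has to be configured to expect, and lan2 as an access port for VLAN 99; the problem list is empty.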

Thanks a ton!

I'm figuring out how things are working somewhat.

I made changes in new files and I'll apply them tomorrow because it's getting late here and I don't want a full panic late night because I broke my entire network with a typo in one of the files!

One thing that I'm unclear about is the interaction (if any) between the Dell switch and OpenWRT when it comes to traffic purely inside my network. If I allow traffic from one VLAN to another in the switch, OpenWRT does not even see that traffic right? (This is what I want)

Yes, this is what an L3 switch should do. The configuration of that switch is out of scope for this forum, though, since it's a bit of a different animal and not running OpenWrt. Dell should have documentation about how to set up the switch for this purpose.

Finally got around to trying and the router does not come up and operate with my new configuration.

dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'theborlands.us'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '/xxxx-xxxx.ts.net/100.100.100.100'
	list rebind_domain 'xxxx-xxxx.ts.net'
	list rebind_domain 'xxxx.com'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '140'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'VLAN10_Trusted'
	option interface 'VLAN10_Trusted'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'FrontPorchCamera'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.20'

config host
	option name 'Camera1'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.21'

config host
	option name 'Camera2'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.22'

config host
	option name 'Camera3'
	option dns '1'
	option ip '192.168.0.23'
	list mac 'xx:xx:xx:xx:xx:xx'

config host
	option name 'PrintColor'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.199'

config domain
	option name 'truenas'
	option ip '192.168.0.15'

config domain
	option name 'idrac'
	option ip '192.168.0.6'

config domain
	option name 'cameras'
	option ip '192.168.0.15'

config domain
	option name 'frigate'
	option ip '192.168.0.15'

config domain
	option name 'ntop'
	option ip '192.168.0.15'

config domain
	option name 'prometheus'
	option ip '192.168.0.15'

config domain
	option name 'grafana'
	option ip '192.168.0.15'

config domain
	option name 'plex'
	option ip '192.168.0.15'

config domain
	option name 'git'
	option ip '192.168.0.15'

config host
	list mac '00:A0:98:72:17:05'
	option ip '192.168.0.10'
	option name 'ha'

config domain
	option name 'ha'
	option ip '192.168.0.15'

config domain
	option name 'ngnix'
	option ip '192.168.0.15'

config host
	option name 'PrintBnW'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.202'
	option dns '1'

config domain
	option name 'grocy'
	option ip '192.168.0.15'

config domain
	option name 'registry'
	option ip '192.168.0.15'

config domain
	option name 'draw'
	option ip '192.168.0.38'

config host
	option name 'WiFiAP-1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.254'

config host
	option name 'WiFiAP-2'
	option dns '1'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.0.253'

config domain
	option name 'db'
	option ip '192.168.0.39'

config domain
	option name 'redis'
	option ip '192.168.0.40'

config domain
	option name 'netbox'
	option ip '192.168.0.15'


network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6a:27f8:d662::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'VLAN10_Trusted'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.1.10.1'
	option netmask '255.255.255.0'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'eth2'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'eth2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config interface 'Tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config route
	option interface 'Tailscale'
	option target '100.64.0.0/10'

config bridge_vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:u*'
	list ports 'lan1:u*'
	list ports 'lan3:u*'

config bridge_vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2:u*'
	list ports 'lan3:t'

firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'VLAN10_Trusted'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'Tailscale'

config forwarding
	option src 'Tailscale'
	option dest 'lan'

config forwarding
	option src 'Tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Tailscale'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'Allow-Tailscale-Inbound'
	list proto 'udp'
	option dest_port '41641'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block HP BnW'
	list src_ip '192.168.0.202'
	list src_ip '2600:4040:b671:9400::9be'
	option target 'REJECT'

config rule
	option src 'lan'
	option name 'Allow-Relayed-DHCP'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config zone
	option name 'VLAN10_Trusted'
	option input 'REJECT'
	option output 'ACEPT'
	option forward 'REJECT'
	list network 'VLAN10_Trusted'

config rule
	option src 'VLAN10_Trusted'
	option name 'Allow-trusted-DNS'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'VLAN10_Trusted'
	option dest 'wan'


I see one specific problem...

You have the network VLAN10_Trusted in 2 zones. A network may only be in a single zone:

Either delete the network from the lan zone, or remove the entire VLAN10_Trusted zone (and the related rules).

If this doesn't fix the problem, you might try changing the name of VLAN10_Trusted (network and firewall zone) to something like Trusted10 -- specifically avoiding the underscore (_) as that might be part of the issue.
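
A quick check for the two-zone conflict, as an added example that is not part of this thread: it parses a UCI firewall config (the sample below is a constructed excerpt reduced from the config posted above) and flags every network listed under more than one zone, plus any zone policy value that is not ACCEPT, REJECT or DROP.

```python
import shlex
from collections import defaultdict

# Constructed sample, reduced from the posted config: the lan zone and the
# VLAN10_Trusted zone both claim the VLAN10_Trusted network.
SAMPLE_FIREWALL = """config zone
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'VLAN10_Trusted'

config zone
	option name 'VLAN10_Trusted'
	option output 'ACEPT'
	list network 'VLAN10_Trusted'
"""

VALID_POLICIES = {"ACCEPT", "REJECT", "DROP"}  # zone policy values OpenWrt's firewall accepts

def parse_zones(text):
    """One dict per 'config zone' section: name, networks, and input/output/forward policies."""
    zones, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # handles tabs and the single quotes UCI uses
        if len(parts) >= 2 and parts[0] == "config":
            cur = {"name": None, "networks": [], "policies": {}} if parts[1] == "zone" else None
            if cur is not None:
                zones.append(cur)
        elif cur is None or len(parts) < 3:
            continue  # blank line, or an option inside a non-zone section
        elif parts[:2] == ["option", "name"]:
            cur["name"] = parts[2]
        elif parts[0] == "option" and parts[1] in ("input", "output", "forward"):
            cur["policies"][parts[1]] = parts[2]
        elif parts[:2] == ["list", "network"]:
            cur["networks"].append(parts[2])
    return zones

def find_problems(text):
    """Networks listed in more than one zone, then zone policy values that are not valid."""
    zones = parse_zones(text)
    owners = defaultdict(list)
    for z in zones:
        for net in z["networks"]:
            owners[net].append(z["name"])
    problems = [f"network {n} is in zones {', '.join(zs)}" for n, zs in owners.items() if len(zs) > 1]
    for z in zones:
        for direction, policy in z["policies"].items():
            if policy not in VALID_POLICIES:
                problems.append(f"zone {z['name']}: {direction} policy {policy!r} is not valid")
    return problems
```

Run it against `cat /etc/config/firewall` output to get both findings for the sample: the duplicated network and the misspelled output policy.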

As usual, thanks a ton for your input!

I have been doing some research because I'm getting tired of taking down my internet connection while trying to play around with this.

From what I've read it might be better for me to do DHCP in the switch and then only pass untagged internet bound traffic to OpenWRT. From there I can make granular firewall rules for specific subnets of my 10.1.x.0/24 network. (Specifically enabling only firmware update sites for cameras and printers.)

I realize this isn't specifically OpenWRT related, but I'm hoping you might add your two cents worth.

Thanks!

A true L3 capable switch can certainly do routing as you desire. However, the real benefit of an L3 switch is for handling the routing between the local subnets when there is a significant volume of inter-vlan traffic. The concept is that it prevents the saturation of the link (and/or CPU) on the main router under heavy inter-vlan traffic loads. However, if your inter-vlan specific routing loads are relatively light, the L3 switch configuration may be more complex than is really warranted.

IMO, if your inter-vlan routing needs are relatively light, I'd just use the switch as a VLAN aware L2 managed switch instead of trying to use the L3 features. This would be the pragmatic approach, of course, and it doesn't account for the educational value of learning how to offload the routing.

That said, although I actually do own an L3 switch, I don't use it for that purpose, so I haven't performed any setups with the routing loads offloaded to the switch. Thus, I don't necessarily have the necessary experience or opinions to comment further on the L3 switch setup.

2 Likes

Thanks for the honest opinion!

I think that I'm going to go the L3 switch route. It will allow me to play and learn while keeping my network up. If I decide the juice isn't worth the squeeze, I'll revert back to using it as L2 only.

1 Like