DHCPDISCOVER(br-lan) no address available - Not assigning ipv4 address, cannot use interface

DNSMasq giving out dynamic leases instead of static leases:

I have been using the same firmware for the past year (23.05) and now when I try to connect to my lan network dnsmasq will not assign an ipv4 address. My computer will assign its own address and I won't be able to use the interface. An ipv6 address is assigned. I want to know how to fix this issue.

Error:
The IP address should be in the 192.168.1.1/24 range. My computer will assign its own address.

DHCP:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'TheLoft_Guest'
	option interface 'TheLoft_Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'TheLoft_IOT'
	option interface 'TheLoft_IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'TheLoft_VPN'
	option interface 'TheLoft_VPN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,ip_address,ip_address'

config dhcp 'wg0'
	option interface 'wg0'
	option ignore '1'

config host
	option name 'openipc-t31'
	option ip '172.16.0.108'
	option mac 'MAC'

config host
	option name 'alienware-ubuntu'
	option ip '172.16.0.136'
	option mac 'MAC'

Firewall:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'TheLoft_Guest'
	list network 'wg2'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'TheLoft_IOT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'TheLoft_VPN'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'TheLoft_Guest DHCP and DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'TheLoft IOT DHCP and DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'TheLoft_VPN DHCP'
	option src 'vpn'
	option dest_port '67 68'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'vpn'
	option dest 'wg0'

config rule
	option name 'TheLoft_VPN WAN Block'
	option src '*'
	list src_ip '10.20.40.1/24'
	option dest 'wan'
	option target 'REJECT'

config forwarding
	option src 'vpn'
	option dest 'guest'

config forwarding
	option src 'guest'
	option dest 'vpn'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nginx_http'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.236'
	option dest_port '40080'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nginx_https'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.236'
	option dest_port '40443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wg_loft'
	option src 'wan'
	option src_dport '61420'
	option dest_ip '192.168.1.1'
	option dest_port '61420'

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:c585:2ebe::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.10'
	list ports 'eth1.1'
	option ipv6 '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 4 3 2 1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.20'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.30'

config device
	option type 'bridge'
	option name 'br-vpn'
	list ports 'eth0.40'

config interface 'TheLoft_Guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '10.20.30.1'
	option netmask '255.255.255.0'

config interface 'TheLoft_IOT'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

config interface 'TheLoft_VPN'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '10.20.40.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '10'
	option ports '0t 6t 4t 3t 2t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '20'
	option ports '0t 6t 4t 3t 2t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '30'
	option ports '0t 6t 4t 3t 2t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 6t 4t 3t 2t 1t'
	option vid '40'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'KEY'
	list addresses '10.5.0.2'
	list dns 'DNS'
	list dns 'DNS'

config wireguard_wg0
	option description 'Description'
	option public_key 'KEY'
	option endpoint_host 'IP_ADDRESS'
	option endpoint_port 'port'
	option persistent_keepalive '30'
	list allowed_ips '0.0.0.0/0'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'KEY'
	list addresses '10.20.50.1/24'
	option listen_port 'PORT'

config wireguard_wg1
	option description 'MACBOOK'
	option public_key 'KEY'
	option private_key 'KEY'
	list allowed_ips '10.20.50.2/32'
	option endpoint_host 'HOST'
	option endpoint_port 'PORT'
	option persistent_keepalive '30'

config interface 'wg2'
	option proto 'wireguard'
	option private_key 'KEY'
	option listen_port 'port'
	list addresses '10.20.60.1/24'

config wireguard_wg2
	option description 'macboo'
	option public_key 'KEY'
	option private_key 'KEY'
	list allowed_ips '10.20.60.2/32'
	option endpoint_host 'ADDRESS'
	option endpoint_port 'PORT'
	option persistent_keepalive '30'

Wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'TheLoft'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'TheLoft'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_Guest'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'TheLoft_Guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_Guest'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'TheLoft_Guest'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_IOT'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'TheLoft_IOT'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_IOT'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'TheLoft_IOT'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TheLoft_VPN'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'TheLoft_VPN'

config wifi-iface 'wifinet7'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TheLoft_VPN'
	option encryption 'psk2'
	option key 'KEY'
	option ieee80211r '1'
	option mobility_domain 'domain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'TheLoft_VPN'

I see a bunch of issues, but importantly how is your computer connected to this router? Is it via a downstream managed switch? Or a port on this router?

This doesn't look right:

What was the intent of bridging eth0.10 and eth1.1?
This WG interface should have a subnet size (i.e. /24 or /32 or whatever) in the address:

This should be a traffic rule, not a redirect/port forward.


Upon further review, and while I still see other issues, I think that the primary issue is here:

Remove eth0.10 from the bridge and then restart.

Ports eth0.10, eth0.20, eth0.30, and 0.40 are all of my specific VLANs. The switch on my router is completely untagged. The computer has to provide tag "10", "20", "30", and "40" to connect to the interface you want. If I remove eth0.10 then I won't be able to connect to the switch via ethernet with tag 10 to connect to TheLoft interface. Honestly, removing that eth0.10 port I do not think will do anything. It's an issue with providing ipv4 addresses.

I connect to my router via wifi mostly. All the other networks: TheLoft_Guest (Vlan tag 20), TheLoft_IOT (Vlan tag 30), and TheLoft_VPN (Vlan tag 40) all work.

Do not worry about the wireguard settings as they are working right now. Only focus on TheLoft interface which is the lan interface and main network. I have a complicated setup.

What is odd is that if I set my ip address manually to "192.168.1.18" or any ip in that subnet then it will connect to the network. The router just doesn't hand out that address manually. Do you see what I am saying?

My system log in openwrt displays this:

Wed Sep 25 23:09:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.229 bc:24:11:fa:3b:ff
Wed Sep 25 23:09:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.229 bc:24:11:fa:3b:ff
Wed Sep 25 23:09:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.229 bc:24:11:fa:3b:ff debshare
Wed Sep 25 23:09:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPDECLINE(br-lan) 192.168.1.229 bc:24:11:fa:3b:ff
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) bc:24:11:fa:3b:ff
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.230 bc:24:11:fa:3b:ff
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.230 bc:24:11:fa:3b:ff
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.230 bc:24:11:fa:3b:ff debshare
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPDECLINE(br-lan) 192.168.1.230 bc:24:11:fa:3b:ff

More errors:

Wed Sep 25 23:20:30 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-guest) 18:3e:ef:dd:7f:b7
Wed Sep 25 23:20:30 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-guest) 10.20.30.132 18:3e:ef:dd:7f:b7
Wed Sep 25 23:20:31 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-guest) 10.20.30.132 18:3e:ef:dd:7f:b7
Wed Sep 25 23:20:31 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-guest) 10.20.30.132 18:3e:ef:dd:7f:b7 Deans-Air
Wed Sep 25 23:20:44 2024 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED 18:3e:ef:dd:7f:b7
Wed Sep 25 23:20:44 2024 daemon.info hostapd: phy0-ap1: STA 18:3e:ef:dd:7f:b7 IEEE 802.11: disassociated
Wed Sep 25 23:20:44 2024 kern.info kernel: [  130.554896] ath10k_pci 0000:01:00.0: mac flush vdev 1 drop 0 queues 0x2 ar->paused: 0x0  arvif->paused: 0x0
Wed Sep 25 23:20:44 2024 daemon.info hostapd: phy0-ap0: STA 18:3e:ef:dd:7f:b7 IEEE 802.11: authenticated
Wed Sep 25 23:20:44 2024 daemon.info hostapd: phy0-ap0: STA 18:3e:ef:dd:7f:b7 IEEE 802.11: associated (aid 1)
Wed Sep 25 23:20:44 2024 daemon.notice hostapd: phy0-ap1: Prune association for 18:3e:ef:dd:7f:b7
Wed Sep 25 23:20:44 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 18:3e:ef:dd:7f:b7 auth_alg=open
Wed Sep 25 23:20:44 2024 daemon.info hostapd: phy0-ap0: STA 18:3e:ef:dd:7f:b7 WPA: pairwise key handshake completed (RSN)
Wed Sep 25 23:20:44 2024 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED 18:3e:ef:dd:7f:b7
Wed Sep 25 23:20:44 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:20:45 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:20:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:20:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) bc:24:11:fa:3b:ff no address available
Wed Sep 25 23:20:52 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:21:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) bc:24:11:fa:3b:ff no address available
Wed Sep 25 23:21:01 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:21:09 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) bc:24:11:fa:3b:ff no address available
Wed Sep 25 23:21:10 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:21:14 2024 daemon.info hostapd: phy0-ap1: STA 18:3e:ef:dd:7f:b7 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Sep 25 23:21:17 2024 daemon.info dnsmasq-dhcp[1]: DHCPINFORM(br-lan) 192.168.1.18 18:3e:ef:dd:7f:b7
Wed Sep 25 23:21:17 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.18 18:3e:ef:dd:7f:b7 Air

Keeps saying no address available
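
An added example (not part of the original thread): a shell/awk filter that pulls the two failure patterns visible in the log above out of a dnsmasq syslog, counted per interface and client MAC. The function names are hypothetical, and the sample lines are copied from the log in this post.

```sh
#!/bin/sh
# Added example: summarise DHCP failures in an OpenWrt syslog (e.g. logread output).

# Sample input: lines copied from the log posted in this thread.
sample_log() {
cat <<'EOF'
Wed Sep 25 23:09:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.229 bc:24:11:fa:3b:ff debshare
Wed Sep 25 23:09:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPDECLINE(br-lan) 192.168.1.229 bc:24:11:fa:3b:ff
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.230 bc:24:11:fa:3b:ff debshare
Wed Sep 25 23:09:25 2024 daemon.info dnsmasq-dhcp[1]: DHCPDECLINE(br-lan) 192.168.1.230 bc:24:11:fa:3b:ff
Wed Sep 25 23:20:31 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-guest) 10.20.30.132 18:3e:ef:dd:7f:b7 Deans-Air
Wed Sep 25 23:20:44 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 18:3e:ef:dd:7f:b7 auth_alg=open
Wed Sep 25 23:20:44 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:20:45 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 18:3e:ef:dd:7f:b7 no address available
Wed Sep 25 23:20:48 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) bc:24:11:fa:3b:ff no address available
EOF
}

# Reads syslog lines on stdin and prints one line per (interface, client MAC):
#   ack_then_decline = DHCPDECLINEs for the address dnsmasq had last ACKed to that client
#                      (per RFC 2131 a client declines an address it finds already in use)
#   no_address       = DHCPDISCOVERs that dnsmasq logged as "no address available"
dhcp_failure_report() {
    awk '
    $7 ~ /^dnsmasq-dhcp/ {
        # $8 looks like DHCPACK(br-lan): split message type from interface
        split($8, m, /[()]/); type = m[1]; ifc = m[2]
        if (type == "DHCPACK") {
            acked[ifc " " $10] = $9            # last address ACKed to this client
        } else if (type == "DHCPDECLINE") {
            k = ifc " " $10
            if (acked[k] == $9) { declined[k]++; seen[k] = 1 }
        } else if (type == "DHCPDISCOVER" && $0 ~ /no address available$/) {
            k = ifc " " $9                     # DISCOVER lines carry the MAC in $9
            noaddr[k]++; seen[k] = 1
        }
    }
    END {
        for (k in seen)
            printf "%s ack_then_decline=%d no_address=%d\n", k, declined[k], noaddr[k]
    }' | sort
}

sample_log | dhcp_failure_report
```

On a router the same function can be fed with `logread | dhcp_failure_report`.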




I believe eth0.10 is my tagged port connection. Eth1.1 is my wan untagged connection.

Not according to your config...

What the above shows is VLAN 1 untagged on all ports, and VLANs 10, 20, 30, 40 tagged on all ports, including both CPU ports (typically only one CPU port is used per VLAN).

This is unusual and not best practice, but if your computer's OS is VLAN aware and it is easy to set the tags, sure, you can do that.

To be clear, I'm telling you to remove eth0.10 from br-lan:

A bridge is the software equivalent of an unmanaged switch. What you've done here is basically put two VLANs through an unmanaged switch, mixing them in a way that is not intended and will not function as desired.

The issue of providing an IP address is caused by eth0.10 being part of the bridge.

Good...

VLAN 10 doesn't appear to be anything but an incorrectly applied 'alias' for VLAN 1 since they are both part of br-lan and thus connected to the lan network interface.

What is the purpose of VLAN 10?

Ok...

Well, obviously the router doesn't hand out 'manual' IP addresses. However, the specific issue is DHCPDECLINE

and I think these other issues are actually related to the incorrect assignment of VLAN 10 into br-lan.

I removed the incorrect assignment of VLAN 10 into br-lan. This fixed my issue. I still do not understand why it was causing issues, do you mind explaining it to me? It was working for a long time and then became a problem.

I also do not know how I am going to assign another vlan to br-lan....

I'm glad (but not at all surprised) that it worked.

It's not clear to me why VLAN 10 existed in the first place, but it was causing a conflict. I am not exactly certain what happens at the lowest level (I'd need to give this a lot of thought to trace through exactly what would happen), but the bridge basically merges these two VLANs such that there were tagged and untagged frames for the same network, duplicated across two VLANs and assigned to all ports.

Just as unmanaged switches should never be used with VLANs, bridges should also not be handling multiple networks/VLANs -- the behavior is undefined and will be unpredictable.

I don't know why it was ever working, but it certainly is not a valid configuration.

I think you're looking at this the wrong way... you already have VLAN 1 assigned to br-lan and that is associated with the lan interface.

What is your goal here? Do you want to change the VLAN ID? Do you want it tagged on the ports? Something else?

I think I see where you are going with this. Maybe I should have a managed switch that tags vlans and goes into the switch port on the back of the router that is tagged with the specific vlan. I bought a managed switch to do this. I was using the router as an unmanaged switch because I did not have a managed switch myself.

It was VLAN 10 in the first place because each ethernet port on the back of the router can accept any VLAN tag. It then takes this tag and sends it to the correct network. I have four networks.

VLAN 10: TheLoft (part of lan and br-lan)
VLAN 20: TheLoft_Guest (part of TheLoft_Guest and br-guest)
VLAN 30: TheLoft_IOT (part of TheLoft_IOT and br-iot)
VLAN 40: TheLoft_VPN (part of TheLoft_VPN and br-vpn)

The only one that had issues was VLAN 10. I was trying to bridge the ethernet port (eth0.10) with br-lan to make it part of the lan network (wireless interface is called TheLoft).

How would I appropriately set up my network with these four interfaces? For instance, on proxmox I want to assign each vm to have either vlan 10,20,30, or 40. It will easily assign to each of my four networks. Should I create another interface called "TheLoft" and then assign firewall settings to forward to lan?

Also, this is my port forward for my wireguard network accepting traffic from wan and redirecting to my router. Why would I make this a traffic rule? What's the difference?

The switch that is built into the router is VLAN aware and can be used as a managed switch. You currently have it configured in a way that doesn't really make a lot of sense and is very likely not going to achieve any of your goals. But, if you can describe what you're aiming to do on a port-by-port basis, I can help you configure it properly.

Your use of VLAN 10 is not how VLANs are supposed to be used, and that's why it broke your network.

The use of the words "part of" is rather unusual.

I would phrase it differently... for example:

  • TheLoftGuest uses the device br-guest which contains VLAN 20

It could also be phrased that:

  • VLAN 20 is TheLoftGuest with subnet 10.20.30.0/24.

VLAN 10 was unnecessary because br-lan already contains VLAN 1 and the lan network interface already used device br-lan.

The best way to approach this is to define what each port does. You have 4 lan ports on your device. What is the purpose of each one? For example (making these up):

  • LAN 1: connects to an AP that will broadcast SSIDs for all of the VLANs. It expects VLAN 1 untagged and all the other VLANs tagged
  • LAN 2: Connects to a game console that uses VLAN 40. The game console is not VLAN aware -- this means it should be untagged VLAN 40.
    ... and so on.

I can help you get your router configured properly. But, if you're using proxmox and expecting this to work with all the VLANs, you will need to know how to configure your entire proxmox environment (from the host OS > supervisor/hypervisor > VMs) to deal with the tagged networks. That part is out of scope for this forum.




For instance TheLoftGuest uses the device br-guest which contains VLAN 20. If you look at the switch configuration on the router. All the VLAN 10, VLAN 20, VLAN 30, VLAN 40 are all tagged. For instance, I would create a proxmox vm with vlan tag "20" and then it would be plugged into lan3. Lan3 ethernet port would appropriately assign it to TheLoftGuest. This has been working fantastic and I could not be asking for better.

However, VLAN 10 is lan with subnet 192.168.1.0/24. However, it is bridged to wan (eth1.1) and cannot be bridged with vlan 10 (eth0.10). Just want to know how to change that. I must not be understanding something.

It seems like on the device section br-guest, I add bridge port eth0.20 which allows me to use information coming in from the ethernet ports with vlan tag 20 on that specific subnet. It's all worked for all the other VLANs (20,30,40). Worked for VLAN 10 for an entire year. However, it is causing issues now for some reason.

All I want to do is have four ethernet ports that accept any vlan tag. Based on the vlan tag it will direct the traffic to the specific subnet. If it has vlan tag 40 then it can be plugged into any ethernet port and then be directed to TheLoft_VPN subnet. If it has vlan tag 10 it can be plugged into any ethernet port and then be directed to TheLoft subnet. Maybe I should create another interface TheLoft and direct all traffic to lan. This would be a different subnet and could be connected to device br-theloft (new device - not br-lan device) and bridge port "eth0.10".

No, that subnet is actually VLAN 1 (by default). You added VLAN 10 to this via a bridge and caused a conflict. You can reassign this to VLAN 10 (and remove VLAN 1) if you want.

  • Do you want the lan (192.168.1.0/24) which is currently VLAN 1 to be VLAN 10 instead?
  • Do you want it to be tagged or untagged on the ports (or tagged on some, untagged on others)?

I don't know why it actually worked as you had it previously configured, but that configuration was not correctly applied. However, as stated above, you can remove VLAN 1 and use VLAN 10 instead.

Ok... based on your current configuration, you have all ports configured with:

  • VLAN 1: untagged; lan (192.168.1.0/24) -- this one could become VLAN 10 instead, if desired.
  • VLAN 20: tagged; TheLoft_Guest (10.20.30.0/24)
  • VLAN 30: tagged; TheLoft_IOT (172.16.0.0/24)
  • VLAN 40: tagged; TheLoft_VPN (10.20.40.1)

However, only VLAN aware devices will be able to use VLANs 20, 30, 40. Most end devices (i.e. computers, STBs, game consoles, etc.) are not VLAN aware (or those that are usually don't make it all that easy to configure VLANs). This means that manual configuration of the end device is required to use any of the VLANs.

No, do not create another interface. The fact is that the names of the networks don't impact their actual use, and an SSID, if applicable, can use a different name. That said, if you want it to be TheLoft -- just rename the lan interface (and make sure it is also renamed in the other files that reference it -- DHCP, firewall, and wireless).

As I said above, the network already exists, just not with the name you want... the simple solution is to simply rename it.

Another thing that should be addressed is that you have VLANs 10, 20, 30, and 40 connected to both CPU ports (eth0, eth1). You should only have one of them assigned (nominally eth1).

In the switch configuration:

  • logical port 6 equates to CPU port eth1
  • logical port 0 equates to CPU port eth0

You have both of those connected in the stanza below (which is also true for the other VLANs):

You should remove port 0, so the ports line would look like this:

	option ports '6t 4t 3t 2t 1t'

Apply this change to all the VLANs.

And are you really sure you want all VLANs on all ports (that is to say, all ports are trunk ports)? Do you want the lan (currently VLAN 1, maybe VLAN 10 in the future) to be tagged or untagged?
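
An added example (not part of the original thread, and not an OpenWrt tool): a shell/awk lint for `/etc/config/network` that flags the two faults diagnosed above, a bridge whose ports carry more than one VLAN ID and a `switch_vlan` stanza attached to more than one CPU port. The function names and the `CPU_PORTS` variable are hypothetical; the default CPU ports 0 and 6 are the ones named in this thread and differ between devices. The first sample is excerpted from the posted config, the second is that excerpt with the advised changes applied.

```sh
#!/bin/sh
# Added example: lint an OpenWrt network config for the faults found in this thread.

# Excerpt of the config as posted.
posted_config() {
cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.10'
    list ports 'eth1.1'

config device
    option type 'bridge'
    option name 'br-guest'
    list ports 'eth0.20'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '6t 4 3 2 1'
    option vid '1'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '10'
    option ports '0t 6t 4t 3t 2t 1t'
EOF
}

# Same excerpt after the advised changes (constructed from the replies above).
fixed_config() {
    posted_config | sed -e "/list ports 'eth0.10'/d" -e "s/'0t 6t 4t 3t 2t 1t'/'6t 4t 3t 2t 1t'/"
}

# Prints one finding per line; prints nothing for a clean config.
lint_network() {
    awk -v q="'" -v cpu="${CPU_PORTS:-0 6}" '
    function strip(s) { gsub(q, "", s); return s }      # drop UCI quoting
    function report(   n, i, a, b, p, vids, cnt) {
        if (sect == "device" && type == "bridge") {
            # Collect the distinct VLAN suffixes (ethX.N) among the bridge ports
            n = split(ports, a, " ")
            for (i = 1; i <= n; i++) {
                if (split(a[i], b, /\./) != 2) continue
                if (index(vids " ", " " b[2] " ") == 0) { vids = vids " " b[2]; cnt++ }
            }
            if (cnt > 1) printf "BRIDGE %s mixes VLANs%s (ports:%s)\n", name, vids, ports
        } else if (sect == "switch_vlan") {
            # Count how many CPU ports are members of this VLAN
            n = split(ports, a, " ")
            for (i = 1; i <= n; i++) {
                p = a[i]; sub(/[^0-9]+$/, "", p)        # drop the t (tagged) suffix
                if (index(" " cpu " ", " " p " ")) cnt++
            }
            if (cnt > 1) printf "SWITCH vid %s on %d CPU ports (ports: %s)\n", vid, cnt, ports
        }
    }
    $1 == "config" { report(); sect = $2; name = type = ports = vid = ""; next }
    $1 == "option" && $2 == "name"  { name = strip($3) }
    $1 == "option" && $2 == "type"  { type = strip($3) }
    $1 == "option" && $2 == "vid"   { vid = strip($3) }
    $1 == "list"   && $2 == "ports" { ports = ports " " strip($3) }
    $1 == "option" && $2 == "ports" {
        s = $0; sub(/^[ \t]*option[ \t]+ports[ \t]+/, "", s); ports = strip(s)
    }
    END { report() }'
}

echo "posted:"; posted_config | lint_network
echo "fixed:";  fixed_config  | lint_network
```

On a router it can be run as `lint_network < /etc/config/network`.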
