Difficulties about OpenWRT Settings

Hello !

I've installed openwrt on a AX3000T Wifi Router.
It's work but i have some difficulties to add a new network.

So Internet is plug into entry LAN 1. So it's WAN if I understand.
I have two SSID for the WIFI (2.4/5G) and Lan entry 2 and 3, using existing interface lan (and br-lan device). For that, it's ok.

I wnat to create a new network for domotic device. I create a new interface, Fixed IP, with only Lan 4. I set also rules into firewall.
Lan 4 seems to received internet
But when i add a new wifi network using that interface, this wifi doesn't have internet. I don't undestand why.

I begin on that kind of topic and i would appreciate your help !

Thanks in advance

Maybe you need a DHCP server for new lan4?
And lan4->wan forward rule similar to one for (br-)lan

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes I added it.
Lan 4 have access to internet, because a Zigbee Gateway is plugged in, and i have connection into Home Assistant
It's only for the wifi connection i added on the same interface

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.142",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-edb4da3",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r0-edb4da3"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd48:ebaa:3f5a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'xxxxx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'lan_domotique'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option device 'lan4'
        option ip6assign '64'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'FlopWN'
        option encryption 'sae-mixed'
        option key 'xxxx'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'FlopWD'
        option encryption 'sae-mixed'
        option key 'xxxx'
        option network 'lan_domotique'
        option macaddr 'random'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'FlopWN_5G'
        option encryption 'sae-mixed'
        option key 'xxxx'
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'FlopWM_5G'
        option encryption 'sae-mixed'
        option key 'xxxxx'
        option network 'lan'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan_domotique'
        option interface 'lan_domotique'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Mobile'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'Mobile'
        option dest 'wan'

config zone
        option name 'Domotique'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan_domotique'

config forwarding
        option src 'Domotique'
        option dest 'wan'

Where did this build come from? It doesn't look like a typical snapshot.

I cannot see anything wrong with that config... Does it work on the ethernet port? Do wireless client aquire an IP address? Can you ping external servers by IP / name?

Ethernet port seems working because a zigbee gateway is plug in, and i received data into home assistance.
For IP adress, i will check it this evening, i'm not currently at home.

For firmware, i taked it here

Release Xiaomi AX3000T 2023-12-12 · dimfishr/openwrt · GitHub

If i make a ipconfig :

Suffixe DNS propre Ă  la connexion. . . :
Adresse IPv6 de liaison locale. . . . .: fe80::ec34:a63c:e190:2c01%9
Adresse d’autoconfiguration IPv4 . . . : 169.254.238.119
Masque de sous-réseau. . . . . . . . . : 255.255.0.0
Passerelle par défaut. . . . . . . . . :slight_smile:

it's strange because it doesn't respect setting. I define a ip 192.168.3.100 to 150 into the DHCP.
An network mask isn't 255.255.255.0

I can ping anything when i am connected on this wifi network. But Zigbee Gateway connected on lan4 with the same interface have a good ip 192.168.3.xxx and connected to the wan

That means it is not getting a DHCP response from the router.

My answer below is assuming that nothing significant has changed in the general operation of OpenWrt (it's a non-standard build and I don't know what might be different):

This stanza has problems...

You cannot declare a bridge from within the network interface. It must be done in an explicit bridge device stanza. However, the other thing is that you won't be able to move lan4 into a new bridge because your device uses DSA which only supports a single bridge.

So the solution is to use bridge-vlans.

Put lan4 back into the br-lan:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

Creat bridge-VLANs:

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan4:u*'

Now edit your lan and lan_demotique to use the bridge VLANs so that they look like this:

config interface 'lan'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'lan_domotique'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

I'd also recommend avoiding sae-mixed enryption. That tends to cause problems.

Use either WPA2 or WPA3, but not mixed mode. (this recommendation applies for all your SSIDs.)

Restart and test again. If that doesn't help, we may need @dimfish to comment since it appears to be their build.

It's working

Thanks a lot for your help !

I have to continue to set firewall rules etc.

Édit : i unanswered too quickly. Lan ethernet works, but not WiFi. If i change for vlan to put t* value, wifi works but not ethernet...

Let’s see the latest config.

i ajusted firewall and it's ok

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

1 Like

i have a new problem :slight_smile:

I want to create a interface for mobile device.
I create it without device;
I created two wifi network (one 2,4G and one 5G), linked with that interface.

And only one (the first i added) works.
Is it possible to have several wifi network on the same interface ?

Can you be more specific about the issue... it's hard to follow your description. And also post the config files so that we can see the current state.

For me, smartphone connected on doesn't get a ip

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd48:ebaa:3f5a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'XXXXX'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'lan_domotique'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option device 'br-lan.3'
        option ip6assign '64'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan4:u*'

config interface 'lan_mobile'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config interface 'lan_guest'
        option proto 'static'
        option device 'phy0-ap3'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'FlopWN'
        option encryption 'psk2'
        option key 'XXXXX'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'FlopWD'
        option encryption 'psk2'
        option key 'XXXXX'
        option macaddr 'random'
        option network 'lan_domotique'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'FlopWN_5G'
        option encryption 'psk2'
        option key 'XXXXX'
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'FlopWM_5G'
        option encryption 'psk2'
        option key 'XXXXX'
        option network 'lan_mobile'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'FlopWM'
        option encryption 'psk2'
        option key 'XXXXX'
        option network 'lan_mobile'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'FlopWGuest'
        option encryption 'psk2'
        option key 'XXXXX'
        option network 'lan_guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan_domotique'
        option interface 'lan_domotique'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'lan_mobile'
        option interface 'lan_mobile'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'lan_guest'
        option interface 'lan_guest'
        option start '100'
        option limit '5'
        option leasetime '2h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config zone
        option name 'domotique'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_domotique'

config forwarding
        option src 'domotique'
        option dest 'wan'

config zone
        option name 'mobile'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_mobile'

config forwarding
        option src 'mobile'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan_guest'

config forwarding
        option src 'guest'
        option dest 'wan'
````Preformatted text`