DNS resolution for OpenWrt AP is incorrect

I have a pfSense router with a DHCP server. OpenWRT acts as an access point with a LAN interface that has the DHCP server disabled and a Guest interface where a DHCP server is running:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fdef:08b5:67e5::/48'

config interface 'lan'
	option _orig_ifname 'eth0 wlan0 radio1.network1'
	option _orig_bridge 'true'
	option proto 'static'
	option ipaddr '192.168.1.98'
	option netmask '255.255.255.0'
	option device 'br-lan'
	option gateway '192.168.1.1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-guest'

config device
	option name 'eth0'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'

The issue is that while the mobile phone receives the pfSense router (192.168.1.1) as its DNS server, which has the openwrt DNS name configured to statically resolve to 192.168.1.98, I get 192.168.2.1 on my phone instead (which is OpenWRT's IP in the Guest network).

It doesn't make any sense. In fact, none of the local addresses from pfSense are resolving properly.

I'm confused. The only potential explanation I have is that my phone somehow gets an IPv6 address fe80::b0b9:eb3e:c12c:ffdf/64 and a strange DNS server for IPv6 ending with %wlan0, but since IPv6 is disabled everywhere, I don't think it actually works.

Any suggestions are very appreciated.

Hm... disabling odhcpd fixed the issue and removed the strange %wlan0-suffixed DNS server from the Android connection details.

Why was it not disabled for the LAN interface if "Ignore interface" is selected in the interface? A bug?

Let’s see your config.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

/etc/config/network is already attached in the original post.

dhcp:

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option domainneeded '1'
	option authoritative '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:01.0/0000:01:00.0'
	option cell_density '0'
	option txpower '20'
	option channel '44'
	option country 'UA'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'redacted'
	option key 'redacted'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'sae'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:01.2/0000:04:00.0'
	option band '2g'
	option cell_density '0'
	option htmode 'HT40'
	option country 'UA'
	option channel '12'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'redacted'
	option key 'redacted'
	option wpa_disable_eapol_key_retries '1'
	option network 'lan'
	option encryption 'sae'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'redacted Guest'
	option encryption 'psk2'
	option isolate '1'
	option key 'redacted'
	option wpa_disable_eapol_key_retries '1'
	option network 'guest'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block Guest Access to LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'DROP'

The conclusion I have is that DHCPv6 was applied to LAN even though it is configured to be ignored there. As if DHCPv6 lives its own life by its own rules.

So everything in your config files looks fine.... are you 100% certain that your phone didn't connect to the guest network? It would seem to me that the only way that it could get an address in 192.168.2.0/24 is if that happens.

I 100% SSHed into my phone while it was connected to the normal LAN network and did ping openwrt, which resolved to 192.168.2.1 but, obviously, wasn't able to ping because that is a different network; my phone had IP address 192.168.1.3. Once I stopped odhcpd and reconnected, openwrt started to resolve correctly to 192.168.1.98, as I expected initially.

Will probably create a bug report with this later.

oh... I see... so you're saying the phone had an IP on the correct network, but the issue is that DNS of "openwrt" was resolving to the IP that OpenWrt uses for the guest network? That is a bit odd... the only way I could see that happening is if the DHCP server was actually running on OpenWrt and so when your phone connected, the lease was actually issued by the OpenWrt device (which should have nominally been in a true dumb AP config with DHCP disabled). In this scenario, OpenWrt would point to itself as the DNS (and gateway).

Is it possible that you didn't restart the odhcpd process after setting the DHCP lan to ignore?

A packet capture would help understand which nameserver replied with this address and troubleshoot further.

DHCPv4 is certainly from pfSense, as there I have a static lease 192.168.1.3 for my phone's IP address. The DNS server was also issued correctly as 192.168.1.1.

The only difference is that with odhcpd running, the phone gets another DNS server in front of 192.168.1.1, which is IPv6 and apparently intercepts DNS queries. This implies odhcpd does act as a DHCPv6 server on LAN, despite LAN being explicitly configured to not have DHCP. I have IPv6 disabled everywhere on the router and even tried switching some options on OpenWRT, but with no effect so far.

In your config posted above you clearly have DHCPv6 enabled and even RA:

config dhcp 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

ignore there is not related to IPv6 in any way.
For more info: https://openwrt.org/docs/guide-user/base-system/dhcp

Specifies whether dnsmasq should ignore this pool if set to 1

Settings for IPv6 are found in LuCI under DHCP server, in the two tabs named IPv6 Settings and IPv6 RA Settings.

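The mismatch discussed above (a pool with `option ignore '1'` that still carries `option dhcpv6 'server'` / `option ra 'server'`) can be spotted mechanically. The script below is an added example, not from the thread or from OpenWrt itself: it parses a UCI-style dhcp file from stdin, reports every `config dhcp` section where dnsmasq is told to ignore the pool but odhcpd would still serve DHCPv6/RA on it, and prints (does not run) the `uci delete` commands that remove the odhcpd-side options. The embedded sample config is constructed to mirror the poster's file.

```shell
#!/bin/sh
# Audit a UCI dhcp config for pools that dnsmasq ignores (ignore='1') while
# odhcpd still serves them (dhcpv6='server' or ra='server').
# Reads the config on stdin; prints "<section> dhcpv6=<v> ra=<v>" per hit.
audit_dhcp_config() {
    awk -v q="'" '
    function flush() {
        if (sec != "" && ignore == "1" && (dhcpv6 == "server" || ra == "server"))
            printf "%s dhcpv6=%s ra=%s\n", sec, dhcpv6, ra
        sec = ""; ignore = ""; dhcpv6 = ""; ra = ""
    }
    # A new "config" stanza closes the previous one; only named dhcp pools count.
    $1 == "config" { flush(); if ($2 == "dhcp") { sec = $3; gsub(q, "", sec) }; next }
    sec != "" && $1 == "option" {
        val = $3; gsub(q, "", val)
        if ($2 == "ignore") ignore = val
        else if ($2 == "dhcpv6") dhcpv6 = val
        else if ($2 == "ra") ra = val
    }
    END { flush() }'
}

# Commands that strip the odhcpd settings from one pool section. Printed, not
# executed, so the audit itself stays read-only; run them on the AP to apply.
fix_commands() {
    printf 'uci delete dhcp.%s.dhcpv6\nuci delete dhcp.%s.ra\nuci delete dhcp.%s.ra_management\n' \
        "$1" "$1" "$1"
    echo "uci commit dhcp && /etc/init.d/odhcpd restart"
}

# Constructed sample: lan is ignored by dnsmasq but still has DHCPv6/RA,
# wan is ignored with no IPv6 options, guest is a plain DHCPv4 pool.
sample_dhcp_config() {
    cat <<'EOF'
config dnsmasq
	option domain 'lan'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
EOF
}

sample_dhcp_config | audit_dhcp_config | while read -r sec rest; do
    echo "pool '$sec' is ignored by dnsmasq but odhcpd still serves it ($rest)"
    fix_commands "$sec"
done
```

On a live AP, replace `sample_dhcp_config` with `cat /etc/config/dhcp`; in LuCI the same options live under the IPv6 Settings and IPv6 RA Settings tabs mentioned above.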

Indeed, thank you!
I thought that option controlled both, but apparently not.
