Edge-Router X DHCP breaking after upgrade to 23.05

Hello!

I did an in-place attended sysupgrade on both my Edge-Router X and unifi6 lite AP and I'm having problems with DHCP. My main lan1 wifi works OK, but my second SSID is getting "DHCP lookup failed". I didn't restore a full backup, just /network, /firewall and /DHCP, trying to get a fresh start... but the problem persisted after resets and trial and error. Same results. Please help!

Also, when using 'clear' via SSH, it prints the terminal history back after each subsequent command, i.e.
cat /etc/config/network
clear
cat /etc/config/DHCP

will display to the terminal the entire history after clear:

cat /etc/config/network
cat /etc/config/DHCP

Is this a known bug?

I would like to only allow luci/ssh access via physical switch ports. I have the mgmt vlan setup in openwrt and my switch. What kind of firewall rules should I be looking at?

Finally, I would like to isolate one device on the network, allowing it Internet access only, with no access to other devices on the same SSID/network.

/etc/config/network

        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'GST'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'cams'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'mgmt'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'
        list ports 'eth2:t'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'

config device
        option name 'eth0'

/etc/config/firewall

        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'GST'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'cams'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'mgmt'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'
        list ports 'eth2:t'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'

config device
        option name 'eth0'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'vlan_1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vlan_10'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'
        option input 'DROP'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'vlan_1'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'vlan_1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vlan_10'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'
        option input 'DROP'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'vlan_1'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-vlan10-DNS'
        option src 'vlan_10'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow-vlan10-DHCP'
        list proto 'udp'
        option src 'vlan_10'
        option dest_port '67-68'
        option target 'ACCEPT'

config forwarding
        option src 'vlan_10'
        option dest 'wan'

config zone
        option name 'cams'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cams'

config zone
        option name 'mgmt'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mgmt'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'

config dhcp 'GST'
        option interface 'GST'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

If VLAN 1 is intended to be untagged, set it explicitly like this:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'
        list ports 'eth2:u*'
        list ports 'eth3:u*'
        list ports 'eth4:u*'

There are no bridge-vlans for the following two networks/VLANs (20, 30):

Additionally, those networks are not allowed to access the router itself (input = DROP) and they do not have rules for DHCP and DNS (example from VLAN 10 below):

Those two networks also do not have DHCP servers.


Thanks for the reply!

Sorry for the incomplete configs... I upgraded the firmware and it seemed like everything went sideways. Just trying to get it back to normal. Any idea why option dhcpv4 'server' disappeared after the upgrade for GST? It had a DHCP server that worked just fine prior... Have you ever heard of this happening? Worried about some sketchy stuff on my network lately.

What firewall rules do I need to isolate a device from other devices on the network?
Also, what firewall rules do I need to ensure cams and mgmt can only be accessed via secure physical switch ports, not wi-fi?

thank you so much.... you always help me!

Nope, but I don't think that the line is required, actually.
You shouldn't need to add force, though.

No, but there are some odd things that I mentioned -- like the fact that you have two vlans that aren't defined as bridge-vlans.

like what?

Let's address this in a different thread once this one is solved. But the ER-X doesn't have WiFi, so you'll set it up on the ER-X ports, and those don't have WiFi.

That said, you must have a WiFi AP... what's the WiFi situation? Is that AP running OpenWrt? How is it configured?

And how are you testing your DHCP servers? WiFi? wired? Which ports?

That's a relief; I'll ignore it for now. I just noticed that once I upgraded (or even before -- I don't connect every day... hence the sketchy-behavior suspicion) it kept giving me "DHCP lookup failed" when trying to join (note: this is my private VPN network, so if someone wanted to disrupt access, this would be how). I also found this thread you worked on with someone who had a similar issue, and it wasn't apparent why. He never replied with the solution - so I will Occam's razor this and say it's a bug...

The cams and mgmt VLANs are brand new post-upgrade. I just got the cameras, and the aforementioned paranoia makes me want to put my core network devices and cameras on switch ports only - since they are rarely accessed and sensitive. So in this case, I didn't completely understand the bridge-vlan concept. In my head, I thought one bridge device carried all of the VLANs, and all I had to do was add them to /network and set up the /firewall rules.

Wi-Fi access point (unifi6 lite, also OpenWrt 23.05). I currently only had my lan SSID set up on the radios, and nuked the GST SSID to set it up from scratch. I suppose I really want to prioritize the cams and mgmt security first, then worry about my secure enclave / VPN network.

thanks

While we could certainly be looking at a bug, I don't think it's likely because it would be very widely reported if it was. Let's get a better handle on what is going on with your configs first.

Let's see the current/latest config of your ER-X. Please make sure the files are complete (except for any redacted info required for removing PII).

I just got kicked offline with DNS errors... I rebooted, and it's working OK now... not sure what happened. I was messing with the DHCP lease file trying to organize static leases... I also noticed I had DNS servers set on both the lan interface and the wan interface; which is preferred? I see them both duplicated in the logs/startup.

/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipv6 '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'GST'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'cams'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'mgmt'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'
        list ports 'eth2:t'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config device
        option name 'eth0'

/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'vlan_1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vlan_10'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'
        option input 'DROP'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'vlan_1'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-vlan10-DNS'
        option src 'vlan_10'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow-vlan10-DHCP'
        list proto 'udp'
        option src 'vlan_10'
        option dest_port '67-68'
        option target 'ACCEPT'

config forwarding
        option src 'vlan_10'
        option dest 'wan'

config zone
        option name 'cams'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cams'

config zone
        option name 'mgmt'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mgmt'

/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option ip '192.168.1.100'
        option name 'xxx'
        list mac '48:68:4A:FB:01:2B'

config host
        option name 'Bedroom-Roku'
        option ip '192.168.1.200'
        list mac '8C'

config host
        option name 'LivingRoom-Roku'
        option ip '192.168.1.201'
        list mac 'xxx'

config dhcp 'GST'
        option interface 'GST'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'Livingroom'
        option ip '192.168.1.153'
        option mac 'xx'

I assume I just need to add

    option vlan '20'
    option vlan '30'

and also set up firewall rules for 10 and 20 allowing DHCP/DNS, and dropping traffic from other VLANs?

DNS is really bugging out... it's showing DNS NOT RESOLVED, then finding the page, lagging, then loading...

DNS servers set in the lan interface don't actually do anything with respect to client devices. Set it on the wan or in the dhcp file (under the dnsmasq section).

So yes... remove the last two lines here:

Meanwhile, I'm going to assume your AP is connected to eth1. If that's wrong, we can fix it... but let's do the following...

First, edit the vlan 1 bridge-vlan to be untagged explicitly on eth1 and eth4.

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'
        list ports 'eth4:u*'

Next, let's make VLAN 10 tagged on eth1 and untagged on eth2. The reason is that we're going to set eth2-eth4 wired for each of the VLANs so that we can test functionality and eliminate the variable of your AP's configuration.

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth1:t'
        list ports 'eth2:u*'

Now, let's add VLANs 20 and 30 (we're out of ports, so vlan30 will not have a dedicated port at this moment -- we can change this later).

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'
        list ports 'eth3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'eth1:t'

Delete this:

Moving onto the firewall...

For now, let's set input to ACCEPT for all your networks:

config zone
        option name 'vlan_10'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GST'
        option input 'ACCEPT'

config zone
        option name 'cams'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cams'

config zone
        option name 'mgmt'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mgmt'

Moving on to the DHCP file...
Let's add the ipv4 server line to the guest server (I don't think it's critical, but let's add it to make sure everything is good):

config dhcp 'GST'
        option interface 'GST'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

And let's create DHCP servers for your other networks:

config dhcp 'cams'
        option interface 'cams'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'mgmt'
        option interface 'mgmt'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

Now, reboot and test. To test each VLAN, you'll connect by ethernet to each port in succession:

  • port eth2: guest 192.168.10.0/24, has internet access
  • port eth3: cams 192.168.20.0/24, does not have internet access
  • port eth4: lan 192.168.1.0/24, does have internet access

Let me know what happens and post your latest config.

Before I proceed, Eth0 is the modem, and Eth1 goes to my switch, where the AP is on a bridge port carrying the vlans for WiFi. Does this affect this config change?

I will only be accessing GST from the switch untagged port for 1 client device, otherwise it's using the WiFi bridge.

I do not need to use the edge-routerx ports for anything but mgmt and cams. I will use the switch for all other needs.

I went ahead and set up the DHCP servers for mgmt and cams

I hope this is a managed switch.

no, but we do need to verify your switch and AP configs.

Let's test as I have laid out so that we can verify everything is working directly on the ER-X. This eliminates the other variables. We can re-assign the ER-X ports when we're done validating the ER-X configs.

yes, that's fine in the long run. But let's use the ER-X ports to make sure everything is working.

I'm sorry, lots of information and ports going on here.

I'm okay ignoring GST right now, I can troubleshoot it later.

Can we simplify this, remove the switch/AP completely, and focus on testing/verifying cams and mgmt on the Edge-Router X, using port eth2 for cams (no internet access) and eth3 for mgmt (no internet access)?

Thank you for your time. If we can achieve this tonight, I can work on the GST issue tomorrow. I need to factory reset the AP anyway... my password manager whiffed the password reset I did today (I have a config backup, so I'm just waiting for the family not to need the WiFi).

I'd recommend that you just do what I suggested in the earlier post... it will get us most of the way there for the ER-X for all the networks at the same time.

Then, post the complete config and let me know what you want each port to do -- we'll modify accordingly.

list ports 'eth1:u*'
This is my AP port; will this be okay? It's carrying br-lan.1 and br-lan.10.

edit: sorry let me just try it
edit: don't wanna take the network down. Will this break WiFi?

Yes, as long as the switch expects VLAN 1 untagged.

It shouldn't... I've kept VLAN 1 untagged on port eth1 just as you had it previously.


should be OK

Ok... I don't have enough context on your switch, but as long as the uplink is one of ports 1-7 (and if your switch requires that you set the PVID, make sure that's correct, too), you should be fine.

Should be eth3 for port 4, correct? I think I know what you mean; I just need to confirm.

edit: I thought I had less ports nevermind

Copying and pasting... will report back soon

rebooted and tested. Behaved as you described. Thank you!

So now we can get the 192.168.1.x network off of port eth4 and use it for vlan-30 correct?