ESSID not handing out DHCP IP leases

I have defined a VLAN that is linked to a physical port. I also created an extra SSID wireless network that I linked to the VLAN network. Clients connecting to the VLAN via the wired Ethernet port receive IP leases, but those connecting to the wireless network do not, and as a result have no internet access.

I checked the settings on the additional SSID against those on the main SSID (which is linked to the main lan network), and they are the same. What could be afoot here – I must have missed something?

Did you set up the DHCP server? What about the firewall zone?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Check as to FS3904

Thanks for the quick reply! Here are my settings:

/etc/config/network:
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdba:0065:f1da::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        list dns '192.168.2.25'
# 192.168.2.25 is a Pi-Hole on the LAN

config device
        option name 'eth0.2'
        option macaddr 'f8:1a:67:5a:ea:c9'

config interface 'wan'
        option device 'eth0.2'
        option ifname 'usb0'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option delegate '0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.2.25'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'

config interface 'SmartDNS'
        option proto 'static'
        option device 'eth0.3'
        list dns '45.77.61.165'
        list dns '81.17.17.170'
        option delegate '0'
        option type 'bridge'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'TetheringWAN'
        option proto 'dhcp'
        option device 'usb0'
        option delegate '0'

config device
        option name 'eth0.3'
        option type '8021q'
        option ifname 'eth0'
        option vid '3'
        option acceptlocal '1'

/etc/config/wireless:
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option channel '1'
        option country 'FR'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'TOPSECRET'
        option ssid 'SOMESSID'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option cell_density '0'
        option channel '48'
        option country 'FR'
        option htmode 'HT40'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'TOPSECRET'
        option ssid 'SOMEOTHERSSID'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SD_nomap'
        option encryption 'psk2'
        option key 'TOPSECRET'
        option network 'SmartDNS'
# This ^ is the problem SSID

/etc/config/dhcp:
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '20'
        option limit '200'
        list dhcp_option '6,192.168.2.25'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option start '100'
        option limit '200'
        option leasetime '12h'
        option dynamicdhcp '0'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'SmartDNS'
        option interface 'SmartDNS'
        option leasetime '12h'
        option start '3'
        option limit '10'
        list dhcp_option '6,45.77.61.165,81.17.17.170'
        option force '1'
        list ra_flags 'none'

config host
        option name 'raspberrypi'
        option mac 'DC:A6:32:98:BF:FF'
        option ip '192.168.2.25'

config host
        option name 'QNAP'
        option dns '1'
        option mac '24:5e:be:2e:16:b0'
        option ip '192.168.2.65'

config host
        option name 'MotoZoom'
        option dns '1'
        option mac '9a:b5:02:e7:73:fe'
        option ip '192.168.2.20'

/etc/config/firewall:
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'TetheringWAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'SmartDNS'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'SmartDNS'
        option forward 'ACCEPT'

config forwarding
        option src 'SmartDNS'
        option dest 'lan'

config forwarding
        option src 'SmartDNS'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'SmartDNS'

Try adding this to the DHCP server for the SmartDNS network.

I added the option to the network, did /etc/init.d/odhcpd restart and /etc/init.d/network restart, and disabled/enabled the SSID, but this did not fix the issue. Note that wired clients on the SmartDNS network receive DHCP leases fine, it is only wireless clients that do not.

Modify the interface and device sections and restart the network service.

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'

config interface 'SmartDNS'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'smartdns'
        option delegate '0'

config device
        option type 'bridge'
        option name 'smartdns'
        list ports 'eth0.3'

If it still doesn't work, post the result of brctl show


Thanks Pavel – just a couple of questions so that I don't waste everyone's time:

  1. The purpose of having the separate VLAN is to ensure that all clients on it use a specific set of DNS servers. The changes you propose remove the DNS instructions – how should I then compensate for this to achieve the desired DNS effect?
  2. What is the reason for removing the 8021q option?

As I see, dhcp option 6 is set, so all your clients (wired and wireless) will use the specified DNS servers.

The vlan 3 is already created in section switch_vlan. You don't need to duplicate it as a driver-level VLAN.


OK, I made your suggested changes in /etc/config/network. Unfortunately, this did not fix the issue of no IP leases being handed out on the wireless VLAN. It also broke the one thing that was working – now no IP leases are handed out on the wired interface either, which was working before.

brctl show:

bridge name     bridge id               STP enabled     interfaces
smartdns                7fff.f81a675aeac8       no              eth0.3
                                                        wlan1-1
br-lan          7fff.f81a675aeac8       no              wlan0
                                                        wlan1
                                                        eth0.1
swconfig dev switch0 vlan 3 show; swconfig dev switch0 port 2 show; \
ip a show dev smartdns;  iptables-save -c | grep smartdns; uci show dhcp.SmartDNS; \
/etc/init.d/log restart; /etc/init.d/dnsmasq restart; sleep 3; \
netstat -nlpu | grep \:67; logread -e dhcp

Hi Pavel, I haven't had time to look at this for a while, but now I decided to look at it again. Weirdly, now things are working! Thanks for your help.

Just one question: as it is, I am using the VLAN over the extra SSID and "hardwired" via one of the LAN ports on the router. If I also wanted the VLAN to be available over the other ports, but only as a tagged VLAN so that it can be picked up elsewhere in the LAN by those devices that should use it, how can I do this? We removed the 802.1q setting, and now I am not sure how to re-introduce it so that it does not conflict with the other settings you helped me enter.

I'm afraid VLANs don't work that way.

First of all, you cannot mix tagged and untagged frames on the same port using this hardware. If you want to assign more than one VLAN to a specific port, all of these VLANs must be set as tagged. The device connected to that port must be VLAN-aware: it could be a managed switch, or a PC with a NIC whose drivers support 802.1q VLAN tagging.

In your config VLAN 1 (lan) is assigned to ports 3,4 and 5, VLAN 2 (wan) is assigned to port 1 and VLAN 3 (SmartDNS) is assigned to port 2. Because most end devices work with untagged frames, here only the router’s CPU port (0t) uses tagged frames.

If you need more wired ports for VLAN 3, you have three options.

A) You could assign one more port to VLAN 3. You’ll have 2 wired ports (4 and 5) for lan and 2 ports (2 and 3) for SmartDNS.

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2 3'
        option vid '3'

B) You could connect an unmanaged switch to port 2 of the router and then connect all your wired (SmartDNS) devices to that switch.

C) You could simultaneously increase the number of wired ports for VLAN 1 and VLAN 3 using an 8-port managed switch and tagged frames (for both VLANs) between the switch and the router.

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3t 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2 3t'
        option vid '3'

I hope the scheme below will make option C more clear. You’ll have 5 wired ports for each VLAN.

VLAN 1 - Router ports 4,5 / Switch ports 2,3 and 4
VLAN 3 – Router port 2 / Switch ports 5, 6, 7 and 8.



Thanks for taking the time to write such a comprehensive answer!

What I was looking for (I think) is option C, that is to let the SmartDNS traffic flow not just on the dedicated physical port on the OpenWRT but also together with other traffic on the trunk from the OpenWRT to the rest of the LAN so that I can – for example – pick up the SmartDNS VLAN on a wired device elsewhere if the NIC supports VLAN, or let a WAP connected by Ethernet in another part of the house broadcast SmartDNS traffic on a second SSID there.

So if I set things up similar to your description in (C), then what you are saying is that the tagging does the job; the 802.1q option that we removed is superfluous since the router adds the tags anyway (which I guess is what 802.1q is all about)?

The router adds a VLAN tag only if you add a "t" (for tagged) to the port number.

option ports '0t 2 3t'

If I understand correctly, you want to propagate both VLANs on a port and choose which VLAN to connect to. You can run some tests using port 3 (if it is free) after changing the router’s config to the one from option C. If you are using a Windows PC, check whether the NIC supports VLAN tagging.



If yes, connect the PC to port 3 and choose the VLAN ID you want to connect to.

