Hi everyone,
I've got pretty far with this setup, but have only one thing now not working: DHCP. I'm sure it's something obvious, but I'm too far from my comfort zone to find it 
I'm running an x86 OpenWRT box as the "heavy-lifting" main router and have an additional FritzBOX connected as my wireless dump-ap. I'm using tagged VLANs to connect my 3 networks:
- Trusted LAN
- Guest
- IoT gadgets
I can connect to Guest and IoT with a static ip address and all is fine. The problem is just that DHCP isn't bridging to dnsmasq on the router.
Router
/etc/config/network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option stp '1'
list ports 'eth1.10'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
list ports 'eth5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
option ipv6 '0'
option delegate '0'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option ipv6 '0'
option peerdns '0'
list dns '1.1.1.1'
list dns '8.8.8.8'
config device
option name 'eth1.10'
option type '8021q'
option ifname 'eth1'
option vid '10'
config device
option name 'eth1.20'
option type '8021q'
option ifname 'eth1'
option vid '20'
config device
option name 'eth1.30'
option type '8021q'
option ifname 'eth1'
option vid '30'
config interface 'guest'
option device 'br-guest'
option proto 'static'
option ipaddr '192.168.77.1'
option netmask '255.255.255.0'
config interface 'iot'
option device 'br-iot'
option proto 'static'
option ipaddr '192.168.55.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-guest'
list ports 'eth1.20'
config device
option type 'bridge'
option name 'br-iot'
/etc/config/dhcp:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '10000'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option localuse '0'
list notinterface 'lan'
list interface 'guest'
list interface 'iot'
option noresolv '1'
list server '1.1.1.1'
list server '1.0.0.1'
list server '8.8.8.8'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
option dynamicdhcp '0'
list dhcp_option '6,192.168.99.1'
option netmask '255.255.255.0'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
/etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '0'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun+'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone 'guest'
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
list proto 'tcp'
list proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Block Guest to Private Networks'
option src 'guest'
option dest 'lan'
option dest_ip '192.168.0.0/16'
option target 'REJECT'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Homebridge'
list proto 'tcp'
option src 'wan'
option src_dport '51702'
option dest_ip '192.168.99.100'
option dest_port '51702'
option limit '60/minute'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Transmission'
option src 'wan'
option src_dport '51413'
option dest_ip '192.168.99.100'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Plex'
option src 'wan'
option src_dport '32400'
option dest_ip '192.168.99.100'
option dest_port '32400'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'tubby.ovh:80'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.99.100'
option dest_port '8080'
option limit '60/minute'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'tubby.ovh:443'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.99.100'
option dest_port '8443'
option limit '60/minute'
option enabled '0'
config zone
option name 'tailscale'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'tailscale'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'tailscale'
config zone
option name 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config forwarding
option src 'iot'
option dest 'wan'
config rule
option name 'Allow-DHCP-IoT'
option src 'iot'
option dest_port '67'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DNS-IoT'
option src 'iot'
option dest_port '53'
list proto 'tcp'
list proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config forwarding
option src 'lan'
option dest 'iot'
config rule
option name 'Block-IoT-to-Private-Nets'
option src 'iot'
option dest_ip '192.168.0.0/16'
option target 'REJECT'
option family 'ipv4'
Access Point
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1.10'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.99.2'
option netmask '255.255.255.0'
option gateway '192.168.99.1'
option dns '192.168.99.1'
option ipv6 '0'
option delegate '0'
config device
option type '8021q'
option ifname 'lan1'
option vid '10'
option name 'lan1.10'
config device
option type '8021q'
option ifname 'lan1'
option vid '20'
option name 'lan1.20'
config device
option type '8021q'
option ifname 'lan1'
option vid '30'
option name 'lan1.30'
config interface 'guest'
option proto 'none'
option device 'lan1.20'
config interface 'iot'
option proto 'none'
option device 'lan1.30'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
list interface 'loopback'
option localservice '1'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option channel '11'
option band '2g'
option cell_density '0'
option country 'GB'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid '<foo>'
option encryption 'psk2'
option key '<foo>'
option disassoc_low_ack '0'
option ap_max_inactivity '600'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option channel 'auto'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option country '<foo>'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid '<foo>'
option encryption 'psk2'
option key '<foo>'
option disassoc_low_ack '0'
option ap_max_inactivity '600'
config wifi-iface 'guest'
option device 'radio0'
option mode 'ap'
option network 'guest'
option ssid '<foo>'
option encryption 'psk2'
option key '<foo>'
option disassoc_low_ack '0'
option isolate '1'
config wifi-iface 'iot'
option device 'radio0'
option mode 'ap'
option network 'iot'
option ssid '<foo>'
option encryption 'psk2'
option key '<foo>'
option disassoc_low_ack '0'
option isolate '1'
Hope someone can help
Also as an aside, I'd also like to bridge the ports on the FritzBOX to LAN for convenience (the router is much less accessible). I believe I can use:
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1.10'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
Can anyone confirm?