Guest LAN not receiving IP from DHCP

Greetings,
I have set up a guest LAN.
Running OpenWrt 21.02.2 on Netgear R7800.
I created a traffic rule for guests: DNS and DHCP.

I created the interface

I created VLAN 4.
I created the firewall zone for the guests (gueststzone)

I chose Input reject to prevent the guests from reaching the LAN (but even trying accept did not solve my problem).

When trying to connect any device to my guest network, the device tries to get an IP from DHCP but waits forever, doesn't get the IP and eventually falls back to the LAN wifi.

Can someone help me understand what I am doing wrong?
If you need more screenshots or logs, let me know.

Thanks

Did you enable DHCP on the interface?


Yes:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Start with the default configuration (just copy on the guest network what you have on the LAN). See that you can get an IP address and reach the internet.

Then try to reach the LAN from the guest network (you probably won't be able to), and check that forwarding from guest to LAN is disabled.

  • Try udp/67 (DHCPv4 request from client)
  • Try one port per rule

That configuration looks correct. A DHCP server built on a new interface won't start up from the usual "restarting network". Either go to the Startup page and restart dnsmasq, or reboot.

Actually I did.
I have even upgraded with new firmware preserving configuration... same issue.

I have tried in the past to separate DHCP from DNS and therefore created 2 rules for Guest. It did not make a difference.

Please post your config so we can see the whole picture (in text form) - we will probably be able to spot what is wrong.


OK, here it is:
NETWORK:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.21.254'
        list dns '192.168.21.60'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.300'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'LAN'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5t'
        option vid '300'
        option description 'WAN-Internet-IPTV'

config device
        option name 'eth0.300'
        option type '8021q'
        option ifname 'eth0'
        option vid '300'

config interface 'PIA_VPN'
        option proto 'none'
        option device 'tun0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '3'
        option description 'IoT'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '4'
        option description 'Guest'
        option ports '4t 6t'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.40.40'
        option netmask '255.255.255.0'
        option type 'bridge'
        option device 'eth1.4'

Wireless (don't mind the IoT; I chose network lan to make sure my IoT would have internet access. Eventually they have the same issue as guests ... about receiving a DHCP lease)

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option cell_density '0'
        option htmode 'VHT40'
        option country 'NL'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'mystrongpassword'
        option ssid '-={ ChronoS }=-'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '210f'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'
        option cell_density '0'
        option channel 'auto'
        option country 'NL'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'mystrongpassword'
        option ssid '-={ ChronoS }=-'
        option ieee80211r '1'
        option mobility_domain '21f0'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option dtim_period '3'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid '[ - Smart-Y - ]'
        option encryption 'psk2'
        option key 'mystrongpassword'
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key 'mystrongpassword'
        option network 'GUEST'
        option ssid 'GUESTS'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUESTS'
        option encryption 'psk2'
        option network 'GUEST'
        option key 'mystrongpassword'

DHCP

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        list dhcp_option '6,192.168.21.60'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'IPTV'
        option dns '1'
        option mac 'the:mac:address'
        option ip '192.168.21.124'

config host
        option name 'Galaxy-Tab-S3'
        option ip '192.168.21.248'
        option mac 'the:mac:address'

config host
        option name 'cassandra-lap'
        option ip '192.168.21.222'
        option mac 'the:mac:address'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config host
        option name 'MasterPH'
        option ip '192.168.21.129'
        option mac 'the:mac:address'

config host
        option name 'devolo-608-store-room'
        option ip '192.168.21.210'
        option mac 'the:mac:address'

config host
        option name 'devolo-518-sotto'
        option ip '192.168.21.121'
        option mac 'the:mac:address'

config host
        option name 'devolo-801'
        option mac 'the:mac:address'
        option ip '192.168.21.131'

config host
        option mac 'the:mac:address'
        option name 'devolo-329-WIFI'
        option dns '1'
        option ip '192.168.21.240'

config host
        option name 'DautherShip-1'
        option dns '1'
        option mac 'the:mac:address'
        option ip '192.168.21.250'

config host
        option name 'MasterPH'
        option mac 'the:mac:address'
        option ip '192.168.21.111'

config host
        option mac 'the:mac:address'
        option name 'Federico-GSM'
        option dns '1'
        option ip '192.168.21.112'

config host
        option name 'Caput-mundi-wired'
        option dns '1'
        option mac 'the:mac:address'
        option ip '192.168.21.171'
        option leasetime '0'

config host
        option name 'Lenovo-wifi'
        option dns '1'
        option mac 'the:mac:address'
        option ip '192.168.21.236'
        option leasetime '0'

config host
        option name 'nextcloudpi'
        option mac 'the:mac:address'
        option ip '192.168.21.138'

config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

Firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'PIA_VPN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'nextcloud 80'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.21.138'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option name 'nextcloud 443'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '192.168.21.138'
        option dest_port '443'

config zone
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'GuestZone'
        list network 'GUEST'
        option input 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'
        option name 'IoTZone'

config forwarding
        option dest 'wan'
        option src 'GuestZone'

config rule
        option name 'Guest DHCP and DNS'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option src 'GuestZone'

config rule
        option src '*'
        option dest 'wan'
        option extra '--kerneltz'
        option proto '0'
        option target 'REJECT'
        option weekdays ' mon tue wed thu fri'
        option src_mac 'mac:address'
        option start_time '20:30'
        option stop_time '8:30'
        option name 'Tablet-week'
        option enabled '0'
        option ac_enabled '0'

config rule
        option src '*'
        option dest 'wan'
        option extra '--kerneltz'
        option proto '0'
        option target 'REJECT'
        option weekdays ' sat sun'
        option name 'tablet-W-E'
        option src_mac 'mac:address'
        option start_time '10:00'
        option stop_time '16:00'
        option enabled '0'
        option ac_enabled '0'

config rule
        option src '*'
        option dest 'wan'
        option extra '--kerneltz'
        option proto '0'
        option target 'REJECT'
        option weekdays ' sat sun'
        option name 'tablet-W-E'
        option src_mac 'mac:address'
        option start_time '18:00'
        option stop_time '07:00'
        option enabled '0'
        option ac_enabled '0'

config rule
        option src '*'
        option dest 'wan'
        option extra '--kerneltz'
        option proto '0'
        option target 'REJECT'
        option name 'tablet'
        option src_mac 'mac:address'
        option start_time '00:00'
        option stop_time '23:59'
        option enabled '0'
        option ac_enabled '0'

config rule
        option src '*'
        option dest 'wan'
        option extra '--kerneltz'
        option proto '0'
        option target 'REJECT'
        option weekdays ' mon tue wed thu fri'
        option name 'Fede-laptop'
        option src_mac 'mac:address'
        option start_time '20:00'
        option stop_time '8:30'
        option enabled '0'
        option ac_enabled '0'

config forwarding
        option dest 'wan'
        option src 'IoTZone'

config rule
        option name 'IoT  DHCP and DNS'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option src 'IoTZone'

config redirect
        option target 'DNAT'
        option name 'aMule TCP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '4662'
        option dest 'lan'
        option dest_port '4662'
        option dest_ip '192.168.21.171'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'aMule UDP-1'
        list proto 'udp'
        option src 'wan'
        option dest 'lan'
        option src_dport '4665'
        option dest_port '4665'
        option dest_ip '192.168.21.171'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'aMule UDP-2'
        list proto 'udp'
        option src 'wan'
        option src_dport '4672'
        option dest 'lan'
        option dest_port '4672'
        option dest_ip '192.168.21.171'
        option enabled '0'

Sorry, it took me a while to put things together and mask sensitive info. I hope I did the right job doing so!

OpenWrt is case sensitive. This needs to be in all caps to match your network configuration (or alternatively, make it lower case everywhere):

        option interface 'GUEST'
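A script that catches exactly this kind of dangling reference, added here as an example and not taken from the thread or from OpenWrt itself: it parses /etc/config/network and /etc/config/dhcp with awk (file paths are arguments; the sample files it writes are constructed to mirror the config above) and flags any DHCP pool whose interface name has no exact match in the network config, telling a case mismatch apart from an interface that does not exist at all.

```shell
#!/bin/sh
# Added example, not from the thread or OpenWrt: cross-check /etc/config/dhcp
# against /etc/config/network. Each 'config dhcp' section's 'option interface'
# must name an existing 'config interface' section EXACTLY (UCI names are case
# sensitive); 'guest' vs 'GUEST' silently leaves that subnet without a pool.
# On the router: check_dhcp_interfaces /etc/config/network /etc/config/dhcp
# Exit status 0 = every pool resolves, 1 = at least one dangling reference.

# Names of all 'config interface' sections (the quote character is the field separator).
list_interfaces() {
    awk -F"'" '$1 ~ /^config[ \t]+interface[ \t]*$/ { print $2 }' "$1"
}

# "<dhcp section> <interface>" pairs for every named 'config dhcp' section.
list_dhcp_refs() {
    awk -F"'" '
        $1 ~ /^config[ \t]+/ { sect = ($1 ~ /^config[ \t]+dhcp[ \t]*$/) ? $2 : "" }
        sect != "" && $1 ~ /^[ \t]*option[ \t]+interface[ \t]*$/ { print sect, $2 }
    ' "$1"
}

check_dhcp_interfaces() {
    ifaces=$(list_interfaces "$1")
    rc=0
    # The heredoc (not a pipe) keeps the loop in the current shell so rc survives.
    while read -r sect ref; do
        [ -n "$sect" ] || continue
        if printf '%s\n' "$ifaces" | grep -qxF -- "$ref"; then
            echo "ok:      dhcp '$sect' -> interface '$ref'"
        elif hit=$(printf '%s\n' "$ifaces" | grep -ixF -- "$ref"); then
            echo "CASE:    dhcp '$sect' refers to '$ref' but network defines '$hit'"
            rc=1
        else
            echo "MISSING: dhcp '$sect' refers to '$ref', which no 'config interface' defines"
            rc=1
        fi
    done <<EOF
$(list_dhcp_refs "$2")
EOF
    return $rc
}

# Constructed sample files mirroring the thread (lowercase 'guest' pool, 'IOT' pool
# with no interface at all), written into the directory given as $1.
write_samples() {
    cat > "$1/network" <<'EOF'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
config interface 'GUEST'
        option proto 'static'
        option device 'eth1.4'
EOF
    cat > "$1/dhcp" <<'EOF'
config dhcp 'lan'
        option interface 'lan'
config dhcp 'guest'
        option interface 'guest'
config dhcp 'IOT'
        option interface 'IOT'
EOF
}
```

On the sample files the check reports the 'guest' pool as a case mismatch against 'GUEST' and the 'IOT' pool as missing, and exits 1; once the names agree it exits 0.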

I made the correction but the guest network still does not give an IP. (I am testing the wifi connection.)

Why was the option interface 'guest' in lower case?
I used LuCI (web interface) for all the configuration.
Additional info:
Even before the change to upper case, when trying to connect to the guest wifi network, I can see under /network/wireless associated stations that the association did seem to happen:


But then it fails...

I tested again to be sure: no difference.

PS
If you look at the attempted association, you notice the MAC address and again a MAC address (I assume it is the IPv6 version), no IP at all. Strange sort of association.

Have you tried hardwired? Remove port 4 from the LAN and then set port 4 as untagged VLAN 4 (your guest network). Then plug in a device and see if it gets an IP in the correct subnet.

No, I have not tried. Something I can't do tonight as the router is in an odd place in the house.
Would it make a difference?
Wouldn't it be the same issue, as the wifi would follow the same configuration as the wired (and vice versa)?

Yes, in theory. But given that things aren't working that way, I'd recommend testing explicitly on port 4.

but while we are at it -- what is downstream of port 4 right now? Assuming it is a managed switch, you could just configure one of the ports on that managed switch as an access port for VLAN 4 (i.e. untagged VLAN 4, no tagged networks).

If you have an unmanaged/dumb switch or something that is not VLAN aware, unplug it and see if that resolves the issue (unmanaged switches should never be tasked with handling tagged networks).

There is also another approach you could try... not sure if it will make the difference here, but could be worth trying:

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth1.4'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.40.40'
        option netmask '255.255.255.0'
        option device 'br-guest'