Guest Network client cannot find DHCP

Hello, folks!
I am trying to set up a guest network that will have multiple APs and one DHCP server. So far I am at the first step: setting up the first guest network.
I have my ISP router as a Gateway and a DHCP server for the LAN. It is connected LAN-LAN to my managed switch. To the switch I have connected LAN-LAN 2x TP-Link Archer C7 APs with tagged ports for VLAN 1 (LAN) and VLAN 3 (IOT - the "Guest" VLAN).
On AP 1 I want to run the DHCP server for the guest network, and I have set it up according to this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
The issue I am facing is that when I connect a client to the guest Wi-Fi, it does not get a local IP address from the DHCP server as it should. I have no such issue with the main network.
I would be thankful for any help or suggestions.
Here is the AP 1 config:

# /etc/config/network of AP 1 as first posted (tab-indented copy; the same file appears again in the full dump below).
package network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd3e:f70b:af81::/48'

# Management address of the AP on the main LAN; default route and DNS point at the ISP router (192.168.1.1).
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	# NOTE(review): this is the gateway address, not a broadcast address; for 192.168.1.2/24 the broadcast would be 192.168.1.255 — confirm it is intended.
	option broadcast '192.168.1.1'
	option delegate '0'
	option device 'br-lan'

# swconfig switch: ports 0 and 1 carry both VLANs tagged (presumably the CPU port and the trunk to the managed switch).
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (LAN): tagged on ports 0 and 1, untagged on ports 2-5.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1t 2 3 4 5'
	option description 'LAN'

# VLAN 3 (IOT), first definition: tagged on ports 0 and 1 only; no untagged access ports.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '3'
	option ports '0t 1t'
	option description 'IOT'

# LAN bridge over the VLAN 1 sub-interface.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option igmp_snooping '1'

# VLAN 3, second definition: the eth1.3 sub-interface bridged into br-iot (the bridge the IoT SSID joins).
config device 'iot_dev'
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth1.3'

# The guest/IoT network: 10.0.0.1/24 on br-iot, the address the guest DHCP server answers from.
config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

# VLAN 3, third definition: turns br-iot into a VLAN-filtering bridge with eth1.3 as its only (tagged) member.
# NOTE(review): a wireless interface attached to 'iot' joins br-iot without any bridge-vlan membership, so its frames may never be accepted on VLAN 3 — a plausible cause of the missing DHCP replies; confirm by removing this section.
config bridge-vlan
	option device 'br-iot'
	option vlan '3'
	list ports 'eth1.3:t*'
# /etc/config/firewall of AP 1 as first posted (repeated in the full dump below).
package firewall

# Global policy: traffic addressed to the AP itself is accepted; forwarding between zones is rejected unless a rule or forwarding section allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config include
	option path '/etc/firewall.user'

# Guest/IoT zone.
# NOTE(review): input 'ACCEPT' lets guest/IoT clients reach every service the AP itself listens on (SSH, web UI, DNS, ...).
# The usual guest pattern is input 'REJECT' plus the 'Allow IOT DHCP' and 'Allow IOT DNS' rules below; with ACCEPT those two rules have no effect.
# The zone's forward 'ACCEPT' covers traffic between interfaces of this zone only, not iot->lan.
config zone
	option input 'ACCEPT'
	option name 'iot'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

# Lets IoT clients reach the MQTT broker at 192.168.1.5:1883 on the LAN; with no iot->lan 'config forwarding' this rule is the only iot->lan path.
# NOTE(review): src_port '1883' also requires the client to send from source port 1883; MQTT clients normally use an ephemeral source port, so this rule probably never matches — dropping src_port is likely what is wanted.
config rule
	option dest 'lan'
	option proto 'tcp udp'
	option target 'ACCEPT'
	option src 'iot'
	option name 'MQTT'
	option src_port '1883'
	option dest_ip '192.168.1.5'
	option dest_port '1883'

# Accepts DHCP to the AP from the IoT zone; no 'proto' is given, so it matches both TCP and UDP (DHCP needs only UDP).
config rule
	option name 'Allow IOT DHCP'
	option src 'iot'
	option target 'ACCEPT'
	option dest_port '67-68'

# Accepts DNS queries to the AP from the IoT zone.
config rule
	option name 'Allow IOT DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

Thanks a bunch!

You have VLAN 3 defined three times in your configuration, using several different syntaxes. The correct way to define it depends on your OpenWrt version and on whether your device uses DSA or not. You need to clean that up first. Chances are you don't need to put your IoT VLAN 3 in a bridge at all (unless you are using the device's Wi-Fi for it, too).

You didn't show us your dhcp config file, either... did you set up a DHCP server for that network?

Hi! Sorry for the late reply. I'm not sure which part you mean is duplicated; I added the VLAN from the LuCI interface. As for DHCP, it is (or should be) enabled for the guest/IoT network.
Here is the full device config:

# /etc/config/dhcp: dnsmasq serves DNS for the AP and DHCPv4 only for the 'iot' network; the main LAN gets DHCP from the ISP router.
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Discards upstream answers that resolve to private addresses (DNS rebinding protection).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        # Answers DNS queries only from directly attached subnets.
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

# No DHCP on the main LAN: the ISP router is the DHCP server there.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

# No interface named 'wan' exists in the posted network config, so this section has no effect.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCPv4 pool for the guest/IoT network on br-iot: 150 addresses starting at offset 1 of 10.0.0.0/24, 12h leases.
# NOTE(review): start '1' places the AP's own address 10.0.0.1 at the head of the pool; start '2' or higher is cleaner.
# 'force' keeps this server active even if another DHCP server is detected on the interface.
config dhcp 'iot'
        option leasetime '12h'
        option limit '150'
        option interface 'iot'
        option start '1'
        option force '1'
        list ra_flags 'none'

# /etc/config/dropbear: SSH server on port 22 with password login (including root) enabled.
# NOTE(review): without 'option Interface' dropbear listens on every interface, including br-iot; combined with the iot firewall zone's input 'ACCEPT', guest/IoT clients can reach SSH at 10.0.0.1.
# Consider `option Interface 'lan'` and key-based login (PasswordAuth 'off').
package dropbear

config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port '22'

# /etc/config/firewall from the full dump (same content as the first post).
package firewall

# Global policy: traffic addressed to the AP itself is accepted; forwarding between zones is rejected unless a rule or forwarding section allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config include
        option path '/etc/firewall.user'

# Guest/IoT zone.
# NOTE(review): input 'ACCEPT' lets guest/IoT clients reach every service the AP itself listens on (SSH, web UI, DNS, ...).
# The usual guest pattern is input 'REJECT' plus the 'Allow IOT DHCP' and 'Allow IOT DNS' rules below; with ACCEPT those two rules have no effect.
# The zone's forward 'ACCEPT' covers traffic between interfaces of this zone only, not iot->lan.
config zone
        option input 'ACCEPT'
        option name 'iot'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'iot'

# Lets IoT clients reach the MQTT broker at 192.168.1.5:1883 on the LAN; with no iot->lan 'config forwarding' this rule is the only iot->lan path.
# NOTE(review): src_port '1883' also requires the client to send from source port 1883; MQTT clients normally use an ephemeral source port, so this rule probably never matches — dropping src_port is likely what is wanted.
config rule
        option dest 'lan'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option src 'iot'
        option name 'MQTT'
        option src_port '1883'
        option dest_ip '192.168.1.5'
        option dest_port '1883'

# Accepts DHCP to the AP from the IoT zone; no 'proto' is given, so it matches both TCP and UDP (DHCP needs only UDP).
config rule
        option name 'Allow IOT DHCP'
        option src 'iot'
        option target 'ACCEPT'
        option dest_port '67-68'

# Accepts DNS queries to the AP from the IoT zone.
config rule
        option name 'Allow IOT DNS'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'

# /etc/config/luci: stock LuCI settings (theme paths, session handling, apply/rollback timers); nothing here affects the guest network.
package luci

config core 'main'
        option lang 'auto'
        option mediaurlbase '/luci-static/bootstrap'
        option resourcebase '/luci-static/resources'

# Files LuCI preserves across a firmware flash.
config extern 'flash_keep'
        option uci '/etc/config/'
        option dropbear '/etc/dropbear/'
        option openvpn '/etc/openvpn/'
        option passwd '/etc/passwd'
        option opkg '/etc/opkg.conf'
        option firewall '/etc/firewall.user'
        option uploads '/lib/uci/upload/'

config internal 'languages'

# Web UI sessions are stored in /tmp and expire after 3600 s.
config internal 'sauth'
        option sessionpath '/tmp/luci-sessions'
        option sessiontime '3600'

config internal 'ccache'
        option enable '1'

config internal 'themes'
        option Bootstrap '/luci-static/bootstrap'

# Unconfirmed configuration changes are rolled back after 30 s.
config internal 'apply'
        option rollback '30'
        option holdoff '4'
        option timeout '5'
        option display '1.5'

config internal 'diag'
        option dns 'openwrt.org'
        option ping 'openwrt.org'
        option route 'openwrt.org'

# /etc/config/network from the full dump (same content as the first post).
package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd3e:f70b:af81::/48'

# Management address of the AP on the main LAN; default route and DNS point at the ISP router (192.168.1.1).
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        # NOTE(review): this is the gateway address, not a broadcast address; for 192.168.1.2/24 the broadcast would be 192.168.1.255 — confirm it is intended.
        option broadcast '192.168.1.1'
        option delegate '0'
        option device 'br-lan'

# swconfig switch: ports 0 and 1 carry both VLANs tagged (presumably the CPU port and the trunk to the managed switch).
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (LAN): tagged on ports 0 and 1, untagged on ports 2-5.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1t 2 3 4 5'
        option description 'LAN'

# VLAN 3 (IOT), first definition: tagged on ports 0 and 1 only; no untagged access ports.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '3'
        option ports '0t 1t'
        option description 'IOT'

# LAN bridge over the VLAN 1 sub-interface.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        option igmp_snooping '1'

# VLAN 3, second definition: the eth1.3 sub-interface bridged into br-iot (the bridge the IoT SSID joins).
config device 'iot_dev'
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth1.3'

# The guest/IoT network: 10.0.0.1/24 on br-iot, the address the guest DHCP server answers from.
config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

# VLAN 3, third definition: turns br-iot into a VLAN-filtering bridge with eth1.3 as its only (tagged) member.
# NOTE(review): a wireless interface attached to 'iot' joins br-iot without any bridge-vlan membership, so its frames may never be accepted on VLAN 3 — a plausible cause of the missing DHCP replies; confirm by removing this section.
config bridge-vlan
        option device 'br-iot'
        option vlan '3'
        list ports 'eth1.3:t*'

# /etc/config/rpcd: the ubus RPC daemon behind LuCI. The login entry grants root unrestricted read/write ubus access; '$p$root' defers to the system password of user root.
package rpcd

config rpcd
        option timeout '30'
        option socket '/var/run/ubus/ubus.sock'

config login
        option username 'root'
        option password '$p$root'
        list read '*'
        list write '*'

# /etc/config/system: hostname, timezone and logging of this AP ('SecondFloor').
# log_proto is udp but no log_ip is set, so logs stay in the local 64 KiB ring buffer; ttylogin '0' means no login prompt on the serial console.
package system

config system
        option ttylogin '0'
        option log_size '64'
        option urandom_seed '0'
        option zonename 'Europe/Sofia'
        option hostname 'SecondFloor'
        option log_proto 'udp'
        option conloglevel '8'
        option cronloglevel '5'
        option timezone 'EET-2EEST,M3.5.0/3,M10.5.0/4'

# Stock NTP pool servers.
config timeserver 'ntp'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'

# /etc/config/ubootenv is empty; /etc/config/ucitrack only maps config packages to the init scripts to restart on change (stock content, unrelated to the DHCP problem).
package ubootenv

package ucitrack

config network
        option init 'network'
        list affects 'dhcp'
        list affects 'radvd'

config wireless
        list affects 'network'

config firewall
        option init 'firewall'
        list affects 'luci-splash'
        list affects 'qos'
        list affects 'miniupnpd'

config olsr
        option init 'olsrd'

config dhcp
        option init 'dnsmasq'
        list affects 'odhcpd'

config odhcpd
        option init 'odhcpd'

config dropbear
        option init 'dropbear'

config httpd
        option init 'httpd'

config fstab
        option exec '/sbin/block mount'

config qos
        option init 'qos'

config system
        option init 'led'
        option exec '/etc/init.d/log reload'
        list affects 'luci_statistics'
        list affects 'dhcp'

config luci_splash
        option init 'luci_splash'

config upnpd
        option init 'miniupnpd'

config ntpclient
        option init 'ntpclient'

config samba
        option init 'samba'

config tinyproxy
        option init 'tinyproxy'

# /etc/config/uhttpd: the web server that serves LuCI.
# NOTE(review): it listens on 0.0.0.0 and [::], so LuCI is reachable on br-iot (10.0.0.1) as well; with the iot firewall zone's input 'ACCEPT', guest/IoT clients can reach the web UI.
# Binding to the LAN address (e.g. `list listen_https '192.168.1.2:443'`) or setting the iot zone's input to REJECT closes this.
package uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        # Plain HTTP is redirected to HTTPS.
        option redirect_https '1'
        option home '/www'
        # Rejects requests for RFC1918 addresses that arrive from non-private source addresses.
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

# Parameters for the self-signed certificate generated on first boot (RSA-2048, 730 days).
config cert 'defaults'
        option days '730'
        option key_type 'rsa'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'

# /etc/config/wireless: both radios carry the main 'WiFi' SSID on the lan network; the 'WiFi-iot' SSID on radio1 is attached to the iot network.
# NOTE(review): the keys shown ('wifipass', 'iotpass') look like placeholders — confirm they were redacted before posting.
package wireless

# 5 GHz radio.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option channel 'auto'
        option cell_density '0'

# Main SSID on 5 GHz, WPA2-PSK with 802.11r fast transition (FT keys derived locally, FT over DS).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'wifipass'
        option ssid 'WiFi'
        option encryption 'psk2'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ieee80211r '1'

# 2.4 GHz radio.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option htmode 'HT40'
        option channel 'auto'
        option path 'platform/ahb/18100000.wmac'
        option cell_density '0'

# Main SSID on 2.4 GHz, same settings as on radio0.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'wifipass'
        option ssid 'WiFi'
        option encryption 'psk2'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ieee80211r '1'

# Guest/IoT SSID, 2.4 GHz only. It joins br-iot, which the posted network config turns into a VLAN-filtering bridge (bridge-vlan) with eth1.3 as its only member — a plausible reason clients never get a lease; confirm.
# NOTE(review): no `option isolate '1'`, so clients on this SSID can talk to each other; client isolation is usually enabled on guest SSIDs.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'WiFi-iot'
        option encryption 'psk2'
        option key 'iotpass'
        option network 'iot'

Thank you for the time!

Any ideas?

A few remarks.

  1. The guide you are using is not applicable in this case. Either you add a guest VLAN to the trunk along with IoT and propagate it to the managed switch and the other AP, or you follow the guide to create a guest SSID on a dumb AP.

  2. This is wrong, delete it.
3. IOT zone accepts everything on INPUT, are you sure you want it like this?
4. MQTT rule has src and dst ports 1883. Are you sure this is correct?
