Guest SSID VLAN cannot see DHCP

I have a BT Home Hub 5A with the 'uplink' connected to a dumb ProCurve switch, and a VLAN interface with DHCP on a pfSense box. The VLAN on pfSense is set to 5 on the LAN interface.

I want to create a guest SSID, so I created a bridged guest interface to eth0.5 (VLAN 5 in pfSense) and the guest wifi SSID. I also created the VLAN in the switch configuration page of OpenWrt, and tagged the uplink and CPU ports as VLAN 5. The OpenWrt guest interface has a static IP in the correct range for the pfSense interface. I've also set the gateway to the pfSense interface IP.

I've also created an allow any/any rule in pfsense, and disabled the firewall service from startup on openwrt.

However, when I connect to the guest wifi SSID I don't get an IP address. I've followed numerous threads and my configuration appears to match all of the solutions. I'm really stumped.

Does anyone have any ideas what else I can check? I can't find any settings I haven't tried!

Thank you in advance for any help!

Please post here the following:
uci export network; uci export dhcp; uci export wireless; uci export firewall

Thanks @trendy

Here's the output:

# OpenWrt 'network' package as first posted (output of `uci export network`).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:a177:33c4::/48'

config dsl 'dsl'
        option tone 'av'
        option xfer_mode 'ptm'
        option annex 'b'
        option ds_snr_offset '0'

# Management/LAN side: a bridge over eth0.1 that obtains its own address by DHCP,
# i.e. this box is acting as an access point here rather than as the router.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'
        option hostname 'AP2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '84:a4:23:07:1a:8c'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '84:a4:23:07:1a:8d'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: switch ports 0,1,2,4,5 untagged, port 6 tagged (the CPU port, per the
# original post's "tagged the uplink and cpu ports" wording).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4 5 6t'

# Guest bridge over eth0.5 with a static address inside the pfSense VLAN-5 subnet.
# 'gateway' adds a default route on this box; 'lan' is proto dhcp and presumably
# learns one as well, so the AP itself would carry two default routes. That affects
# the AP's own traffic, not whether guest clients receive DHCP offers through the
# bridge (the reply below removes it anyway).
config interface 'GUEST'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.20.1.12'
        option netmask '255.255.255.0'
        option gateway '10.20.1.1'
        option ifname 'eth0.5'

# VLAN 5 is carried tagged on switch port 4 and the CPU port only. The physical
# uplink cable must therefore be in whatever socket maps to switch port 4; the
# thread later notes that LuCI's "LAN1" label and the wiki switch diagram do not
# agree, so confirm that mapping before blaming the rest of the path.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '5'
        option ports '4t 6t'

package dhcp

# dnsmasq instance. 'rebind_protection' rejects upstream answers that point at
# private ranges and 'localservice' limits DNS service to directly attached subnets.
config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

# DHCP pool for 'lan'. 'lan' is proto dhcp in the network package; OpenWrt's dnsmasq
# init normally only enables DHCPv4 on static interfaces, so this is presumably
# inert on an AP - confirm no second DHCPv4 server is answering on the LAN.
# NOTE(review): 'ra server' / 'dhcpv6 server' could still make this box announce
# itself as an IPv6 router on the LAN; verify odhcpd does not emit RAs here and
# set both to 'disabled' if it does.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# No entry for 'GUEST' yet: pfSense is meant to be the only DHCP server on VLAN 5,
# and the reply below adds an explicit ignored entry to make that intent visible.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package wireless

# 5 GHz radio, fixed channel 44, 80 MHz wide, GB regulatory domain.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option country 'GB'
        option legacy_rates '1'
        option channel '44'

# Main 5 GHz SSID, bridged into 'lan'. 'psk-mixed' still admits WPA1/TKIP clients;
# 'psk2' (as used on 'Soundwell' below) is the stronger choice if no legacy client
# needs it. Group key is rotated daily and on station departure.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wpa_group_rekey '86400'
        option wpa_strict_rekey '1'
        option key 'REDACTED'
        option ssid 'Fritz_5G'

# 2.4 GHz radio, fixed channel 13.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option country 'GB'
        option legacy_rates '1'
        option channel '13'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wpa_group_rekey '86400'
        option wpa_strict_rekey '1'
        option ssid 'Fritz'
        option key 'REDACTED'
        option disassoc_low_ack '0'

# Unnamed section (no 'wifinetN' label); also bridged into 'lan'.
config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'Soundwell'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'lan'
        option disassoc_low_ack '0'

# Guest SSID, correctly attached to the 'GUEST' network (bridged to eth0.5).
# Two things a guest network usually wants that are absent here: 'option isolate 1'
# so guest clients cannot reach each other across the bridge, and 'psk2' rather
# than 'psk-mixed' so TKIP is not negotiable by guests.
config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'BH Guest LV'
        option key 'REDACTED'
        option encryption 'psk-mixed'
        option network 'GUEST'

package firewall

# Per the original post the firewall service is disabled at boot, so nothing in
# this package is active; guest/LAN separation therefore rests entirely on pfSense,
# where the poster says the VLAN-5 rule is allow any/any. The 'forward ACCEPT'
# default below is also looser than OpenWrt's stock 'REJECT'.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# 'Guest_VLAN' is not a network defined in the network package (the guest
# interface is named 'GUEST'), so this zone effectively covers only 'lan'.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Guest_VLAN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# 'guest_interface' is not a defined network either, so this zone is attached to
# nothing. Note also that it is all-ACCEPT, the same as 'lan': even with the
# firewall enabled there would be no guest/LAN separation on this box.
config zone
        option name 'GUEST'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'guest_interface'

Remove the gateway from the GUEST interface. You could also remove the IP and mask; there is no need for an IP on the guest interface.

Add a disabled dhcp entry for guest:

# Tell dnsmasq explicitly not to serve DHCP on GUEST: pfSense on VLAN 5 should be
# the only DHCP server that answers guest clients.
config dhcp 'guest'
        option interface 'GUEST'
        option ignore '1'

You have not created the guest zone properly:

# Quoted from the posted config: 'guest_interface' is not a network defined in
# the network package, so this zone is not attached to any interface.
config zone
        option name 'GUEST'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'guest_interface'

Here the network is non-existent.

and here too:

# Quoted from the posted config: 'Guest_VLAN' does not exist either - the only
# network names defined are 'lan' and 'GUEST'.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Guest_VLAN'

Also, I am sure you don't want to assign lan and guest to the same zone.

Thanks for the reply @trendy!
I've removed the gateway and tried setting the guest interface to DHCP, but I still get the same result. I've also tried with no IP or mask set at all on the interface.

I've added a disabled DHCP server on the interface :white_check_mark:

I'm not sure what else I need to add here:


# Revised zones entered via LuCI. 'lan' now lists only the real 'lan' network.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# 'guest_int' is still not the name of a defined network; the network package
# defines the guest interface as 'GUEST', so that is the name this zone should
# reference. With both zones all-ACCEPT and no forwarding rule between them, the
# split is only cosmetic on this box anyway.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'guest_int'
        option forward 'ACCEPT'

I'm using the web UI to make these configuration changes at the moment, but am starting to get familiar with the openwrt config files now so more than happy to try any suggestions you have :slight_smile:

At the moment, the issue persists.

Edit: Do these 'config zone' sections apply if I've disabled the firewall service from startup?

Thanks again!

Post the same configs as they are now, after your latest changes, and I'll guide you through LuCI (the web GUI).

No, nothing from the firewall section applies if you have disabled the firewall at startup.

Here's the current config following those changes I made:

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:a177:33c4::/48'

config dsl 'dsl'
        option tone 'av'
        option xfer_mode 'ptm'
        option annex 'b'
        option ds_snr_offset '0'

# Management/LAN bridge over eth0.1; the AP takes its own address by DHCP.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'
        option hostname 'AP2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '84:a4:23:07:1a:8c'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '84:a4:23:07:1a:8d'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 0,1,2,4,5 untagged, CPU port 6 tagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4 5 6t'

# Guest bridge, now a DHCP client itself (static IP and gateway removed). Whether
# the AP gets a lease from pfSense here is a useful diagnostic: later in the thread
# it does not, which points at the VLAN-5 path rather than the wifi side. The
# thread then moves this to proto 'none' (LuCI "unmanaged").
config interface 'GUEST'
        option type 'bridge'
        option ifname 'eth0.5'
        option proto 'dhcp'
        option hostname 'ap2guest'

# VLAN 5 tagged on switch port 4 and the CPU port only - the uplink must be on
# the socket that maps to switch port 4 (see the port-numbering discussion below).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '5'
        option ports '4t 6t'

package dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

# Pool for 'lan' (proto dhcp in the network package, so presumably not served by
# dnsmasq on this AP). NOTE(review): 'ra server'/'dhcpv6 server' may still cause
# router advertisements on the LAN - verify, and disable if this box is not the
# IPv6 router.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Added per the advice above: dnsmasq must not answer on GUEST; pfSense on VLAN 5
# is the intended DHCP server.
config dhcp 'GUEST'
        option interface 'GUEST'
        option ignore '1'

package wireless

# 5 GHz radio, channel 44, VHT80, GB regulatory domain.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option country 'GB'
        option legacy_rates '1'
        option channel '44'

# Main 5 GHz SSID on 'lan'. 'psk-mixed' still admits WPA1/TKIP clients.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wpa_group_rekey '86400'
        option wpa_strict_rekey '1'
        option key 'REDACTED'
        option ssid 'Fritz_5G'

# 2.4 GHz radio, channel 13, HT20.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option country 'GB'
        option legacy_rates '1'
        option channel '13'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk-mixed'
        option wpa_group_rekey '86400'
        option wpa_strict_rekey '1'
        option ssid 'Fritz'
        option key 'REDACTED'
        option disassoc_low_ack '0'

# The previously unnamed sections now carry LuCI-assigned names (wifinet0/1).
config wifi-iface 'wifinet0'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Soundwell'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'lan'
        option disassoc_low_ack '0'

# Guest SSID on 'GUEST' (bridged to eth0.5) - appears later as wlan1-2 in the
# brctl output. Still no 'option isolate 1' and still 'psk-mixed'; 'psk2' plus
# client isolation is the usual baseline for a guest network.
config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'BH Guest LV'
        option key 'REDACTED'
        option encryption 'psk-mixed'
        option network 'GUEST'

package firewall

# Still inactive (firewall service disabled at boot, as the poster confirms
# below), so none of this affects the DHCP problem. It is worth tidying before the
# service is ever re-enabled, because several changes here loosened it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# 'Guest_VLAN' is still not a defined network; only 'lan' exists under that name.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Guest_VLAN'

# Now attached to the real 'GUEST' network ('guest_interface' remains a dangling
# name and can be dropped). All-ACCEPT like 'lan', so no separation on this box.
config zone
        option name 'GUEST'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'guest_interface GUEST'

# 'input' and 'forward' on the wan zone changed from REJECT to ACCEPT since the
# first post. This zone covers dsl0 ('wan'/'wan6'); if the DSL link were ever
# brought up with the firewall enabled, the box would accept and forward anything
# from it. Restore both to 'REJECT'.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# The two rules below accept all traffic from GUEST to every zone and from every
# zone into GUEST. They were added "just in case" for the DHCP issue, but DHCP is
# bridged at layer 2 here and never passes through these forwarding rules, so they
# do not help with it; if the firewall is enabled later they simply remove any
# guest/LAN boundary on the AP. The pfSense rule set is the place for that policy.
config rule
        option dest '*'
        option src 'GUEST'
        option name 'vvlan5'
        option target 'ACCEPT'

config rule
        option dest 'GUEST'
        option src '*'
        option name 'vlan52'
        option target 'ACCEPT'

I just double-checked and the firewall doesn't start on boot, so hopefully those ALLOW/ALLOW rules don't apply. I created them anyway, just in case.

Thanks so much!

The configuration looks correct, although I believe it is best not to put an IP on the GUEST interface. Switch the protocol from dhcp to none.
Verify that you are using port 1 on the box as uplink, as per switch diagram.
Then connect one client to the guest wifi and monitor the traffic with: tcpdump -i br-GUEST -vn

As far as I can see I can set the interface to unmanaged or to a static IP (but then not actually supply an IP) - I don't see an option for none. Am I in the right place?

I am using port 1 on the box, verified by unplugging other devices and checking the port status under Network > Switch. The numbering in LuCI and on that wiki you linked doesn't match up though. I'm connected to the physical port labelled '1', which matches up with LAN1 in the UI.

This is the output from logging with tcpdump while connecting to the SSID. The client stays on 'obtaining an IP address'.

16:00:11.636786 EAPOL key (3) v1, len 117
16:00:11.655781 EAPOL key (3) v1, len 95
16:00:11.657877 c4:9f:4c:2b:87:b3 > ff:ff:ff:ff:ff:ff Null Unnumbered, xid, Flags [Response], length 6: 01 00
16:00:14.810066 EAPOL key (3) v1, len 117
16:00:14.853772 EAPOL key (3) v1, len 95
16:00:14.855663 c4:9f:4c:2b:87:b3 > ff:ff:ff:ff:ff:ff Null Unnumbered, xid, Flags [Response], length 6: 01 00
16:00:14.995935 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) :: > ff02::1:ff2b:87b3: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has fe80::c69f:4cff:fe2b:87b3
16:00:14.996200 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:15.151249 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0x7ec511ee, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:15.317508 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:15.992530 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::c69f:4cff:fe2b:87b3 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:15.992810 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::c69f:4cff:fe2b:87b3 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): c4:9f:4c:2b:87:b3
16:00:16.404510 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::c69f:4cff:fe2b:87b3 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:16.444440 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0x7ec511ee, secs 1, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:18.626696 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0x7ec511ee, secs 3, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:20.436536 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::c69f:4cff:fe2b:87b3 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): c4:9f:4c:2b:87:b3
16:00:23.628575 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0x7ec511ee, secs 8, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:29.405154 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::c69f:4cff:fe2b:87b3 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): c4:9f:4c:2b:87:b3
16:00:31.170320 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0x7ec511ee, secs 16, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:45.914007 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0x7ec511ee, secs 30, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:49.114262 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::c69f:4cff:fe2b:87b3 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): c4:9f:4c:2b:87:b3
16:00:53.555131 EAPOL key (3) v1, len 117
16:00:53.564471 EAPOL key (3) v1, len 95
16:00:53.566594 c4:9f:4c:2b:87:b3 > ff:ff:ff:ff:ff:ff Null Unnumbered, xid, Flags [Response], length 6: 01 00
16:00:53.666578 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) :: > ff02::1:ff2b:87b3: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has fe80::c69f:4cff:fe2b:87b3
16:00:53.672140 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:53.864909 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0xcc207cf3, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:54.333692 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:54.676380 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::c69f:4cff:fe2b:87b3 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:54.676695 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::c69f:4cff:fe2b:87b3 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): c4:9f:4c:2b:87:b3
16:00:54.777636 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0xcc207cf3, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option
16:00:55.669133 IP6 (hlim 1, next-header Options (0) payload length: 36) fe80::c69f:4cff:fe2b:87b3 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff2b:87b3 to_ex, 0 source(s)]
16:00:59.093175 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::c69f:4cff:fe2b:87b3 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): c4:9f:4c:2b:87:b3
16:00:59.719015 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 344)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:9f:4c:2b:87:b3, length 316, xid 0xcc207cf3, secs 5, Flags [none]
	  Client-Ethernet-Address c4:9f:4c:2b:87:b3
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Discover
	    Client-ID Option 61, length 7: ether c4:9f:4c:2b:87:b3
	    MSZ Option 57, length 2: 1500
	    Vendor-Class Option 60, length 18: "HUAWEI:android:CLT"
	    Hostname Option 12, length 25: "HUAWEI_P20_Pro-573844fa3c"
	    Parameter-Request Option 55, length 10: 
	      Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
	      MTU, BR, Lease-Time, RN
	      RB, Vendor-Option

I definitely feel like I'm closer than I've ever been - just not quite there. I couldn't see anything relating to my 10.20. address in that tcpdump output - though I'm not really sure what I'm looking for.

Thanks again!

Yes, correct: 'unmanaged' is the name in LuCI. In the config file it is 'none'.

Okay, if you are sure about the port, maybe the wiki is outdated.

Regarding the packet capture, I don't see any response from pfSense. There are DHCP discovers and router solicitations from the Huawei phone, but no response to any of them.

Verify that the correct interfaces are assigned to the bridge with: brctl show
Also verify that you can see the MAC address of pfSense on the correct interface (device) in arp.

OK i've set the interface to unmanaged. Thanks for clarifying that.

The output from brctl show is:

bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.84a423071a8c       no              eth0.1
                                                        wlan0
                                                        wlan1
                                                        wlan1-1
br-GUEST         fff.b60a6fb8c855       no              eth0.5
                                                        wlan1-2

Which looks correct - eth0.5 is VLAN 5 and wlan1-2 is the guest SSID.

I checked the arp output on my openwrt box and saw this:

192.168.0.35     0x1         0x2         00:0e:c4:d0:57:ea     *        br-lan
192.168.0.53     0x1         0x2         c4:8e:8f:f8:87:c3     *        br-lan
192.168.0.65     0x1         0x2         9c:b6:d0:fb:ac:21     *        br-lan
192.168.0.61     0x1         0x2         00:0c:29:56:3b:a0     *        br-lan

192.168.0.35 is my pfsense box - but I don't see any entries for br-GUEST. Could this be my issue?

Maybe. Let's try something: set the protocol to static and assign an IP and mask on the br-GUEST interface. Then ping the IP of pfSense. Does it reply?
If not, then from pfSense start a ping to the temporary IP of br-GUEST and run a tcpdump on OpenWrt to verify that you can see the incoming traffic:
tcpdump -i eth0.5 -vn

I joined the guest SSID, but because I'm still getting a self-assigned IP (169.254.213.48) I can't ping pfSense. I can ping the pfSense guest VLAN interface's static IP from my main SSID though.

From pfSense, I don't get a response from my guest interface with a static IP in OpenWrt. I've double- and triple-checked my pfSense VLAN config - it's VLAN 5 on my pfSense LAN interface, the interface has a static IP and a DHCP server serving the 10.20.1.10-50 range. The only rule on that VLAN interface's firewall is an allow any/any.

I meant assigning the IP on the OpenWrt br-GUEST interface, but the rest of your message makes me think that there is something wrong with the link between them.
You have a straight cable, right? No intermediate switch or something else?

Yeah this is with a static IP on the br-GUEST interface:

Between the AP and my pfSense box is an unmanaged ProCurve switch, but that's all. I'm using a straight-through cable.

Try to connect them directly.

I have two spare ports on my pfsense NIC, could dedicate one of those to the VLAN?

If not i'll schedule in some downtime (lots of us working from home at the moment, using the WAN) and get back to you. :+1:

That could also work: use untagged interfaces just to rule out a misconfiguration and put the blame on the intermediate switch.

Got you. Just did a bit of Googling - I (wrongly!) assumed VLAN tags would pass through an unmanaged switch, but it seems that might not always be the case.

I'll report back!

I was under the same impression until recently, but someone else confirmed to me that this is not always the case.