Guest WiFi DHCP not working on TPLINK WDR3600

I have 3 access points configured as dumb access points:

  • ubiquiti AC LR
  • ubiquiti AC Lite
  • tplink WDR3600

I have 2 SSIDs on all of them:

  • homeWRT(VLAN 1, untagged)
  • guestWRT(VLAN 102, tagged)

I have set up VLANs and the corresponding interfaces, and over WiFi it is working fine on the Ubiquiti AP(s), but on the WDR3600 I am only able to use homeWRT. All of them are running openWRT 21.02.7, and the main router is a pineA64 running the same openWRT 21.02.7.

When I connect to guestWRT, I see the device getting connected over WiFi, then checking for an IP address and dropping off the WiFi after that. Meanwhile, if I configure the LAN port of the WDR3600, I am able to get DHCP working absolutely fine.

How should I diagnose this problem?

Let's start here...

  • what port on the WDR3600 connects to the upstream device?
  • Are you running a managed switch between the router and the APs?
  • Have you verified that the port on the upstream device (to which the WDR3600 connects) is configured as a trunk with the VLANs as you've described?
  • You mentioned that connecting to the lan port of your WDR3600 works, but is that for the guest network or the main home network?

And now, for the WDR3600...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

what port on the WDR3600 connects to the upstream device?

I have the WAN(WDR3600) <--> UNMANAGED SWITCH <--> ROUTER(pine64), reconfigured the switch to include the WAN into LAN.

Are you running a managed switch between the router and the APs?

ROUTER(pine64) <--> UNMANAGED SWITCH(5 PORT) <--> AP_1 or AP_2 or AP_3

Have you verified that the port on the upstream device (to which the WDR3600 connects) is configured as a trunk with the VLANs as you've described?

I have checked the interface on the WDR3600 by setting the IOT interface as DHCP, and it does get the correct IP from the IP range: 192.168.102.xxx

You mentioned that connecting to the lan port of your WDR3600 works, but is that for the guest network or the main home network?

I configured LAN 01, 02 for VLAN 01 and LAN 03, 04 for VLAN 102, both work as expected. It is over Wi-Fi only that it doesn't work.

I have disabled the firewall and odhcp services as mentioned on the dumb access point guide.

$cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option proto 'dhcp'
	option device 'eth0.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0t 4 5 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option description 'WAN'
	option ports '0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '102'
	option description 'IOT'
	option ports '0t 2 3 1t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '101'
	option description 'GUEST'
	option ports '0t 1t'

config interface 'guest'
	option device 'eth0.101'
	option proto 'none'

config interface 'iot'
	option device 'eth0.102'
	option type 'bridge'
	option proto 'dhcp'

$cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option txpower '20'
	option channel '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'archWRT'
	option dtim_period '3'
	option encryption 'psk2'
	option key 'password_psk'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option bss_transition '1'
	option wnm_sleep_mode '1'
	option time_advertisement '2'
	option time_zone 'GMT0'
	option ieee80211k '1'
	option rrm_neighbor_report '1'
	option rrm_beacon_report '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option cell_density '0'
	option txpower '17'
	option htmode 'HT40'
	option channel '36'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'archWRT'
	option dtim_period '3'
	option encryption 'psk2'
	option key 'password_psk'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option bss_transition '1'
	option wnm_sleep_mode '1'
	option time_advertisement '2'
	option time_zone 'GMT0'
	option ieee80211k '1'
	option rrm_neighbor_report '1'
	option rrm_beacon_report '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'matter_openwrt'
	option encryption 'psk2'
	option key 'password_psk'
	option network 'iot'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'matter_openwrt_5G'
	option encryption 'psk2'
	option key 'password_psk'
	option wds '1'
	option network 'iot'

$cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/local/'
	option domain 'local'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

$cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config include
	option path '/etc/firewall.user'

Here are the settings from my pine router.

$cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option hostname 'pineWRT'
	option delegate '0'
	option device 'br-lan.1'
	option ipaddr '192.168.10.1'

config interface 'wan'
	option proto 'static'
	option device 'eth1'
	option ipaddr '10.16.239.74'
	option netmask '255.255.255.128'
	option gateway '10.16.239.1'
	list dns '8.8.8.8'
	list dns '10.16.239.1'

config bridge-vlan
	option device 'br-lan'
	list ports 'eth0'
	option vlan '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'eth0:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.101'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.102'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config device
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'onu'
	option device '@wan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option metric '10'
	option auto '0'

$cat /etc/config/wireless
$cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/local/'
	option domain 'local'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dynamicdhcp '0'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'none'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.10.3'
	option name 'ubnt-unifiac-lr'
	option dns '1'

config host
	option name 'ubnt-unifiac-lite'
	option dns '1'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.10.4'

config host
	option name 'tplink-tl-wdr3600'
	option dns '1'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.10.2'

$cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'onu'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'ACCEPT'
	list network 'guest'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'ACCEPT'
	list network 'iot'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-IOT'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-IOT'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-mDNS-IOT'
	list proto 'udp'
	option src 'iot'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	list dest_ip 'ff02::fb'
	option dest_port '5353'
	option target 'ACCEPT'

Could you repost the WDR3600 config to fix the formatting? It's really hard to read. (The Pine router's formatting looks fine.)

Your router config looks good.

You should be using a managed switch if you are using VLANs. These are designed to handle VLANs and allow you to set port memberships.

I'm guessing that your unmanaged switch does the job here by transparently switching the tagged and untagged networks without issue (assuming that the other APs are working properly), but this is not a given and could be problematic with some devices. This is because the behavior of an unmanaged switch when tagged frames are used is actually undefined. They are only designed to work with a single, untagged network. Anything more and there could be issues. Some unmanaged switches work fine, others may have minor issues, and some could cause major problems for the whole network.

Okay, I was under the impression that an unmanaged switch can be used across other VLAN-aware devices. Also, since it was working with the other access points, I didn't think much into it. Additionally, I reformatted the output of the WDR3600.

Thanks for fixing the config formatting.

These are slightly wrong...

You need to define a bridge (outside the network stanza) for these to work with both wired and wireless (or with more than one radio).

Make it look like this instead (also, note that I changed the iot to proto none, as you only need an IP on the trusted lan):

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.101'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.102'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

config interface 'iot'
	option device 'br-iot'
	option proto 'none'
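
An added example (not from the thread and not OpenWrt code): a small Python check, meant to be run against copies of /etc/config/network and /etc/config/wireless, that applies the rule from the answer above and reports every SSID whose network is not backed by a bridge defined in its own `config device` stanza. The function names are hypothetical and the sample strings are constructed from the stanzas posted in the thread.

```python
import shlex

def parse_uci(text):
    """Parse UCI text into (type, name, options) sections."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][2][tok[1]] = tok[2]  # last value wins; enough for this check
    return sections

def audit_ssid_bridges(network_text, wireless_text):
    """Flag SSIDs whose network is not backed by a separately defined bridge device."""
    net = parse_uci(network_text)
    bridges = {o.get("name") for t, _, o in net if t == "device" and o.get("type") == "bridge"}
    ifaces = {n: o for t, n, o in net if t == "interface"}
    findings = []
    for t, _, o in parse_uci(wireless_text):
        if t != "wifi-iface":
            continue
        iface = ifaces.get(o.get("network"))
        if iface is None:
            why = "network is not defined"
        elif iface.get("type") == "bridge":
            why = "bridge type set inside the interface stanza"
        elif iface.get("device") not in bridges:
            why = "device %s is not a bridge" % iface.get("device")
        else:
            continue
        findings.append((o.get("ssid"), o.get("network"), why))
    return findings

# Constructed samples modelled on the stanzas posted in the thread.
WIRELESS = "config wifi-iface 'wifinet2'\n\toption ssid 'matter_openwrt'\n\toption network 'iot'\n"
BEFORE = "config interface 'iot'\n\toption device 'eth0.102'\n\toption type 'bridge'\n\toption proto 'dhcp'\n"
AFTER = ("config device\n\toption name 'br-iot'\n\toption type 'bridge'\n\tlist ports 'eth0.102'\n"
         "config interface 'iot'\n\toption device 'br-iot'\n\toption proto 'none'\n")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_ssid_bridges(cfg, WIRELESS))
```

Running the same check on every access point after a change shows quickly whether an isolated SSID is still attached to the VLAN it was meant for.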

I was just trying this and came here to check for a response. Thanks, will revert with the results shortly.

It worked, I have to read some more into this now :) Thanks for the help.

Great! Glad it is working!
