Guest interfaces can't connect to the AP (Pi-hole)

Recently I switched to a NanoPi R3S LTS and flashed FriendlyWrt v25.12.2 onto it, but the secondary interfaces (guests, depts) can't connect to the AP. Here's my network topology:

My configs:

root@FriendlyWrt:~# ubus call system board
{
        "kernel": "6.1.141",
        "hostname": "FriendlyWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R3S LTS",
        "board_name": "friendlyelec,nanopi-r3s",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "rockchip/armv8",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}
root@FriendlyWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '0004213017e7a02c48db9c352d6f6ceb5d0d'
        option ula_prefix 'fd00:ab:cd::/48'
        option packet_steering '1'

config device
        option name 'eth0'
        option macaddr 'ea:f8:73:31:8e:c3'

config interface 'wan'
        option device 'eth0'
        option proto 'pppoe'
        option username '912007'
        option password '0104859715'
        option ipv6 'auto'
        option norelease '1'
        option multipath 'off'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'ea:f8:73:31:8e:c4'

config interface 'lan'
        option device 'br-lan.20'
        option proto 'static'
        option ip6assign '60'
        option multipath 'off'
        list ipaddr '10.12.20.1/24'

config interface 'guests'
        option proto 'static'
        option ipaddr '10.12.21.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option device 'br-lan.21'

config interface 'depts'
        option proto 'static'
        option ipaddr '10.12.22.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option device 'br-lan.22'

config interface 'iot'
        option proto 'static'
        option ipaddr '10.12.23.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option device 'br-lan.23'

config interface 'ext'
        option proto 'static'
        option ipaddr '10.12.24.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option device 'br-lan.24'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t*'

config bridge-vlan
        option device 'br-lan'
        option vlan '21'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '22'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '23'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '24'
        list ports 'eth1:t'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

root@FriendlyWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.12.20.2'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config dhcp 'guests'
        option interface 'guests'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.12.20.2'

config dhcp 'depts'
        option interface 'depts'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.12.20.2'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.12.20.2'

config dhcp 'ext'
        option interface 'ext'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.12.20.2'

config host
        option name 'dvr'
        list mac '7C:83:34:B8:CF:56'
        option ip '10.12.20.10'
        option leasetime 'infinite'

config host
        option name 'printer'
        list mac 'E0:BB:9E:AB:D3:9D'
        option ip '10.12.20.20'
        option leasetime 'infinite'

config host
        option name 'poe-switch'
        list mac '5C:15:C5:06:94:1B'
        option ip '10.12.20.30'
        option leasetime 'infinite'

config host
        option name 'omada'
        list mac '0C:EF:15:C0:EA:92'
        option ip '10.12.20.40'
        option leasetime 'infinite'

config host
        option name 'cam-entrance'
        list mac '3C:EF:8C:8B:74:06'
        option ip '10.12.23.10'
        option leasetime 'infinite'

config host
        option name 'cam-garage'
        list mac '3C:EF:8C:8B:85:C5'
        option ip '10.12.23.20'
        option leasetime 'infinite'

config host
        option name 'cam-reception'
        list mac '9C:8E:CD:3C:8D:7C'
        option ip '10.12.23.30'
        option leasetime 'infinite'

config host
        option name 'pihole'
        list mac '1A:1E:C5:50:0B:3E'
        option ip '10.12.20.2'
        option leasetime 'infinite'

root@FriendlyWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone4 '1'
        option fullcone6 '0'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Reject-IPv6'
        option family 'ipv6'
        option src 'wan'
        option dest '*'
        option target 'REJECT'
        option enabled '0'

config zone
        option name 'guests'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guests'

config forwarding
        option src 'guests'
        option dest 'wan'

config zone
        option name 'depts'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'depts'

config forwarding
        option src 'depts'
        option dest 'wan'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'lan'

config zone
        option name 'ext'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ext'

config forwarding
        option src 'ext'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'lan'
        option dest 'tailscale'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config rule
        option src 'guests'
        option name 'Allow-DNS-Guests'
        option dest_port '53'
        option target 'ACCEPT'
        option dest 'lan'
        list dest_ip '10.12.20.2'
        list proto 'udp'

config rule
        option src 'depts'
        option dest 'lan'
        option name 'Allow-DNS-Depts'
        list dest_ip '10.12.20.2'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option src 'ext'
        option dest 'lan'
        option name 'Allow-DNS-Ext'
        list dest_ip '10.12.20.2'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option src 'iot'
        option name 'Allow-NTP-Iot'
        list proto 'udp'
        option dest_port '123'
        option target 'ACCEPT'

I'd like the secondary interfaces to send their DNS requests to the Pi-hole.

Thanks in advance.

FriendlyWrt is a heavily modified fork, and there is no knowledge of it on the OpenWrt forum.
So it is better to ask on the FriendlyWrt forum.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Thanks for your response. It's okay, I understand.

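Just in case anyone has the same problem: I solved it by adding a separate 'Allow-DHCP' firewall rule for each interface whose zone rejects forwarding to the LAN zone. Each rule should have the destination zone 'Device (input)'. These zones also have input set to REJECT, so without such a rule the clients' DHCP requests to the router are rejected and they never get a lease; the rule only needs to accept UDP destination port 67. Then, in Pi-hole > Settings > DNS > Interface settings, change to 'Permit all origins' and then Save and Apply. With that setting the Pi-hole answers any client that can reach it, so the router firewall is what limits who can query it: keep port 53 closed from the WAN and keep the per-zone Allow-DNS rules restricted to 10.12.20.2. Those rules as posted allow UDP only; DNS falls back to TCP port 53 for large responses, so add 'tcp' to them if some lookups fail.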