Hi,
I am running two openwrt instances, one a physical hardware and another one in proxmox. My ISP lines go to a switch, openwrt and proxmox are both connected to the switch. I've created two VLANs 100 and 200. 100 is just for ISP to dial a PPPoE.
For home usage I am using my hardware openwrt, it has wan.100 interface which dials PPPoE and LAN & Wireless Setup are as usual. Everything works.
I then used VLAN 200 running LAN of virtualized openwrt. I brought VLAN 200 to openwrt (eth2.200) and I created a DHCP client on the interface (eth2.200), and named it VPNLAN. So far, the physical openwrt router gets IP from DHCP.
Then I created an AP, named WiFiPlus and chose an interface as a VPNLAN interface and applied everything.
The problem, clients connected to the new AP WiFiPlus are not able to get IP or connect to virtualized openwrt. Also, I was not sure which firewall zone to choose so I tried with LAN and WAN both but both did not work.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8a:3b77:9b26::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.1'
config device
option name 'wan'
config interface 'WAN'
option proto 'pppoe'
option username 'redact'
option password 'redact'
option ipv6 'auto'
option device 'lan2.100'
config device
option type '8021q'
option ifname 'lan2'
option vid '200'
option name 'lan2.200'
config interface 'VPNLAN'
option proto 'static'
option device 'lan2.200'
option ipaddr '192.168.0.3'
option netmask '255.255.255.0'
option gateway '192.168.0.1'
option defaultroute '0'
option type 'bridge'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option htmode 'VHT80'
option channel 'auto'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Wifi'
option encryption 'psk2'
option key 'redact#'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'GGIOT'
option encryption 'psk-mixed'
option key 'redact'
option network 'lan'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'WifiPlus'
option encryption 'psk2'
option key 'redact#'
option network 'VPNLAN'
DHCP
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ndp 'relay'
option ra 'server'
option dhcpv6 'server'
list dns 'fd8a:3b77:9b26::52'
list domain ''
list dhcp_option '6,192.168.1.52'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name '192.168.1.52'
option dns '1'
option mac '06:DD:80:45:94:1B'
option ip '192.168.1.52'
option duid '000100012b56ee3606dd8045941b'
option hostid '52'
option leasetime '10m'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WAN'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH'
list proto 'tcp'
option src 'wan'
option src_dport '28311'
option dest_ip '192.168.1.55'
option dest_port '22'
config forwarding
option src 'lan'
option dest 'wan'
Also with above configuration, I loose internet connection on br-lan or Wifi
I was able to mitigate the no internet situation by unchecking the set default gateway in the interface setting but the problem in question remains the same.
Reading through forums made me believe my setup should work but somehow it's not working.
It could NOT work
you have real PC OpenWRT as gateway + WIFI AP
and you want to use your Proxmox/VM/OpenWRT as DHCP server
VM OpenWRT will introduce own IP address as default GW, and your WIFI client will be directed to VM OpenWRT
from there ? what is next hop ?
I assume these config files are from the "hardware openwrt"? What is the specific hardware you are using?
ubus call system board
And is the "hardware openwrt" serving as a dumb AP, or should it be routing? I'm a bit confused how the virtualized OpenWrt plays in here -- which one is doing the routing? It seems like the virtualized OpenWrt instance is the one that is actually responsibile for the the PPPoE wan connection and the routing for at VLAN 200. But what purpose (if any) is the regular lan on the hardware openwrt (192.168.1.0.24)? A system topology diagram could be useful there.