How can I create a new interface properly

It seems only br-lan works. I created a lan4 interface because I want two Wi-Fi networks, one for guests and one for myself. How can I create an interface and connect it to Wi-Fi? So far I have had no luck getting an IP address on it.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

# Board model, kernel and OpenWrt release.
ubus call system board
# Interfaces, bridges and VLANs.
cat /etc/config/network
# Radios and SSIDs; the dumps in this thread show an 'option key' per wifi-iface, so redact it before posting.
cat /etc/config/wireless
# dnsmasq / odhcpd DHCP and DNS settings.
cat /etc/config/dhcp
# Zones, forwardings, rules and redirects.
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.147",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r24858-189838517e",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r24858-189838517e"
        }
}
root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/network

# Loopback interface: static 127.0.0.1/255.0.0.0 on device 'lo'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix; the value appears to have been redacted by the poster.
config globals 'globals'
        option ula_prefix '..'

# Bridge device br-lan with lan2, lan3 and lan4 as member ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Main LAN: static 192.168.1.1/255.255.255.0 on br-lan.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN device section; macaddr is empty here (apparently redacted).
config device
        option name 'wan'
        option macaddr ''

# IPv4 uplink: DHCP client on device 'wan'.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# IPv6 uplink: DHCPv6 client on the same device.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# NOTE(review): this interface uses port 'lan4' directly although lan4 is already a
# member of br-lan above, and it sets 'option type bridge' on the interface itself.
# The reply in this thread names both as the reason the interface does not come up.
config interface 'lan4'
        option proto 'static'
        option device 'lan4'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option type 'bridge'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/wireless

# 2.4 GHz radio: channel 1, HE20. Neither radio section sets 'option country'.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

# 5 GHz radio: channel 36, HE80.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

# NOTE(review): open access point (encryption 'none', SSID 'OpenWrt') on radio1,
# attached to network 'lan'. Any device in range can join 'lan' without credentials,
# and the firewall dump in this thread gives the lan zone input and forward ACCEPT.
# Set an encryption mode and key on this section, or remove it.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

# SAE (WPA3-Personal) AP on radio0 for network 'lan'; ssid and key appear to be
# placeholders substituted by the poster.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'l'
        option encryption 'sae'
        option key 'll_'
        option network 'lan'

# SAE (WPA3-Personal) AP on radio1 for network 'lan4', the intended second network.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'll'
        option encryption 'sae'
        option key 'll'
        option network 'lan4'

# Global policy: input and forward are rejected, output accepted; SYN-flood protection on.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan zone: contains only network 'lan' at this point; input, output and forward all ACCEPT.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# wan zone: input and forward rejected; masquerading and MSS clamping (mtu_fix) enabled.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Permit forwarding from the lan zone to the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Accept UDP port 68 from wan (IPv4), so DHCP replies reach the router's WAN client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# NOTE(review): despite the name 'Allow-DHCP-Renew', this rule accepts TCP port 22
# from the wan zone. It has no 'dest', so it is an input rule: whatever listens on
# port 22 on the router (normally the SSH server) is reachable from the WAN side.
# Rename it to say what it does, and remove it or narrow it with 'src_ip' if
# WAN-side SSH is not intended.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request from wan (router answers ping from outside).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept TCP port 80 from lan to the router; appears redundant because the lan
# zone's input policy is already ACCEPT.
config rule
        option name 'Allow-http'
        option src 'lan'
        option proto 'tcp'
        option dest_port '80'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept UDP port 546 from wan (IPv6), the DHCPv6 client port.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept ICMPv6 types 130, 131, 132 and 143 (MLD) from link-local sources on wan.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router from wan, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'), limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward ESP (IPsec) from wan to lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward UDP port 500 (ISAKMP/IKE) from wan to lan.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# DNAT for TCP/UDP port 53 arriving from the lan zone. No dest_ip is given, so the
# traffic is presumably redirected to the router's own resolver (confirm on the device).
# The match is per zone: it covers every network listed in zone 'lan'.
config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'

root@OpenWrt:~#

Port lan4 is part of br-lan, so it can't be used in another place. But that's okay... we're going to make bridge VLANs.

Add the following:

# VLAN 1 on br-lan: lan2 and lan3 as untagged members ('u') with VLAN 1 as their PVID ('*').
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# VLAN 2 on br-lan: lan4 alone, untagged with PVID 2, which separates it from
# lan2/lan3 at layer 2 while it stays a port of the same bridge.
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan4:u*'

Now, edit the main lan interface to use br-lan.1 like this:

# Main LAN moves from the bare bridge to its VLAN 1 sub-device (br-lan.1); addressing is unchanged.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

and now on lan4, we'll edit it to remove the bridge line (that's invalid here) and give it device br-lan.2, like this

# lan4 now uses VLAN 2 of br-lan (br-lan.2) instead of the raw port; the
# interface-level 'option type bridge' line from the original config is dropped.
config interface 'lan4'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

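Next, your lan4 network needs to be assigned to a firewall zone. For now, we'll make it part of the lan zone (this can be changed later if you have specific goals for isolation, but this will ensure we reduce the number of variables that could cause issues). Keep in mind that while lan4 shares the lan zone, the firewall does not separate the two networks: the zone's forward policy is ACCEPT, and every rule or redirect written for the lan zone applies to lan4 as well.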

# Adds lan4 to the existing lan zone as a troubleshooting step. While both networks
# share this zone the firewall does not separate them (forward is ACCEPT), and anything
# matching src 'lan', including the Intercept-DNS redirect in the poster's firewall
# config, also applies to lan4. Move lan4 to its own zone once it is meant to be an
# isolated guest network.
config zone
        option name 'lan'
        list network 'lan'
        list network 'lan4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

I don't see your dhcp file here, so I can't tell if you've got that setup or not, but these changes should get the network functioning. If it doesn't work, post all 4 of the config files again and I'll check again.

Restart your router and test.

Thank you very much, the interface worked, but DHCP is not working on lan4. My goal was to have a separate Wi-Fi network for others; however, I would like this network to be in its own zone so that I can redirect DNS traffic only for the LAN traffic and this machine. If you look at my last firewall rule, I am intercepting DNS traffic. I want each network to have separate DNS servers, and only one network to have its DNS traffic intercepted to use the WAN DNS or NextDNS. I am also still confused about how to get the best Wi-Fi, as I need two Wi-Fi networks.

Please post your complete config again -- including the dhcp file (that is the one we haven't seen, yet).

There are several ways to achieve this... I think it might be best to have a separate thread for this once the other issues are resolved.

What exactly do you mean "get the best wifi" in this case? Setting up 2 wifi networks isn't a problem, but not sure if there is something else you are asking about.

My bad, I apologize for that reply; here is my dhcp config. I am looking to have two separate DNS servers (please refer to lan4); br-lan currently uses NextDNS, which was set up by a script I ran. I mean I would like to have two Wi-Fi networks that work properly, each with separate public DNS servers, and I would still like my firewall rule regarding DNS to apply. Thank you.

# dnsmasq instance: local domain 'lan', DNS-rebind protection enabled, leases kept in
# /tmp/dhcp.leases, upstream resolvers read from resolv.conf.auto, and
# localservice '1' set.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCP pool for 'lan': 150 addresses starting at offset 100, 12h leases;
# DHCPv4, DHCPv6 and router advertisements all in server mode.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the wan interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP pool for 'lan4', advertising 1.1.1.3 and 1.0.0.3 as DNS servers via DHCP option 6.
# NOTE(review): the dhcp_option value carries literal double quotes inside the single
# quotes; a later reply in this thread identifies them as the problem. The section also
# has no explicit "option dhcpv4 'server'", which another reply recommends adding.
config dhcp 'lan4'
        option interface 'lan4'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '"6,1.1.1.3,1.0.0.3"'

option dhcpv4 'server' should be included in lan4 to make sure it is a server. A DHCP server is implied when start and limit are set but this is mostly a concession to the old syntax and it may be taken out.

After changing DHCP configuration you need to run service dnsmasq restart or reboot entirely, as a simple network restart does not pick up new DHCP servers.


I can't seem to get an IP even after that change; it only seems to work with a static address. Thanks for the suggestion, mk24.

WRT the DNS servers -- option 6 is a good way to specify the desired servers. This doesn't force clients to use the advertised DNS, though -- if a client has a manual override or hard-coded DNS server, the client's locally specified DNS will be used instead of the ones advertised via option 6. If you wish to enforce the use of specific DNS servers, you'll want to use DNS hijacking.

But otherwise, all looks fine from a DNS perspective.

The DHCP server is broken on all LANs now :(

Let's see the latest config files (all of them, please)

# Loopback interface: static 127.0.0.1/255.0.0.0 on device 'lo'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix, partly redacted by the poster.
config globals 'globals'
        option ula_prefix '..::/48'


# VLAN 1 on br-lan: lan2 and lan3, untagged ('u') with VLAN 1 as PVID ('*').
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# VLAN 2 on br-lan: lan4 only, untagged with PVID 2.
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan4:u*'


# Bridge device; all three ports stay members, the bridge-vlan sections above split them.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Main LAN on VLAN 1 of the bridge.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Second network on VLAN 2 of the bridge, static 10.0.0.1/255.255.255.0.
config interface 'lan4'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'


# WAN device section; macaddr redacted by the poster.
config device
        option name 'wan'
        option macaddr '..'

# IPv4 uplink: DHCP client on device 'wan'.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# IPv6 uplink: DHCPv6 client on the same device.
# NOTE(review): the closing quote on the last line is missing; it looks like it was lost
# when pasting (the wireless config follows immediately). Check the file on the router.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6
# 2.4 GHz radio: channel 1, HE20. No 'option country' is set on either radio,
# which the last reply in this thread asks to add.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

# 5 GHz radio: channel 36, HE80.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

# SAE (WPA3-Personal) AP on radio0 for network 'lan'; ssid and key redacted.
# The open 'default_radio1' AP from the first dump no longer appears here.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '..'
        option encryption 'sae'
        option key '..'
        option network 'lan'

# SAE (WPA3-Personal) AP on radio1 for network 'lan4'; ssid and key redacted.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid '..'
        option encryption 'sae'
        option key '..'
        option network 'lan4'
# dnsmasq instance: local domain 'lan', DNS-rebind protection enabled, leases kept in
# /tmp/dhcp.leases, upstream resolvers read from resolv.conf.auto.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCP pool for 'lan': 150 addresses starting at offset 100, 12h leases;
# DHCPv4, DHCPv6 and router advertisements in server mode.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the wan interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP pool for 'lan4', now with dhcpv4 'server' set explicitly.
# NOTE(review): dhcp_option still contains literal double quotes inside the single
# quotes. The next reply points at these quotes as the problem; since dnsmasq serves
# both pools, an unparsable option here would plausibly explain DHCP failing on every
# LAN (check the system log to confirm).
config dhcp 'lan4'
        option interface 'lan4'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '"6,1.1.1.3,1.0.0.3"'
        option dhcpv4 'server'

root@OpenWrt:~# cat /etc/config/firewall


# Global policy: input and forward are rejected, output accepted; SYN-flood protection on.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan zone now holds both 'lan' and 'lan4'. With forward ACCEPT the firewall does not
# separate the two networks, and every rule or redirect with src 'lan' covers lan4 too.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan4'

# wan zone: input and forward rejected; masquerading and MSS clamping (mtu_fix) enabled.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Permit forwarding from the lan zone to the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Accept UDP port 68 from wan (IPv4), so DHCP replies reach the router's WAN client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# NOTE(review): despite the name 'Allow-DHCP-Renew', this rule accepts TCP port 22
# from the wan zone. It has no 'dest', so it is an input rule: whatever listens on
# port 22 on the router (normally the SSH server) is reachable from the WAN side.
# Rename it to say what it does, and remove it or narrow it with 'src_ip' if
# WAN-side SSH is not intended.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request from wan (router answers ping from outside).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept TCP port 80 from lan to the router; appears redundant because the lan
# zone's input policy is already ACCEPT.
config rule
        option name 'Allow-http'
        option src 'lan'
        option proto 'tcp'
        option dest_port '80'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept UDP port 546 from wan (IPv6), the DHCPv6 client port.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept ICMPv6 types 130, 131, 132 and 143 (MLD) from link-local sources on wan.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router from wan, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'), limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward ESP (IPsec) from wan to the lan zone.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward UDP port 500 (ISAKMP/IKE) from wan to the lan zone.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# DNAT for TCP/UDP port 53 arriving from the lan zone; with no dest_ip the traffic is
# presumably redirected to the router's own resolver (confirm on the device).
# NOTE(review): lan4 is in the lan zone above, so queries from lan4 clients to the
# servers advertised via DHCP option 6 (1.1.1.3 / 1.0.0.3 in the dhcp config) would be
# caught by this redirect as well. To intercept DNS on one network only, lan4 needs
# its own zone.
config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'

I think the problem is here with the quotes. Try this:

        # Same DHCP option 6 (DNS servers) as before, without the inner double quotes:
        # inside the single quotes they are part of the value itself.
        list dhcp_option '6,1.1.1.3,1.0.0.3'

thank you psherman

Also, how does the Wi-Fi configuration look? Does it look normal? I do not have much knowledge of wireless technology.

Add your country to the wifi radio configuration, same country on both radios. Do some scans and change channel if your strongest neighbors are on the channel you're using.
