How to configure two LAN: eth0 for WAN as DHCP Client, eth1 for LAN with DHCP server on it

I looked through the forum, yet I still lack some understanding. Should I edit the network config manually, or must I just go to LuCI in the browser and

  1. Turn off DHCP server on br-lan,
  2. Create new interface on eth1 and set up DHCP server on this one (Do I set it as 'unmanaged' in this case?)

Should I instead manage dnsmasq settings and its config files telling dnsmasq to listen on eth1 interface? I am a bit confused.

Here is my ifconfig:

br-lan    Link encap:Ethernet  HWaddr 
          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:b9ff:feba:88e/64 Scope:Link
          inet6 addr: fdf8:7d73:bde7::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:779 errors:0 dropped:0 overruns:0 frame:0
          TX packets:301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109822 (107.2 KiB)  TX bytes:39962 (39.0 KiB)

eth0      Link encap:Ethernet  HWaddr 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:815 errors:0 dropped:17 overruns:0 frame:0
          TX packets:299 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124454 (121.5 KiB)  TX bytes:39810 (38.8 KiB)

eth1      Link encap:Ethernet  HWaddr 
          inet6 addr: fe80::a2a3:f0ff:fea9:d1bc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:94 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10216 (9.9 KiB)  TX bytes:826 (826.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11426 (11.1 KiB)  TX bytes:11426 (11.1 KiB)

I understand theoretically what I must do, yet I fail in practical realisation.

P.S. What text editor do I use in OpenWrt? nano, vim? Can I install Midnight Commander?

Thank you.

For basic editing use LuCI; for advanced editing, manually edit the config file.

Network > Interfaces > LAN ... EDIT button > DHCP server, check Ignore interface

If your goal is to exchange eth0 and eth1, it's easier to edit the interfaces and assign the right eth to the wanted interfaces. There is no need to edit the DHCP server.
Network > Interfaces > devices

1 Like

Default installed is vim. I don't use vim, the person that made vim probably hates people! It is crazy that I must google how to save something in vim or do anything at all, and even then the save process is crazy complicated.
So I only use nano but you must install it manually.

You can also use WinSCP or similar and change the files in a real computer.

2 Likes

Let’s take a look at your current configuration so we can be sure to give you the right guidance.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

Default is exactly opposite, eth0 lan eth1 wan

1 Like

ubus call system board

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "Intel(R) Pentium(R) Dual  CPU  E2160  @ 1.80GHz",
        "model": "ECS G31T-M",
        "board_name": "ecs-g31t-m",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"

cat /etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:7d73:bde7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.101'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

root@OpenWrt:~#

cat /etc/config/wireless

cat: can't open '/etc/config/wireless': No such file or directory

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall


config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


I completely absolutely agree!

For example, if I want to open network interfaces config file I just use command

nano /etc/config/network
1 Like

This is very strange: the configuration appears to be that of a host on an existing network (but you also seem to have the dhcp server enabled, which could produce unexpected results).

Can you clarify why this is set up in this way? And what is your intent for this device?

I just want this interface to be WAN: get IP from other router or ISP using DHCP protocol as DHCP Client.
Second interface "eth1" I have, I just want to be a DHCP server and give DHCP leases to local computers which will be connected to this interface.

My goal is that LAN clients connected via eth1 can receive internet from eth0

P.S. I edited manually /etc/network/config and get an error now in Web-Interface:

RPCError

RPC call to uci/get failed with ubus code 9: Unspecified error
  at handleCallReply (https://192.168.0.101/luci-static/resources/rpc.js?v=git-24.264.56413-c7a3562:15:3)

Start by setting up a new network interface for eth1.

Something like:

config interface 'lan2'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'

Add that to the lan firewall zone, and setup a dhcp server for this interface. Plug a device into eth1 and make sure it gets an ip and can reach the router.

Then you can change the interface name of the existing lan to wan (all lowercase) and it should just work.

1 Like

I can not see Interfaces in Admin Panel. I get error:

RPCError

RPC call to uci/get failed with ubus code 9: Unspecified error
  at handleCallReply (https://192.168.0.101/luci-static/resources/rpc.js?v=git-24.264.56413-c7a3562:15:3)

I will try to set up via config files

Well, I managed to configure eth0 as wan interface with dhcp client I believe

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

for it retrieved address 192.168.0.62 from higher level router.
But I am no longer able to access my OpenWRT device via https or ssh, yet it answers pings.

I guess the problem is that SSH and LUCI continue to listen on eth0 interface. How do I change it?

UPD: Firewall was a problem! Since eth0 is wan interface firewall automatically blocked I guess all connections on https and ssh protocols. I had to disable it to get access to web-interface and SSH.

Still this configuration

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:7d73:bde7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'br-lan2'
        option type 'bridge'
        list ports 'eth1'

config interface 'wan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'lan2'
        option device 'br-lan2'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

does not work. Because if I connect my PC with eth1 via switch, I have no internet, no network, even if I manually assign to the PC an address from the same subnet, for example 192.168.3.5, 255.255.255.0 and try to connect

UPD: I find a solution for luci error - it was bad config file formatting

uci show /etc/config/network

stated that there is a syntax error on line 29, yet there was only a ~ sign there. I was thinking it is some vim feature to add tildes instead of empty lines... Whatever. Now I can see luci in the browser and my interfaces are there!

The only thing I have left to do is to set up a DHCP server on the lan interface so that clients receive an IP-Address and Internet.

UPD: Well, now clients on LAN (eth1) receive IP-addresses from the DHCP-server. Looks great. The only issue I can not solve - they still have no access to the Internet, while the WAN (eth0) interface can ping www.google.com just fine.
I need some additional configuration?

Here is my Interfaces Picture

UPD: Working configuration:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
  
config globals 'globals'
        option ula_prefix 'fdf8:7d73:bde7::/48'
  
config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'
  
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
  
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
  
config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

I believe my only option is to set up DHCP Relay for the 192.168.3.x subnet? Yet I wish there were a simpler way. Maybe set up a bridge interface from eth1 to eth0

Is this working now? If not, please post your dhcp and firewall files.

Unfortunately, clients still have no access to the Internet. I even disabled the firewall temporarily, it is in "inactive" state now.

root@OpenWrt:~# /etc/init.d/firewall status
inactive
root@OpenWrt:~#

DHCP rules are default, here they are:

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list notinterface 'wan'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

The firewall is required, otherwise masquerading won't work, which means no internet.

Remove the last two lines:

As I said, though, the firewall is critical. And operating without it may be dangerous. Re-enable it, and post that config here for review.

OMG! It is working! I just enable firewall and immediately clients got internet! Many thanks!

/etc/config/firewall/

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

P.S. Why I need dnsmasq to listen on all interfaces instead of lan? I mean if I remove two last lines in dnsmasq config, dnsmasq will listen as DHCP-Server on all interfaces if I am correct. But I only need it to be DHCP-server for 'lan' interface while 'wan' interface obtain IP-Address from higher level router as DHCP-Client. I guess there might be some problems if dnsmasq will listen on all interfaces? I mean may it conflict with higher level DHCP-server in this case?

Here are other configs (yet they are not changed a bit, I only enable firewall. But for the sake of better view for future users I post it)

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:7d73:bde7::/48'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option peerdns '0'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list notinterface 'wan'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Thanks again, friend!

Everything looks fine, but I still recommend removing these two lines - they’re unnecessary.

The wan is explicitly set to ignore, so it will not activate as a dhcp server on that subnet. Further, the firewall does not allow for input from the wan, so no inbound requests can happen. And the dhcp server can only be active if the interface protocol is static ip. The wan here is dhcp. So for those reasons, the dhcp server can listen on all interfaces without causing a conflict or risk on the wan.

If those lines were required, they would be part of the default set. But they’re not needed. And the best practice is to leave the services listening on all interfaces and let the firewall or other explicit config items handle the access or service details.

These lines are for when you setup dnsmasq multi instances, which you haven't done.
And even then you don’t put wan in “not interface”, that setting is for the loopback interface if you want to.

1 Like

Thanks for your guidance, kind sir.
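
The failures this thread ran into (a stray `~` line in the network file, an interface that belongs to no firewall zone, a wan zone without masquerading or without a forwarding towards it) can be checked offline before services are restarted. The script below is an added example, not part of any post in the thread and not an OpenWrt tool; the function names `audit_uci` and `write_samples`, the finding labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit_uci NETWORK_FILE FIREWALL_FILE
audit_uci() {
    awk '
    BEGIN { q = sprintf("%c", 39); strip = "^[" q "\"]|[" q "\"]$" }
    function val(s) { gsub(strip, "", s); return s }   # drop UCI quotes
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    # Valid UCI lines start with config/option/list; a stray "~" lands here.
    $1 != "config" && $1 != "option" && $1 != "list" {
        print "SYNTAX " FILENAME ":" FNR; next }
    $1 == "config" {
        type = $2; name = val($3)
        if (FILENAME == ARGV[1] && type == "interface" && name != "loopback")
            iface[name] = 1
        if (FILENAME == ARGV[2] && type == "zone") nz++
        if (FILENAME == ARGV[2] && type == "forwarding") nf++
        next }
    FILENAME != ARGV[2] { next }
    type == "zone" && $2 == "name"  { zname[nz] = val($3) }
    type == "zone" && $2 == "input" { zin[nz] = val($3) }
    type == "zone" && $2 == "masq"  { zmasq[nz] = val($3) }
    type == "zone" && $2 == "network" {
        for (i = 3; i <= NF; i++) { zoned[val($i)] = 1
            if (val($i) == "wan") wanz = nz } }
    type == "forwarding" && $2 == "src"  { fsrc[nf] = val($3) }
    type == "forwarding" && $2 == "dest" { fdst[nf] = val($3) }
    END {
        # An interface in no zone is handled by the firewall defaults only.
        for (n in iface) if (!(n in zoned)) print "UNZONED " n
        if (!wanz) exit
        if (zin[wanz] == "ACCEPT") print "WAN_INPUT_ACCEPT " zname[wanz]
        if (zmasq[wanz] != "1")    print "WAN_NO_MASQ " zname[wanz]
        for (i = 1; i <= nf; i++)
            if (fdst[i] == zname[wanz] && fsrc[i] != fdst[i]) ok = 1
        if (!ok) print "NO_FORWARDING_TO " zname[wanz]
    }' "$1" "$2" | sort
}

# Constructed sample files modelled on the configs posted in the thread.
write_samples() {
    cat > "$1/fw" <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'
        list network 'wan'
config forwarding
        option src 'lan'
        option dest 'wan'
EOF
    cat > "$1/net_broken" <<'EOF'
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
config interface 'lan2'
        option device 'eth1'
        option proto 'static'
~
EOF
    sed -e "s/'lan2'/'lan'/" -e '/^~$/d' "$1/net_broken" > "$1/net_ok"
}
d=$(mktemp -d) && write_samples "$d"
audit_uci "$d/net_broken" "$d/fw"   # SYNTAX <file>:7, then UNZONED lan2
audit_uci "$d/net_ok" "$d/fw"       # no findings
rm -rf "$d"
```

Pointed at a router's own files, the call would be `audit_uci /etc/config/network /etc/config/firewall`; an empty result means none of the four conditions was found, not that the ruleset is otherwise sound.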
