I can't seem to get multiple VLANs with multiple subnets and DHCP all working together for the life of me

Can you folks help me set up multiple VLANs?

I have tried studying and doing this on my own, and with every possible config I try, I run into some combination of these 3 issues:

  1. Only the primary LAN that works out of the box works, regardless of what config I do
  2. No DHCP assignments on anything (or at least anything other than br-lan, and nothing if I turn that off), even though DHCP is on
  3. Just no IP at all on any of them, even when I set it statically on my PC

System

Model D-Link AQUILA PRO AI M30 A1

Firmware Version OpenWrt 24.10.0 r28427-6df0e3d02a

The device is currently in default config after I recently bricked and reset it again.

Setup is as follows:

I have an ISP WAN with IPoE static IP config

I want to set up the DHCP server on OpenWrt with multiple IP ranges to be given out based on VLAN

First VLAN - Primary:

LAN port 1

LAN port 2 (will be shared between vlans, connected to the switch)

Can initiate traffic to the second VLAN, discover services in the second VLAN, etc.

Full internet/WAN access

DHCP: IPs in range 10.148.221.1 - 10.148.222.255

LuCI and router SSH access only in this VLAN

Second VLAN - IoT:

LAN port 2 (will be shared between vlans, connected to the switch)

LAN port 3

Devices cannot see or talk to each other in the same VLAN

Devices need to be accessible from the first VLAN, but devices in this VLAN cannot see or access other VLANs

DHCP: IPs in range 10.148.225.1 - 10.148.225.255

No LuCI or router SSH access

Third VLAN - VPN

LAN Port 4

Devices cannot communicate with any other VLAN, and all clients in this VLAN should be connected directly through the VPN connection

I have a wg VPN conf file

DHCP: IPs in range 10.148.229.1 - 10.148.229.255

No LuCI or router SSH access

I have tried asking AI as well (like ChatGPT) and it seems to give me the same config I created, and I can't seem to figure this out (I swear I've done this a few years ago, but I can't seem to get it now)

What I tried is setting up VLAN devices, then bridge devices bridging to those VLAN devices, then created interfaces with type static IP, gave the first IP x.x.x.1 in each VLAN above to the relevant interface, added the bridge device, started DHCP: nothing works.

DHCP literally doesn't work if I change ANYTHING at all in anything, except maybe the first IP in the static conf for the br-lan interface

Especially if I have any subnet mask other than 255.255.255.0, nothing works

I can't seem to understand how dnsmasq settings are laid out in LuCI as well, for subnets

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here you go:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "D-Link AQUILA PRO AI M30 A1",
        "board_name": "dlink,aquila-pro-ai-m30-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

root@OpenWrt:~# cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:60fb:8b15::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'none'
        option disabled '1'

config interface 'wan'
        option device 'internet'
        option proto 'static'
		#######<REDACTED>#####

config interface 'wan6'
        option device 'internet'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan4'

config interface 'vlan1'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '10.148.221.1'
        option netmask '255.255.255.0'

config interface 'vlan2'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '10.148.225.1'
        option netmask '255.255.255.0'

config interface 'vlan3'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '10.148.229.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless


config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Primary_2.4'
        option encryption 'psk2'
        option key '<REDACTED>'
        option network 'vlan1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'psk2'
        option key '<REDACTED>'
        option network 'vlan2'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Primary'
        option encryption 'sae'
        option key '<REDACTED>'
        option ocv '0'
        option network 'vlan1'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'VPN-wifi'
        option encryption 'sae'
        option key '<REDACTED>'
        option ocv '0'
        option network 'vlan3'

root@OpenWrt:~# cat /etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan1'
        option interface 'vlan1'
        option start '1'
        option limit '254'
        option leasetime '12h'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '1'
        option limit '250'
        option leasetime '12h'

config dhcp 'vlan3'
        option interface 'vlan3'
        option start '1'
        option limit '250'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vlan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan1'

config zone
        option name 'vlan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan2'

config zone
        option name 'vlan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan3'

Currently, DHCP auto assignments are not working.
And if I change the primary subnet mask to 255.255.254.0, then no ports work at all; it becomes a brick until the config auto-reverts or I soft reset.

Remove this since it is not being used:

Your DHCP configs are invalid because the router's address is inside the DHCP pool. Change them so that they look like this:

config dhcp 'vlan1'
        option interface 'vlan1'
        option start '2'
        option limit '253'
        option leasetime '12h'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '2'
        option limit '250'
        option leasetime '12h'

config dhcp 'vlan3'
        option interface 'vlan3'
        option start '2'
        option limit '250'
        option leasetime '12h'

Reboot and try again.

Why don't you start with your dhcp vlan config by copying the dhcp lan stanza and just changing the names?
Your mistake is that you start your pool on the first address of the subnet, but this is already assigned to the vlan interface.
Second, please recalculate your limits.
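The two replies above make the same point: in an OpenWrt `config dhcp` stanza, `start` is an offset from the network address and `limit` is the number of addresses, so a pool that starts at offset 1 covers the router's own x.x.x.1. The following script is an added example, not code from the thread or from OpenWrt; it reproduces that pool arithmetic in plain shell so a stanza can be checked before it is committed. The interface addresses, masks and pool values fed to it are the ones posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an OpenWrt "config dhcp"
# stanza against the interface it serves. OpenWrt hands dnsmasq a range of
# net+start .. net+start+limit-1, where net is the interface's network address.

ip2int() {  # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# pool_range IPADDR NETMASK START LIMIT -> "first-last" of the resulting pool
pool_range() {
  net=$(( $(ip2int "$1") & $(ip2int "$2") ))
  echo "$(int2ip $(( net + $3 )))-$(int2ip $(( net + $3 + $4 - 1 )))"
}

# check_pool IPADDR NETMASK START LIMIT -> prints findings; exit 1 if any problem
check_pool() {
  ip=$(ip2int "$1"); mask=$(ip2int "$2"); start=$3; limit=$4
  net=$(( ip & mask ))
  bcast=$(( net | (~mask & 0xFFFFFFFF) ))
  router_off=$(( ip - net ))              # router's host offset inside the subnet
  first=$start; last=$(( start + limit - 1 ))
  bad=0
  echo "interface $1/$2: network $(int2ip $net), broadcast $(int2ip $bcast), router offset $router_off"
  echo "pool: $(pool_range "$1" "$2" "$start" "$limit") ($limit addresses)"
  if [ "$router_off" -ge "$first" ] && [ "$router_off" -le "$last" ]; then
    echo "  PROBLEM: router address $1 is inside the pool"; bad=1
  fi
  if [ "$first" -lt 1 ]; then
    echo "  PROBLEM: start must be >= 1 (offset 0 is the network address)"; bad=1
  fi
  if [ $(( net + last )) -ge "$bcast" ]; then
    echo "  PROBLEM: pool reaches the broadcast address"; bad=1
  fi
  [ "$bad" -eq 0 ] && echo "  OK"
  return $bad
}

# The posted vlan1 stanza (start 1, limit 254), then the corrected one (start 2, limit 253).
check_pool 10.148.221.1 255.255.255.0 1 254 || true
check_pool 10.148.221.1 255.255.255.0 2 253
# The /23 the original poster wanted: the router is no longer the first host.
check_pool 10.148.221.1 255.255.254.0 2 253
```

With `255.255.254.0` the script shows why the /23 attempt behaved differently: the network address of 10.148.221.1/23 is 10.148.220.0, so the router sits at host offset 257 and a `start 2` pool hands out 10.148.220.2 to 10.148.220.254, none of which are in the 10.148.221.x range the poster expected. A /23 cannot span 10.148.221.0 and 10.148.222.0 at all, since 10.148.220.0/23 covers .220 and .221 while 10.148.222.0/23 covers .222 and .223.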

I figured out that DHCP was also being blocked if I set input to reject, because the devices couldn't talk to the router IP for DHCP.

Now I get DHCP properly in the right VLAN range depending on which LAN port or Wi-Fi network I connect to.
However, there still seems to be no filtering between VLANs.
Devices in VLANs 2 and 3 are able to access services on IPs on all VLANs, including VLAN 1 IPs. There seems to be no separation, which is the entire point of using VLANs for me.

root@AQUILA:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "AQUILA",
        "system": "ARMv8 Processor rev 4",
        "model": "D-Link AQUILA PRO AI M30 A1",
        "board_name": "dlink,aquila-pro-ai-m30-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

root@AQUILA:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:60fb:8b15::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'wan'
        option device 'internet'
        option proto 'static'
        option ipaddr '<redacted>'
        option netmask '<redacted>'
        option gateway '<redacted>'
        list dns '<redacted>'
        list dns '<redacted>'

config interface 'wan6'
        option device 'internet'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option reqprefix 'no'
        option norelease '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan4'

config interface 'vlan1'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '10.148.221.1'
        option netmask '255.255.255.0'

config interface 'vlan2'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '10.148.225.1'
        option netmask '255.255.255.0'

config interface 'vlan3'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '10.148.229.1'
        option netmask '255.255.255.0'

root@AQUILA:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option cell_density '0'
        option country 'US'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid '<redacted>'
        option encryption 'psk2'
        option key '<redacted>'
        option network 'vlan1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '<redacted>'
        option encryption 'psk2'
        option key '<redacted>'
        option network 'vlan2'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '<redacted>'
        option encryption 'sae-mixed'
        option key '<redacted>'
        option ocv '0'
        option network 'vlan1'

root@AQUILA:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan1'
        option interface 'vlan1'
        option start '2'
        option limit '253'
        option leasetime '12h'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '2'
        option limit '253'
        option leasetime '12h'
        option force '1'

config dhcp 'vlan3'
        option interface 'vlan3'
        option start '2'
        option limit '253'
        option leasetime '12h'

root@AQUILA:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'vlan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan1'

config zone
        option name 'vlan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan2'

config zone
        option name 'vlan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan3'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'DISAllow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'DROP'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config forwarding
        option src 'vlan1'
        option dest 'wan'

config forwarding
        option src 'vlan1'
        option dest 'vlan2'

config forwarding
        option src 'vlan2'
        option dest 'wan'

config forwarding
        option src 'vlan3'
        option dest 'wan'

How exactly are you testing? What host(s) are you probing?

Your firewall looks fine with respect to isolating the VLANs from each other (VLAN 1 can connect to VLAN 2, but not the other way around; VLAN 3 is on its own; all can reach the internet).

Keep in mind that if you are testing with the router itself as the target, your input rule (ACCEPT) means that the router will accept those connections.

The router has 3 local addresses (plus the wan). Input allows access to the router, and the router will respond to any of its interface addresses. That is to say that a host on VLAN 3 (10.148.229.0/24) can reach the router at 10.148.225.1, 10.148.221.1, and 10.148.229.1. This is not inter-VLAN routing... this is the local accept rule.

If you want to be able to limit a VLAN's ability to connect to the router itself, set that input rule to REJECT and then create rules for the specific services that are allowed (usually DHCP and DNS).

If you're actually testing between two hosts (other than the router) and able to get connections, please describe.
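The reply above reasons about the posted firewall in two separate terms: `config forwarding` stanzas decide which zone may initiate connections into which other zone, and each zone's `input` policy decides what its hosts may do to the router's own addresses, on any VLAN. The script below is an added example, not code from the thread or from OpenWrt; it parses UCI firewall text and prints that reachability matrix so the stated policy can be read off directly. The embedded `FIREWALL_SAMPLE` is a constructed copy of the zones and forwardings the poster showed, with the WAN rules trimmed; `uci_flatten`, `zone_input`, `forward_allowed` and `reachability_matrix` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt /etc/config/firewall.
# Traffic between zones passes only where a "config forwarding" src->dest exists;
# a zone's "input" policy governs connections to the router itself.

# Constructed sample: the zones and forwardings from the posted config, rules trimmed.
FIREWALL_SAMPLE="
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'vlan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan1'

config zone
        option name 'vlan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan2'

config zone
        option name 'vlan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan3'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'

config forwarding
        option src 'vlan1'
        option dest 'wan'

config forwarding
        option src 'vlan1'
        option dest 'vlan2'

config forwarding
        option src 'vlan2'
        option dest 'wan'

config forwarding
        option src 'vlan3'
        option dest 'wan'
"

# Flatten UCI text into "section-number type key value" lines, quotes stripped.
uci_flatten() {
  tr -d "'" | awk '
    $1 == "config"                   { n++; type = $2; next }
    $1 == "option" || $1 == "list"   { print n, type, $2, $3 }'
}

# zone_input NAME -> prints the zone's input policy (access to the router's own addresses)
zone_input() {
  printf '%s\n' "$FIREWALL_SAMPLE" | uci_flatten | awk -v z="$1" '
    $2 == "zone" && $3 == "name"  { name[$1] = $4 }
    $2 == "zone" && $3 == "input" { inp[$1]  = $4 }
    END { for (s in name) if (name[s] == z) print inp[s] }'
}

# forward_allowed SRC DST -> exit 0 if a forwarding SRC->DST exists, 1 otherwise
forward_allowed() {
  printf '%s\n' "$FIREWALL_SAMPLE" | uci_flatten | awk -v s="$1" -v d="$2" '
    $2 == "forwarding" && $3 == "src"  { src[$1] = $4 }
    $2 == "forwarding" && $3 == "dest" { dst[$1] = $4 }
    END { ok = 0; for (i in src) if (src[i] == s && dst[i] == d) ok = 1; exit (ok ? 0 : 1) }'
}

# reachability_matrix -> one line per VLAN zone: router access and which zones it may initiate to
reachability_matrix() {
  for s in vlan1 vlan2 vlan3; do
    line="$s -> router:$(zone_input "$s")"
    for d in vlan1 vlan2 vlan3 wan; do
      [ "$s" = "$d" ] && continue
      if forward_allowed "$s" "$d"; then line="$line $d:yes"; else line="$line $d:no"; fi
    done
    echo "$line"
  done
}

reachability_matrix
```

On the router itself, replace the sample with `FIREWALL_SAMPLE=$(cat /etc/config/firewall)`; for the posted config the matrix reads `vlan1 -> router:ACCEPT vlan2:yes vlan3:no wan:yes`, `vlan2 -> router:ACCEPT vlan1:no vlan3:no wan:yes` and `vlan3 -> router:ACCEPT vlan1:no vlan2:no wan:yes`, which is exactly the isolation the reply describes. Two things the matrix cannot show: a `router:ACCEPT` entry means hosts in that zone reach every one of the router's addresses, not just their own gateway, which is what the reply's `input REJECT` plus explicit accept rules for DHCP (UDP 67) and DNS (UDP and TCP 53) would close; and hosts inside one bridge VLAN exchange frames through the switch without ever crossing the firewall, so "devices cannot talk to each other in the same VLAN" is a client-isolation setting, not a forwarding rule.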

Also set arp_filter to 1

@psherman

I am testing between two hosts on different VLANs

For testing purposes, I connected my laptop to VLAN 1 and my phone to VLAN 2.
I put a simple HTTP server on both that just displays some text in a web browser.

I went to my laptop and entered the phone's VLAN 2 IP, 10.148.225.123, and I could see the page (expected behavior)

I went to my phone and entered the laptop's VLAN 1 IP, 10.148.221.45, and I could see the page served by the PC (unwanted behavior)

I can also connect to any of the router's IPs from any VLAN, according to the local accept rule, which at this point I do expect, like you said, so I am not bothered about that. I will set up a deny rule for that later in the firewall, or set it to reject and put in an allow rule. This part is fine for now.

This seems to work.
I am going to run some more tests and come back.


See I can't seem to get multiple VLANs with multiple subnets and DHCP all working together for the life of me - #9 by _bernd

In enterprise networks, VLAN 1 is usually avoided because you will find lots of buggy treatment of VLAN 1.

Or your firewall rules are wrong.

I followed your advice to set the ARP filter value.
I have set it temporarily.
If it does what we expect, I will put it in the config.

Will let you know how it goes, thank you :)