Linksys MX4300 networking: VLAN not working

Hello Team, I've configured a Linksys MX4300 with OpenWrt 24.10.1 r28597-0425664679 / LuCI openwrt-24.10 branch 25.133.85963~b1383cc. The plan is to use it as a dumb AP, so I'm trying to create 3 VLANs, but I cannot make it work: clients on my IoT and Guest wireless networks don't obtain an IP address from DHCP. Would you please be so kind as to guide me on what else I should configure to make it work?
This is my network config file

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:xxxx:xx1::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '80:69:1a:xx:xx:x9'

config device
	option name 'lan2'
	option macaddr '80:69:1a:xx:xx:x9'

config device
	option name 'lan3'
	option macaddr '80:69:1a:xx:xx:x9'

config interface 'lan'
	option device 'br-lan.9'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'dhcp'
	option device 'br-lan.4'
	option hostname 'MX4300-guest'

config device 'iot_dev'
	option type 'bridge'
	option name 'br-iot'

config interface 'iot'
	option proto 'dhcp'
	option device 'br-lan.3'
	option hostname 'MX4300.IoT'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan1:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan1:t'
	list ports 'lan3:u*'
	list ports 'wan:t'

and this is my wireless config

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'MyWifi'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option ocv '0'
	option ieee80211r '1'
	option mobility_domain 'fedc'
	option ft_over_ds '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE40'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'MyWifi'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option ocv '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+2'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'MyWifi'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option ocv '0'

config wifi-iface 'guest0'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option isolate '1'
	option ocv '0'

config wifi-iface 'guest1'
	option device 'radio1'
	option mode 'ap'
	option network 'guest'
	option ssid 'MyGuest'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option isolate '1'
	option ocv '0'

config wifi-iface 'iot'
	option device 'radio1'
	option mode 'ap'
	option network 'iot'
	option ssid 'Myiot'
	option encryption 'psk2+ccmp'
	option key 'MyPassword'
	option isolate '1'

What port is connected to upstream?

Assuming it is wan you need to set wan to be tagged for all vlans

Yes, that is correct, it is wan.


Changing from Untagged on Vlan.9 to Tagged

Any change?

I'm assuming you have confirmed that the upstream device is properly handling VLANs? If it is also running OpenWrt, please post its config as well.

No change
This is the configuration of the upstream device
network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd06:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '14:91:82:95:xx:xx'

config device
	option name 'lan2'
	option macaddr '14:91:82:95:xx:xx'

config device
	option name 'lan3'
	option macaddr '14:91:82:95:xx:xx'

config device
	option name 'lan4'
	option macaddr '14:91:82:95:xx:xx'

config interface 'lan'
	option device 'br-lan.9'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.4'
	list ipaddr '192.168.3.1/24'

config device 'iot_dev'
	option type 'bridge'
	option name 'br-iot'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:t'
	list ports 'lan4:t'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'MyWifi'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option ocv '0'
	option ieee80211r '1'
	option mobility_domain 'fedc'
	option ft_over_ds '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option channel 'auto'
	option htmode 'HT40'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'MyWifi'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option ocv '0'

config wifi-iface 'guest0'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Myguest'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option isolate '1'
	option ocv '0'

config wifi-iface 'guest1'
	option device 'radio1'
	option mode 'ap'
	option network 'guest'
	option ssid 'Myguest'
	option encryption 'sae-mixed'
	option key 'MyPassword'
	option isolate '1'

config wifi-iface 'iot'
	option device 'radio1'
	option mode 'ap'
	option network 'iot'
	option ssid 'my-iot'
	option encryption 'psk2'
	option key 'MyPassword'
	option isolate '1'

Do you have DHCP enabled?

On the upstream, yes, this is the config


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '24h'

Delete this:

Make your guest network unmanaged:

config interface 'guest'
	option proto 'none'
	option device 'br-lan.4'

Delete this:

Make the iot network unmanaged:

config interface 'iot'
	option proto 'none'
	option device 'br-lan.3'

Remove all 802.11r-related items and the ocv line (so the last 4 lines), and use WPA3 or WPA2, not mixed mode.

Same deal here:

And here:

Also remove 802.11r from your other device, and fix it to use WPA3 or WPA2.

Reboot and test again.

Made all the changes that you suggested on the dumb AP and the same result


Making the same changes on the upstream device, I'll let you know how it goes

Changes Applied, no luck, same result

Is there anything between the two devices or are they directly connected?

Let's review both devices, complete configs as they are now configured:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

There is nothing between the devices; they are connected directly via an Ethernet cable from the WAN port on the MX4300 to LAN 1 on the EA8500.
EA8500 config, this is the default gateway

root@EA8500:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "EA8500",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Linksys EA8500 WiFi Router",
        "board_name": "linksys,ea8500",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ipq806x/generic",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@EA8500:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd06:xxxx:xxxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '14:91:82:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr '14:91:82:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr '14:91:82:xx:xx:xx'

config device
        option name 'lan4'
        option macaddr '14:91:82:xx:xx:xx'

config interface 'lan'
        option device 'br-lan.9'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.4'
        list ipaddr '192.168.3.1/24'

config device 'iot_dev'
        option type 'bridge'
        option name 'br-iot'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'lan4:t'

root@EA8500:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '5g'
        option channel 'auto'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'MyWifi'
        option encryption 'psk2'
        option key 'xx:xx:xx'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '2g'
        option channel 'auto'
        option htmode 'HT40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MyWifi'
        option encryption 'psk2'
        option key 'xx:xx:xx'

config wifi-iface 'guest0'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'psk2'
        option key 'xx:xx:xx'
        option isolate '1'

config wifi-iface 'guest1'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'psk2'
        option key 'xx:xx:xx'
        option isolate '1'

config wifi-iface 'iot'
        option device 'radio1'
        option mode 'ap'
        option network 'iot'
        option ssid 'my-iot'
        option encryption 'psk2'
        option key 'xx:xx:xx'
        option isolate '1'
root@EA8500:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '24h'

root@EA8500:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config zone 'iot'
        option name 'iot'
        option network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'iot_wan'
        option src 'iot'
        option dest 'wan'

config rule 'iot_dns'
        option name 'Allow-DNS-IoT'
        option src 'iot'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'iot_dhcp'
        option name 'Allow-DHCP-IoT'
        option src 'iot'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding 'lan_iot'
        option src 'lan'
        option dest 'iot'

config rule
        option src 'iot'
        option dest 'lan'
        option name 'Allow-Rsync-Mac-IoT'
        list proto 'tcp'
        list src_ip '192.168.4.123'
        list dest_ip '192.168.2.10'
        option target 'ACCEPT'
        option dest_port '873'

config rule
        option src 'iot'
        option dest 'lan'
        option name 'Allow-SSH-Mac-IoT'
        list proto 'tcp'
        list src_ip '192.168.4.123'
        list dest_ip '192.168.2.10'
        option target 'ACCEPT'
        option dest_port '22'

MX4300, this is the dumb AP

root@MX4300:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "MX4300",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys MX4300",
        "board_name": "linksys,mx4300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@MX4300:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:78b7:161::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config device
        option name 'lan1'
        option macaddr '80:69:1a:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr '80:69:1a:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr '80:69:1a:xx:xx:xx'

config interface 'lan'
        option device 'br-lan.9'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'

config interface 'guest'
        option proto 'none'
        option device 'br-lan.4'
        option hostname 'MX4300-guest'

config interface 'iot'
        option proto 'none'
        option device 'br-lan.3'
        option hostname 'MX4300.IoT'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'lan1:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'
        list ports 'lan3:u*'
        list ports 'wan:t'

root@MX4300:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'MyWifi'
        option encryption 'psk2'
        option key 'xx:xx:xx'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+1'
        option band '2g'
        option channel '1'
        option htmode 'HE40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MyWifi'
        option encryption 'psk2'
        option key 'xx:xx:xx'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+2'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'MyWifi'
        option encryption 'psk2'
        option key 'xx:xx:xx'

config wifi-iface 'guest0'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'psk2'
        option key 'xx:xx:xx'
        option isolate '1'

config wifi-iface 'guest1'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'psk2'
        option key 'xx:xx:xx'
        option isolate '1'

config wifi-iface 'iot'
        option device 'radio1'
        option mode 'ap'
        option network 'iot'
        option ssid 'iot'
        option encryption 'psk2+ccmp'
        option key 'xx:xx:xx'
        option isolate '1'

root@MX4300:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@MX4300:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

This is your problem: port lan1 on the EA8500 only carries the lan network (VLAN 9), untagged, with no tagged networks.

Ports lan3 and lan4 have all 3 networks (all tagged). So update your MX4300 to expect VLAN 9 tagged on the wan port. Then move the cable from lan1 on your EA8500 to lan4.

Aside from that... (not related, but also for good config hygiene), delete this:

and this:

As per your guidance, I've updated MX4300 wan VLAN config to expect all VLANs Tagged on Wan Port


I've updated the config on the EA8500 so that lan1 has all 3 networks (all tagged).

Also removed the guest and iot devices
rebooted both routers/AP
unfortunately no changes

Did you change the physical port on the EA8500 to port lan3 or lan4?

No, I just adjusted lan1 to have all 3 networks tagged. I'll change it to lan3 and report back.

it's working!!!, thank you all for your kind help!!!
