Multiple routes between main-router and AP; no replies from outside

I have a main-router without WIFI and an AP. The two are connected using LAN and two VLANs, each of them using its own network. When I ping the main-router from the AP it looks like it is using one of the connections at random:

root@ap:~# ping main-router
PING main-router (192.168.22.1): 56 data bytes
64 bytes from 192.168.22.1: seq=0 ttl=64 time=0.636 ms
^C
root@ap:~# ping main-router
PING main-router (192.168.33.1): 56 data bytes
64 bytes from 192.168.33.1: seq=0 ttl=64 time=0.782 ms
^C
root@ap:~# ping main-router
PING main-router (192.168.44.1): 56 data bytes
64 bytes from 192.168.44.1: seq=0 ttl=64 time=0.865 ms
[...]

As long as I do no firewalling, this might even work for my internal network.

The main-router is doing NAT on eth0 (wan). After this there is the provider's router doing its own NAT.

root@main-router:~# ip r
default via 192.168.0.1 dev eth0 src 192.168.0.150
192.168.0.0/24 dev eth0 scope link src 192.168.0.150
192.168.22.0/24 dev br-lan scope link src 192.168.22.1
192.168.33.0/24 dev br-iot scope link src 192.168.33.1
192.168.44.0/24 dev br-guest scope link src 192.168.44.1
root@ap:~# ip r
default via 192.168.44.1 dev br-guest src 192.168.44.101
192.168.22.0/24 dev br-lan scope link src 192.168.22.101
192.168.33.0/24 dev br-iot scope link src 192.168.33.101
192.168.44.0/24 dev br-guest scope link src 192.168.44.101

When I start to ping an external address, it works on the main-router:

root@main-router:~# ping example.com
PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: seq=0 ttl=54 time=113.987 ms

On the AP it will not work at all:

root@ap:~# ping example.com
PING example.com (93.184.216.34): 56 data bytes
^C
--- example.com ping statistics ---
15 packets transmitted, 0 packets received, 100% packet loss

I suspect it has to do with the routing, as tcpdump (on the main-router) is showing me in wireshark:

No. Time Source Destination Protocol Length Info
11 0.002284 192.168.44.101 192.168.44.1 ICMP 131 Destination unreachable (Port unreachable)
12 0.002448 192.168.44.101 93.184.216.34 ICMP 102 Echo (ping) request id=0x100c, seq=0/0, ttl=64 (no response found!)
13 0.002720 192.168.44.1 192.168.44.101 ICMP 130 Destination unreachable (Port unreachable)
14 0.002856 192.168.33.1 192.168.33.101 DNS 91 Standard query response 0x5bcb A example.com A 93.184.216.34
15 0.003175 192.168.33.101 192.168.33.1 ICMP 119 Destination unreachable (Port unreachable)
16 0.003465 192.168.33.1 192.168.33.101 DNS 103 Standard query response 0x6bd4 AAAA example.com AAAA 2606:2800:220:1:248:1893:25c8:1946
17 0.003778 192.168.33.101 192.168.33.1 ICMP 131 Destination unreachable (Port unreachable)
18 1.005794 192.168.44.101 93.184.216.34 ICMP 102 Echo (ping) request id=0x100c, seq=1/256, ttl=64 (no response found!)
19 1.006153 192.168.44.1 192.168.44.101 ICMP 130 Destination unreachable (Port unreachable)

traceroute is strange, too:

root@ap:~# traceroute example.com
traceroute to example.com (93.184.216.34), 30 hops max, 38 byte packets
1 main-router.mydomain (192.168.44.1) 0.777 ms 0.799 ms 0.763 ms
2 main-router.mydomain (192.168.44.1) 0.676 ms 0.817 ms 0.796 ms
root@ap:~#

Clients connected to the AP on a certain network work fine (can ping and connect to the outside world).

I can't even get a grip on what my issue exactly is...
The only significant fact is: my AP can not reach the internet (or, more specifically, can not get a reply from outside).

Do you have any tips, ideas or questions about the setup?

A device in AP mode works just as a bridge, so it does not have routing.


I am starting to think that the always different routes from the AP to the main-router are caused by the nameservers. I got one on each interface, serving its own domain.

root@main-router:~# cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface wan
nameserver 192.168.0.1

All three interfaces on the AP get their nameservers by DHCP from the main-router.

root@ap-eg:~# cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface guest
nameserver 192.168.44.1
search guest.mydomain
# Interface iot
nameserver 192.168.33.1
search iot.mydomain
# Interface lan
nameserver 192.168.22.1
search mydomain

I wonder how to tell the resolver to prefer 192.168.22.1, preferably using DHCP (without static configuration on the AP).

There are three bridges on my AP. The main-router is routing the three networks to the three bridges.

This is a dumb AP, so you need to configure IP settings on only one interface - for management and Internet access of the AP itself.

Set the protocol of the guest and iot interfaces to Unmanaged/none.


I saw some examples do that. I will try...

Setting proto to none for iot and guest did indeed fix the problems described. The AP can connect to the outside world, now. Yet now both interfaces don't get an IP address anymore.

I would like the main-router to firewall and separate the lan, iot and guest networks. Can you give me a hint on how I am supposed to set this up?

Well, a client connected to guest can still connect to the outside world.

This feels like magic ATM.

It maybe was an error in my tests. Connecting from the guest network does not work at all. I can ping the router. But the router can't send any reply.

The main-router can also not ping the client connected to the guest network.

Meaning what? One cable and tagged VLANs? Three separate cables?

Post the output of the following commands redacting the SSIDs, MACs and passwords.

AP

uci show network; uci show wireless; brctl show

Router

uci show network; uci show dhcp; uci show firewall

Currently, my setup looks a lot like https://openwrt.org/docs/guide-user/network/vlan/switch_configuration#assigning_vlan_ids_using_dsa_on_devices_with_one_physical_port

PS/2 This configuration assumes another device providing DHCP servers per network segment (on the untagged LAN, and on the tagged VLAN 2 & 3 on the same link) and was tested on a Unifi nanoHD.

As far as I understand, I am providing DHCP servers per network segment from my main-router.

root@main-router:~# grep -E "config dhcp|option interface|option instance|config dnsmasq|option domain|list interface" /etc/config/dhcp
config dhcp 'wan'
	option interface 'wan'
config dnsmasq 'lan_dns'
	option domain 'mydomain'
	option domainneeded '1'
	list interface 'lan'
config dhcp 'lan'
	option interface 'lan'
	option instance 'lan_dns'
config dnsmasq 'iot_dns'
	option domain 'iot.mydomain'
	option domainneeded '1'
	list interface 'iot'
config dhcp 'iot'
	option interface 'iot'
	option instance 'iot_dns'
config dnsmasq 'guest_dns'
	option domain 'guest.mydomain'
	option domainneeded '1'
	list interface 'guest'
config dhcp 'guest'
	option interface 'guest'
	option instance 'guest_dns'

Yet my br-iot and br-guest do not get IP addresses assigned...

If these interfaces belong to the AP, they do not need IP addresses.
If everything else is fine, the traffic from iot and guest networks will be L2 forwarded to the main router.

So you are saying there indeed is magic involved? :stuck_out_tongue:

Here you go

root@ap-eg:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fd51:47c1:8e58::/48'
network.lan=interface
network.lan.proto='dhcp'
network.lan.device='br-lan'
network.iot=interface
network.iot.device='br-iot'
network.iot.proto='none'
network.guest=interface
network.guest.device='br-guest'
network.guest.proto='none'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan'
network.@device[1]=device
network.@device[1].name='br-iot'
network.@device[1].type='bridge'
network.@device[1].ports='lan.33'
network.@device[2]=device
network.@device[2].name='br-guest'
network.@device[2].type='bridge'
network.@device[2].ports='lan.44'
root@ap-eg:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio0.channel='8'
wireless.radio0.band='2g'
wireless.radio0.cell_density='0'
wireless.radio0.country='DE'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='<redacted>'
wireless.default_radio0.encryption='sae-mixed'
wireless.default_radio0.key='<redacted>'
wireless.default_radio0.wpa_disable_eapol_key_retries='1'
wireless.wifinet0=wifi-iface
wireless.wifinet0.device='radio0'
wireless.wifinet0.network='iot'
wireless.wifinet0.mode='ap'
wireless.wifinet0.ssid='<redacted>'
wireless.wifinet0.encryption='sae-mixed'
wireless.wifinet0.key='<redacted>'
wireless.wifinet0.wpa_disable_eapol_key_retries='1'
wireless.wifinet1=wifi-iface
wireless.wifinet1.device='radio0'
wireless.wifinet1.network='guest'
wireless.wifinet1.mode='ap'
wireless.wifinet1.ssid='<redacted>'
wireless.wifinet1.encryption='sae-mixed'
wireless.wifinet1.key='<redacted>'
wireless.wifinet1.wpa_disable_eapol_key_retries='1'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio1.channel='124'
wireless.radio1.band='5g'
wireless.radio1.htmode='HE80'
wireless.radio1.cell_density='0'
wireless.radio1.country='DE'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='<redacted>'
wireless.default_radio1.encryption='sae-mixed'
wireless.default_radio1.key='<redacted>'
wireless.default_radio1.wpa_disable_eapol_key_retries='1'
wireless.wifinet2=wifi-iface
wireless.wifinet2.device='radio1'
wireless.wifinet2.network='iot'
wireless.wifinet2.mode='ap'
wireless.wifinet2.ssid='<redacted>'
wireless.wifinet2.encryption='sae-mixed'
wireless.wifinet2.key='<redacted>'
wireless.wifinet2.wpa_disable_eapol_key_retries='1'
wireless.wifinet3=wifi-iface
wireless.wifinet3.device='radio1'
wireless.wifinet3.network='guest'
wireless.wifinet3.mode='ap'
wireless.wifinet3.ssid='<redacted>'
wireless.wifinet3.encryption='sae-mixed'
wireless.wifinet3.key='<redacted>'
wireless.wifinet3.wpa_disable_eapol_key_retries='1'
root@ap-eg:~# brctl show
bridge name bridge id STP enabled interfaces
br-guest 7fff.7845584df3b4 no lan.44
                              wlan1-2
                              wlan0-2
br-lan 7fff.7845584df3b4 no lan
                            wlan0
                            wlan1
br-iot 7fff.7845584df3b4 no wlan0-1
                            lan.33
                            wlan1-1
root@main-router:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdcc:7ee7:366e::/48'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.lan=interface
network.lan.proto='static'
network.lan.ipaddr='192.168.22.1'
network.lan.netmask='255.255.255.0'
network.lan.device='br-lan'
network.iot=interface
network.iot.proto='static'
network.iot.ipaddr='192.168.33.1'
network.iot.netmask='255.255.255.0'
network.iot.device='br-iot'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='192.168.44.1'
network.guest.netmask='255.255.255.0'
network.guest.device='br-guest'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.@device[1]=device
network.@device[1].name='br-iot'
network.@device[1].type='bridge'
network.@device[1].ports='eth1.33'
network.@device[2]=device
network.@device[2].name='br-guest'
network.@device[2].type='bridge'
network.@device[2].ports='eth1.44'
root@main-router:~# uci show dhcp
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.lan_dns=dnsmasq
dhcp.lan_dns.domain='mydomain'
dhcp.lan_dns.domainneeded='1'
dhcp.lan_dns.boguspriv='1'
dhcp.lan_dns.filterwin2k='0'
dhcp.lan_dns.localise_queries='1'
dhcp.lan_dns.rebind_protection='1'
dhcp.lan_dns.rebind_localhost='1'
dhcp.lan_dns.local='/mydomain/'
dhcp.lan_dns.expandhosts='1'
dhcp.lan_dns.nonegcache='0'
dhcp.lan_dns.authoritative='1'
dhcp.lan_dns.readethers='1'
dhcp.lan_dns.leasefile='/tmp/dhcp.lan.leases'
dhcp.lan_dns.nonwildcard='1'
dhcp.lan_dns.localservice='1'
dhcp.lan_dns.ednspacket_max='1232'
dhcp.lan_dns.interface='lan'
dhcp.lan_dns.resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.lan_dns.logqueries='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='150'
dhcp.lan.limit='100'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.instance='lan_dns'
dhcp.iot_dns=dnsmasq
dhcp.iot_dns.domain='iot.mydomain'
dhcp.iot_dns.domainneeded='1'
dhcp.iot_dns.boguspriv='1'
dhcp.iot_dns.filterwin2k='0'
dhcp.iot_dns.localise_queries='1'
dhcp.iot_dns.rebind_protection='1'
dhcp.iot_dns.rebind_localhost='1'
dhcp.iot_dns.local='/iot.mydomain/'
dhcp.iot_dns.expandhosts='1'
dhcp.iot_dns.nonegcache='0'
dhcp.iot_dns.authoritative='1'
dhcp.iot_dns.readethers='1'
dhcp.iot_dns.leasefile='/tmp/dhcp.iot.leases'
dhcp.iot_dns.nonwildcard='1'
dhcp.iot_dns.localservice='1'
dhcp.iot_dns.ednspacket_max='1232'
dhcp.iot_dns.interface='iot'
dhcp.iot_dns.resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.iot_dns.logqueries='0'
dhcp.iot=dhcp
dhcp.iot.interface='iot'
dhcp.iot.instance='iot_dns'
dhcp.iot.start='150'
dhcp.iot.limit='100'
dhcp.iot.leasetime='12h'
dhcp.iot.dhcpv4='server'
dhcp.guest_dns=dnsmasq
dhcp.guest_dns.domain='guest.mydomain'
dhcp.guest_dns.domainneeded='1'
dhcp.guest_dns.boguspriv='1'
dhcp.guest_dns.filterwin2k='0'
dhcp.guest_dns.localise_queries='1'
dhcp.guest_dns.rebind_protection='1'
dhcp.guest_dns.rebind_localhost='1'
dhcp.guest_dns.local='/guest.mydomain/'
dhcp.guest_dns.expandhosts='1'
dhcp.guest_dns.nonegcache='0'
dhcp.guest_dns.authoritative='1'
dhcp.guest_dns.readethers='1'
dhcp.guest_dns.leasefile='/tmp/dhcp.guest.leases'
dhcp.guest_dns.nonwildcard='1'
dhcp.guest_dns.localservice='1'
dhcp.guest_dns.ednspacket_max='1232'
dhcp.guest_dns.interface='guest'
dhcp.guest_dns.resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.guest_dns.logqueries='0'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.instance='guest_dns'
dhcp.guest.start='150'
dhcp.guest.limit='100'
dhcp.guest.leasetime='12h'
dhcp.guest.dhcpv4='server'
dhcp.@host[0]=host
dhcp.@host[0].mac='<redacted id:0>'
dhcp.@host[0].name='ap-eg'
dhcp.@host[0].dns='1'
dhcp.@host[0].ip='192.168.22.101'
dhcp.@host[1]=host
dhcp.@host[1].mac='<redacted id:0>'
dhcp.@host[1].name='ap-eg'
dhcp.@host[1].dns='1'
dhcp.@host[1].ip='192.168.44.101'
dhcp.@host[1].instance='guest_dns'
dhcp.@host[2]=host
dhcp.@host[2].mac='<redacted id:0>'
dhcp.@host[2].name='ap-eg'
dhcp.@host[2].dns='1'
dhcp.@host[2].ip='192.168.33.101'
dhcp.@host[2].instance='iot_dns'
dhcp.@host[3]=host
dhcp.@host[3].mac='<redacted id:0>'
dhcp.@host[3].name='phonus-longus'
dhcp.@host[3].dns='1'
dhcp.@host[3].ip='192.168.22.67'
root@main-router:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='iot'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].network='iot'
firewall.@zone[3].forward='ACCEPT'

Thank you very much for taking a patient look at this! :face_holding_back_tears:

You don't want them to. That prevents guests and IoTs from being able to hack the AP's OpenWrt at all with IP-based protocols.

You are trying to mix tagged and untagged packets on the Ethernet trunk cable, which is not recommended. Give the lan network a VLAN number on the cable as well.

AP

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop
/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
/etc/init.d/firewall disable
/etc/init.d/firewall stop

Router

uci set firewall.@zone[2].input='REJECT'
uci set firewall.@zone[2].forward='REJECT'
uci set firewall.@zone[3].input='REJECT'
uci set firewall.@zone[3].forward='REJECT'
uci add firewall rule
uci set firewall.@rule[-1].name='Guest-DHCP-DNS'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='IOT-DHCP-DNS'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='iot'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='guest'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='iot'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
/etc/init.d/firewall restart

You don't need such a complicated dnsmasq configuration (three instances), but leave it that way for now.
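The answer above boils down to three checkable conditions: the dumb AP keeps an IP stack on exactly one interface, the trunk does not mix tagged and untagged bridge members on the same port, and the guest and iot zones on the router reject input and forward. The script below is an added example, not code from this thread or from OpenWrt; it parses `uci show`-style dumps with POSIX awk and reports on those three points. The dumps it works on are constructed here, modelled on the ap-eg and main-router output posted above and trimmed to the options the checks need, with "after" versions derived by applying the suggested changes.

```shell
#!/bin/sh
# Added example, not code from the thread: audit `uci show` dumps for the three
# conditions the answer above converges on. The dumps are constructed, modelled
# on the ap-eg / main-router output posted above and trimmed to the options the
# checks need.

# AP network config as first posted: every bridge interface runs DHCP.
AP_BEFORE="network.loopback=interface
network.loopback.proto='static'
network.lan=interface
network.lan.proto='dhcp'
network.iot=interface
network.iot.proto='dhcp'
network.guest=interface
network.guest.proto='dhcp'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].ports='lan'
network.@device[1]=device
network.@device[1].name='br-iot'
network.@device[1].ports='lan.33'
network.@device[2]=device
network.@device[2].name='br-guest'
network.@device[2].ports='lan.44'"

# Same AP after iot and guest were set to proto none (management stays on lan).
AP_AFTER=$(printf '%s\n' "$AP_BEFORE" | sed -e "s/^network.iot.proto='dhcp'/network.iot.proto='none'/" \
    -e "s/^network.guest.proto='dhcp'/network.guest.proto='none'/")

# Router firewall zones as posted (guest and iot fully open towards the router).
FW_BEFORE="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[3]=zone
firewall.@zone[3].name='iot'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].forward='ACCEPT'"

# The same zones after the suggested uci set ...@zone[2|3].input/forward='REJECT'.
FW_AFTER=$(printf '%s\n' "$FW_BEFORE" | sed -e "s/^\(firewall\.@zone\[[23]\]\.input\)='ACCEPT'/\1='REJECT'/" \
    -e "s/^\(firewall\.@zone\[[23]\]\.forward\)='ACCEPT'/\1='REJECT'/")

# Normalise a dump into tab-separated "section  option  value" lines with the
# quotes stripped; a section's type line is emitted with the pseudo-option @type.
uci_triples() {
    printf '%s\n' "$1" | awk -v q="'" -v OFS="\t" '
        index($0, "=") == 0 { next }
        {
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(q, "", val)
            n = split(key, k, "[.]")
            if (n == 3) print k[2], k[3], val
            else if (n == 2) print k[2], "@type", val
        }'
}

# Count interfaces (loopback excluded) whose proto is not 'none', i.e. that carry
# an IP stack. A dumb AP should report exactly 1: the management interface.
count_ip_ifaces() {
    uci_triples "$1" | awk -F"\t" '
        $2 == "proto" && $1 != "loopback" && $3 != "none" { n++ }
        END { print n + 0 }'
}

# Print each physical port that is a bridge member both untagged (lan) and tagged
# (lan.33): the tagged/untagged mix on one trunk that the answer advises against.
mixed_tag_ports() {
    uci_triples "$1" | awk -F"\t" '
        $2 == "ports" {
            n = split($3, p, " ")
            for (i = 1; i <= n; i++) {
                dot = index(p[i], ".")
                if (dot) tagged[substr(p[i], 1, dot - 1)] = 1; else untagged[p[i]] = 1
            }
        }
        END { for (b in tagged) if (b in untagged) print b }'
}

# Print the input or forward policy of the zone named $2. Zones are only
# addressable by index in the dump, so the index is resolved via the name option.
zone_policy() {   # $1 = firewall dump, $2 = zone name, $3 = input|forward
    uci_triples "$1" | awk -F"\t" -v zone="$2" -v opt="$3" '
        $2 == "@type" { type[$1] = $3 }
        { val[$1, $2] = $3 }
        END { for (s in type) if (type[s] == "zone" && val[s, "name"] == zone) print val[s, opt] }'
}

# Stand-alone report over the constructed dumps.
audit() {
    printf 'AP interfaces with an IP stack: before=%s after=%s (want 1)\n' \
        "$(count_ip_ifaces "$AP_BEFORE")" "$(count_ip_ifaces "$AP_AFTER")"
    printf 'Trunk ports mixing tagged and untagged members: %s\n' "$(mixed_tag_ports "$AP_AFTER")"
    for z in guest iot; do
        printf 'zone %s input: before=%s after=%s\n' "$z" \
            "$(zone_policy "$FW_BEFORE" "$z" input)" "$(zone_policy "$FW_AFTER" "$z" input)"
    done
}
audit
```

On a real device the dumps come from `uci show network` and `uci show firewall` instead of the embedded strings; the AP check should report 1, the trunk check should print nothing once the lan network is given a VLAN tag on the cable as suggested, and both guest and iot should read REJECT for input and forward on the router.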

Very recently I was asking on the #OpenWRT in IRC if there is a problem mixing tagged and untagged but got no answer.

I have some clients on my LAN which don't support VLANs and I got no free ports on my router and no VLAN capable switch.

Do you have a link where I could read up on the consequences of mixing tagged and untagged packets?

On my AP I am deploying this to /etc/rc.local

# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop
  fi
done

On the main-router your suggested changes worked like a charm!

I still don't get why the interfaces don't need an IP address, but I have a vague idea and I am reading up on it.

When I make my dnsmasq configuration less complicated, can I still use dedicated domain names for my networks? Can you give me a hint on how to do it?

And finally, a very huge "Thank you!" for your help. It is greatly appreciated. Can I, by any chance, "buy you a beer" in any way?

Cheers!
