Multiple VLAN with different DHCP/DNS server/forwarder instances

Hello,

My router is connected to a switch on lan1 port and to the WAN on wan port.
What I am trying to achieve is to create multiple VLANs on the router, each with a DHCP/DNS server/forwarder instance, and to set the VLAN port mapping on the switch.

To do this, I have

  • removed the br-lan device
  • removed the lan interface
  • created the VLANs, all mapped to the same router port (lan1)
  • configured the DHCP server and DNS forwarder (using this guide)
  • set the switch port attached to the router's lan1 port to 'tagged mode' for all the VLANs
  • mapped the other ports of the switch to a specific VLAN

Everything seems to be working fine: on the switch I can see that each VLAN has the correct DHCP server instance, and devices acquire the correct IP according to the port they are attached to.

Here is the OpenWrt configuration:

network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:b906:624c::/48'

config device
        option name 'wan'
        option macaddr '***omitted***'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '101'
        option name 'lan1.101'
        option macaddr '61:38:E0:D6:4D:65'

config interface 'main'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option device 'lan1.101'

config device
        option type '8021q'
        option ifname 'lan1'
        option vid '102'
        option name 'lan1.102'
        option macaddr '61:38:E0:D6:4D:66'

config interface 'domotic'
        option proto 'static'
        option device 'lan1.102'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

dhcp

config dnsmasq 'main_dns'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/main.local/'
        option domain 'main.local'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.main'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'main'

config dhcp 'main'
        option instance 'main_dns'
        option interface 'main'
        option start '251'
        option limit '5'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dnsmasq 'domotic_dns'
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/domotic.local/'
        option domain 'domotic.local'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.domotic'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'domotic'
        list notinterface 'loopback'

config dhcp 'domotic'
        option instance 'domotic_dns'
        option interface 'domotic'
        option start '251'
        option limit '5'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'main'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'main'

config forwarding
        option src 'main'
        option dest 'wan'

config zone
        option name 'domotic'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'domotic'

config forwarding
        option src 'domotic'
        option dest 'wan'

The problem is that /etc/resolv.conf is overwritten on startup with the data of the last DNS forwarder (in this case 'domotic'), so the router is not able to resolve external names.
What am I missing?

Moreover, if I try to ping a device on VLAN 102 from a device on VLAN 101, I get this message (I think it is correct):

~ % ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
92 bytes from router.main.local (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 ea51   0 0000  3f  01 353a 192.168.1.251  192.168.2.2

But if, on the same device, I try to ping the router's IP address on VLAN 102, it replies:

~ % ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.627 ms

Is this the correct behavior? I was expecting it not to be reachable either. Is there something wrong with my configuration?

This is the device/OpenWrt version, using DSA:

{
        "kernel": "5.10.146",
        "hostname": "***omitted***",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}

Thanks in advance for helping.

This file is by default a symbolic link to /tmp/resolv.conf which is then manipulated by dnsmasq. If you don't like this, you can delete the link and recreate the file with the content of your choice.

It is; you don't allow forwarding from main to domotic.

The input of domotic zone is accept, so it is also correct.
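To make the two replies above concrete, here is an added Python example (not from the thread or from OpenWrt) that parses the firewall zones posted above and classifies both pings the way fw4's zone logic does: a packet for the router's own address is judged by the INPUT policy of the zone it arrives on, while traffic between two zones needs a forwarding section or falls to the default forward policy (REJECT here, hence the port-unreachable reply). The UCI parser, the address-to-zone mapping and the trimmed firewall text are simplifications constructed for this example.

```python
import ipaddress
import re

# Constructed from the config posted above: router address per interface, firewall trimmed.
NETWORKS = {"main": "192.168.1.1/24", "domotic": "192.168.2.1/24"}
FIREWALL = """config defaults
        option forward 'REJECT'
config zone
        option name 'main'
        option input 'ACCEPT'
        list network 'main'
config zone
        option name 'domotic'
        option input 'ACCEPT'
        list network 'domotic'
"""

def parse_uci(text):
    """Minimal UCI parser: a list of (section_type, options); list entries accumulate."""
    sections = []
    for m in re.finditer(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def zone_of(sections, ip):
    """Return (zone name, True if ip is the router's own address) for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    zone_by_net = {n: o["name"] for t, o in sections if t == "zone" for n in o.get("network", [])}
    for iface_name, cidr in NETWORKS.items():
        iface = ipaddress.ip_interface(cidr)
        if addr in iface.network:
            return zone_by_net[iface_name], addr == iface.ip
    return None, False

def verdict(sections, src_ip, dst_ip):
    """Policy fw4 applies: the INPUT chain if the packet is for the router, else zone forwarding."""
    zones = {o["name"]: o for t, o in sections if t == "zone"}
    src_zone, _ = zone_of(sections, src_ip)
    dst_zone, to_router = zone_of(sections, dst_ip)
    if to_router:  # router's own address: the input policy of the zone the packet arrives on
        return zones[src_zone].get("input", "REJECT")
    if (src_zone, dst_zone) in {(o.get("src"), o.get("dest")) for t, o in sections if t == "forwarding"}:
        return "ACCEPT"  # an explicit forwarding section exists between the two zones
    return dict(sections).get("defaults", {}).get("forward", "REJECT")  # else the default policy
```

Appending a `config forwarding` section with `option src 'main'` and `option dest 'domotic'` to the parsed text turns the first ping's verdict into ACCEPT while the reverse direction stays REJECT, which is the one-way allow the first reply describes.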

Hi @hawkeleon
I know it's been a while, but I cannot manage to do even part of that (my goal is to use different DHCP IP ranges on two different Wi-Fi interfaces).
I've followed the example in the documentation (https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#multiple_dhcpdns_serverforwarder_instances) with no effect:

  • LAN works and gets correct IP from range.
  • GUEST does not get any IP.

I have no VLANs, as no more than one LAN goes through a single interface (except on the WAN), so I think I don't need to use them.
But I will if it's the only way to give each LAN its own IP range...

Forget about it :tired_face:
The firewall rule to allow DHCP traffic between zones was not enabled, so the request never reached the DHCP server :frowning:
Once enabled, works like a charm :+1: