Multiple VLANs

I've been trying to set up VLANs with tagging on an E7350 for a week. I know that OpenWrt 24 uses DSA, so I started from this tutorial. But nothing works: none of the 4 ports or the 4 Wi-Fi SSIDs can connect, with either DHCP or a static address.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

# Reviewer note: `device` must name the bridge itself ('br-lan'). 'br-lan.1' is
# the VLAN sub-interface that this section is supposed to *create*, so pointing
# at it here means no bridge-VLAN is built. Compare the working form used later
# in the thread (`option device 'br-lan'`).
config bridge-vlan 'br-vlan1'
	option device 'br-lan.1'
	option vlan '1'
	option ipv6 '0'

# Reviewer note: same `device` problem as above (should be 'br-lan'). The port
# syntax is also wrong: tagged is `lan1:t` and untagged+PVID is `lan1:u*`;
# 'lan1t' cannot match a real port, so this VLAN ends up with no members.
config bridge-vlan 'br-vlan2'
	option device 'br-lan.2'
	option vlan '2'
	list ports 'lan1t'
	list ports 'lan2t'
	option ipv6 '0'

# Reviewer note: `vlan '2'` repeats the ID already used by br-vlan2; this section
# feeds br-lan.3 below and was clearly meant to be VLAN 3. Two bridge-vlan
# sections with the same ID on one bridge conflict, and as written VLAN 3 never
# exists, so 192.168.3.1 on br-lan.3 has no ports behind it. `device` should be
# 'br-lan' and the port entries should use the `lan1:t` / `lan3:u*` syntax.
config bridge-vlan 'br-vlan3'
	option device 'br-lan.3'
	option vlan '2'
        list ports 'lan1t'
	list ports 'lan2t'
	list ports 'lan3u'
	list ports 'lan4u'
	option ipv6 '0'

config interface 'vlan1'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan2'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan3'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'
	option ipv6 '0'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option family 'ipv4'
	option log '1'

config zone
    option name 'vlan1'
    option input 'REJECT'
    option output 'REJECT'
    option forward 'REJECT'
    option network 'vlan1'
    option masq '1'
    option mtu_fix '1'
	option family 'ipv4'
	option log '1'

config zone
    option name 'vlan2'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vlan2'
    option masq '1'
    option mtu_fix '1'
	option family 'ipv4'
	option log '1'

config zone
    option name 'vlan3'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vlan3'
    option masq '1'
    option mtu_fix '1'
	option family 'ipv4'
	option log '1'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option masq '1'
    option mtu_fix '1'
	option family 'ipv4'
	option log '1'

config forwarding
	option src 'vlan2'
	option dest 'wan'

config forwarding
	option src 'vlan3'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
    option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option logqueries '1'

config dhcp 'vlan1'
	option interface 'vlan1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
    option dynamicdhcp '0'

config dhcp 'vlan2'
    option interface 'vlan2'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcp_option '6,192.168.2.1'
    option force '1'
    option local '/vlan2/'
    option domain 'vlan2'

# Reviewer note: `option interface 'vlan2'` in the 'vlan3' pool. Both pools then
# bind to vlan2 (and this one hands vlan2 clients a DNS server at 192.168.3.1
# that they cannot reach), while vlan3 gets no DHCP server at all. Should be
# `option interface 'vlan3'`.
config dhcp 'vlan3'
    option interface 'vlan2'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcp_option '6,192.168.3.1'
    option force '1'
    option local '/vlan3/'
    option domain 'vlan3'
	
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

/etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel 'auto'
	option htmode 'HE20'
	option txpower '26'
	option country 'CA'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'vlan2'
	option mode 'ap'
	option ssid 'Home_2.4_nomap'
	option encryption 'sae-mixed'
	option key 'PASSWORD'
	option ocv '0'

# Reviewer note: this section re-uses the name 'default_radio0' from the section
# above. UCI does not keep two sections with the same name - the later definition
# overrides/merges into the earlier one - so only one of the two 2.4 GHz SSIDs
# actually comes up. Give each wifi-iface a unique name (e.g. 'home_radio0' and
# 'office_radio0'). Also note 'sae-mixed' is WPA2-PSK/WPA3-SAE transition mode:
# WPA2 clients still join with the same key, so consider plain 'sae' for the
# office SSID once all of its clients support WPA3.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'vlan3'
	option mode 'ap'
	option ssid 'Office_2.4_nomap'
	option encryption 'sae-mixed'
	option key 'PASSWORD'
	option ocv '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '18'
	option country 'CA'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'vlan2'
	option mode 'ap'
	option ssid 'Home_5_nomap'
	option encryption 'sae-mixed'
	option key 'PASSWORD'
	option ocv '0'

	# Reviewer note: duplicate section name 'default_radio1' (same as the 5 GHz
	# section above). UCI does not keep two sections with the same name, so only
	# one 5 GHz SSID is actually created. Use a unique name such as 'office_radio1'.
	config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'vlan3'
	option mode 'ap'
	option ssid 'Office_5_nomap'
	option encryption 'sae-mixed'
	option key 'PASSWORD'
	option ocv '0'

I don't see any error in logread ...

Lots of issues here. I'm going to recommend that you reset to defaults and then we can work with a clean, known good config to start. From there, please post your default config files and I'll show you how to get the VLANs working.

It's not clear what your intent is with VLAN 1 since you don't have ports assigned to it. And there may be other issues in terms of the intent vs how things are actually showing up. With that in mind...

Please also define the port VLAN membership. For example (making this up):

  • port lan1: VLAN 1 untagged
  • port lan 2: VLAN 2 untagged
  • ports lan3 and lan 4: VLANs 1 and 2, both tagged.

Then define the intent such as:

  • VLANs 1 and 2 are completely isolated from each other, but both can reach the internet

or maybe:

  • VLAN 2 cannot initiate connections to VLAN 1, but VLAN 1 is allowed to initiate to VLAN 2; both can reach the internet

or another option:

  • VLAN 2 cannot reach the internet, but VLAN 1 can. Both VLANs can talk to each other freely.

You get the idea.

Great, i wasn't sure where to start without error message.

The default working config is the following:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns_search 'lan'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

/etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'
	option log '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option family 'ipv4'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'
	option logqueries '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel 'auto'
	option htmode 'HE20'
	option txpower '26'
	option country 'CA'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid SOMETHING'
	option encryption 'sae-mixed'
	option key 'SOMETHING'
	option ocv '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option channel 'auto'
	option htmode 'HE80'
	option txpower '18'
	option country 'CA'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SOMETHING'
	option encryption 'sae-mixed'
	option key 'SOMETHING'
	option ocv '0'

What i am trying to accomplish is:

  • VLAN1: Dummy default subnet (192.168.1.0/24) (not used)
  • VLAN2: Home subnet (192.168.2.0/24)
  • VLAN3: Office subnet (192.168.3.0/24)
  • Internet on both VLANs
  • Allow local traffic between clients of a same VLAN
  • Block local traffic between VLANs

Sorry for the delay.

You didn't specify the port-VLAN memberships, so I'm just going to make everything untagged with VLAN 2 on ports 1 and 2, and VLAN 3 on ports 3 and 4. This isn't hard to change if you need something different.

You may want to first enable wifi and connect via wifi while you make these changes, so that a mistake in the port/VLAN memberships doesn't lock you out over ethernet (and keep the serial console in mind as a last resort).

I'm going to assume that the home subnet is trusted, and that the office is not (from the perspective of managing the router).

Create bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

Edit the lan to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

And create your two new interfaces like this:

config interface 'home'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'office'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

Now, in the firewall, add home to the lan firewall zone... it will look like this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'home'

And create a new zone for office along with rules to allow DHCP and DNS as well as forwarding to the internet:

config zone
	option name 'office'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'office'

config rule
	option name 'Allow-office-dhcp'
	option src 'office'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# Reviewer note: no `proto` is given, so fw4 falls back to its default (tcp and
# udp); spell it out with `option proto 'tcp udp'` so the rule does not depend on
# that default. With no `dest`, the rule matches traffic to the router itself
# (input), which is what office clients need to reach dnsmasq.
config rule
	option name 'Allow-office-dns'
	option src 'office'
	option dest_port '53'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option src 'office'
	option dest 'wan'

While you're in the firewall, remove the logging from the wan zone (you'll notice I removed it from the lan zone).

In the DHCP file, remove the `list interface 'lan'` line from the `config dnsmasq` section (it pins dnsmasq to the lan interface only, so the new subnets would get no DHCP or DNS; the wan is firewalled, so letting dnsmasq listen on all interfaces is fine):

Create two new DHCP servers:

config dhcp 'home'
	option interface 'home'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'office'
	option interface 'office'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Now you can restart and you should find that on ports 1 and 2, you will be connected to the home network with access to the router, while ports 3 and 4 will be on the office network and will not have access to the router. The two networks will be isolated from each other.

If all that works, you can then add wifi SSIDs and link them to the respective networks.


Thanks for your time. Sadly, this config didn't work either :frowning: There really isn't much differences with the default working config, i'm quite lost.

For a start i can see the bridge is not going up:

root@OpenWrt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 06:3C:81:20:0B:7F
          inet6 addr: fe80::43c:81ff:fe20:b7f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:882 (882.0 B)
          Interrupt:19

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5314 (5.1 KiB)  TX bytes:5314 (5.1 KiB)

wan       Link encap:Ethernet  HWaddr 7A:57:C8:5A:B5:69
          inet addr:192.168.18.28  Bcast:192.168.18.255  Mask:255.255.255.0
          inet6 addr: fe80::7857:c8ff:fe5a:b569/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1216 errors:0 dropped:538 overruns:0 frame:0
          TX packets:388 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:78063 (76.2 KiB)  TX bytes:29008 (28.3 KiB)
          Interrupt:19

Here are the bootup console and logread.

Please post the config after the edits.

FWIW, I know this works — including on the e7350 since I have one of these at work.

/etc/config/network

config bridge-vlan
        option device 'br-lan'
        option vlan '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'home'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'office'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

/etc/config/firewall

# Reviewer note (security): `config defaults` is the policy for traffic that
# matches no zone. The zones below bind to networks 'vlan1'/'vlan2'/'vlan3', but
# the interfaces in this network file are named 'lan', 'home' and 'office', so all
# three LAN interfaces are in no zone at all and inherit these policies. With
# input/forward ACCEPT that means office clients can reach the router and be
# forwarded into home - the isolation you asked for is not enforced. Keep
# input/forward as REJECT (the OpenWrt default) and fix the zone network names.
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option synflood_protect '1'
    option drop_invalid '1'
    option family 'ipv4'
    option log '1'

# Dummy
config zone
    option name 'vlan1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vlan1'
    option family 'ipv4'
    option log '1'

# Reviewer note: `option network 'vlan2'` / `'vlan3'` do not match any interface
# in this network file (they are named 'home' and 'office'), so neither zone
# covers anything and the interfaces fall through to the `defaults` policy.
# Use `list network 'home'` and `list network 'office'`. The office zone with
# input/forward ACCEPT also contradicts the stated intent (office untrusted,
# isolated from home); the earlier suggestion used input/forward REJECT there.
config zone
    option name 'home'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vlan2'
    option family 'ipv4'
    option log '1'

config zone
    option name 'office'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vlan3'
    option family 'ipv4'
    option log '1'

# Reviewer note: `option masq '1'` (and `mtu_fix '1'`) were dropped from the wan
# zone compared with the default config. Without masquerading, home/office
# traffic is forwarded to the WAN with its private 192.168.x.x source address and
# replies never come back - put `option masq '1'` back.
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option family 'ipv4'
    option log '1'

config forwarding
    option src 'home'
    option dest 'wan'

config forwarding
    option src 'office'
    option dest 'wan'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
        option name 'Allow-home-dhcp'
        option src 'home'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

# Reviewer note: these rules reference a zone that does not exist ('vlan2') or the
# wrong zone ('home' on the office DHCP rule), so they do not attach where
# intended. With the office zone set to input ACCEPT above they are redundant
# anyway; if office goes back to input REJECT, both office rules need
# `option src 'office'` and the home DNS rule needs `option src 'home'`.
config rule
        option name 'Allow-home-dns'
        option src 'vlan2'
        option dest_port '53'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-office-dhcp'
        option src 'home'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-office-dns'
        option src 'vlan2'
        option dest_port '53'
        option family 'ipv4'
        option target 'ACCEPT'

/etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'
    option logqueries '1'

config dhcp 'vlan1'
    option interface 'vlan1'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dynamicdhcp '0'

config dhcp 'home'
    option interface 'home'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcp_option '6,192.168.2.1'

config dhcp 'office'
    option interface 'office'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcp_option '6,192.168.3.1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

Is that the complete network config file? There are a bunch of things missing -- most notably the actual bridge.

There's exactly what you gave me, there are no 'device' at all in your suggestion. :man_shrugging:

Sorry if there was any confusion. The instructions I gave were for things to add, delete, or edit. That was not intended to be a representation of the complete file... just the things that needed to change.

That said, you should reset to defaults and then implement the changes that I recommended -- again, adding, deleting, or editing.

Also, I notice that you have `option log '1'` on the defaults and on every zone in the firewall file... why? Every rejected packet then produces a kernel log line, which on a WAN-facing router quickly floods the small in-memory log ring and buries the messages you actually need while debugging. It is rarely useful beyond a short troubleshooting window; if you do keep it, rate-limit it per zone with something like `option log_limit '10/minute'`.

Yes logging is just while i'm working on it. I tried again starting from the default config but exact same behavior, DHCP not working and if i connect static i have no LAN and no WAN access. A ping to 192.168.3.1 when connected to port 3 gives:

PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
From 192.168.3.101 icmp_seq=1 Destination Host Unreachable
From 192.168.3.101 icmp_seq=2 Destination Host Unreachable
...

Here's the config

/etc/config/network

interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipv6 '0'

config interface 'vlan2'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipv6 '0'

config interface 'vlan3'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option delegate '0'
        option ipv6 '0'

/etc/config/firewall

option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option family 'ipv4'
        option log '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option family 'ipv4'
        option log '1'

config zone
        option name 'vlan2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan2'
        option family 'ipv4'
        option log '1'

config zone
        option name 'vlan3'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan3'
        option family 'ipv4'
        option log '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wan'
        option masq '1'
        option family 'ipv4'
        option log '1'

config rule
        option name 'Allow-vlan2-dhcp'
        option src 'vlan2'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-vlan2-dns'
        option src 'vlan2'
        option dest_port '53'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-vlan3-dhcp'
        option src 'vlan3'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-vlan3-dns'
        option src 'vlan3'
        option dest_port '53'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'vlan2'
        option dest 'wan'

config forwarding
        option src 'vlan3'
        option dest 'wan'

/etc/config/dhcp

dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '100'
        option limit '250'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan3'
        option interface 'vlan3'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

End of console after booting (from the first mention of a device)

[    4.755085] init: - preinit -
[    5.446675] mtk_soc_eth 1e100000.ethernet wan: renamed from eth1
[    6.848464] random: crng init done
[    7.022553] mtdblock: MTD device 'Config' is NAND, please consider using UBI block devices instead.
[    7.249033] mtdblock: MTD device 'Config' is NAND, please consider using UBI block devices instead.
Cannot parse config file '/etc/fw_env.config': No such file or directory
Failed to find NVMEM device
[    8.036367] mtk_soc_eth 1e100000.ethernet eth0: configuring for fixed/rgmii link mode
[    8.049286] mtk_soc_eth 1e100000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[    8.049671] mt7530-mdio mdio-bus:1f lan1: configuring for phy/gmii link mode
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[   12.452447] UBIFS (ubi0:1): Mounting in unauthenticated mode
[   12.458582] UBIFS (ubi0:1): background thread "ubifs_bgt0_1" started, PID 654
[   12.516400] UBIFS (ubi0:1): recovery needed
[   12.676970] UBIFS (ubi0:1): recovery completed
[   12.681669] UBIFS (ubi0:1): UBIFS: mounted UBI device 0, volume 1, name "rootfs_data"
[   12.689543] UBIFS (ubi0:1): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[   12.699490] UBIFS (ubi0:1): FS size: 35807232 bytes (34 MiB, 282 LEBs), max 292 LEBs, journal size 1777664 bytes (1 MiB, 14 LEBs)
[   12.711149] UBIFS (ubi0:1): reserved for root: 1691263 bytes (1651 KiB)
[   12.717741] UBIFS (ubi0:1): media format: w5/r0 (latest is w5/r0), UUID A9719326-E8EF-432C-BEB4-0F76DBEAEBC2, small LPT model
[   12.740825] mount_root: switching to ubifs overlay
[   12.764639] urandom-seed: Seeding with /etc/urandom.seed
[   12.950303] procd: - early -
[   12.953450] procd: - watchdog -
[   13.602169] procd: - watchdog -
[   13.608706] procd: - ubus -
[   13.771670] procd: - init -
Please press Enter to activate this console.
[   15.114844] kmodloader: loading kernel modules from /etc/modules.d/*
[   15.184052] mtk-eip93 1e004000.crypto: EIP93 Crypto Engine Initialized.
[   15.820994] GACT probability on
[   15.826183] Mirror/redirect action on
[   15.845253] u32 classifier
[   15.847997]     input device check on
[   15.851713]     Actions configured
[   15.896298] Loading modules backported from Linux version v6.12.6-0-ge9d65b48ce1a
[   15.903830] Backport generated by backports.git v6.1.110-1-35-g410656ef04d2
[   15.920200] urngd: v1.0.2 started.
[   16.017384] xt_time: kernel timezone is -0000
[   16.190203] pci 0000:00:00.0: enabling device (0006 -> 0007)
[   16.195899] mt7915e_hif 0000:01:00.0: enabling device (0000 -> 0002)
[   16.203075] pci 0000:00:01.0: enabling device (0006 -> 0007)
[   16.208827] mt7915e 0000:02:00.0: enabling device (0000 -> 0002)
[   16.506498] mt7915e 0000:02:00.0: HW/SW Version: 0x8a108a10, Build Time: 20240429200716a
[   16.506498]
[   16.873544] mt7915e 0000:02:00.0: WM Firmware Version: ____000000, Build Time: 20240429200752
[   16.913017] mt7915e 0000:02:00.0: WA Firmware Version: DEV_000000, Build Time: 20240429200812
[   17.032043] mt7915e 0000:02:00.0: registering led 'mt76-phy0'
[   17.083778] mt7915e 0000:02:00.0: registering led 'mt76-phy1'
[   17.197206] PPP generic driver version 2.4.2
[   17.203925] NET: Registered PF_PPPOX protocol family
[   17.230368] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[   17.238201] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
[   17.265672] kmodloader: done loading kernel modules from /etc/modules.d/*
[   17.427618] mtdblock: MTD device 'Config' is NAND, please consider using UBI block devices instead.
[   18.220105] mtdblock: MTD device 'Config' is NAND, please consider using UBI block devices instead.
[   26.003526] keepalived[2159]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[   26.398656] mtk_soc_eth 1e100000.ethernet eth0: Link is Down
[   26.441715] mtk_soc_eth 1e100000.ethernet eth0: configuring for fixed/rgmii link mode
[   26.453862] mtk_soc_eth 1e100000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[   26.477052] mt7530-mdio mdio-bus:1f lan1: configuring for phy/gmii link mode
[   26.486750] br-lan: port 1(lan1) entered blocking state
[   26.492327] br-lan: port 1(lan1) entered disabled state
[   26.497812] mt7530-mdio mdio-bus:1f lan1: entered allmulticast mode
[   26.504322] mtk_soc_eth 1e100000.ethernet eth0: entered allmulticast mode
[   26.523345] mt7530-mdio mdio-bus:1f lan1: entered promiscuous mode
[   26.654212] mt7530-mdio mdio-bus:1f lan2: configuring for phy/gmii link mode
[   26.674014] br-lan: port 2(lan2) entered blocking state
[   26.679441] br-lan: port 2(lan2) entered disabled state
[   26.684842] mt7530-mdio mdio-bus:1f lan2: entered allmulticast mode
[   26.695859] mt7530-mdio mdio-bus:1f lan2: entered promiscuous mode
[   26.739372] mt7530-mdio mdio-bus:1f lan3: configuring for phy/gmii link mode
[   26.750837] br-lan: port 3(lan3) entered blocking state
[   26.756168] br-lan: port 3(lan3) entered disabled state
[   26.761740] mt7530-mdio mdio-bus:1f lan3: entered allmulticast mode
[   26.771905] mt7530-mdio mdio-bus:1f lan3: entered promiscuous mode
[   26.806317] mt7530-mdio mdio-bus:1f lan4: configuring for phy/gmii link mode
[   26.816105] br-lan: port 4(lan4) entered blocking state
[   26.821594] br-lan: port 4(lan4) entered disabled state
[   26.826984] mt7530-mdio mdio-bus:1f lan4: entered allmulticast mode
[   26.838237] mt7530-mdio mdio-bus:1f lan4: entered promiscuous mode
[   26.884326] mtk_soc_eth 1e100000.ethernet wan: PHY [mt7530-0:00] driver [MediaTek MT7530 PHY] (irq=POLL)
[   26.894089] mtk_soc_eth 1e100000.ethernet wan: configuring for phy/rgmii link mode
[   29.009060] mtk_soc_eth 1e100000.ethernet wan: Link is Up - 100Mbps/Full - flow control rx/tx
[   29.698262] mt7530-mdio mdio-bus:1f lan3: Link is Up - 1Gbps/Full - flow control rx/tx
[   29.706715] br-lan: port 3(lan3) entered blocking state
[   29.712257] br-lan: port 3(lan3) entered forwarding state

Your ping output ("Destination Host Unreachable" reported by 192.168.3.101 itself) means the client never got an ARP reply for 192.168.3.1, so this is a layer-2 / bridge-VLAN problem, not a firewall one. I see the following issues:

The first line here should be `config dnsmasq` (maybe just a copy/paste omission, but if the word `config` is missing from the real file, UCI will reject the file and nothing in it is applied). The same thing shows in your other two files: the network file starts with `interface 'loopback'` and the firewall file starts with `option input 'REJECT'` with no `config defaults` line above it -- check all three.

The second issue in the above is that you have the interface lan defined. remove that line so dnsmasq will operate on all subnets (the wan is firewalled, so no issue there).

Then, you have an invalid limit on the vlan2 pool (`option limit '250'`) -- with `start '100'` in a /24 it must be <= 155, because `limit` is the size of the pool (number of addresses, .100-.254), not the last address:

Restart and test again.

Some things i would have spend days figuring out! Thanks. Still not up though :pensive_face:

corrected config (i changed to generic vlan names for simplicity, vlan1, vlan2, etc.):

/etc/config/network

interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'


# Devices

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option delegate '0'
        option ipv6 '0'


# Interfaces

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipv6 '0'

config interface 'vlan2'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipv6 '0'

config interface 'vlan3'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option delegate '0'
        option ipv6 '0'

/etc/config/firewall

config default
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option family 'ipv4'
        option log '1'

# Dummy
config zone
        ption name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option family 'ipv4'
        option log '1'

# Smart Home
config zone
        option name 'vlan2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan2'
        option family 'ipv4'
        option log '1'

# Computing (ISP)
config zone
        option name 'vlan3'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan3'
        option family 'ipv4'
        option log '1'


# ISP
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wan'
        option masq '1'
        option family 'ipv4'
        option log '1'


# Rules

config rule
        option name 'Allow-vlan2-dhcp'
        option src 'vlan2'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-vlan2-dns'
        option src 'vlan2'
        option dest_port '53'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-vlan3-dhcp'
        option src 'vlan3'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-vlan3-dns'
        option src 'vlan3'
        option dest_port '53'
        option family 'ipv4'
        option target 'ACCEPT'


# Forwarding

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'vlan2'
        option dest 'wan'

config forwarding
        option src 'vlan3'
        option dest 'wan'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan3'
        option interface 'vlan3'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I also checked that the system time is right, and WAN always did work btw — I can install packages. Also, do these config files accept comments?

These configs look generally fine. I would remove the comments so that they are clean - I'm not sure how comments are parsed, and they could cause problems.

That said, you show two wan interface stanzas. Is that actually an issue, or just a copy/paste error?

What actually happens when you plug your computer into each of the Ethernet ports?

Indeed, the double WAN was a copy/paste typo, but removing the comments didn't fix it.

There is progress though: it turns out sysupgrade is not working — it never overwrites the kernel, and I get errors because /lib/modules/<version> is never the same version as the kernel. I had to install a factory image through TFTP. Now the kernel version on the status page, the modules directory and the actual kernel are all the same version. But VLANs are still not working.

When I plug into any port, the console only shows:

[   30.046215] br-lan: port 1(lan1) entered blocking state
[   30.057709] br-lan: port 1(lan1) entered forwarding state

But there is no DHCP, and with a static address there is still no network access to anything; kind of desperate now.

Mon May 19 21:44:05 2025 daemon.info dnsmasq[1]: read /etc/hosts - 6 names
Mon May 19 21:44:05 2025 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 names
Mon May 19 21:44:05 2025 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Mon May 19 21:44:07 2025 daemon.err procd: Got unexpected signal 1
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: started, version 2.90 cachesize 1000
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon May 19 21:44:07 2025 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.3.100 -- 192.168.3.249, lease time 12h
Mon May 19 21:44:07 2025 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Mon May 19 21:44:07 2025 daemon.info dnsmasq-dhcp[1]: DHCP relay from 192.168.2.1 to 192.168.1.1 via br-lan.2
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using nameserver 192.168.18.1#53
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: read /etc/hosts - 6 names
Mon May 19 21:44:07 2025 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 2 names
Mon May 19 21:44:07 2025 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon May 19 21:44:12 2025 auth.info login[3285]: root login on 'ttyS0'
Mon May 19 21:45:45 2025 daemon.notice netifd: Network device 'lan1' link is down
Mon May 19 21:45:45 2025 kern.info kernel: [  136.533511] mt7530-mdio mdio-bus:1f lan1: Link is Down
Mon May 19 21:45:45 2025 kern.info kernel: [  136.538891] br-lan: port 1(lan1) entered disabled state
Mon May 19 21:45:48 2025 kern.info kernel: [  139.135942] mt7530-mdio mdio-bus:1f lan1: Link is Up - 100Mbps/Full - flow control off
Mon May 19 21:45:48 2025 kern.info kernel: [  139.144109] br-lan: port 1(lan1) entered blocking state
Mon May 19 21:45:48 2025 daemon.notice netifd: Network device 'lan1' link is up
Mon May 19 21:45:48 2025 kern.info kernel: [  139.149407] br-lan: port 1(lan1) entered forwarding state

I'm noting that you have VLANs 2 and 3 defined, but not VLAN 1. I wonder if that is part of the problem.

Try adding:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'

And remove port lan1 from VLAN 2 (just for now):

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:u*'

Restart and try again.

Okay, so progressing slowly: with this config, local traffic works on VLANs 2 and 3 with static settings, and I can access LuCI. But still no DHCP or internet.

For some reason, local traffic only works with the following explicit rule:

config rule
	option name 'Allow-vlan2-browsing'
	option src 'vlan2'
	option proto 'tcp'
	list dest_port '80'
	list dest_port '443'
	option family 'ipv4'
	option target 'ACCEPT'

Which I don't understand, since it should be covered by the forwarding rule.

Btw, after solving the kernel stuff, I'm on v24.10.1 r28597-0425664679 with kernel 6.6.86.

Present config:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:t'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan2:t'
	list ports 'lan3:u'
	list ports 'lan4:u'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan2'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan3'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

/etc/config/firewall

config default
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option family 'ipv4'
	option log '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'
	option log '1'

config zone
	option name 'vlan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan2'
	option family 'ipv4'
	option log '1'

config zone
	option name 'vlan3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan3'
	option family 'ipv4'
	option log '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	option masq '1'
	option family 'ipv4'
	option log '1'

config rule
	option name 'Allow-vlan2-dhcp'
	option src 'vlan2'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan2-dns'
	option src 'vlan2'
	option dest_port '53'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan2-netbios'
	option src 'vlan2'
	option proto 'udp'
	option dest_port '137,138'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan2-browsing'
	option src 'vlan2'
	option proto 'tcp'
	list dest_port '80'
	list dest_port '443'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-dhcp'
	option src 'vlan3'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-dns'
	option src 'vlan3'
	option dest_port '53'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-netbios'
	option src 'vlan3'
	option proto 'udp'
	option dest_port '137,138'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-browsing'
	option src 'vlan3'
	option proto 'tcp'
	list dest_port '80'
	list dest_port '443'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Restrict-ICMP'
	option src 'wan'
	option proto 'icmp'
	option target 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vlan2'
	option dest 'wan'

config forwarding
	option src 'vlan3'
	option dest 'wan'

/etc/config/dhcp

interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan2:u*'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan2'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan3'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

I do have one weird log from the firewall; I don't get why it gives br-lan.2 as input rather than vlan2. Aren't forwarding rules supposed to be applied on interfaces, not devices?

reject vlan2 in: IN=br-lan.2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.2.151 DST=192.168.2.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=109 PROTO=UDP SPT=137 DPT=137 LEN=76

You mention this rule is the only way you're able to get "local traffic" to work:

What exactly do you mean by local traffic? To the router itself (i.e. to reach the LuCI web interface)? The internet? The other subnets?

You failed to provide the DHCP file (what you posted is just another copy of the network file -- can you post it again, please).

Also, have you installed any DNS modifications such as Adblock/Adguard, DoH/DoT/Stubby, etc.? Or for that matter, any non-default packages? Or any VPNs?

Finally...

These shouldn't cause any issues, but why do you have them? NetBIOS is a largely obsolete thing, and there are no default services that use it on OpenWrt. Did you install additional packages that use it?? (the same is true for VLAN 3):

Now that I read it more, you have 2 versions of the network config file in one post -- one under the heading of network, the other under the heading (mistakenly) of DHCP. Which one is accurate to what's really running on your system? Or... does it suggest that the DHCP file was somehow overwritten by a copy of the network file??? (that would most certainly explain your issues)

Yes, by local traffic I was talking about LuCI; I can only access it with the Allow-vlan2-browsing rule.

The only manually installed package is luci-file-manager; no VPN, and no other modifications than those 3 files.

I had the NetBIOS rules simply because the console kept filling with reject logs for it, which was annoying. The PC I use to configure the router is a fresh Windows 11 install, so it seems like it still uses NetBIOS by default...

The dhcp file is correct on the router; it's just my copy/paste that didn't work in my last post.

Here they are all again, re-checked, but yes, still no DHCP or internet, and that rejected VLAN log from br-lan.3.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:t'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan2:t'
	list ports 'lan3:u'
	list ports 'lan4:u'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan2'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

config interface 'vlan3'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipv6 '0'

/etc/config/firewall

config default
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option family 'ipv4'
	option log '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'
	option log '1'

config zone
	option name 'vlan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan2'
	option family 'ipv4'
	option log '1'

config zone
	option name 'vlan3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan3'
	option family 'ipv4'
	option log '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	option masq '1'
	option family 'ipv4'
	option log '1'

config rule
	option name 'Allow-vlan2-dhcp'
	option src 'vlan2'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan2-dns'
	option src 'vlan2'
	option dest_port '53'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan2-netbios'
	option src 'vlan2'
	option proto 'udp'
	option dest_port '137,138'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan2-browsing'
	option src 'vlan2'
	option proto 'tcp'
	list dest_port '80'
	list dest_port '443'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-dhcp'
	option src 'vlan3'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-dns'
	option src 'vlan3'
	option dest_port '53'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-netbios'
	option src 'vlan3'
	option proto 'udp'
	option dest_port '137,138'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-vlan3-browsing'
	option src 'vlan3'
	option proto 'tcp'
	list dest_port '80'
	list dest_port '443'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Restrict-ICMP'
	option src 'wan'
	option proto 'icmp'
	option target 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vlan2'
	option dest 'wan'

config forwarding
	option src 'vlan3'
	option dest 'wan'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'