Current setup has two zones
1 - Lan + wifi
2 - Separate guest network (wifi only)
The DNS resolver is NextDNS over DoH; most clients, except the router itself, send encrypted DoH requests.
I want to set up a third Wi-Fi network that is attached only to ovpnbridgeif, gets an IP in the 192.168.3.0/24 subnet, and later use PBR to route it through the OpenVPN tunnel.
An OpenVPN connection is configured and active, although that is a problem for later: it seems to make no difference whether it is up or not.
HOWEVER, clients trying to connect to wifinet4 cannot get an IP and don't connect at all. If this SSID is changed to use the 'guest' interface, it works flawlessly. They seem to have the same configuration, so why isn't DHCP working for this third network?
/etc/config/dhcp
# /etc/config/dhcp as pasted (the paste dropped the usual indentation).
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
# Upstream resolvers are listed explicitly (NextDNS anycast); /etc/resolv.conf is ignored (noresolv).
option noresolv '1'
list server '45.90.28.0'
list server '45.90.30.0'
list server '2a07:a8c0::'
list server '2a07:a8c1::'
option dnssec '1'
option sequential_ip '1'
# Interfaces dnsmasq binds to. NOTE(review): 'OVPN' (tun0) and the wan/wan6 entries make dnsmasq
# listen on the tunnel and PPPoE sides as well; localservice and the wan zone's input REJECT limit
# the exposure, but confirm these entries are intended rather than left over from earlier attempts.
list interface 'guest'
list interface 'lan'
list interface 'OVPN'
list interface 'ovpnbridgeif'
list interface 'wan'
list interface 'wan_6'
list interface 'wan6'
# LAN pool: DHCPv4 plus DHCPv6/RA handled by odhcpd (maindhcp 0 below keeps dnsmasq for v4).
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest pool. dhcp_option 6 points clients straight at NextDNS (45.90.28.39 / 45.90.30.39) rather
# than at the router, so guest DNS bypasses the router's resolver (and its rebind protection)
# unless the client itself speaks DoH.
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,45.90.28.39,45.90.30.39'
# Third-SSID pool, identical to 'guest' apart from the interface name. dnsmasq can only serve it
# once netifd has brought 'ovpnbridgeif' up with 192.168.3.1 on the device dnsmasq binds to — see
# the matching interface section in /etc/config/network.
config dhcp 'ovpnbridgeif'
option interface 'ovpnbridgeif'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,45.90.28.39,45.90.30.39'
/etc/config/network
# /etc/config/network as pasted (indentation lost).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd57:e6d0:1a07::/48'
option packet_steering '1'
# Wired LAN bridge; MTU 1492 matches the PPPoE uplink.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option mtu '1492'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# Uplink is PPPoE; ISP-supplied DNS is ignored (peerdns 0) in favour of the NextDNS addresses.
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'redacted'
option password 'redacted'
option ipv6 'auto'
option peerdns '0'
list dns '45.90.28.39'
list dns '45.90.30.39'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2a07:a8c0::9c:99bc'
list dns '2a07:a8c1::9c:99bc'
# Guest bridge: no wired ports, exists only so the guest SSID has something to attach to.
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
option mtu '1492'
config interface 'guest'
option proto 'static'
option device 'br-guest'
list ipaddr '192.168.2.1/24'
# tun0 is created by openvpn itself; this section only gives it a name for the firewall / PBR.
config interface 'OVPN'
option proto 'none'
option device 'tun0'
# VPN-side Wi-Fi bridge, same shape as br-guest.
config device
option type 'bridge'
option name 'br-vpn'
option bridge_empty '1'
option mtu '1492'
# NOTE(review): this section differs from 'guest' in exactly one line — 'option type bridge'. On an
# interface section that is the legacy (pre-21.02) bridge syntax: netifd builds its own bridge out of
# the listed device, so here it would try to create a bridge whose only port is br-vpn, itself a
# bridge, which the kernel refuses. The likely outcome is an interface that never gets 192.168.3.1,
# hence no DHCP for wifinet4. Remove that line so the section matches 'guest' (device br-vpn declared
# above, proto static, ipaddr) and re-test before looking at dnsmasq or the firewall.
config interface 'ovpnbridgeif'
option proto 'static'
list ipaddr '192.168.3.1/24'
option device 'br-vpn'
option type 'bridge'
/etc/config/firewall
# /etc/config/firewall as pasted (indentation lost).
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# The wan zone also holds OVPN (tun0): the tunnel is treated as an untrusted, NATed uplink.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'OVPN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest -> router input. Per the netstat listing 80/443 are uhttpd (LuCI), 5353 the nextdns
# listener and 5453 stubby — which is bound to loopback only, so that port is effectively a no-op.
# Guests only need 67-68 plus whichever resolver port they actually use; opening the admin UI to
# the guest SSID deserves a second look.
config rule
option name 'allow-dhcp-dns-guest'
option src 'guest'
option dest_port '67-68 443 5353 5453 80'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
# NOTE(review): this forwarding lets the whole wan zone — PPPoE wan, wan6 and the tun0 tunnel —
# open connections into lan. IPv4 is mostly shielded by NAT, but lan's IPv6 hosts (ip6assign 60
# from the delegated prefix) and anything on the far side of tun0 become directly reachable. The
# narrow Allow-IPSec-ESP / Allow-ISAKMP rules above suggest the intent was much smaller; remove
# this unless it is deliberate.
config forwarding
option src 'wan'
option dest 'lan'
# Zone for the third SSID; same posture as guest (input/forward REJECT, forwarding to wan only).
# With wifinet4 set to 'encryption none' this is an open SSID with internet access until PBR pins
# its traffic to the tunnel.
config zone
option name 'ovpn_net'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'ovpnbridgeif'
config forwarding
option src 'ovpn_net'
option dest 'wan'
# Same port set as allow-dhcp-dns-guest but unnamed and without 'list proto' — the rule default is
# tcpudp, so behaviour should match; a name and an explicit proto list keep the two rules comparable.
config rule
option src 'ovpn_net'
option dest_port '67-68 443 5353 5453 80'
option target 'ACCEPT'
/etc/config/wireless
# /etc/config/wireless as pasted (indentation lost; SSIDs, keys and country redacted by the poster).
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'redacted'
option txpower '25'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
option channel '112'
option band '5g'
option htmode 'HE80'
option cell_density '0'
option country 'redacted'
option txpower '25'
# Main SSIDs (2.4 GHz and 5 GHz), WPA2-PSK, on the lan network.
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'redacted'
option encryption 'psk2'
option key 'redacted'
option network 'lan'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option ssid 'redacted 5'
option encryption 'psk2'
option key 'redacted'
option network 'lan'
# Guest SSID: WPA2-PSK with client isolation.
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'redacted C'
option encryption 'psk2'
option key 'redacted'
option network 'guest'
option isolate '1'
# Third SSID on the 5 GHz radio, attached to ovpnbridgeif. 'encryption none' makes it an open
# network and, unlike wifinet3, there is no 'option isolate 1'. Once DHCP works, bring it in line
# with the guest SSID: psk2 with a key, plus isolate if clients should not see each other.
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'redacted'
option encryption 'none'
option network 'ovpnbridgeif'
netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1917/uhttpd
tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 4098/stubby
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1917/uhttpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1285/dropbear
tcp 0 0 :::80 :::* LISTEN 1917/uhttpd
tcp 0 0 :::53 :::* LISTEN 1515/nextdns
tcp 0 0 ::1:5453 :::* LISTEN 4098/stubby
tcp 0 0 :::443 :::* LISTEN 1917/uhttpd
tcp 0 0 :::22 :::* LISTEN 1285/dropbear
udp 0 0 0.0.0.0:36806 0.0.0.0:* 2503/openvpn
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1515/nextdns
udp 0 0 0.0.0.0:67 0.0.0.0:* 24950/dnsmasq
udp 0 0 127.0.0.1:5453 0.0.0.0:* 4098/stubby
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::5353 :::* 1515/nextdns
udp 0 0 :::546 :::* 3256/odhcp6c
udp 0 0 :::546 :::* 3041/odhcp6c
udp 0 0 :::547 :::* 1803/odhcpd
udp 0 0 :::53 :::* 1515/nextdns
udp 0 0 ::1:5453 :::* 4098/stubby