New VLAN gets DHCP but does not have access to internet

Hi,

I am quite a greenhorn / self-learner in terms of network setup and would appreciate help from OpenWRT gurus.

I am on 23.05.3 on a Linksys WRT1900ACS, which serves as the main router. I have a primary LAN and a DMZ zone for IoT devices working properly.
DMZ is served by the WRT1900ACS 2.4GHz radio, whereas LAN by wired connections to dedicated access points.

Recently I decided to create a dedicated VLAN for wireless guest devices. These would be served by a Linksys LAPAC1750 access point running stock firmware, with the ability to VLAN-tag selected SSIDs. It is connected by wire to the main router and is working in VLAN 4 for the guest network, while the main LAN network is untagged. The AP is connected to the main router on port 3.

This picture shows the setup I am trying to achieve:

What works:

  • LAN and DMZ are fully functional
  • GUEST is able to get proper IP addresses, from GUEST range
  • GUEST is able to ping/ssh/access LuCI on main router (using either LAN or GUEST IP)
  • if rules are set, GUEST is able to access LAN hosts

What doesn't work:

  • GUEST cannot access internet / WAN

It seems packets get to WAN (when connected to guest and checking "nft list ruleset", the number of packets forwarded from GUEST to WAN is increasing; however, it seems that the response cannot get back through).
This is strange, because DMZ and GUEST are actually set up in the same way, the difference being mainly the device used (radio vs wired VLAN).

Any ideas what I am missing?

My config (MAC addresses privatized):
/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:yyyy:zzzz::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.201.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'aa:bb:cc:dd:ee:ff'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ip6assign '64'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'dmz'
	option proto 'static'
	option device 'phy1-ap0'
	option ipaddr '192.168.202.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '4'
	option name 'lan3.4'
	option macaddr 'ff:ee:dd:cc:bb:aa'

config interface 'guestvlan'
	option proto 'static'
	option device 'lan3.4'
	option ipaddr '192.168.203.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

/etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'dmz'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option dest_port '53'
	option src 'dmz'
	option name 'DMZ DNS'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'dmz'
	option name 'DMZ DHCP'
	option target 'ACCEPT'

config rule
	option name 'DMZ ping'
	list proto 'icmp'
	option src 'dmz'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'lan3.4'
	list network 'guestvlan'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest allow WAN'
	option src 'guest'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Drop WAN input'
	option src 'wan'
	option target 'DROP'

You need to use bridge-VLANs.

Delete this:

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '4'
	option name 'lan3.4'
	option macaddr 'ff:ee:dd:cc:bb:aa'

Create the bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan3:t'

Edit the guest network to use br-lan.4:

config interface 'guestvlan'
	option proto 'static'
	option device 'lan3.4'
	option ipaddr '192.168.203.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

Unrelated, but remove the device from here:

config interface 'dmz'
	option proto 'static'
	option device 'phy1-ap0'
	option ipaddr '192.168.202.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

Remove the device from here:

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'lan3.4'
	list network 'guestvlan'

Delete these:

Reboot and test. If that doesn't fix the issue, post your complete config on that device:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi @psherman, thanks a lot for reply!
I was sure I was doing something wrong. I followed your advice in my 'test' environment before applying it to the live network.
A clean OpenWRT install of 23.05.3 on a Linksys EA7300v2 served as this test environment.

Unfortunately after applying bridge VLAN configuration you suggested:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan3:t'

and rebooting, the system stops responding on LAN and wireless interfaces. I don't want to follow this path in my 'production' network until I confirm it working.

Do you have any idea what could be wrong (I reverted to the clean OpenWRT config twice, failing each time)?
As said, this is a clean OpenWRT install, with default, unchanged configuration files, just the above lines added. I can send it for reference, if needed.

Ah... I think I neglected to specify one other necessary edit. My apologies.

The edit required is this:
Change the device in the lan interface to use br-lan.1 instead of br-lan.

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.201.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

In the current situation, you can use failsafe mode to get back into the router. Then you can issue mount_root and edit /etc/config/network using the vi text editor.


Thanks, will try this and report back! Obviously I should've thought about that.

EDIT: the edit

option device 'br-lan.1'

solves the inaccessibility issue. I will carry on with testing and applying changes tomorrow, as today I need a working connection without interruptions.
I will reply as soon as I finish.
Thanks a lot for your help!


Hi @psherman, many thanks! Your suggestion works like a charm; I'll mark it as the solution so that others can benefit. I was actually looking on the forum for a VLAN setup for newbies, especially for routers without a hardware switch, like mine, to no avail.

Just as an additional curiosity: you suggested (as unrelated advice) to remove the device from the section below:

config interface 'dmz'
	option proto 'static'
	option device 'phy1-ap0'
	option ipaddr '192.168.202.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

However, this part is actually generated by LuCI, and if the device is removed it appears not to work. Could you explain a bit more on this?

Thanks again!

The wireless devices should never be referenced in /etc/config/network as they belong solely in /etc/config/wireless. Each SSID can be assigned to a network in the SSID stanzas with the option network line.

If removing this line causes things to break, let's take a look at the current full configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
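The thread shows three ways this kind of change goes wrong: an 8021q device on a port that is also a bridge member (the original layout), bridge-vlans added while an interface still sits on bare br-lan (the lockout), and a wireless device referenced from /etc/config/network. It also shows the guest zone with input ACCEPT, which is why guests could reach ssh and LuCI on the router. The following is an added example, not code from this thread or from the OpenWrt project: a pre-flight linter that parses UCI text on a workstation and reports those conditions before the config is pushed to a router. It assumes the plain config/option/list line grammar of UCI and the phyN-apN / wlanN naming of wireless devices; the embedded sample configs are constructed from the stanzas posted above with unrelated option lines omitted.

```python
"""Offline pre-flight lint for OpenWrt UCI config text (added example, not code from
this thread or from the OpenWrt project). Parses /etc/config/network and
/etc/config/firewall and flags the pitfalls the thread walked through, so a change
can be checked on a workstation before it is pushed to a router where a mistake
means failsafe mode. Samples are constructed in the thread's style and trimmed."""
import re
from collections import defaultdict

WIFI_DEV = re.compile(r"^(phy\d+-ap\d+|wlan\d+)")  # assumed wireless device naming

BROKEN_NETWORK = "\n".join([  # original layout: 8021q on a bridge port, wifi in network
    "config device", "option name 'br-lan'", "option type 'bridge'",
    "list ports 'lan1'", "list ports 'lan3'",
    "config interface 'lan'", "option device 'br-lan'",
    "config interface 'dmz'", "option device 'phy1-ap0'",
    "config device", "option type '8021q'", "option ifname 'lan3'", "option name 'lan3.4'",
    "config interface 'guestvlan'", "option device 'lan3.4'"])
FIXED_NETWORK = "\n".join([  # bridge-vlans, interfaces on br-lan.1 / br-lan.4
    "config device", "option name 'br-lan'", "option type 'bridge'",
    "list ports 'lan1'", "list ports 'lan3'",
    "config bridge-vlan", "option device 'br-lan'", "option vlan '1'",
    "list ports 'lan1:u*'", "list ports 'lan3:u*'",
    "config bridge-vlan", "option device 'br-lan'", "option vlan '4'", "list ports 'lan3:t'",
    "config interface 'lan'", "option device 'br-lan.1'",
    "config interface 'guestvlan'", "option device 'br-lan.4'"])
LOCKOUT_NETWORK = FIXED_NETWORK.replace("'br-lan.1'", "'br-lan'")  # state that locked the poster out
GUEST_FW_BEFORE = "\n".join([
    "config zone", "option name 'guest'", "option input 'ACCEPT'",
    "list device 'lan3.4'", "list network 'guestvlan'"])
GUEST_FW_AFTER = "\n".join([  # same shape as the thread's dmz zone
    "config zone", "option name 'guest'", "option input 'REJECT'", "list network 'guestvlan'",
    "config rule", "option src 'guest'", "option dest_port '67-68'", "option target 'ACCEPT'",
    "config rule", "option src 'guest'", "option dest_port '53'", "option target 'ACCEPT'"])


def parse_uci(text):
    """Minimal line-based UCI parser: returns a list of {type, name, opts, lists}."""
    secs, cur = [], None
    for raw in text.splitlines():
        t = [x.strip("'\"") for x in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw.strip())]
        if not t or t[0].startswith("#"):
            continue
        if t[0] == "config":
            cur = {"type": t[1], "name": t[2] if len(t) > 2 else None,
                   "opts": {}, "lists": defaultdict(list)}
            secs.append(cur)
        elif t[0] == "option" and cur:
            cur["opts"][t[1]] = t[2] if len(t) > 2 else ""
        elif t[0] == "list" and cur:
            cur["lists"][t[1]].append(t[2] if len(t) > 2 else "")
    return secs


def lint_network(text):
    """Findings for /etc/config/network; an empty list means clean."""
    secs, out = parse_uci(text), []
    bridges = {s["opts"].get("name"): s["lists"]["ports"] for s in secs
               if s["type"] == "device" and s["opts"].get("type") == "bridge"}
    vlan_bridges = {s["opts"].get("device") for s in secs if s["type"] == "bridge-vlan"}
    for s in secs:
        o = s["opts"]
        if s["type"] == "device" and o.get("type") == "8021q":
            # A plain 8021q device on a bridge member port bypasses the bridge entirely.
            owner = [b for b, ports in bridges.items() if o.get("ifname") in ports]
            if owner:
                out.append(f"device {o.get('name')}: 8021q on {o.get('ifname')}, a port of "
                           f"{owner[0]}; use a bridge-vlan on {owner[0]} instead")
        elif s["type"] == "interface":
            dev = o.get("device", "")
            if dev in vlan_bridges:  # once bridge-vlans exist, interfaces must use br-lan.<vid>
                out.append(f"interface {s['name']}: bare {dev} has bridge-vlan stanzas; use {dev}.<vid>")
            if WIFI_DEV.match(dev):
                out.append(f"interface {s['name']}: wireless device {dev} belongs in "
                           f"/etc/config/wireless via 'option network {s['name']}'")
    return out


def lint_firewall(text, untrusted=("guest", "dmz")):
    """Findings for zones that serve untrusted clients; empty list means clean."""
    secs, out = parse_uci(text), []
    rules = [s["opts"] for s in secs if s["type"] == "rule"]
    for z in (s for s in secs if s["type"] == "zone"):
        name = z["opts"].get("name")
        if z["lists"]["device"]:
            out.append(f"zone {name}: bind with 'list network', not 'list device'")
        if name not in untrusted:
            continue
        if z["opts"].get("input") == "ACCEPT":
            out.append(f"zone {name}: input ACCEPT exposes ssh/LuCI to clients; use REJECT plus DHCP/DNS rules")
            continue
        allowed = set()  # ports opened by input rules (rules without a dest zone)
        for r in rules:
            if r.get("src") == name and not r.get("dest") and r.get("target") == "ACCEPT":
                for part in r.get("dest_port", "").replace(",", " ").split():
                    lo, _, hi = part.partition("-")
                    allowed.update(range(int(lo), int(hi or lo) + 1))
        for port, svc in ((67, "DHCP"), (53, "DNS")):
            if port not in allowed:
                out.append(f"zone {name}: no input rule for {svc} (udp/{port}); clients get no {svc}")
    return out


if __name__ == "__main__":
    for label, fn, cfg in (("broken", lint_network, BROKEN_NETWORK),
                           ("lockout", lint_network, LOCKOUT_NETWORK),
                           ("fixed", lint_network, FIXED_NETWORK),
                           ("fw-before", lint_firewall, GUEST_FW_BEFORE),
                           ("fw-after", lint_firewall, GUEST_FW_AFTER)):
        print(label, fn(cfg) or "clean")
```

Run it against real files with `lint_network(open("network").read())` after pulling them with scp; the untrusted zone list is a parameter because the names are site-specific. The DHCP/DNS check is what makes the REJECT default safe to adopt: a zone that rejects input but has no rule for udp/67 hands out no leases, which is easy to mistake for the VLAN problem this thread was about.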
