No internet on VLAN. Not sending DNS inquiries to AdguardHome

Have openwrt on router and dumb apn. Just got VLANs set up for the first time.

Outline of the set up:
VLAN1 is local network
VLAN99 is for iot and guest.

Since I am still learning this process, I have VLAN99 configured identical to VLAN1 but on a different subnet.
Also, VLAN1 devices (on subnet 10.1.1.x) can ping VLAN99 devices (on 10.1.99.x), but NOT vice versa.

Did basically the same on dumb AP.
Wifi on the router is associated with VLAN1 and Wifi on the AP is associated with VLAN99.

AdGuardHome(AGH) is set up on the main router 10.1.1.1

Issue: Devices connected to VLAN99 receive their IPs on the 10.1.99.x subnet fine, but they cannot connect to the internet.

However, when I manually change the DNS server on the VLAN99 devices to the IP of AGH (10.1.1.1), everything works as expected.

Basically the same story over at the dumb AP. Devices on VLAN1 work fine. VLAN99 devices do not connect to the internet unless I set the IP of AGH (10.1.1.1) as the DNS server.

What I tried:
I tried setting the IP of AGH (10.1.1.1) as the DNS server on the VLAN99 interface:
Interfaces > VLAN99 > Advanced Settings > Use custom DNS servers: 10.1.1.1

Not sure what I am doing wrong. Any help is greatly appreciated.

Configs:

root@wrt1900ac:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted (dnsmasq + odhcpd). Review annotations are the '#' lines.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers used by the router itself; netifd writes this file
        # from the interfaces' 'list dns' entries. It has nothing to do with
        # what DHCP clients are told (that is dhcp_option 6).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer queries that arrive from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option cachesize '1000'
        option noresolv '0'
        # NOTE(review): DNS rebinding protection is switched off in dnsmasq.
        # Presumably AdGuardHome is the client-facing resolver and filters
        # private-address answers itself -- confirm; otherwise re-enable this.
        option rebind_protection '0'
        # dnsmasq listens on 54 instead of 53, presumably to leave 53 free for
        # AdGuardHome on 10.1.1.1 -- confirm.
        option port '54'
        # dnsmasq forwards its own queries to 10.1.1.1, i.e. the router's LAN
        # address, where AdGuardHome is said to listen.
        list server '10.1.1.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # Option 6 = DNS server handed to clients; option 3 = default gateway.
        list dhcp_option '6,10.1.1.1'
        list dhcp_option '3,10.1.1.1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        # No DHCP service offered on the WAN side.
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP pool for the guest/IoT VLAN. Unlike 'lan' there is no dhcp_option 6
# here, so VLAN99 clients are never told to use 10.1.1.1 for DNS -- the likely
# cause of the "no internet unless DNS is set by hand" symptom.
config dhcp 'VLAN99'
        option interface 'VLAN99'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
root@wrt1900ac:~# cat /etc/config/firewall

# /etc/config/firewall as posted. Review annotations are the '#' lines.
# Zone defaults: the router accepts traffic addressed to itself from any zone
# that does not override 'input', and forwards nothing between zones unless a
# 'config forwarding' section allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted LAN zone.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # NOTE(review): no 'vpn' interface appears in the posted
        # /etc/config/network -- stale entry, or trimmed from the paste?
        list network 'vpn'

# WAN zone: nothing unsolicited reaches the router or is forwarded in; NAT out.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# lan -> wan is the only forwarding allowed for the trusted LAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# The IPv4 WAN rules below match OpenWrt's stock defaults; no IPv6 rules are
# present in this paste.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        # Script include; its contents are not shown in this post and should
        # be reviewed together with the rules above, since it can add rules
        # outside of this file.
        option path '/etc/firewall.user'


config include 'bcp38'
        # BCP38 anti-spoofing (egress source-address filtering) script.
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'


# Guest/IoT zone. NOTE(review): 'input ACCEPT' means VLAN99 clients can reach
# every service the router listens on (management included), not just
# DHCP/DNS. The usual hardening for a guest/IoT zone is 'input REJECT' plus
# explicit ACCEPT rules for DHCP (udp/67) and DNS (53).
config zone
        option name 'vlan99'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VLAN99'

# vlan99 -> wan only; nothing is forwarded from vlan99 into lan.
config forwarding
        option src 'vlan99'
        option dest 'wan'

# One-way: lan may initiate into vlan99 but not the reverse, which is why
# VLAN1 hosts can ping VLAN99 hosts and not vice versa.
config forwarding
        option src 'lan'
        option dest 'vlan99'
root@wrt1900ac:~# cat /etc/config/network

# /etc/config/network as posted. Review annotations are the '#' lines.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd57:ce2e:0624::/48'

# Bridge over the four LAN ports; per-port VLAN membership is set in the
# 'bridge-vlan' sections below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Trusted LAN on VLAN 1 (10.1.1.0/24). 10.1.1.1 is the router itself, and is
# also the address AdGuardHome is said to listen on.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.1.1.1'
        option device 'br-lan.1'
        # 'list dns' sets the resolver the ROUTER uses (resolv.conf.auto); it
        # is not advertised to DHCP clients -- that needs dhcp_option 6.
        list dns '10.1.1.1'

config device
        option name 'wan'
        option macaddr 'c2:52:22:d5:52:52'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# VLAN 1: lan1/lan2 untagged, lan4 tagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan4:t'

# VLAN 99: lan3 untagged, lan4 tagged. lan4 therefore carries both VLANs as a
# trunk -- presumably the uplink to the dumb AP; confirm.
config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan3'
        list ports 'lan4:t'

# Guest/IoT VLAN on 10.1.99.0/24.
config interface 'VLAN99'
        option proto 'static'
        option device 'br-lan.99'
        option ipaddr '10.1.99.1'
        option netmask '255.255.255.0'
        # Same caveat as on 'lan': this only affects the router's own lookups,
        # which is why setting it here did not fix the clients.
        list dns '10.1.1.1'

Thanks again for looking into this.

This method of assigning the DNS server won't do what you want: the interface's DNS setting only tells the router which resolver to use itself, not what to hand out to clients. Instead, you want to set option 6 in the DHCP server for this network to advertise the desired server (10.1.1.1). You will also need to allow connections from VLAN99 to the lan (or just to 10.1.1.1)... you can even restrict that rule to only port 53 (DNS).

EDIT: You can also verify that the only real issue is DNS by pinging an IP address on the internet like 8.8.8.8. If that fails, you may have other connectivity issues. But if it works, yet pinging by domain name fails, it would mean that this is purely a DNS problem.


Thank you! That did it.
Adding my notes for anyone who might need help in the future.

I first tried pinging 8.8.8.8 and it was working fine. Then when I pinged google.com, it was failing.
That way, I ruled out any other issue besides DNS.

Then I created a firewall traffic rule to let vlan99 interface access 10.1.1.1 on port 53
EDIT: I just tried disabling this rule and it still works, so this rule might not be needed (the vlan99 zone's input policy is ACCEPT, and 10.1.1.1 is the router's own address, so queries to it are already accepted).

# Intended to let VLAN99 clients query AdGuardHome on 10.1.1.1:53.
# NOTE(review): 10.1.1.1 is the router's own address, so these packets are
# handled by the router's input chain; a rule with 'option dest' set is a
# forwarding rule and does not match them. It still "works" with the rule
# disabled only because the vlan99 zone has 'input ACCEPT'. If that zone is
# later tightened to 'input REJECT', drop the 'dest' and 'dest_ip' lines so
# this becomes an input rule for port 53, and state the protocol explicitly
# (e.g. option proto 'tcp udp') rather than relying on a default.
config rule
        option name 'VLAN Allow DNS'
        option family 'ipv4'
        option src 'vlan99'
        option dest 'lan'
        list dest_ip '10.1.1.1'
        option dest_port '53'
        option target 'ACCEPT'

After that I edited the VLAN99 interface and added the dhcp option 6 as 10.1.1.1

# DHCP pool for VLAN99 with dhcp_option 6 added: clients are now told to use
# 10.1.1.1 (AdGuardHome) for DNS, which is the actual fix. No option 3 is set
# here, so the advertised gateway is left to dnsmasq's default -- presumably
# the interface address 10.1.99.1; confirm.
config dhcp 'VLAN99'
        option interface 'VLAN99'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.1.1.1'
        list ra_flags 'none'

After a restart everything is working perfectly. Dumb AP is also working as expected.
Now I can move on to start adding some more restrictions to this VLAN99 interface.

Thanks for your help.

I just realized that this is the LAN address of the OpenWrt router itself. For whatever reason, I was thinking that 10.1.1.1 was a different host.
