No wireless internet for VLAN

Hello! First, its amazing to see how responsive this community has been to all questions posted. I've been perusing this forum for the past couple of days trying to figure out how to setup VLAN. I did watch the videos by OneMarcFifty but haven't fully able to configure it correctly.

Device context:
Router: Netgear R7800
OpenWrt firmware: 23.05.1

Note: DSA is still not available for my router. Its still using swconfig

I'm trying to setup the usual 3 VLANs:
VLAN20 - Primary devices (phones, laptop etc)
VLAN30 - IOT
VLAN40 - Guest

  • My primary devices have connected to the VLAN20 network (192.168.20.0/24)
  • My IOT devices are on 2.4G, and have got the new IP address from VLAN30 network (192.168.30.0/24)
  • However, I'm unable to connect to the guest network. I've added firewall rule to allow guest network to forward to WAN.

Here are the configs:

Network:

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipv6 '0'
        option delegate '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option ipv6 '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'
        option description 'WAN'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '20'
        option ports '1t 6t'
        option description 'PRI'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '30'
        option ports '1t 6t'
        option description 'IOT'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '1t 6t'
        option vid '40'
        option description 'GUEST'

config device
        option type 'bridge'
        option name 'br-pri'
        list ports 'eth1.20'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth1.30'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.40'
        option ipv6 '0'

config interface 'pri_interface'
        option proto 'static'
        option device 'br-pri'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'iot_interface'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'guest_interface'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        option delegate '0'

Firewall:

root@OpenWrt:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'pri_zone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'pri_interface'

config zone
        option name 'iot_zone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot_interface'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'

config forwarding
        option src 'pri_zone'
        option dest 'iot_zone'

config forwarding
        option src 'pri_zone'
        option dest 'wan'

config forwarding
        option src 'guest_zone'
        option dest 'wan'

DHCP:

root@OpenWrt:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.5,94.140.14.14,94.140.14.15,1.1.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'pri_interface'
        option interface 'pri_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.5,94.140.14.14,94.140.14.15,1.1.1.1'

config dhcp 'iot_interface'
        option interface 'iot_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.5,94.140.14.14,94.140.14.15,1.1.1.1'

config dhcp 'guest_interface'
        option interface 'guest_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.5,94.140.14.14,94.140.14.15,1.1.1.1'

Wireless:

root@OpenWrt:/etc/config# cat wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'pri_interface'
        option mode 'ap'
        option ssid 'OpenWrt-5G'
        option key 'REDACTED'
        option encryption 'psk2'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'iot_interface'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key 'REDACTED'
        option encryption 'psk2'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt Guest'
        option encryption 'psk2'
        option key 'REDACTED'
        option network 'guest_interface'

Sorry this is such a long post

There was a major bug in 23.05.1 -- please upgrade to 23.05.2.

1 Like

Hi

maybe i am wrong, but if you drop input to zone, then your device could not get dhcp leases

However, I'm unable to connect to the guest network.

or maybe this sentence need further clarification

1 Like

@NPeca75 is correct (at least for part of the issue) -- your guest network doesn't allow input, so it will not be reachable for DHCP (and DNS as well). Setting input=reject is actually not a bad thing in principle for untrusted networks (guest, also potentially your iot network), but you need to create a traffic rule to accept DHCP traffic that comes from those zones and is destined for the router itself. (this is true for DNS, as well, if you use your router as a DNS server; in this case, it appears that the DHCP advertised DNS servers specifically exclude the router).

Meanwhile... you mentioned stuff on VLANs 20, 30, and 40. But you haven't mentioned anything on VLAN 1 (192.168.1.0/24).

In the above line, you are advertising a DNS server on the 192.168.1.0/24 (lan) network -- is there a DHCP server on a host at 192.168.1.5? If not, that address should be removed.

Further, you don't have any firewall rules that will allow the hosts on other networks from reaching that DNS server, so this could cause DNS failures (ideally, those hosts should try another DNS server in the list automatically, but it does depend on the behavior of the host/OS; some dumber devices like cheap IoT things may not handle this well).

2 Likes

Hey! Firstly, its amazing how consistent you are at responding!

Thanks for pointing out the security issues with the firmware. Flashed the new firmware on the router.

Ah I see! I added traffic rule in the firewall to allow DHCP and I'm connected to the wireless network finally!

Regarding, dhcp option, I've used '6' prefix to set DNS. 192.168.1.5 is a static IP and is a raspberry pi running pi hole. I want all devices in my network to access this pi for their DNS. This device doesn't handle DHCP. Thats being handed out by my router I think. If I'm understanding correctly, the DHCP server is advertising DNS using dhcp_option, and thats how devices can connect to pi hole for DNS

If this is not correct, please let me know and I can remove it. I guess since IOT is not being forwarded to WAN, it doesn't need DNS and I can disable it for that interface

Regarding VLAN1, I'm not sure which setting you want to see. However, here is a screenshot for the vlans

AFAIK, it was actually a routing issue, not a security one. A big enough bug, though, that it was actually not officially announced (officially, the release announcements go from 23.05.0 > 23.05.2). But glad you're updated now.

Great!

Sounds good. Thanks for clarifying.

Yes, my mistake. I meant to ask if you were running a DNS (not DHCP) server at that address. And you are. And DHCP is being handled by your router.

Yes, you've understood correctly. But you also need to allow devices to access the pihole. Currently, they will try, but will fail to actually connect to the pihole because of there are no firewall rules that allow it.

Probably true. But not always... some devices will assume they are offline and refuse to function if they can't at least resolve a domain. But more than likely not an issue.

My question was really about the fact that you didn't mention using it for anything... but we now know that there is a pihole on that network.

For DNS from the other two networks, you need to create a rule to accept udp + tcp desitnation port 53 from those zones > lan zone 192.168.1.5 port 53.

Hey @psherman ,
I've realized the pihole setup is not working correctly. Previously, I was using multiple DNS servers in addition to pihole IP. When I switched it back to just using the pihole IP (192.168.1.5) on lan, DNS queries are not being served.

For now I'm just trying to get this work on my Guest network as I need my other devices to work. I added the traffic rule as you pointed out (also as suggested in OneMarkFifty's firewall video)

No luck. I tried just forwarding guest zone to the pihole IP on port 53 to lan, but it still didn't work

When I'm connected to the Guest network, I'm able to ping the 192.168.1.5 and also access the pihole web interface. There is internet connectivity but no dns resolution i.e. I can ping 8.8.8.8 but not google.com

Attaching relevant details from

  • /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.5,94.140.14.14,94.140.14.15,1.1.1.1'    

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'guest_interface'
        option interface 'guest_interface'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.5'

Relevant Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_interface'

config rule
        option name 'Allow-DHCP-DNS-Guest'
        option src 'guest_zone'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest_zone'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.1.5'

config forwarding
        option src 'guest_zone'
        option dest 'wan'

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.