One DNS server per radio

I have OpenWRT on a router with two radios. I want the devices on one radio to get one DNS server, and devices on the second radio to get a different DNS server.

I'm willing to work with the command line config files if you want me to edit /etc/config/dhcp instead. I show below what I tried.

I made two new interfaces, and assigned each one radio. I did not destroy the LAN interface since that seems a good way to lock myself out.

For each interface, I went to Edit > Advanced Settings > and unchecked "Use DNS servers advertised by peer" and put in a custom DNS server.

Now when I connect to an interface, I get the IP of the device itself, not the custom DNS servers I supplied above.

I went to the LAN, and Edit > Advanced Settings, and "Use DNS servers advertised by peer" is not an option. It has "Use Custom DNS servers." I put in a nonsense DNS server here, just to make sure it was not getting sent out. It is not.

Also on the LAN, Edit > DHCP Server > Advanced Settings has "DHCP-Options" and I put yet another DNS server here (as "6,1.1.1.1"). When I connect a device, I do get this DNS server, which is useful information for diagnostics, but it gives that server out on both radios.

It seems like the settings for "lan" are taking precedence. Maybe I defined my interfaces wrong.

... Just to experiment, I tried this in /etc/config/dhcp, to see if I could set dhcp on just the interfaces I want. After stopping and starting dnsmasq, I get the same results.


config dhcp 'lan'
        option interface 'lan'
#       option start '100'
#       option limit '150'
#       option leasetime '12h'
#       option dhcpv4 'server'
#       option dhcpv6 'server'
#       option ra 'server'
#       list ra_flags 'managed-config'
#       list ra_flags 'other-config'
#       list dhcp_option '6,1.1.1.1'

config dhcp 'netgyre5'
        option interface 'netgyre5'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,1.0.0.1'

config dhcp 'netgyre2'
        option interface 'netgyre2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,9.9.9.9'

What are my next steps to debug?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board 
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'm not good with uci commands but I did this by setting up separate dnsmasq instances on separate lan segments as below as an example of my config files:

This was to apply filtering, adblocking etc. on the kids' network while leaving the adults' unfettered access.

Wireless config:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option country 'NZ'
	option cell_density '0'
	option txpower '30'
	option log_level '4'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Adults_2.5g'
	option encryption 'psk2'
	option key 'asdf1234'
	option network 'adults_lan'
	option ifname 'Adults_2.5G'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'NZST-12NZDT,M9.5.0,M4.1.0/3'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option proxy_arp '1'
	option nasid 'adult'
	option wnm_sleep_mode_no_keys '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option country 'NZ'
	option cell_density '0'
	option log_level '4'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Adults_5g'
	option encryption 'psk2'
	option key 'asdf1234'
	option network 'adults_lan'
	option ifname 'Adults_5g'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'NZST-12NZDT,M9.5.0,M4.1.0/3'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option nasid 'adult'
	option proxy_arp '1'

config wifi-iface 'wifinet2'
	option ssid 'Kids_2.5g'
	option encryption 'none'
	option device 'radio0'
	option mode 'ap'
	option network 'kids_lan'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'NZST-12NZDT,M9.5.0,M4.1.0/3'
	option bss_transition '1'
	option ifname 'Kids_2.5g'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'

config wifi-iface 'wifinet3'
	option ssid 'Kids_5g'
	option encryption 'none'
	option device 'radio1'
	option mode 'ap'
	option network 'kids_lan'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'NZST-12NZDT,M9.5.0,M4.1.0/3'
	option bss_transition '1'
	option ifname 'Kids_5g'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'

DHCP config:

config dnsmasq 'adults_dns'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/adults_lan/'
	option domain 'adults_lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/adults_lan/dhcp.leases'
	list interface 'adults_lan'
	option localservice '0'
	list notinterface 'kids_lan'
	option confdir '/tmp/adults_lan/dnsmasq.d'
	option quietdhcp '1'
	option filterwin2k '1'
	option allservers '1'
	list server '127.0.0.1#5054'
	list server '127.0.0.1#5053'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '8.8.8.8'
	option boguspriv '0'

config dnsmasq 'kids_dns'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/kids_lan/'
	option domain 'kids_lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/kids_lan/dhcp.leases'
	option confdir '/tmp/kids_lan/dnsmasq.d'
	list interface 'kids_lan'
	option localservice '0'
	list notinterface 'loopback'
	list notinterface 'adults_lan'
	option quietdhcp '1'
	option filterwin2k '1'
	option allservers '1'
	list server '127.0.0.1#5054'
	list server '127.0.0.1#5053'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '8.8.8.8'
	option boguspriv '0'

config dhcp 'adults_lan'
	option instance 'adults_dns'
	option interface 'adults_lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '0'

config dhcp 'kids_lan'
	option instance 'kids_dns'
	option interface 'kids_lan'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option force '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Network config:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fdf6:0e5c:4f41::/48'

config interface 'adults_lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option device 'br-adults_lan'

config interface 'kids_lan'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option device 'wan'
	option metric '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'
	option peerdns '0'
	option device 'wan'
	option metric '2'
	option auto '0'

config device
	option name 'br-adults_lan'
	option type 'bridge'
	list ports 'lan'

config device
	option name 'br-kids_lan'

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.98",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Netgear WAX206",
	"board_name": "netgear,wax206",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r22297-1781e7408a",
		"target": "mediatek/mt7622",
		"description": "OpenWrt SNAPSHOT r22297-1781e7408a"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix [DELETED]

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.7.7'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.1.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'netgyre5'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.5.5'

config interface 'netgyre2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.22.22'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan netgyre2'
	option mode 'ap'
	option ssid 'NETGEAR2'
	option encryption 'psk-mixed'
	option key [DELETED]
	option macfilter 'allow'
	list maclist [DELETED]
	list maclist [DELETED]


config wifi-device 'radio1'
	option type 'mac80211'
	option path [DELETED]
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan netgyre5'
	option mode 'ap'
	option ssid 'NETGEAR5'
	option encryption 'psk2'
	option key [DELETED]
	list maclist [DELETED]

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option logqueries '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Chromebook'
	option dns '1'
	option mac [DELETED]
	option ip '192.168.2.176'

config host
	option name 'M1-Macbook'
	option dns '1'
	option mac [DELETED]
	option ip '192.168.2.118'

config ipset
	list name '204.62.247.0/24'
	list domain 'dflkjdsfg.com'

config host
	option name 'MSI'
	option dns '1'
	option mac [DELETED]
	option ip '192.168.2.172'

config host
	option name 'Sprinklers'
	option dns '1'
	option mac [DELETED]
	option ip '192.168.2.194'

config host
	option name 'switch'
	option dns '1'
	option mac [DELETED]
	option ip '192.168.2.179'

config host
	option ip '192.168.2.102'
	option mac [DELETED]
	option name 'PS4'
	option dns '1'

config dhcp 'netgyre5'
	option interface 'netgyre5'
	option ignore '1'

config dhcp 'netgyre2'
	option interface 'netgyre2'
	option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	list src_mac [DELETED]
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-Kids-DNS'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '172.64.36.1'
	list dest_ip '172.64.36.2'
	list src_mac [DELETED]
	list src_mac [DELETED]
	list src_mac [DELETED]

config rule
	option name 'Intercept-Kids-DNS'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'DROP'
	list src_mac [DELETED]
	list src_mac [DELETED]
	list src_mac [DELETED]

config rule
	option name 'Block kid devices 9pm to 5am'
	option target 'NOTRACK'
	option start_time '21:30:00'
	option stop_time '21:31:00'
	option src 'lan'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'
	option dest 'wan'
	list src_mac [DELETED]
	list src_mac [DELETED]
	list src_mac [DELETED]

config rule
	option name 'chromebook timeblocking weekday afternoon'
	option src 'lan'
	list src_mac [DELETED]
	option target 'DROP'
	option start_time '16:00:00'
	option stop_time '20:00:00'
	option dest 'wan'
	option weekdays 'Mon Tue Wed Thu Fri'

config rule
	option name 'chromebook timeblocking weekend'
	list src_mac [DELETED]
	option target 'DROP'
	option weekdays 'Sun Sat'
	option start_time '08:00:00'
	option stop_time '09:00:00'
	option src 'lan'
	option dest 'wan'

config rule
	option src 'lan'
	list src_ip '192.168.2.102'
	option target 'REJECT'
	option start_time '23:45:00'
	option stop_time '06:00:00'
	option name 'Ps4'
	option dest 'wan'

config rule
	option name 'ipad timeblocking'
	option src 'lan'
	option target 'DROP'
	option start_time '20:30:00'
	option stop_time '05:00:00'
	option dest 'wan'
	list src_mac [DELETED]
	list src_mac [DELETED]

root@OpenWrt:~# 


As context, "netgyre5" is the interface for the "NETGEAR5" radio, and is the one that is intended for adults, and without any MAC filtering, and the one where I am doing my testing.

I am doing MAC filtering on NETGEAR2 in order to make sure devices keep the intended IP addresses, but I am not testing there yet.

There are many issues here, and I'm going to recommend that you start over from scratch (that's faster than cleaning up a config with many many problems).

Two really big ones immediately jump out:

These are the two networks that you're trying to add, but they have nowhere to go... there is no address (DHCP client won't work for this), and they're not assigned to a firewall zone so there's no forwarding from these networks, either. They also have no DHCP servers assigned (which will likely be necessary, but won't function since you're currently using dhcp client for the interface address).

Your wifi SSIDs are also linked to multiple networks. This is not valid, either. Only one network should be assigned here.

There are still many other issues with the configuration, so the fastest solution is to reset and then set up one new network and get that running (lan is there by default, add one new one). If you want to have 3 or more unique local networks, you can use the same recipe as the first added network (once complete).

While you're at it, I'd recommend upgrading to 23.05.0-RC3 (don't keep settings across the upgrade).
https://firmware-selector.openwrt.org/?version=23.05.0-rc3&target=mediatek%2Fmt7622&id=netgear_wax206

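An offline check for the problems named in the reply above, as an added example (not code from the thread or from OpenWrt): it parses UCI text and flags access points bound to more than one network, and AP networks that lack a static address, a firewall zone or an enabled DHCP server. The sample files are constructed by trimming the config posted earlier, and the function and finding names are made up for this example.

```python
import shlex
# Constructed sample: the posted files, trimmed to the sections the checks read.
NETWORK = """
config interface 'lan'
    option proto 'static'
config interface 'netgyre5'
    option proto 'dhcp'
"""
WIRELESS = """
config wifi-iface 'default_radio1'
    option network 'lan netgyre5'
    option mode 'ap'
"""
DHCP = """
config dhcp 'lan'
    option interface 'lan'
config dhcp 'netgyre5'
    option interface 'netgyre5'
    option ignore '1'
"""
FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
"""

def parse_uci(text):
    """Parse UCI text into one dict per section; option/list values become lists."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({".type": tok[1], ".name": tok[2] if len(tok) > 2 else ""})
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def lint(network, wireless, dhcp, firewall):
    """Return (name, finding) pairs for each network attached to an access point."""
    static = {s[".name"] for s in parse_uci(network)
              if s[".type"] == "interface" and s.get("proto") == ["static"]}
    zoned = {n for s in parse_uci(firewall) if s[".type"] == "zone" for n in s.get("network", [])}
    served = {n for s in parse_uci(dhcp) if s[".type"] == "dhcp"
              and s.get("ignore") != ["1"] for n in s.get("interface", [])}
    findings = []
    aps = [s for s in parse_uci(wireless) if s.get("mode") == ["ap"]]
    for w in aps:
        nets = w.get("network", [])
        if len(nets) > 1:
            findings.append((w[".name"], "multiple-networks"))
        for n in nets:
            checks = {"no-static-address": n in static, "no-firewall-zone": n in zoned,
                      "no-dhcp-server": n in served}
            findings += [(n, f) for f, ok in checks.items() if not ok]
    return findings
```

Run it on a workstation against copies of the four files from /etc/config; an empty result means each SSID maps to exactly one network that has an address, a zone and a DHCP pool.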