Only Windows devices are working in Guest Vlan

Hi there,
I've been playing with OpenWRT the last year or so, but now I got a managed switch, so I decided to add a guest & IoT Vlan in order to isolate guest and IoT clients from my main network. So, I created a new Interface with a static IP, I've created a DHCP server on that interface and I assigned it to ethernet 0.20 for it to be on Vlan 20. I also created a firewall zone and assigned it to this interface. But the problem is that only Windows clients can access the internet. I've installed an Access Point on this network, and all of my laptops connect to the internet just fine but everything else can't connect. All the clients get an IP address, I can see the DHCP leases in the OpenWRT dashboard, but the non-Windows clients simply can't access the internet and all of them are getting the "Connected without internet" error. The only thing I've tried was to add a firewall rule that allows all traffic from the IoT zone to the WAN zone, but that didn't help. At this point I'm out of ideas for where to look for the problem, so any help is really appreciated. Some screenshots are included.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
# /etc/config/network as posted. VLAN 20 carries the guest/IoT network and is
# terminated on the router as eth0.20 (the 'IoT_Guest' interface at the end).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd44:a486:ea94::/48'

# lan: bridge over eth0.1 (VLAN 1), 10.0.0.1/16. Router-side DNS is 10.0.3.3,
# the address the dhcp config names 'VM' / 'pihole'.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.0.0'
        option dns '10.0.3.3'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (lan): CPU port 0 and port 3 tagged, ports 1 and 2 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 2 3t'

# VLAN 20 (guest/IoT): CPU port 0 and port 3 tagged, port 4 untagged.
# Port 3 carries both VLANs tagged -- presumably the trunk to the managed switch.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 3t 4'
        option vid '20'

# IoT_Guest on eth0.20.
# NOTE: 10.1.0.0 with netmask 255.255.255.0 is the network address of
# 10.1.0.0/24, not a usable host address. dnsmasq hands the router's own
# address to clients as gateway and DNS, so they were told to use .0; most
# client stacks reject that as a misconfiguration. The fix in the thread is
# to use 10.1.0.1 here.
# 'dns' on this interface sets the router's upstream resolver for it (8.8.8.8);
# what guest clients get as DNS is decided by the dhcp config, not this line.
config interface 'IoT_Guest'
        option proto 'static'
        option ifname 'eth0.20'
        option ipaddr '10.1.0.0'
        option netmask '255.255.255.0'
        option dns '8.8.8.8'
# /etc/config/dhcp as posted (the paste runs straight on from the network
# output above without a separator).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option domain 'diamondfort.net'
# Upstream resolver for dnsmasq is 10.0.3.3, the host listed below as 'VM'
# and mapped to the name 'pihole'.
        list server '10.0.3.3'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option ra 'server'
        option limit '100'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'espcam'
        option dns '1'
        option mac 'A8:03:2A:64:E5:A4'
        option ip '10.0.0.160'

# NOTE(review): this pool is bound to an interface named 'IoT', which does not
# exist in the posted network config (the guest interface is 'IoT_Guest').
# Presumably a leftover from an earlier attempt; the pool that serves VLAN 20
# is the 'IoT_Guest' section at the end of this file.
config dhcp 'IoT'
        option start '100'
        option leasetime '12h'
        option interface 'IoT'
        option limit '150'

config host
        option name 'VM'
        option dns '1'
        option mac '00:0C:29:14:12:5C'
        option ip '10.0.3.3'



config domain
        option name 'pihole'
        option ip '10.0.3.3'

# Empty host section (no name, mac or ip) -- harmless, but worth removing.
config host
      

# DHCP pool for the guest/IoT VLAN. Clients are given the 'IoT_Guest'
# interface address as gateway and DNS, which is why that address must be a
# valid host address (10.1.0.1), not 10.1.0.0.
config dhcp 'IoT_Guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'IoT_Guest'



# /etc/config/firewall as posted. The 'config rule' sections with src 'wan'
# below look like the stock OpenWrt input rules (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6, IPsec); nothing in the thread suggests they were edited.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below forward ESP and IKE (UDP 500) from wan into lan. They are
# only needed if a host on the lan terminates IPsec; otherwise they are an
# unused opening and can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Global policy: forwarding between zones is REJECT unless a 'forwarding'
# section allows it, so lan <-> IoT_Guest is blocked by default -- that is the
# isolation the guest VLAN is meant to provide. Per-zone input/output/forward
# below override these defaults for traffic to/from the router itself.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

# Guest/IoT zone. NOTE(review): input 'ACCEPT' lets every host on the guest
# VLAN reach whatever the router itself listens on (SSH, LuCI, etc.), which
# defeats part of the point of isolating guests. The usual pattern for a guest
# zone is input 'REJECT' plus explicit ACCEPT rules from this zone for DHCP
# (udp dest_port 67) and DNS (tcp/udp dest_port 53), so clients still get
# addresses and name resolution. 'forward' here governs traffic between
# networks inside this zone; with only 'IoT_Guest' attached it has no effect
# as far as the posted config shows.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'IoT_Guest'
        option forward 'ACCEPT'
        option network 'IoT_Guest'

# This forwarding section is what gives the guest VLAN internet access.
config forwarding
        option dest 'wan'
        option src 'IoT_Guest'

# Redundant with the forwarding section above: same src/dest, same ACCEPT.
# This is presumably the rule the OP mentioned adding while troubleshooting;
# it can be removed without changing behaviour.
config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'IoT_Guest'
        option name 'IoT Wan Acept'
        option dest 'wan'

Here is everything. I've just excluded the wireless command since the onboard wireless is disabled.

This address is invalid: 10.1.0.0 with a 255.255.255.0 mask is the network address of 10.1.0.0/24, not a host address. Try 10.1.0.1.

Restart the router, and then test again.


Also, remove this.

Hi,
Sorry for the late reply, that actually fixed my issue. But if you don't mind, can you please tell me why Windows devices didn't have any issues, but only android devices were affected?

Thanks again :slight_smile:

I'm not sure why Windows works, actually... it shouldn't*. But here's the explanation.

For all networks of size /30 and larger, there are 2 reserved addresses: the 'subnet ID' or network address, and the broadcast address. These are not available to be used by any hosts (including the router). On a /24, those would be the .0 and .255 addresses, respectively.

When you set OpenWrt's address to .0, you were overlapping the subnet ID address. The DHCP server in OpenWrt will advertise the router itself for DNS and as the router/gateway, so it sent out the .0 address for both of those fields. Windows just blindly used those addresses, and it seemed to work. The other platforms refused to even try to use that address because it is invalid based on the subnet mask -- they treated it as a misconfiguration.

*I have seen an argument that the reserved address for the subnet ID/network address is being deprecated, similar to how we don't talk about classful address ranges anymore, but instead use CIDR ('/') notation for networks. It is possible that Microsoft's engineers on the networking stack believe that this is indeed a deprecated restriction and have adjusted the behaviors to allow it. Or, it could be that Windows simply never restricted the use of the invalid addresses... I don't know. But AFAIK, basically every other platform (Mac, Linux, iOS, Android, ChromeOS, etc.) will not function properly if a critical thing like the gateway or DNS overlaps the reserved addresses.

Thanks a lot, that was really helpful plus I've learned something new.

Glad I could help!
