OpenWrt as DHCP but not NAT GW for a subnet

I only know how to use LuCI to do OpenWRT configuration. If needed, I will follow instructions to do the configuration in a terminal as well.

My OpenWRT is like follows:

vlan1: 192.168.1.1/24, DHCP, DNS, NAT access via vlan2, lan/wifi SSID vlan1
vlan2: Internet Uplink. DHCP from ISP. NAT outgoing interface.
vlan3: 192.168.3.1/24, DHCP, DNS, NAT access via vlan2, lan/wifi SSID vlan3

I want to further achieve the following:

  • vlan1 can access vlan3, but vlan3 cannot access vlan1
  • add vlan4, such that OpenWRT only offers DHCP on this new subnet. No DNS, no NAT access; vlan4 cannot access other vlans and vice versa.

Please give me directions on where I can find more information.

Thanks in Advance!

If you are looking for information, as far as documentation goes check https://openwrt.org/docs/guide-user/network/vlan/start, there are several topics you should check for your use-case, especially VLAN Switch for VLAN access and traffic control.


Thank you for the pointer!

VLAN3 machines cannot access VLAN1 machines now.

And OpenWRT now does not allow NAT access for VLAN4 client machines either.

I still have two issues:

  1. From a VLAN1 client machine, I can still ping 192.168.4.1, which is the vlan4 IP address of OpenWRT (it is not a big deal, but if possible, I want to hide that also.)
  2. From a VLAN4 client machine, the default GW given by DHCP@OpenWRT is 192.168.4.1. How can I change that to 192.168.4.2?

  1. If you separated the VLANs, any communication (unless allowed by firewall rules) shouldn't be allowed, check your setup and refer to this example https://openwrt.org/docs/guide-user/network/vlan/creating_virtual_switches.

  2. You should use static leases if the IP is within DHCP range, if not, simply set a static IP, refer to https://openwrt.org/docs/guide-user/base-system/dhcp

  1. If you allow INPUT in the zone of vlan1 then 192.168.4.1 will reply, as it still is the router itself. You'd have to create a specific DROP/REJECT rule to block it in the INPUT chain.
  2. You can add a custom option in DHCP server for interface vlan4 . Check the description of the first line here.

Thank you for the hints, @trendy and @freezeheat.

I tried two methods to override the Router value issued to DHCP clients:

  1. From LuCI -> Network -> Interfaces -> vlan4 -> Edit
  • DHCP Server -> Advanced Settings -> DHCP-Options, enter "3,192.168.4.2", then click on the '+' sign.
  • Save, Save & Apply
  • Result: Win10, ipconfig /renew, timeout without getting any IP.
  2. Using uci
  • run at the OpenWRT ssh shell:
    uci add_list dhcp.vlan4.dhcp_option="3,192.168.4.2"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
  • Result: Same as 1.

After removing that option 3, the DHCP offer is OK; just the GW is not overridden.

should be 4.2

If you still have problem, you need to run a tcpdump to examine the contents of the DHCP offer, to make sure that options are applied and advertised properly.

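The hints in this thread (a separate firewall zone for vlan4 with no forwardings, an INPUT-chain rule so that vlan1 clients cannot reach 192.168.4.1, a DHCP option 3 override for the router address, and a tcpdump look at the offer) pulled together as one script. This is an added example, not something posted in the thread: it assumes the firewall zones are named vlan1 and vlan4, that the Linux device carrying VLAN 4 is eth0.4 (a placeholder; DSA builds use a different name), and a standard OpenWrt install with uci, dnsmasq and the fw3/fw4 firewall config.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or applies) the uci commands for an
# isolated, DHCP-only vlan4 and offers a tcpdump check of the resulting offer.
# Assumed names (not given in the thread): zones 'vlan1'/'vlan4', device 'eth0.4'.

VLAN4_DEV="${VLAN4_DEV:-eth0.4}"      # placeholder: device that carries VLAN 4
VLAN4_GW="${VLAN4_GW:-192.168.4.2}"   # router address to hand out in option 3

# Prints the uci commands; nothing is changed until they are piped into sh.
build_vlan4_config() {
    cat <<EOF
# interface: the router keeps .1 so dnsmasq has an address to serve DHCP from
uci set network.vlan4=interface
uci set network.vlan4.proto='static'
uci set network.vlan4.device='$VLAN4_DEV'
uci set network.vlan4.ipaddr='192.168.4.1'
uci set network.vlan4.netmask='255.255.255.0'
# DHCP pool: option 3 overrides the router; a bare option 6 makes dnsmasq omit DNS servers
uci set dhcp.vlan4=dhcp
uci set dhcp.vlan4.interface='vlan4'
uci set dhcp.vlan4.start='100'
uci set dhcp.vlan4.limit='150'
uci set dhcp.vlan4.leasetime='12h'
uci add_list dhcp.vlan4.dhcp_option='3,$VLAN4_GW'
uci add_list dhcp.vlan4.dhcp_option='6'
# zone with no forwarding sections: no NAT via vlan2, no reach into other VLANs
uci add firewall zone
uci set firewall.@zone[-1].name='vlan4'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='vlan4'
# input is REJECT, so DHCP requests (UDP/67) must be allowed explicitly
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-vlan4'
uci set firewall.@rule[-1].src='vlan4'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].target='ACCEPT'
# rule with src but no dest zone lands in INPUT: hide 192.168.4.1 from vlan1 clients
uci add firewall rule
uci set firewall.@rule[-1].name='Hide-vlan4-addr-from-vlan1'
uci set firewall.@rule[-1].src='vlan1'
uci set firewall.@rule[-1].dest_ip='192.168.4.1'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='DROP'
uci commit network
uci commit dhcp
uci commit firewall
EOF
}

# Runs the commands on the router and reloads the affected services.
apply_vlan4_config() {
    build_vlan4_config | sh -e
    /etc/init.d/network reload
    /etc/init.d/dnsmasq restart
    /etc/init.d/firewall restart
}

# Decodes DHCP traffic on the vlan4 device; the offer should list
# "Default-Gateway (3)" with the override address and no "Domain-Name-Server (6)".
verify_dhcp_offer() {
    tcpdump -ni "$VLAN4_DEV" -vv 'udp and (port 67 or port 68)'
}

case "${1:-show}" in
    apply)  apply_vlan4_config ;;
    verify) verify_dhcp_offer ;;
    *)      build_vlan4_config ;;   # default: just print the commands for review
esac
```

Run it without arguments to review the generated commands, with `apply` on the router to commit them, and with `verify` while a VLAN4 client renews its lease to read the decoded offer. The zone gets no `forwarding` section at all, which is what keeps vlan4 off the NAT path and away from vlan1/vlan3; the DHCP allow rule is needed because `input='REJECT'` would otherwise block the clients' requests to dnsmasq.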
Yes, I used 4.2. Thanks for spotting my typo.

I will try to learn tcpdump and see what I can find out.
