OpenWrt, VLANs, Ubiquiti, DHCP and DNS

Hello, I'm struggling to set up a new network. I hope someone is willing to verify this.

I'm working with VLANs and a "real" switch for the first time, and it has been a struggle.

Devices:
1: telecom operator supplied modem
2: openwrt AX3600, connected via ethernet on WAN <> modem and via PPPoE
3: Ubiquiti switch, its port 1 connected via ethernet to OpenWrt LAN1
4: other devices connected to various switch ports: access points ethernet backhaul

My openwrt router also has wifi interfaces which are on the default 1 vlan and that I can use to configure the router.

It seems that I need to tag vlans on both the router's switch + the ubiquity switch. Is that correct?

So far I have managed to create vlans, which function at least for the default network but which do not work for the intended purpose (IOT, guest,...).

I'm configuring the Ubiquiti APs (UniFi) to have 3 or more wireless networks (for VLANs default 1, iot 2 and guest 11). I can configure that in the UniFi software, but I do not get an IP via DHCP on guest 11 - I also do not get an IP when I plug a device into a switch port natively tagged for VLAN 11.

With DHCP and DNS I also have been battling to create specific dnsmasq configurations per VLAN - where dnsmasq seems to want to launch multiple instances and crashes because it is already bound to port 53.

Some things are unclear, such as the gateway to set in each VLAN and the DNS configuration/forwarding.

cat /etc/config/dhcp

# NOTE(review): this file defines a 'lan' DHCP pool (with master '1') plus a
# named dnsmasq instance 'brlan' that binds lan and the three vlan interfaces.
# A named dnsmasq section is normally started as its own instance; the
# "already bound to port 53" crash described above is consistent with two
# instances competing for the same interfaces -- confirm with logread.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        option master '1'
        # DHCP option 6 hands clients the public resolvers directly, so they
        # bypass the router's dnsmasq (and therefore the '/lan/' local names).
        list dhcp_option '6,8.8.8.8,8.8.4.4,1.1.1.1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dnsmasq 'brlan'
        option authoritative '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        # Security-relevant: rebind protection is switched off, so upstream
        # answers that resolve to private addresses are accepted. The reset
        # config later in the thread restores the default '1'.
        option rebind_protection '0'
        # Only answer DNS queries that originate from directly attached subnets.
        option localservice '1'
        list interface 'lan'
        list interface 'vlan1'
        list interface 'vlan2'
        list interface 'vlan11'
        # The PPPoE interface is explicitly excluded from listening.
        list notinterface 'pppoe-redact'
        option leasefile '/tmp/dhcp-brlan.lease'
        option readethers '1'
        # Additional upstream servers are read from this file (contents not shown).
        option serversfile '/etc/dnsmasq.servers'
        option nonwildcard '0'

# Per-VLAN pools. They carry no dhcpv4/dhcpv6/ra options, so defaults apply.
# The missing leases on vlan11 are explained later in the thread: the guest
# zone lacked firewall rules allowing DHCP and DNS to the router.
config dhcp 'vlan1'
        option interface 'vlan1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan2'
        option interface 'vlan2'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan11'
        option interface 'vlan11'
        option start '100'
        option limit '150'
        option leasetime '12h'


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd3:53dd:b67b::/48'

# Bridge over the three router LAN ports; VLAN membership is declared in the
# bridge-vlan sections below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# NOTE(review): 'lan' is still attached to the plain bridge 'br-lan' while
# bridge-vlans are defined on it. Later in the thread the helper moves this to
# 'br-lan.1' so the management network lives on a specific VLAN.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Port suffixes: 't' = tagged egress, 'u' = untagged egress, '*' = PVID
# (untagged ingress frames are placed in this VLAN). No suffix = untagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t*'
        list ports 'lan2:t*'
        list ports 'lan3:t*'

# VLAN 2 leaves lan1 untagged, while VLAN 1 above keeps lan1's PVID and tags
# its egress -- an unusual mix; presumably not what was intended.
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1'

# VLANs 3-9 below have no member ports and no interface; they are unused.
config bridge-vlan
        option device 'br-lan'
        option vlan '3'

# NOTE(review): 'gateway' and 'dns' on one of the router's own LAN-side
# interfaces point at the router's other address (10.1.1.1); the router is the
# gateway for its clients, so these lines are not needed. The helper removes
# the equivalent lines from vlan4 later in the thread.
config interface 'vlan1'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '10.10.1.1'
        option netmask '255.255.255.0'
        option gateway '10.1.1.1'
        option broadcast '10.10.1.255'
        list dns '10.1.1.1'
        list dns_search 'lan'
        option defaultroute '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'

# Guest VLAN: tagged only on lan1, the uplink towards the switch.
config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'lan1:t'

config interface 'vlan2'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '10.10.2.1'
        option netmask '255.255.255.0'
        option gateway '10.1.1.1'
        list dns '10.1.1.1'

# PPPoE uplink; credentials redacted by the poster. peerdns '0' ignores the
# ISP-supplied resolvers in favour of the listed public ones.
config interface 'pppoe-redacted'
        option proto 'pppoe'
        option device 'wan'
        option username '*'
        option password '*'
        option ipv6 '1'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        list dns '1.1.1.1'

config interface 'vlan11'
        option proto 'static'
        option device 'br-lan.11'
        option ipaddr '10.10.11.1'
        option netmask '255.255.255.0'
        list dns '10.1.1.1'
        option gateway '10.1.1.1'

# NOTE(review): the trailing '*' in the device name looks like a redaction
# artefact or a typo; confirm it actually matches the 'pppoe-redacted' device.
config device
        option name 'pppoe-redacted*'
        option ipv6 '0'

cat /etc/config/firewall

# Default policy: nothing reaches the router or is forwarded unless a zone or
# rule below allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# lan zone: lan, vlan1 and vlan2 are trusted; vlan11 is deliberately absent
# and is placed in the 'guest' zone at the end of the file.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan1'
        list network 'vlan2'

# NOTE(review): the network name 'redacted' presumably refers to the PPPoE
# interface before redaction; the device entries cover it as well.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'redacted'
        list device 'pppoe-redacted'
        list device 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

# Accept DHCP replies from the WAN side (udp/68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Allow IPv4 ping from the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Allow DHCPv6 replies (udp/546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast listener discovery, restricted to link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Essential inbound ICMPv6, rate-limited.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Essential forwarded ICMPv6, rate-limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through to the lan zone (ESP and IKE/ISAKMP on udp/500).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Security-relevant: input 'ACCEPT' lets guest clients reach every service the
# router itself listens on, not just DHCP and DNS. The later revision of this
# file (zone 'guestwifi') uses input 'REJECT' plus explicit DHCP/DNS allow
# rules, which is the tighter pattern for an untrusted segment.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan11'

config forwarding
        option src 'guest'
        option dest 'wan'

# lan may initiate connections into guest; nothing allows guest -> lan.
config forwarding
        option src 'lan'
        option dest 'guest'

What you want to do is very easily achievable. However...

I would recommend that you reset your OpenWrt router to defaults because there is a lot of stuff that is either wrong or unnecessary and would need to be cleaned up. It'll be fastest to start fresh. Feel free to make a backup, but we won't be using it.

After the reset, configure just the basics (internet connectivity, wifi, your primary lan IP/subnet). Once that's done, post your config files again and we'll make the necessary additions for one additional network. From there, you'll be able to prove that network to be functional, and then you can use the same recipe to add the others.


Good to hear. Thanks.

I have reset the configuration to a minimal config with internet access over PPPoE. An extra device was created, however, and I'm not sure what to do with it:
Protocol: Virtual dynamic interface (DHCPv6 client)
It appears to not be zoned automatically in the firewall. I deleted the interface last time.

cat /etc/config/dhcp

# Post-reset defaults: a single unnamed dnsmasq instance serving all interfaces.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rebind protection is back on (it was '0' in the pre-reset config).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# Main pool: 10.1.1.100-249, 12h leases; DHCPv6 and RA served by odhcpd.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdeb:95ea:89d3::/48'

# Plain bridge over the three LAN ports, no VLAN filtering yet.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# PPPoE uplink; credentials are placeholders/redacted.
config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'user@telecom'
        option password 'password'
        option ipv6 'auto'

# The "extra" interface mentioned above: the DHCPv6 client for the uplink.
# It is a normal member of the wan firewall zone in the default firewall file.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'


cat /etc/config/firewall
config defaults
        # NOTE(review): 'syn_flood' is the older spelling; the other firewall
        # files on this page use 'synflood_protect'. Presumably both are
        # accepted on this release -- confirm.
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# Both the PPPoE interface and its DHCPv6 client (wan6) are in the wan zone,
# so the wan6 interface is zoned -- it is not unzoned as feared above.
config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Multicast listener discovery, restricted to link-local sources
config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# IPsec ESP pass-through to the lan zone
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT


Sorry for the delay here -- I missed the fact that you had replied here. Anyway...

I'm not an expert on PPPoE and IPv6, so I don't know if the DHCPv6 client will just work or if it needs other configuration details. That said, if you're not concerned about IPv6, you can just delete the interface. Normally, the wan6 interface should be attached to the wan firewall zone.

Meanwhile, now you are in a good (near-) default state and we can begin setting up the VLANs.

  • What port is used to connect the router to the switch?
  • What are the VLAN IDs and subnets that you want to configure on the router (ideally also with the names/functions of the interface -- for example: VLAN 5, 192.168.5.0/24, Guest).
  • What do you want the other ports of the router to do in terms of VLAN memberships?

What port is used to connect the router to the switch?
lan1

What are the VLAN IDs and subnets that you want to configure on the router (ideally also with the names/functions of the interface -- for example: VLAN 5, 192.168.5.0/24, Guest).
1 mgt 10.10.1.0/24
2 media 10.10.2.0/24
2 iot1 10.10.3.0/24
3 iot2 10.10.4.0/24
4 guest 10.10.5.0/28

What do you want the other ports of the router to do in terms of VLAN memberships?
Not sure I understood this question.
It's various bits and pieces to enable different configurations, with each VLAN primarily designed around its intended use.
And of course I like to learn by doing, but right now I'm hitting a wall at the configuration stage.
Some VLANs should be isolated from the rest, with network access but no access to the management interface (guest), with client isolation, and wifi only. Some parts should have a different DNS server, for example media. Some parts should have unfettered access to everything with a MAC allow list (management VLAN?).
I'd like to use the openwrt wifi only for management vlan (so mgt wifi is disabled when unneeded).
iot1 may be internet enabled while iot2 may be internet disabled...

Why don't we start with the guest network.

Run through this tutorial to create a guest wifi network. We'll make a slight modification after it is done to allow it to connect to ethernet.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Once complete, post your updated configs for review and modification.

I have deleted the ipv6 interface because it's not sufficiently clear for me how that is zoned - the tunnel interface does not allow the same type of configuration.

I learned from the guide that you also need to add DHCP and DNS firewall rules. Indeed, that explains not getting an IPv4 address on the guest VLAN before.

/etc/config/dhcp

# Single dnsmasq instance serving all interfaces (no per-VLAN instances).
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rebind protection enabled (default).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        option master '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool created by the guest-wifi tutorial: 50 addresses from .10,
# short 4h leases. Whether clients can reach it depends on the firewall rules
# for the guest zone (see the firewall file below).
config dhcp 'vlan4'
        option interface 'vlan4'
        option start '10'
        option limit '50'
        option leasetime '4h'
/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdeb:95ea:89d3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# PPPoE uplink with IPv6 off; ISP resolvers ignored in favour of public ones.
config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'user@telecom'
        option password 'password'
        option ipv6 '0'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

# DHCPv6 client kept but disabled (IPv6 is not in use for now).
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option disabled '1'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config device
        option name 'pppoe-wan'
        option ipv6 '0'

# Guest network, attached directly to the wifi AP netdev (wifi-only for now).
# NOTE(review): 'gateway' on a LAN-side interface of the router is not needed
# (the router is the gateway for its clients), and 'list dns' here presumably
# sets the router's own upstream resolvers rather than what clients receive.
# The helper removes both lines and moves the interface to 'br-lan.4' later.
config interface 'vlan4'
        option proto 'static'
        option device 'phy1-ap0'
        list ipaddr '10.10.4.1/24'
        option gateway '10.1.1.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

/etc/config/firewall

# Default policy: deny input to the router and deny forwarding unless a zone
# or rule below allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Accept DHCP replies from the WAN side (udp/68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Allow IPv4 ping from the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Allow DHCPv6 replies (udp/546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast listener discovery, restricted to link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Essential inbound ICMPv6, rate-limited.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Essential forwarded ICMPv6, rate-limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through to the lan zone (ESP and IKE/ISAKMP on udp/500).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: the router rejects everything from guests except what the two
# explicit rules below allow (DNS and DHCP). Guest -> wan is forwarded; there
# is no forwarding to 'lan', so guests cannot reach the management network at
# L3. Note that this does not isolate guest clients from each other at L2;
# that is the wireless 'isolate' setting, not a firewall matter.
config zone
        option name 'guestwifi'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan4'

config forwarding
        option src 'guestwifi'
        option dest 'wan'

# No 'proto' given, so this presumably matches both tcp and udp on port 53.
config rule
        option name 'vlan4-guest-dns'
        option src 'guestwifi'
        option dest_port '53'
        option target 'ACCEPT'

# DHCP requests to the router (udp/67).
config rule
        option name 'vlan4-guest-dhcp'
        option src 'guestwifi'
        option dest_port '67'
        option target 'ACCEPT'
        list proto 'udp'

Hello @psherman
You probably missed this post. Would you like to take a look at the configuration above?
Many thanks

Sorry... I did miss this one. Didn't mean to leave you hanging.

Did you test with wifi to ensure that the guest network is functioning as expected? If everything is good, we will move on to the following changes (but if not, hold off on these changes and then let me know what issues you've observed).

First, we'll create some bridge-vlans in /etc/config/network -- add this:

# VLAN 1 (management): untagged with PVID on all three ports, so unaware
# devices plugged into any router port land in the main lan.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# NOTE(review): this second section repeats vlan '1'; the author corrects it
# to vlan '4' further down the thread. Intended meaning: VLAN 4 tagged on lan1
# only, making lan1 the trunk towards the switch (untagged 1 + tagged 4).
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'

Now, edit the main lan to use br-lan.1:

# The main lan now binds to the VLAN-1 sub-interface of the bridge instead of
# the raw bridge. As the thread notes later, this must be changed together
# with the bridge-vlan sections or the router becomes unreachable.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

And edit vlan4 to use br-lan.4 (we'll also remove the DNS and gateway lines):

# Guest network moved from the wifi netdev to the VLAN-4 sub-interface, so it
# can also be carried tagged over lan1 to the switch. The gateway and dns
# lines are dropped: the router is the gateway, and dnsmasq serves DNS.
config interface 'vlan4'
        option proto 'static'
        option device 'br-lan.4'
        list ipaddr '10.10.4.1/24'

Now restart your router and connect port lan1 to your switch. Assuming VLAN 4 is setup as tagged on the switch uplink port, your guest network should now spring to life (bonus if you have a port on the switch that is configured with untagged VLAN 4 -- this will allow you to directly plug in a device and verify that the guest network operates as expected).

Ok... running into some issues where this first step causes to lose connectivity.
Regardless if I'm setting up via wireless or ethernet I lose connectivity via both.

I tried "Bridge VLAN filtering" (1=t 2=u* 3=u*) on lan (br-lan).
Also with intermediary step (1=u* 2=u* 3=u*) and then (1=t)
I have connected via both ethernet ports tagged and untagged and also via wifi.

I also have tried doing this in one go and in separate steps (add vlan, change br-lan interface to use device br-lan.1)

This is probably invalid - only one network can be untagged on a port (although to be fair, I’m not exactly sure what you did based on your description). The best way to do this is via the config file since you can edit everything without an issue of sequencing.

But then you have a duplicate piece of configuration here under /etc/config/network

That was a typo :man_facepalming:

The second one should be vlan4

# Corrected guest VLAN: VLAN 4 tagged on lan1 only (the uplink to the switch).
config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'

Unfortunately, just changing this (first step) and restarting the network via init causes the device to be unreachable over wifi and ethernet and not just without DHCP but also with a fixed ip...

Funnily enough I can still connect to the guest wifi and post this.

Right. You need to change the lan interface to use device br-lan.1

Sorry, I changed some things so that vlan4 becomes br-lan.5 at 10.10.5.1/24.

After much reading, the terminology of tagging, trunking, untagged, excluded, default VLAN is still unclear. Do you have another good resource to distinguish these terms besides the OpenWrt info?

Step 1: so far so good. Lesson learnt: change "lan" interface at the same time to use the new management br-lan.1 else it loses connectivity.

# Management VLAN 1: untagged + PVID on all three router ports.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# lan bound to br-lan.1, changed in the same step as the bridge-vlan above.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Step 2:
I guess I'll need to set up the switch before I can test and see this live...

Interestingly, the "vlan5" wifi-only-vlan-network has now been replaced: the wifi network was "vlan4"("vlan5") and now has network "br-lan.5".

Let’s see the complete config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "AX3600",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi AX3600",
        "board_name": "xiaomi,ax3600",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ipq807x/generic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdeb:95ea:89d3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# Management lan on VLAN 1; the address has moved from 10.1.1.1 to 10.10.1.1
# (the 'mgt' subnet listed earlier in the thread).
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.10.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'user@telecom'
        option password 'password'
        option ipv6 '0'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option disabled '1'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config device
        option name 'pppoe-wan'
        option ipv6 '0'

# Guest network, renamed vlan5 / 10.10.5.1 as mentioned above.
# NOTE(review): the 'list ipaddr' line is duplicated; one copy should go.
config interface 'vlan5'
        option proto 'static'
        option device 'br-lan.5'
        list ipaddr '10.10.5.1/24'
        list ipaddr '10.10.5.1/24'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# NOTE(review): VLAN 5 is tagged on lan3, but earlier in the thread lan1 was
# named as the port connected to the switch. Confirm which port is the uplink;
# the tagged member must be the port the switch trunk is plugged into.
config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan3:t'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        # NOTE(review): radio0 and radio1 are both set to 5g channel 36;
        # presumably they should be on different channels -- confirm.
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'BE'

# Management SSID on the main lan; 'sae-mixed' is WPA2/WPA3 transition mode.
# The key shown is a placeholder/redaction.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'owrt'
        option encryption 'sae-mixed'
        option key 'password'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BE'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option disabled '1'

# Guest SSID on vlan5. The firewall keeps guests away from the router and
# the lan, but the client isolation asked for earlier in the thread is a
# wireless setting: without 'option isolate 1' guest clients on this SSID
# can still talk to each other directly.
config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'bp-guest'
        option encryption 'sae-mixed'
        option key 'password'
        option network 'vlan5'

# Disabled SSIDs; 'wifinet2' and 'wifinet3' bind no network yet.
config wifi-iface 'wifinet2'
        option device 'radio2'
        option mode 'ap'
        option ssid 'bp-auto1'
        option encryption 'sae-mixed'
        option key 'password'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'bp'
        option encryption 'sae-mixed'
        option key 'password'
        option disabled '1'

/etc/config/dhcp

# /etc/config/dhcp — a single (unnamed) dnsmasq instance serves every DHCP
# pool below. One instance for all VLANs is the normal layout; a second
# 'config dnsmasq' section would try to bind port 53 a second time.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
# rebind_protection: discard upstream answers that point into private ranges
# (DNS-rebinding defence); rebind_localhost still allows 127.0.0.0/8 answers.
        option rebind_protection '1'
        option rebind_localhost '1'
# Names under .lan are resolved locally, never forwarded upstream.
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
# Upstream resolvers come from the file netifd writes for the wan interface.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
# localservice: only answer queries that originate from a directly attached
# subnet; queries from the WAN side are refused.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# Pool for VLAN 1: 10.10.1.100 - 10.10.1.249 (start 100, limit 150), 12 h leases.
# No 'dhcp_option 6' is set, so clients are presumably handed the router itself
# as resolver (dnsmasq default) — confirm if an external resolver is wanted.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        option master '1'

# Never serve DHCP towards the provider.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles IPv6 (RA/DHCPv6) only; maindhcp '0' leaves IPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Pool for the guest VLAN: 10.10.5.10 - 10.10.5.59 (start 10, limit 50), 6 h leases.
# This section must exist for dnsmasq to listen on br-lan.5 at all; the
# firewall's guest zone additionally has to admit UDP/67 for the offers to reach
# clients.
config dhcp 'vlan5'
        option interface 'vlan5'
        option start '10'
        option limit '50'
        option leasetime '6h'

/etc/config/firewall

# /etc/config/firewall — default-deny, with lan fully trusted, wan masqueraded
# and an isolated 'guest' zone for VLAN 5.

# Anything not matched by a zone or rule: no input, no forwarding.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Management VLAN: full access to the router and may be forwarded anywhere a
# 'forwarding' section allows (only to wan below).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream zone: NAT (masq) and TCP MSS clamping for the PPPoE link.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules from here to Allow-ISAKMP appear to be the stock OpenWrt
# defaults that punch the minimum holes in the wan zone (DHCP renew, ping,
# IGMP, DHCPv6, MLD, essential ICMPv6, IPsec) — presumably untouched, verify.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# wan -> lan IPsec (ESP and IKE on UDP/500) is accepted; only the lan zone is
# listed as dest, so the guest zone is not reachable this way.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone for VLAN 5. input 'REJECT' keeps guests off the router's own
# services (LuCI, SSH, ...) except for the two explicit rules below; forward
# 'REJECT' plus the single guest->wan forwarding means there is no path from
# guest to lan.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan5'

config forwarding
        option src 'guest'
        option dest 'wan'

# No 'proto' given, so this matches port 53 over both TCP and UDP — needed for
# large answers that fall back to TCP.
config rule
        option name 'guest-vlan5-allow_dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

# Lets DHCP DISCOVER/REQUEST (broadcast to UDP/67) reach dnsmasq on br-lan.5;
# without it the 'vlan5' pool in /etc/config/dhcp can never hand out leases.
config rule
        option name 'guest-vlan5-allow_dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'