Pi3 LEDE and DHCP. No leases!

First time posting on the forum.

I am having a hard time getting LEDE to distribute dhcp leases to my wifi connections. Instead, the parent network is giving out dhcp leases. Yes, I am setting up LEDE behind an existing network. However, I do need LEDE to give out it's own addresses. It will not be acceptable to use the addresses given by the parent network.

I have tried all the options I can find in Luci, and have even tried manually modifying settings in /etc/config/dhcp to no avail.

I have been using https://wiki.openwrt.org/doc/uci/dhcp for reference and using this image for my pi: lede-17.01.2-brcm2708-bcm2710-rpi-3-ext4-sdcard.img

You have to route to the "parent network" not bridge to it. Set up a WAN interface with firewall forwarding in the conventional way. The firewall will only forward Internet requests out to the "parent network".

Another option is bridge but use iptables in the bridge to stop DHCP requests from leaving the bridge. Requires turning on a sysctl so the bridge uses iptables and adding some iptables rules.

Advantage here is no NAT is required. Of course given specifics you might want NAT.

So Im trying to give this a shot dlakelan & mk24, however my pain point is maintaining a connection to LuCi while making these changes.

Is there a way to connect to LuCi w/o a network connection? Serial? ect? ideas?

Put a vlan on the switch, with one specific port untagged. Create a new interface in LUCI called "Mgmt" that is assigned to that vlan and have LUCI listen on that as well as the regular default vlan. After doing this, plug a laptop into that port and do all the remaining configurations from this new management vlan.

This is a raspberry pi so I dont know how that is possible.

I do have a 8 port unmanaged switch here however; probably no way to treat these as physical ports eh?

At the moment Im looking at dedicating the wireless interface for Luci. However, I am unsure how to have Luci listen on this. I need the wifi to lease IP addresses correct?

Create a wifi AP and attach it to LAN. Disconnect your computer from Ethernet and log in via WiFi. That is all you should need.

most reasonably modern unmanaged switches pass vlan tags fine. Put a vlan interface in place on both your Pi and your laptop, and just talk to the Pi over that VLAN while the regular LAN remains untagged.

Alright, so... one thing I noticed as well. I dont have a dhcp serve option for protocols. All of the options are for connecting to other interfaces (pppoe, static, dynamic, ect).

If I wanted to create a access point that distributed IP addresses, I dont really have that option.
PS: If I choose static, a dhcp server option appears. However, this requires this interface to request a static IP from another device. Cant I simply have a interface stand by its own?

PPS: IRC anyone?
My handle is darkenvy_

You should have that option.

This is untrue. You don't "request" a static IP. You are to assign an IP from the approproaite network that the interface is connected to (if that's LAN, you give it a private range like 192.168.1.0/24)

You have to create an interface with a Static IP to setup a DHCP server, that simple.

See: https://lede-project.org/docs/user-guide/network_configuration

So if I create a interface called WLAN and connect to to wlan,

Wireless Network: Master "LEDE" (WLAN)

I assign it to 192.168.1.0, I still cannot get a dhcp lease from those connecting to the AP.

Here is an output of my uci show network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd7a:a564:c74a::/48'
network.lan=interface
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.proto='dhcp'
network.lan._orig_ifname='eth0'
network.lan._orig_bridge='true'
network.lan.ifname='eth0'
network.VPN=interface
network.VPN.ifname='tun0'
network.VPN._orig_ifname='tun0'
network.VPN._orig_bridge='false'
network.VPN.type='bridge'
network.VPN.proto='none'
network.@route[0]=route
network.WLAN=interface
network.WLAN._orig_ifname='wlan0'
network.WLAN._orig_bridge='false'
network.WLAN.proto='static'
network.WLAN.ipaddr='192.168.1.0'
network.WLAN.netmask='255.255.255.0'
network.WLAN.gateway='192.168.1.0'

You have WLAN separate from LAN, yet the ip subnets are the same. If you want these to be separate, rather than bridged, then you should put WLAN on 192.168.2.1 or something similar.

1 Like

Use lowercase for network names. I known that LuCI shows them in upper case but that is not how they should be.

You don't need to create a new network for your wifi AP, and really you should not. Attach it to the existing lan bridge. This is done in the wifi configuration not the network configuration.

The two simplest ways to set up the networks, which serve the large majority of uses, are the LAN device (also called dumb AP) and the routed client.

A LAN device setup has only one network: lan. It is a bridge. The lan can have a static IP or be a DHCP client. The device has no DHCP server. All DHCP requests are bridged over to the primary network. So everything is part of that network. The device needs to be connected to a primary network by Ethernet cable or WDS, not as a regular STA.

The routed client works like a standard router with stock firmware that has some LAN ports and one WAN port. It's LAN network is independent of the network supplying an Internet connection. The routed client's LAN has a DHCP server. The WAN can be connected by wire or by wifi. It is usually a DHCP client. The only use of the WAN (though it is important) is to access the Internet.

Well, it's a raspberry pi, so it has one ethernet port and one wlan interface. @darkenvy The real question is: how do you want your PI to behave?

Are you trying to make it a wifi access point? So ethernet is connected to upstream network, and wifi clients connect to the PI? If so, why do you not want to use the upstream DHCP?

Are you trying to make it a wifi router: same as above except you want a separate subnet for the wifi clients? In that case, do you want NAT between the two networks, or regular routing?

Are you trying to make it act like a regular consumer router? You could with the addition of a managed switch that handles VLANs, then you could have both ethernet clients and wifi clients, as well as an ethernet uplink to the rest of the network.

what do you want it to do? Then it's easier to tell you how to configure it.

I fear it may have been easier to tell my endgoal first :p. I desire to create a hotspot that is always connected to a VPN. Attached below is a mockup image I created.

The routed client works like a standard router with stock firmware that has some LAN ports and one WAN port. It’s LAN network is independent of the network supplying an Internet connection. The routed client’s LAN has a DHCP server. The WAN can be connected by wire or by wifi. It is usually a DHCP client. The only use of the WAN (though it is important) is to access the Internet.

This is much more ideal and what I expected default behavior to be.

Are you trying to make it a wifi router: same as above except you want a separate subnet for the wifi clients? In that case, do you want NAT between the two networks, or regular routing?

Yes separate subnet. I do believe I want NAT between the two networks (I am not entirely sure; learning) as I want a different address space and to not use the upstream dhcp server.

I'm a programmer by trade but don't do a lot of networking outside of the old dd-wrt wrt54g routers of yesteryear :stuck_out_tongue: . Excited and intimidated by the power of openwrt.

If you had a regular TP-Link WDR3600 or similar, LEDE does default to being much like stock firmware. But an install on a device with one Ethernet port by default has no WAN because there is no port for it.

I would set this up as a LAN device with the Pi having its LAN in the 192.168.1 subnet. This is how the VPN client will reach the Internet and the VPN server. Setting up this way as a LAN device allows you to easily access the Pi through the regular home network.

Users of the WLAN will only have access to the VPN tunnel though. This is done by setting up another network like 'vpnuser' and connecting the wifi AP only to it. The vpnuser network has a DHCP server issuing addresses in the 2 subnet. Also another set of firewall zones and rules so those connected to the AP are forwarded only to the VPN.


Make your LEDE LAN a DHCP client and also set a hostname (it doesn't automaticaly take the hostname of the machine).

config network lan
option bridge '1'
option ifname 'eth0'
option mode 'dhcp'
option hostname 'Pi-VPN'

When you plug in the Ethernet cable, the Pi will become part of the regular home network. Connect wired or wifi to the regular home router and log in. If the regular home router is properly configured, you can just type pi-vpn.lan in the browser. If that does not work, log in to the regular home router and check its DHCP lease table to find the IP of your Pi. You may want to use a static address if going by name isn't working.

1 Like

This is great information! Thank you!

How is the vpnuser network to DHCP serve though? You mentioned above that "The device has no DHCP server". When I go to choose protocols, I have these options:

Static address
DHCP client
Dual-Stack Lite (RFC6333)
MAP / LW4over6
464XLAT (CLAT)
IPv6-in-IPv4 (RFC4213)
IPv6-over-IPv4 (6to4)
IPv6-over-IPv4 (6rd)
AICCU (SIXXS)
DHCPv6 client
Automatic Homenet (HNCP)
PPP
PPtP
PPPoE
PPPoATM
UMTS/GPRS/EV-DO
L2TP
PPPoSSH

once again, if I choose 'static' the option for dhcp server appears. Thoughts? Ideas?

Is this implying that you cant just set a port to be a wan port? That it is something special at the hardware level? If not, Ide probably lock myself out of the Pi and would have to get a serial cable for terminal action.

No, you can change the use of ports however you like, but by default LEDE listens on the LAN port with WiFi turned off, for security reasons, and without the ethernet connected to the LAN port you by default have no way to connect :wink: