Segregated DHCP on multiple VLANs - stumped!

Hi folks

I'm trying to learn how to use VLANs to segregate my network, but can't seem to get the VLAN and DHCP options to work as I expect.

I have a BT HomeHub 5a running LEDE r3716-cd0f990. I want to have three separate VLANs with three separate subnets, firewalled appropriately (but that's for a later step).

LAN 1 (switch port 4) - Admin LAN 172.24.1.0/24 - VLAN 1
LAN 2 (switch port 2) - Family LAN 172.24.10.0/24 - VLAN 3
LAN 3 (switch port 0) - Guest LAN 172.24.20.0/24 - VLAN 4
LAN 4 (switch port 1) - unused for now.
WAN (switch port 5) - to my ISP

So having read the config docs, I set up:

/etc/config/network
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd9a:a11c:0075::/48'

config atm-bridge 'atm'
    option vpi '1'
    option vci '32'
    option encaps 'llc'
    option payload 'bridged'

config dsl 'dsl'
    option annex 'a'
    option tone 'av'
    option xfer_mode 'ptm'

# Three static LAN interfaces, each bridged onto one 802.1q sub-interface of
# eth0; the switch_vlan sections below tag the matching VLAN to CPU port 6.
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '172.24.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'family'
    option type 'bridge'
    option ifname 'eth0.3'
    option proto 'static'
    option ipaddr '172.24.10.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'guests'
    option type 'bridge'
    option ifname 'eth0.4'
    option proto 'static'
    option ipaddr '172.24.20.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device 'lan_dev'
    option name 'eth0.1'
    option macaddr '84:a4:23:0a:5b:02'

# wan rides switch VLAN 2 (port 5, see below) as eth0.2.
config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'
    option ipv6 'auto'

config device 'wan_dev'
    option name 'ptm0'
    option macaddr '84:a4:23:0a:5b:03'

# NOTE(review): 'pppoe-wan' only exists while a wan interface runs proto 'pppoe';
# wan above is proto 'dhcp' on eth0.2 — confirm which upstream is intended.
config interface 'wan6'
    option ifname 'pppoe-wan'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

# Port map as described in the post: 4 = LAN1 (admin), 2 = LAN2 (family),
# 0 = LAN3 (guests), 5 = WAN, 6 = CPU (tagged on every VLAN).
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '4 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 6t'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '2 6t'

config switch_vlan
    option device 'switch0'
    option vlan '4'
    option ports '0 6t'

# NOTE(review): eth0.3 / eth0.4 are presumably already created from the tagged
# CPU port of switch VLANs 3 and 4 above; these explicit 8021q devices look
# redundant — verify they do not collide with the switch-created interfaces.
config device 'eth0_3'
    option type '8021q'
    option name 'eth0.3'
    option ifname 'eth0'
    option vid '3'

config device 'eth0_4'
    option type '8021q'
    option name 'eth0.4'
    option ifname 'eth0'
    option vid '4'
/etc/config/dhcp
# Three separate dnsmasq instances, one per VLAN. Each is pinned to a single
# interface ('list interface' with nonwildcard set) and has its own lease and
# resolv file; the 'config dhcp' sections below pick their instance with
# 'option instance'.
config dnsmasq 'admin'
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    # Unlike the two instances below, 'admin' has no 'list notinterface lo'.
    list interface 'lan'

config dnsmasq 'family'
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/family/'
    option domain 'family'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases.family'
    option resolvfile '/tmp/resolv.conf.family'
    option strictorder '1'
    option nonwildcard '1'
    list interface 'family'
    list notinterface 'lo'

config dnsmasq 'guests'
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/guests/'
    option domain 'guests'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases.guests'
    option resolvfile '/tmp/resolv.conf.guests'
    option strictorder '1'
    option nonwildcard '1'
    list interface 'guests'
    list notinterface 'lo'

# One DHCPv4 pool (.100-.249, 12h leases) plus DHCPv6/RA per VLAN.
config dhcp 'lan'
    option instance 'admin'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'family'
    option instance 'family'
    option interface 'family'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

config dhcp 'guests'
    option instance 'guests'
    option interface 'guests'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

# No DHCP service on the upstream side.
config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
/etc/config/firewall
# Unquoted values such as 'option input ACCEPT' are valid UCI syntax (the stock
# firewall file is written this way); quoting alone should not change behaviour.
# Default chains: accept input/output to the router, reject forwarding unless a
# zone or forwarding section allows it.
config defaults
    option syn_flood        1
    option input            ACCEPT
    option output           ACCEPT
    option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# lan/family/guests: input ACCEPT makes the router itself reachable from each
# zone; forward ACCEPT only covers traffic within the same zone. Inter-zone
# forwarding is still governed by the REJECT default above plus the explicit
# forwardings to wan, so the three LANs cannot reach each other through the
# router under this file.
config zone
    option name             lan
    list   network          'lan'
    option input            ACCEPT
    option output           ACCEPT
    option forward          ACCEPT

config zone
    option name             family
    list   network          'family'
    option input            ACCEPT
    option output           ACCEPT
    option forward          ACCEPT

config zone
    option name             guests
    list   network          'guests'
    option input            ACCEPT
    option output           ACCEPT
    option forward          ACCEPT

config zone
    option name             wan
    list   network          'wan'
    list   network          'wan6'
    option input            REJECT
    option output           ACCEPT
    option forward          REJECT
    option masq             1
    option mtu_fix          1

config forwarding
    option src              lan
    option dest             wan

config forwarding
    option src              family
    option dest             wan

config forwarding
    option src              guests
    option dest             wan

# With input ACCEPT on the family and guests zones the DNS/DHCP rules here are
# redundant; they only become necessary once a zone's input policy is REJECT.
# We need to accept udp packets on port 53,
# to enable DNS to work
config rule
    option name             Allow-DNS-family
    option src              family
    option proto            'tcp udp'
    option dest_port        53
    option target           ACCEPT

# NOTE(review): 'guest' is not a zone defined in this file — the zone above is
# named 'guests' — so this rule does not attach to the intended zone.
config rule
    option name             Allow-DNS-guest
    option src              guest
    option proto            'tcp udp'
    option dest_port        53
    option target           ACCEPT

# We need to accept udp packets on port 67-68,
# to enable DHCP to work
config rule
    option name             Allow-DHCP-family
    option src              family
    option proto            udp
    option src_port         67-68
    option dest_port        67-68
    option target           ACCEPT

config rule
    option name             Allow-DHCP-guests
    option src              guests
    option proto            udp
    option src_port         67-68
    option dest_port        67-68
    option target           ACCEPT

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name             Allow-DHCP-Renew
    option src              wan
    option proto            udp
    option dest_port        68
    option target           ACCEPT
    option family           ipv4

# Allow IPv4 ping
config rule
    option name             Allow-Ping
    option src              wan
    option proto            icmp
    option icmp_type        echo-request
    option family           ipv4
    option target           ACCEPT

config rule
    option name             Allow-IGMP
    option src              wan
    option proto            igmp
    option family           ipv4
    option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name             Allow-DHCPv6
    option src              wan
    option proto            udp
    option src_ip           fc00::/6
    option dest_ip          fc00::/6
    option dest_port        546
    option family           ipv6
    option target           ACCEPT

config rule
    option name             Allow-MLD
    option src              wan
    option proto            icmp
    option src_ip           fe80::/10
    list icmp_type          '130/0'
    list icmp_type          '131/0'
    list icmp_type          '132/0'
    list icmp_type          '143/0'
    option family           ipv6
    option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name             Allow-ICMPv6-Input
    option src              wan
    option proto    icmp
    list icmp_type          echo-request
    list icmp_type          echo-reply
    list icmp_type          destination-unreachable
    list icmp_type          packet-too-big
    list icmp_type          time-exceeded
    list icmp_type          bad-header
    list icmp_type          unknown-header-type
    list icmp_type          router-solicitation
    list icmp_type          neighbour-solicitation
    list icmp_type          router-advertisement
    list icmp_type          neighbour-advertisement
    option limit            1000/sec
    option family           ipv6
    option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name             Allow-ICMPv6-Forward
    option src              wan
    option dest             *
    option proto            icmp
    list icmp_type          echo-request
    list icmp_type          echo-reply
    list icmp_type          destination-unreachable
    list icmp_type          packet-too-big
    list icmp_type          time-exceeded
    list icmp_type          bad-header
    list icmp_type          unknown-header-type
    option limit            1000/sec
    option family           ipv6
    option target           ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user

# allow IPsec/ESP and ISAKMP passthrough
# Stock passthrough rules: unsolicited ESP and UDP/500 arriving on wan are
# forwarded into the lan zone. Remove them if no IPsec endpoint lives on lan.
config rule
    option src              wan
    option dest             lan
    option proto            esp
    option target           ACCEPT

config rule
    option src              wan
    option dest             lan
    option dest_port        500
    option proto            udp
    option target           ACCEPT

Plugging a device in to LAN 1 gets a DHCP address in the expected range.
Plugging into ports 2 and 3 I get no allocation, and end up with a self-assigned address?!

I realise I could have mucked this up in several ways:

  • Incorrect VLAN definition / interface allocation / subnet definition against those interfaces
  • Improper DHCP config to allocate new addresses inside those subnets
  • Failing firewall rules blocking the DHCP traffic from getting where it needs to go.

So rather than flail around in the dark, I thought I'd ask for help in spotting what I've missed or failed to understand.

Any help gratefully received.
Cheers
Mike

Can you post/link the contents of your config files?

/etc/config/network
/etc/config/dhcp
/etc/config/firewall

They're in my post! Twist the disclosure triangles to reveal the gory details...


Ha, didn't know you could do that.

I'm comparing your config to mine on a WRT3200ACM where I have VLANs working just fine using "swconfig" and interfaces not on the switch. What I can say so far:

/etc/config/network
"config device ..." I don't have any of those in my config file. Maybe it's specific to your router or other settings you have.

"option vid ..." I have these under "config switch_vlan" together with "option vlan". Maybe try adding them there.

Make sure you have the right port number mappings (internal to actual plug on the router). Example: Port 0 in my config is plug 4 on the router. The mappings should be on the respective wiki page.

The rest looks fine to me.

/etc/config/dhcp
"config dnsmasq ..." I only have one of those but still giving out unique subnets to each VLAN. All under the same domain tho. Didn't even know you could have several different configs for dnsmasq at once.

You might want to try with a single dnsmasq instance. You can still have them split by subnet and firewall zone. But they will have the same domain.

Not listening on the loopback adapter might also be troublesome (list notinterface 'lo').

The rest looks fine to me.

/etc/config/firewall
Looks fine to me. You might want to simplify it a bit and go with per zone settings only when testing. So you can make sure all traffic to the router goes through.

I mostly use per zone settings and only block certain ports to the router from certain interfaces with custom firewall rules.

Here are my configs as a reference (single extra VLAN on port 4 of the switch and extra interfaces for WLAN):

/etc/config/network
# Reference config from a WRT3200ACM. Two CPU ports appear in the switch
# sections below (5t and 6t): lan/lan4 ride eth0.x and wan/wan6 ride eth1.2,
# so presumably port 5 = eth0 and port 6 = eth1 on this board.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd42:ac64:47f2::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.110.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '1'
	list ip6class 'wan6'

# Extra VLAN (switch VLAN 3, port 0) on its own subnet; not bridged.
config interface 'lan4'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.130.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

# Wireless-only interfaces; the '_orig_*' keys are presumably LuCI bookkeeping
# rather than options netifd acts on.
config interface 'wlan02'
	option _orig_ifname 'radio1.network2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'

config interface 'wlan03'
	option _orig_ifname 'radio1.network3'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '192.168.112.1'
	option netmask '255.255.255.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# 'vid' is given explicitly alongside 'vlan' in each section.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
    option vid '2'
	option ports '4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0 5t'
/etc/config/dhcp
# One dnsmasq instance serving every local interface; 'notinterface wan/wan6'
# keeps DNS/DHCP off the upstream side and 'localservice' limits DNS answers
# to queries from directly-attached subnets.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option sequential_ip '1'
	option filterwin2k '1'
	option local '/lan/'
	option domain 'lan'
	option strictorder '1'
	option dnsforwardmax '500'
	option cachesize '10000'
	option nonwildcard '1'
	list notinterface 'wan'
	list notinterface 'wan6'
	list interface 'lan'
	list interface 'wlan02'
	list interface 'wlan03'
	list interface 'lan4'

# Separate DHCPv4 pool per interface (.100-.149, 8h leases); the two wired
# networks also run DHCPv6/RA, the wireless ones are IPv4-only here.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '50'
	option leasetime '8h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'lan4'
	option interface 'lan4'
	option start '100'
	option limit '50'
	option leasetime '8h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wlan02'
	option start '100'
	option interface 'wlan02'
	option limit '50'
	option leasetime '8h'

config dhcp 'wlan03'
	option start '100'
	option interface 'wlan03'
	option limit '50'
	option leasetime '8h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
/etc/config/firewall
# Defaults reject everything in all three directions; each zone below opens
# only what it needs.
config defaults
	option syn_flood '1'
	option forward 'REJECT'
	option input 'REJECT'
	option output 'REJECT'

# Every local zone: router reachable (input ACCEPT), no forwarding except the
# explicit zone->wan forwardings further down, so the zones are isolated from
# each other through the router.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan4'

# 'network' given as one space-separated option rather than two list entries.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config zone
	option name 'wlan02'
	option forward 'REJECT'
	option network 'wlan02'
	option input 'ACCEPT'
	option output 'ACCEPT'

config zone
	option name 'wlan03'
	option forward 'REJECT'
	option network 'wlan03'
	option input 'ACCEPT'
	option output 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan4'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'wlan02'

config forwarding
	option dest 'wan'
	option src 'wlan03'

# Only ICMPv4 type 3/4 (fragmentation needed) is admitted from wan, rate-limited.
config rule
	option name 'Allow-ICMPv4-To-Router'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv4'
	option limit '1000/sec'
	list icmp_type '3/4'

config rule
	option name 'Allow-ICMPv4-To-Any'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'icmp'
	option family 'ipv4'
	option limit '1000/sec'
	list icmp_type '3/4'
	option dest '*'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# echo-request/echo-reply are deliberately absent from the input list (the
# router does not answer IPv6 ping from wan) but present in the forward list.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These per-port REJECTs are a denylist layered on zones whose input policy is
# ACCEPT (lan4/wlan02/wlan03 above): any other service listening on the router
# remains reachable from those zones. The tighter (allowlist) form is zone
# input REJECT plus explicit ACCEPT rules for tcp/udp 53 and udp 67-68.
config rule
	option name 'Block-Lan4-To-Router-HTTP'
	option src 'lan4'
	option proto 'tcp udp'
	option dest_port '80'
	option target 'REJECT'

config rule
	option name 'Block-Lan4-To-Router-HTTPS'
	option src 'lan4'
	option proto 'tcp udp'
	option dest_port '443'
	option target 'REJECT'

config rule
	option name 'Block-Lan4-To-Router-SSH'
	option src 'lan4'
	option proto 'tcp udp'
	option dest_port '22'
	option target 'REJECT'
    
config rule
	option name 'Block-Wlan02-To-Router-HTTP'
	option src 'wlan02'
	option proto 'tcp udp'
	option dest_port '80'
	option target 'REJECT'

config rule
	option name 'Block-Wlan02-To-Router-HTTPS'
	option src 'wlan02'
	option proto 'tcp udp'
	option dest_port '443'
	option target 'REJECT'

config rule
	option name 'Block-Wlan02-To-Router-SSH'
	option src 'wlan02'
	option proto 'tcp udp'
	option dest_port '22'
	option target 'REJECT'

config rule
	option name 'Block-Wlan03-To-Router-HTTP'
	option src 'wlan03'
	option proto 'tcp udp'
	option dest_port '80'
	option target 'REJECT'

config rule
	option name 'Block-Wlan03-To-Router-HTTPS'
	option src 'wlan03'
	option proto 'tcp udp'
	option dest_port '443'
	option target 'REJECT'

config rule
	option name 'Block-Wlan03-To-Router-SSH'
	option src 'wlan03'
	option proto 'tcp udp'
	option dest_port '22'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'

You can execute "ifconfig" to see your interfaces and the IP address assigned to each one; you can also enable debugging on DNSMASQ to see the messages received and sent.

Thanks all for the assistance - I'll look at the differences in config offered, and at dnsmasq debug logs and see if the problem reveals itself.

It's immediately obvious that dnsmasq is not seeing the DHCP requests arrive from anything but the main admin port, so clearly the problem is upstream of that in the other settings. Thanks for setting me on a path to the answer!

Try removing src_port lines from your VLAN DHCP firewall rules. All you really care about is the dest_port (which appears to be set properly).

Further experimentation, I don't think it matters if you have the src_port in there or not. However, I may have found the culprit...
You're missing 'single quotes' around the values in many of your firewall entries (so in the quoted section below, it should be: option name 'Allow-DNS-guest' and so on... every value should be in 'quotes'. Improperly formatted entries will most likely just not work at all, but I'm not sure if it can create other issues, too. You might want to start over with a new firewall file, or completely start fresh as I'll describe below.

As an aside, I chose the quote above because you also have a typo in the DNS-guest (the src should be 'guests' to be consistent with the rest of the firewall rules, else DNS might not work).

If you have the luxury of completely resetting the config and starting fresh, I would recommend doing so and then just making small changes (maybe just make 2 VLANs to start) and make sure it works. From there, you can copy/paste relevant bits of the config files and make the minor changes, rather than typing everything multiple times.

Another idea... if you have the LuCI web interface installed (or are willing to install it), you will be pleasantly surprised that it actually is pretty easy to make functional VLANs that way (and then you don't have to worry much about typos).

Here's the LuCI method:

  1. Network > Switch > Add button (under VLAN ID section)
  2. For the new VLAN, make sure the CPU is tagged, then select untagged for the LAN port(s) you want to use for this new VLAN. Make sure that port is off for all other VLANs. Click Save & Apply
  3. Network > Interfaces > Add new interface button (under the interface overview section)
  4. Name the new interface (Guest), select the new VLAN (likely something like eth0.3); the rest of the defaults are okay. Click Submit.
  5. Set your desired IPv4 address (for the router on this VLAN), net mask, and gateway, and any other stuff here you want. Click Save.
  6. Click Setup DHCP Server button. Defaults here are fine, but you can change them if you want. Click Save.
  7. Select the Firewall Settings tab for the interface. The radio button will default to the "unspecified -or- create" box. Name your firewall zone (guest). Click Save & Apply.
  8. Network > Firewall > Zones section, edit the new (guest) zone. Check 'wan' in the "allow forward to destination zones" area of inter-zone forwarding. Click Save & Apply.
  9. Select Traffic Rules and go to the Open ports on router section. Name a new rule (allow-DHCP-guest), select UDP, click add. Defaults here are good except that the source zone should be the new zone you created (guest) and the destination port should be 67-68. Click Save & Apply.
  10. Add another open port for DNS (TCP+UDP, source zone guest, destination zone Device (input), destination port 53), click Save & Apply.

That should do it. Try it out (keep in mind that sometimes the ports don't match up between the GUI and the device itself, so you might need to try more than one port).

You may also want to configure the firewall to prevent inter-zone forwarding, if desired (especially from guest > admin or guest > family). If you don't specifically do this, I think it is possible to navigate across subnets since the router will actually allow traffic routing that way.

Good luck!


Wow! Thanks for the generous help, Peter!
I'll be unable to do further work on it for a while but I had made some progress by starting afresh as you suggested.
I'd steered away from LuCI due to the documentation advising that it couldn't cope with multiple dnsmasq instances, but as I've found my intentions can be realised with one instance I think I shall stop being "too clever for my own good" and try your suggestions when I get my next chance.
Mike

Mike - Have you had a chance to try your VLANs again? Any luck/progress/issues?

Hi Peter

I'm back from holiday but haven't experimented much beyond what I managed before I left.

Current state of play is that I have a "working" config with one DNSMasq instance but several VLANs that seem to be properly segregated, as far as I've tested anyway. I'm not fully happy yet - I need to make sure the firewall lets my internet-exposed services work as expected, and I'm hoping to add an incoming VPN to the setup to let me dial in from outside when required.

Current config files are below, and I'll be taking another look when I get some time, but please don't hold your breath, you've got me on the right track already.

I hope to get a config I'm 100% happy with, that I can post later, but this is a long way better than when I initially posted, for which I thank everyone that replied.

Cheers
Mike

[details=/etc/config/network]config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd9a:a11c:0075::/48'

config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'

config dsl 'dsl'
option annex 'a'
option tone 'av'
option xfer_mode 'ptm'

# Switch VLAN n reaches the CPU (port 6, tagged on every VLAN) as eth0.n,
# assuming the VID defaults to the 'vlan' index as no 'vid' is given:
#   vlan 1 / port 4 -> lan    (eth0.1)   vlan 2 / port 2 -> family (eth0.2)
#   vlan 3 / port 0 -> guests (eth0.3)   vlan 4 / port 1 -> spare  (eth0.4)
#   vlan 5 / port 5 -> wan + wan6 (eth0.5)
# Each sub-interface also gets its own MAC via a 'config device' section.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '172.24.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'lan_dev'
option name 'eth0.1'
option macaddr '84:a4:23:0a:5b:02'

config interface 'family'
option type 'bridge'
option ifname 'eth0.2'
option proto 'static'
option ipaddr '172.24.10.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'family_dev'
option name 'eth0.2'
option macaddr '84:a4:23:0a:5b:12'

config interface 'guests'
option type 'bridge'
option ifname 'eth0.3'
option proto 'static'
option ipaddr '172.24.20.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'guests_dev'
option name 'eth0.3'
option macaddr '84:a4:23:0a:5b:22'

config interface 'spare'
option type 'bridge'
option ifname 'eth0.4'
option proto 'static'
option ipaddr '172.24.30.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'spare_dev'
option name 'eth0.4'
option macaddr '84:a4:23:0a:5b:32'

# wan and wan6 now share eth0.5; the earlier ptm0 / pppoe-wan references are gone.
config interface 'wan'
option ifname 'eth0.5'
option proto 'dhcp'
option ipv6 'auto'

config interface 'wan6'
option ifname 'eth0.5'
option proto 'dhcpv6'

config device 'wan_dev'
option name 'eth0.5'
option macaddr '84:a4:23:0a:5b:03'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '4 6t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '2 6t'

config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0 6t'

config switch_vlan
option device 'switch0'
option vlan '4'
option ports '1 6t'

config switch_vlan
option device 'switch0'
option vlan '5'
option ports '5 6t'[/details]

[details=/etc/config/dhcp]config dnsmasq
# Single dnsmasq instance for all VLANs. No 'list interface' / 'list notinterface'
# is given, so it listens on every interface (wan included); 'localservice'
# restricts DNS answers to queries from directly-attached subnets, and the wan
# pool is ignored below.
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'

# One DHCPv4 pool (.100-.249, 12h) plus DHCPv6/RA per VLAN, all from the same
# instance; no 'option instance' is needed any more.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'family'
option interface 'family'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'guests'
option interface 'guests'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'spare'
option interface 'spare'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'[/details]

[details=/etc/config/firewall]config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT

# NOTE(review): the bare lines below ("Uncomment this line ...",
# "option disable_ipv6 1", and the Allow-DHCP-* options further down) match
# '#'-commented lines of the same file as posted at the top of the thread; the
# forum's markdown appears to have eaten the leading '#'. Read them as comments,
# not live settings, and confirm against the file on the router.
Uncomment this line to disable ipv6 rules

option disable_ipv6 1

# family/guests/spare carry no 'list network'; fw3 then falls back to the zone
# name as the network name, which matches the interfaces in /etc/config/network.
# input REJECT on those three zones means nothing reaches the router from them
# unless a rule admits it. lan keeps input ACCEPT (management network).
config zone
option name lan
option input ACCEPT
option output ACCEPT
option forward ACCEPT

config zone
option name family
option input REJECT
option output ACCEPT
option forward REJECT

config zone
option name guests
option input REJECT
option output ACCEPT
option forward REJECT

config zone
option name spare
option input REJECT
option output ACCEPT
option forward REJECT

config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1

# Each VLAN may only forward to wan; no forwarding section joins any two local
# zones, so with the REJECT default they are isolated from each other.
config forwarding
option src lan
option dest wan

config forwarding
option src family
option dest wan

config forwarding
option src guests
option dest wan

config forwarding
option src spare
option dest wan

# NOTE(review): the Allow-DHCP-* rules that follow are commented out
# ('#config rule') while family/guests/spare reject input, so no visible rule
# admits DHCP (udp 67-68) or DNS (53) to the router from those VLANs. If clients
# there do obtain leases, find out what actually allows it before relying on
# this file. As rendered, a single 'config rule' line also serves three sets of
# options; Allow-DHCP-guests and Allow-DHCP-spare would each need their own
# 'config rule' once re-enabled.
We need to allow DHCP and DNS to the router from the VLANs

#config rule

option name Allow-DHCP-family

option src family

option src_port 67-68

option dest_port 67-68

option proto udp

option target ACCEPT

option name Allow-DHCP-guests

option src guests

option src_port 67-68

option dest_port 67-68

option proto udp

option target ACCEPT

option name Allow-DHCP-spare

option src spare

option src_port 67-68

option dest_port 67-68

option proto udp

option target ACCEPT

We need to accept udp packets on port 68,

see https://dev.openwrt.org/ticket/4108

config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4

Allow IPv4 ping

config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT

config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT

Allow DHCPv6 replies

see https://dev.openwrt.org/ticket/10381

config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT

config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT

Allow essential incoming IPv6 ICMP traffic

config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT

Allow essential forwarded IPv6 ICMP traffic

config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT

include a file with users custom iptables rules

config include
option path /etc/firewall.user

allow IPsec/ESP and ISAKMP passthrough

# Stock passthrough rules: unsolicited ESP and UDP/500 arriving on wan are
# forwarded into the lan (admin) zone. Remove them if no IPsec endpoint lives
# on lan; an incoming VPN terminated on the router needs input rules instead.
config rule
option src wan
option dest lan
option proto esp
option target ACCEPT

config rule
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT[/details]


Hi,

I would like to share my experience in this.
I have a Tplink TL-WA701ND v2.2 flashed with latest LEDE firmware.
I have had success with multiple SSIDs, each with a different VLAN ID, giving out different IP addresses from a single Windows DHCP server.
I created each VLAN interface and assigned it a VLAN ID, and assigned each SSID its VLAN ID.
In DHCP page all I did was put in the DHCP server address to forward to, and that's it!
I am hooking this AP to HP layer 2 switches, with HP layer 3 switches behind them that use IP helper to relay each VLAN to its own DHCP scope on the DHCP server.