I'm trying to microsegment my LAN into smaller networks (e.g. IoT) for security. The normal LAN is working fine, but the new VLAN I created and enabled DHCP for does not seem to be handing out any leases. Any idea what I may have missed in my configuration?
interfaces
root@meow:~# ifconfig
br-lan Link encap:Ethernet HWaddr A6:E0:8D:DF:24:BD
inet addr:192.168.44.1 Bcast:192.168.44.255 Mask:255.255.255.0
inet6 addr: fe80::a4e0:8dff:fedf:24bd/64 Scope:Link
inet6 addr: fdb6:bf3f:ddd8::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:3682 (3.5 KiB)
eth0 Link encap:Ethernet HWaddr A6:E0:8D:DF:24:BD
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46941 (45.8 KiB) TX bytes:6125 (5.9 KiB)
eth0.700 Link encap:Ethernet HWaddr A6:E0:8D:DF:24:BD
inet addr:172.17.0.1 Bcast:172.17.0.255 Mask:255.255.255.0
inet6 addr: fe80::a4e0:8dff:fedf:24bd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:254 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:41657 (40.6 KiB) TX bytes:1458 (1.4 KiB)
eth1 Link encap:Ethernet HWaddr 5E:09:4D:5A:83:A0
inet addr:192.168.12.103 Bcast:192.168.12.255 Mask:255.255.255.0
{ removed for privacy reasons}
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4481 errors:0 dropped:53 overruns:0 frame:0
TX packets:9141 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:527169 (514.8 KiB) TX bytes:4906443 (4.6 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:632 errors:0 dropped:0 overruns:0 frame:0
TX packets:632 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47737 (46.6 KiB) TX bytes:47737 (46.6 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.8.9 P-t-P:10.8.8.9 Mask:255.255.255.0
inet6 addr: fe80::7e2:4742:6f8c:d67a/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:496 (496.0 B)
config dump
root@meow:~# uci export
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option domain 'x'
option local '/x/'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option ra 'server'
option ra_management '1'
option ra_default '1'
option start '20'
option dhcpv6 'server'
option limit '50'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'vlan700'
option leasetime '12h'
option interface 'vlan700'
option start '10'
option limit '30'
package dhcp-opkg
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
package dropbear
config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'ACCEPT'
option masq6 '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/etc/firewall.nat6'
option name 'nat6'
option reload '1'
config zone
option device 'eth0.700'
option forward 'ACCEPT'
option input 'REJECT'
option name 'untrusted'
option output 'ACCEPT'
config zone
option device 'tun0'
option name 'surfshark'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
option input 'REJECT'
option mtu_fix '1'
option network 'privacy_vpn'
config forwarding
option dest 'surfshark'
option src 'untrusted'
package luci
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/bootstrap'
option resourcebase '/luci-static/resources'
option ubuspath '/ubus/'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
option Bootstrap '/luci-static/bootstrap'
config internal 'apply'
option rollback '90'
option holdoff '4'
option timeout '5'
option display '1.5'
config internal 'diag'
option dns 'openwrt.org'
option ping 'openwrt.org'
option route 'openwrt.org'
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb6:bf3f:ddd8::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.44.1'
option ipv6 'on'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
option reqaddress 'force'
option reqprefix 'no'
option defaultroute '1'
config interface 'vlan700'
option ifname 'eth0.700'
option ipaddr '172.17.0.1'
option netmask '255.255.255.0'
option proto 'static'
config interface 'privacy_vpn'
option ifname 'tun0'
option proto 'none'
package openvpn
config openvpn 'custom_config'
option enabled '0'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option enabled '0'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh1024.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option enabled '0'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'
config openvpn 'surfshark'
option ifname 'tun0'
option enabled '1'
option config '/etc/openvpn/surfshark_udp.ovpn'
package openvpn_recipes
config openvpn_recipe 'server_tun_ptp'
option _description 'Simple server configuration for a routed point-to-point VPN'
option _role 'server'
option dev 'tun'
option ifconfig '10.0.0.1 10.0.0.2'
option secret 'shared-secret.key'
option keepalive '10 60'
option comp_lzo 'yes'
option verb '3'
option mssfix '1420'
config openvpn_recipe 'client_tun_ptp'
option _description 'Simple client configuration for a routed point-to-point VPN'
option _role 'client'
option dev 'tun'
list remote 'vpnserver.example.org'
option ifconfig '10.0.0.2 10.0.0.1'
option secret 'shared-secret.key'
option nobind '1'
option comp_lzo 'yes'
option verb '3'
config openvpn_recipe 'server_tun'
option _description 'Server configuration for a routed multi-client VPN'
option _role 'server'
option dev 'tun'
option server '10.0.100.0 255.255.255.0'
option ca 'ca.crt'
option cert 'server.crt'
option key 'server.key'
option dh 'dh1024.pem'
option keepalive '10 60'
option comp_lzo 'yes'
option verb '3'
option mssfix '1420'
config openvpn_recipe 'client_tun'
option _description 'Client configuration for a routed multi-client VPN'
option _role 'client'
option client '1'
option dev 'tun'
list remote 'vpnserver.example.org'
option pkcs12 'my_client.p12'
option remote_cert_tls 'server'
option comp_lzo 'yes'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option verb '3'
option reneg_sec '0'
option float '1'
config openvpn_recipe 'server_tap_bridge'
option _description 'Server configuration for an ethernet bridge VPN'
option _role 'server'
option dev 'tap'
option server_bridge '192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254'
option ca 'ca.crt'
option cert 'server.crt'
option key 'server.key'
option dh 'dh1024.pem'
option keepalive '10 60'
option comp_lzo 'yes'
option verb '3'
option mssfix '1420'
config openvpn_recipe 'client_tap_bridge'
option _description 'Client configuration for an ethernet bridge VPN'
option _role 'client'
option client '1'
option dev 'tap'
list remote 'vpnserver.example.org'
option ca 'ca.crt'
option cert 'my_client.crt'
option key 'my_client.key'
option dh 'dh1024.pem'
option remote_cert_tls 'server'
option comp_lzo 'yes'
option nobind '1'
option persist_key '1'
option verb '3'
option reneg_sec '0'
option float '1'
package rpcd
config rpcd
option socket '/var/run/ubus.sock'
option timeout '30'
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
package system
config system
option ttylogin '0'
option log_size '64'
option urandom_seed '0'
option hostname 'meow'
option timezone 'EST5EDT,M3.2.0,M11.1.0'
option zonename 'America/New York'
config timeserver 'ntp'
option enabled '1'
option enable_server '0'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
package ucitrack
config network
option init 'network'
list affects 'dhcp'
list affects 'radvd'
config wireless
list affects 'network'
config firewall
option init 'firewall'
list affects 'luci-splash'
list affects 'qos'
list affects 'miniupnpd'
config olsr
option init 'olsrd'
config dhcp
option init 'dnsmasq'
list affects 'odhcpd'
config odhcpd
option init 'odhcpd'
config dropbear
option init 'dropbear'
config httpd
option init 'httpd'
config fstab
option exec '/sbin/block mount'
config qos
option init 'qos'
config system
option init 'led'
option exec '/etc/init.d/log reload'
list affects 'luci_statistics'
list affects 'dhcp'
config luci_splash
option init 'luci_splash'
config upnpd
option init 'miniupnpd'
config ntpclient
option init 'ntpclient'
config samba
option init 'samba'
config tinyproxy
option init 'tinyproxy'
package uhttpd
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
config cert 'defaults'
option days '730'
option key_type 'rsa'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
package vpn-policy-routing
config vpn-policy-routing 'config'
option enabled '0'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_chain_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
Doing an IPv6 multicast blast from a Win10 host directly connected to this OpenWrt instance, I do see the traffic arriving on the router's eth0.700 interface.
root@meow:~# tcpdump -i eth0.700
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.700, link-type EN10MB (Ethernet), capture size 262144 bytes
17:56:10.770056 IP6 fe80::4c30:7b06:ef3:1f0e > ip6-allnodes: ICMP6, echo request, seq 299, length 40
17:56:13.659587 IP 169.254.31.14.138 > 169.254.255.255.138: UDP, length 201
17:56:15.680554 IP6 fe80::4c30:7b06:ef3:1f0e > ip6-allnodes: ICMP6, echo request, seq 300, length 40
OpenWrt is not responding to them, though. Do VLANs have a deny-all by default, or is this a firewall zone or rule issue — for example the `untrusted` zone that covers eth0.700 having `option input 'REJECT'` and no rule allowing DHCP input on that zone?