[SOLVED] Clients of AP with VLANs aren't getting DHCP leases, PCs on VLAN do get a lease

Hi All,

I'm having this curious problem: WLAN clients can connect to an SSID (multiple SSIDs are provided: LAN, IoT and guest) but don't get an IP address via DHCP, and even with a statically assigned address no internet connectivity is possible. The AP itself can ping successfully up to the router, but not beyond.
PCs on the same VLANs do get an IP address and can browse the internet.

Before I used VLANs, this setup allowed internet access via the WLAN to these same clients. So it has to be a setup error, in my opinion!

My setup:
My router is a 2x gigabit port NanoPi R4s with OpenWrt 23.05.3; it hosts the WAN connection from a fiber connection to my LAN, with a VLAN setup for VLANs 1, 10 and 20.

After the router is an 8x gigabit port managed switch from NetGear, type GS108Ev3, with 3x 802.1Q VLANs; ports 6, 7 and 8 are (T)agged for all VLANs, ports 1-5 are (U)ntagged for VLAN 1.

Connected to the switch is a Ubiquiti UniFi U6-lite with OpenWrt 23.05.0 as a dumb access point, with the same VLAN IDs.

The WLAN client connected to this U6-lite cannot get an IP address, but all PCs connected to the switch can.
To complete the picture, there is a second NetGear GS108Ev3 and a second U6-lite on the second floor, with the same issues, but also with the PCs/server connected to it working successfully.

router /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd11:4af2:1000::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns_search 'lanhome'

config device
	option name 'eth0'
	option mtu '1508'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '6'
	option name 'eth0.6'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth0.6'
	option username 'username'
	option password 'passwd'
	option mtu '1500'
	option peerdns '0'
	option ipv6 '1'
	option metric '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'pppoe-wan'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'iptv'
	option proto 'dhcp'
	option defaultroute '0'
	option peerdns '0'
	option vendorid 'IPTV_RG'
	option device 'br-iptv'
	option delegate '0'

config device
	option name 'br-iptv'
	option type 'bridge'
	list ports 'eth0.4'

config interface 'guest'
	option proto 'static'
	option ipaddr '10.0.20.1'
	option netmask '255.255.255.0'
	option device 'br-lan.20'

config interface 'IoT'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option device 'br-lan.10'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option name 'br-lan.20'

AP /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option name 'br-lan.20'

config interface 'IoT'
	option proto 'dhcp'
	option device 'br-lan.10'

config interface 'guest'
	option proto 'dhcp'
	option device 'br-lan.20'

The SSIDs on the AP all link to one of the interfaces.
Also, of course there are firewall zones defined on both devices.
...no screenshot allowed...

I'm struggling with the VLAN filtering for the 'br-lan' interface: is it needed to enable VLAN filtering on the router, on the AP, or on both?
Or am I missing something else?

I followed all of OneMarkFifty's videos about this topic, but these are from the 19.x era and are ever so slightly different in setup.
I also looked at this topic: openwrt-forum-topic, and noticed the list ports 'lan2:u*' and list ports 'lan1:t', which hints at VLAN filtering. But every time I set this up, LuCI resets the settings because it can no longer reach the router or AP.

Can someone provide some insights into my error?

BR,
xvlvx

There are multiple problems...
(a DHCP relay is not necessary).

Let's start with the main router. Before I start making suggestions, I want to see the rest of the configs here:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@openwrt:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "openwrt",
	"system": "ARMv8 Processor rev 4",
	"model": "FriendlyElec NanoPi R4S",
	"board_name": "friendlyarm,nanopi-r4s",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "rockchip/armv8",
		"description": "AO Build@2024.03.27"
	}
}
root@openwrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory

root@openwrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'lanhome'
	option noresolv '1'
	option port '53'
	list server '127.0.0.1#1053'
	list server '::1#1053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '50'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.218,192.168.1.1'
	list dns '::DA'
	list dns '::01'
	option ra_default '2'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'server'
	option dns '1'
	option mac 'aa:bb:cc:dd:ee:ff'
	option ip '192.168.1.5'
	option hostid '05'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '25'
	option leasetime '12h'
	option force '1'

config dhcp 'IoT'
	option interface 'IoT'
	option start '100'
	option limit '25'
	option leasetime '12h'
	option force '1'

root@openwrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option log '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option name 'Redirect IPv4 DNS-53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect IPv4 DNS-853'
	option src 'lan'
	option src_dport '853'
	option dest_ip '192.168.1.1'
	option dest_port '853'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect IPv4 DNS-5353'
	option src 'lan'
	option src_dport '5353'
	option dest_ip '192.168.1.1'
	option dest_port '5353'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option dest_port '53'
	option dest_ip 'aabb:ccdd:eeff::1/60'
	option name 'Redirect IPv6 DNS-53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect IPv6 DNS-853'
	option src 'lan'
	option src_dport '853'
	option dest_port '853'
	option dest_ip 'aabb:ccdd:eeff::1/60'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect IPv6 DNS-5353'
	option src 'lan'
	option src_dport '5353'
	option dest_port '5353'
	option dest_ip 'aabb:ccdd:eeff::1/60'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'wg0'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'guests'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config forwarding
	option src 'lan'
	option dest 'IoT'

config forwarding
	option src 'guests'
	option dest 'wan'

config rule
	option name 'Guest DNS DHCP'
	option src 'guests'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'IoT'

This doesn't look like it is from the official OpenWrt project. Where did it come from?

Correct, the default build has difficulties with the NanoPi R4s, here is the git page:

You need to ask the maintainer of that build... there are lots of things that look unusual for OpenWrt, but it's possible that it's expected for that user's build.

As per the official OpenWrt pages, this build is suggested:

openwrt nanopi r4s hardware page

Could you please elaborate on your findings, as this device has suited me well for over a year now; I'm just struggling with the VLANs.

Sure... I just don't want your config to break because of things that are different in that build. But here goes:

Change br-lan to use eth1.1, then change the lan to use device br-lan.

delete this:

Create bridges for the guest and iot networks:

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth1.20'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.10'

And then edit your networks to use these new bridges:

config interface 'guest'
	option proto 'static'
	option ipaddr '10.0.20.1'
	option netmask '255.255.255.0'
	option device 'br-guest'

config interface 'IoT'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

Then, on your switch, make sure that all 3 networks are tagged (vlan 1, 10, 20) and finally setup access ports for each network (i.e. untagged+PVID one network per port). Then plug a computer into the ports, one at a time, and make sure they get the expected connectivity.

Mate, that was magic!!!!

Yeah, I read pages and pages of OpenWrt documentation, but this wasn't clear to me.
It is so elegant, and ... working...!

Can I (or need I) also do this at the AP?

BR,
xvlvx

Your AP needs to be configured differently, but obviously with the same VLANs:

Start by deleting these:

On this device, we need to create bridge-vlans:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan:t'

Then edit the iot and guest networks to be unmanaged:

config interface 'IoT'
	option proto 'none'
	option device 'br-lan.10'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.20'

Make sure that all three VLANs (1, 10, 20) are tagged on the switch port that connects to the AP. Finally, reboot the AP and try connecting to each network.
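As an added illustration (not part of this thread or of OpenWrt), a small Python checker for the dumb-AP layout described in the reply above: it reads a UCI network config and flags every interface bound to a `br-X.N` device whose bridge lacks a `bridge-vlan` section for VLAN N carrying at least one explicitly tagged (`:t`) port, which is the piece the AP was missing. The sample config is constructed, with two deliberate gaps so the check has something to report.

```python
import re

# Constructed sample: dumb-AP config with two gaps (no bridge-vlan 1, VLAN 20 untagged only).
SAMPLE_AP_NETWORK = """
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan:u*'
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
config interface 'IoT'
	option proto 'none'
	option device 'br-lan.10'
config interface 'guest'
	option proto 'none'
	option device 'br-lan.20'
"""

def parse_uci(text):
    """Minimal UCI reader: list of (type, name, {key: [values]}) sections."""
    secs = []
    for tok in (l.replace("'", "").split() for l in text.splitlines()):
        if tok and tok[0] == "config":
            secs.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok and tok[0] in ("option", "list") and secs:
            secs[-1][2].setdefault(tok[1], []).append(" ".join(tok[2:]))
    return secs

def check_bridge_vlans(text):
    """Problems found; empty means each br-X.N device has a bridge-vlan N on br-X with a ':t' port."""
    secs = parse_uci(text)
    tagged = {(o["device"][0], o["vlan"][0]): any(p.endswith(":t") for p in o.get("ports", []))
              for kind, _, o in secs if kind == "bridge-vlan"}
    problems = []
    for kind, name, o in secs:
        m = kind == "interface" and re.fullmatch(r"(br-\w+)\.(\d+)", o.get("device", [""])[0])
        if not m:
            continue
        br, vid = m.groups()
        if (br, vid) not in tagged:
            problems.append(f"{name}: no bridge-vlan for VLAN {vid} on {br}")
        elif not tagged[(br, vid)]:
            problems.append(f"{name}: VLAN {vid} has no tagged port on {br}")
    return problems
```

Run `check_bridge_vlans(open("/etc/config/network").read())` on a copy of the AP's config; an empty list means every VLAN sub-device is backed by a tagged bridge-vlan, as in the fix above.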

Once more...magic....!
I tried to see what it is that is different via the LuCI interface, and the changes are actually quite small.

One question: why are the IoT and guest networks unmanaged but the LAN not?

I actually answered that same question recently:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

That makes sense; indeed the device needs an IP and that's it!
