[Solved] DHCP in VLANs dnsmasq-full

Ilyasha · March 1, 2025, 5:45pm

Hello, I have trouble to setup VLNAs
On router installed dnsmasq-full for dns target routing.
And now i want to setup VLANs
2 VLANs:

192.168.1.0/24 - LAN network
192.168.2.0/24 - untrasted network
But when did this, laptop or smartphone can't get IP address from DHCP in LAN network.
On laptop i run tcpdump and find no dhcp offer from dnsmasq for some reason and cant figure why.

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option serversfile '/etc/dnsmasq.servers'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config host
        option name 'SOMENAME'
        list mac 'MAC'
        option ip '192.168.1.100'

config host
        option name 'SOMENAME'
        option ip '192.168.1.240'
        list mac 'MAC'

config ipset
        list name 'vpn_domains'
        option table_family 'ip'
        list domain 'graylog.org'
        list domain 'terraform.io'

config host
        option name 'SOMENAME'
        list mac 'MAC'
        option ip '192.168.1.254'

config host
        option name 'SOMENAME'
        list mac 'MAC'
        option ip '192.168.1.200'

config host
        list mac 'MAC'
        option ip '192.168.1.101'
        option name 'SOMENAME'

config ipset
        list name 'direct_domains'
        option table_family 'ip'
        list domain 'faceit.com'
        list domain 'ac-client-ws.faceit.com'
        list domain 'distribution.faceit-cdn.net'
        list domain 'api.faceit.com'

config host
        option name 'SOMENAME'
        list mac 'MAC'
        option ip '192.168.1.199'

config dhcp 'untrasted'
        option interface 'untrasted'
        option start '100'
        option limit '150'
        option leasetime '12h'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option ipv6 '0'
        option promisc '1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipv6 '0'

config device
        option name 'wan'
        option macaddr 'MAC'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option ipv6 '0'
        option peerdns '0'

config interface 'tun0'
        option device 'tun0'
        option proto 'static'
        option ipaddr '172.16.250.1'
        option netmask '255.255.255.0'

config rule
        option name 'mark0x1'
        option mark '0x1'
        option priority '100'
        option lookup 'vpn'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'KEY'
        option listen_port '51840'
        list addresses '192.168.25.1/24'
        option deleage '0'

config wireguard_wg0
        option public_key 'KEY'
        option private_key 'KEY'
        option description 'Phone'
        option preshared_key 'KEY'
        list allowed_ips '192.168.25.2/24'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:t'

config interface 'untrasted'
        option proto 'static'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option promisc '1'
        option multicast '1'
        option ipv6 '0'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option log '1'
        option auto_helper '0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option proto 'udp'
        option target 'ACCEPT'
        option dest_port '51840'
        option family 'ipv4'

config rule
        option name 'Mark-Direct'
        option src 'lan'
        option dest '*'
        option ipset 'direct_domains'
        option set_mark '0x0'
        option target 'MARK'
        option family 'ipv4'
        list proto 'all'

config zone
        option name 'tun'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option device 'tun0'
        option family 'ipv4'
        list network 'tun0'

config forwarding
        option name 'lan-tun'
        option dest 'tun'
        option src 'lan'
        option family 'ipv4'

config ipset
        option name 'vpn_domains'
        option family 'ipv4'
        list match 'dst_net'

config ipset
        option name 'vpn_subnet'
        option match 'dst_net'

config rule
        option name 'Mark-Subnet'
        option src 'lan'
        option dest '*'
        option ipset 'vpn_subnet'
        option set_mark '0x1'
        option target 'MARK'
        option family 'ipv4'
        list proto 'all'

config rule
        option name 'Mark-Domains'
        option src 'lan'
        option dest '*'
        option ipset 'vpn_domains'
        option set_mark '0x1'
        option target 'MARK'
        option family 'ipv4'
        list proto 'all'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wg0'

config forwarding
        option src 'wireguard'
        option dest 'wan'

config ipset
        option name 'direct_domains'
        option family 'ipv4'
        option match 'dst_net'

Any advice will help. Thanks!

psherman · March 1, 2025, 5:48pm

There are some strange things in this config. Before we go into trying to fix stuff, what version of OpenWrt is this?

ubus call system board

Ilyasha · March 1, 2025, 5:50pm

{
        "kernel": "5.15.162",
        "hostname": "XiaomiWRT",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Redmi Router AX6S",
        "board_name": "xiaomi,redmi-router-ax6s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

There's some configuration for DNS-based routing to VPN(tun0) interface

_bernd · March 1, 2025, 5:55pm

Maybe you start with configure an address on the interface. Your router can not answer DHCP request if it has no address on that interface and or subnet.
This would only work for a dhcp server which gets requests from a dhcp relay.

Ilyasha · March 1, 2025, 5:57pm

I know about untrasted network. But i have trouble to get addresses even when i connect to LAN network

psherman · March 1, 2025, 6:02pm

So the first, and most significant issue is that you created an interface, but didn't give it an address or a device. These are required.

So... try this:

config interface 'untrasted'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

This network is also not assigned to a firewall zone:

config zone 'untrasted'
        option name 'untrasted'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'untrasted'

You probably also want to give it internet access

config forwarding 
        option src 'untrasted'
        option dest 'wan'

Also, keep in mind that this is setup on port lan2 as a tagged network. The device connected to port lan2 must be VLAN aware to use the network:

If you want to be able to plug a normal device into port lan2, remove it from VLAN1 and then specify untagged + PVID on vlan2:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:u*'

Restart the router after the changes. And then test.

Ilyasha · March 1, 2025, 6:08pm

Thanks for answer. But as i said, problem exists in LAN network.
But, you got me an idea, after creating VLANs and Networks i never fully restart a router.
Maybe full restart will help to solve a problem.
Will come back with results in few days.

psherman · March 1, 2025, 6:18pm

There are other issues, too... I didn't go through your config in detail, but there's a lot that looks wrong. You may be best served by resetting to defaults and starting over.

Ilyasha · March 1, 2025, 6:35pm

Well.
As the saying goes, "it takes one reboot to get rid of all the troubles."
I configured 2 Vlans and then reboot router, now i can connect to all network correctly.
Thanks for help

psherman · March 1, 2025, 6:36pm

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

system · March 11, 2025, 6:37pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.