I run into following problem. I have 2 OpenWRT routers - gateway and roaming.
Gateway has DHCP server and is configured in following way:
Lan port is part of a lan bridge. Bridge is not VLAN filtered
Lan bridge is split on vlans
Vlans are part of bridges with WLAN
The bridges on WLAN has DHCP server
Roaming device is getting DHCP via VLAN without problems. However device connected to roaming device is not getting IP address. By using tcpdump I noticed that:
DHCP OFFER is sent to LAN bridge properly tagged as VLAN
DHCP OFFER is not sent to LAN port - only DHCP REQUEST
I'm stuck - why is DHCP OFFER not sent to the port?
let's see the configs... please make it clear which router is which...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I took liberty of also cutting down to relevant parts (yeah, I'm paranoid ) - but removing unrelated config parts (like DHCP static leases, wan etc.) really cut down on already large text I need to sanitize.
# router /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXX:XXXX:XXXX:XXXX::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '64'
list ip6class 'wan6'
option ip6weight '0'
option ipaddr '192.168.XX.1'
config device
option type 'bridge'
option name 'br-lan-vlan'
option bridge_empty '1'
list ports 'br-lan.vlan'
config interface 'LAN_VLAN'
option proto 'static'
option device 'br-lan-vlan'
option ipaddr '192.168.XY.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6weight '1'
config device
option type '8021ad'
option ifname 'br-lan'
option vid '1'
option name 'br-lan.vlan'
# router /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'LAN_VLAN'
option interface 'LAN_VLAN'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dhcpv6 'server'
config dhcp 'LAN'
option interface 'LAN'
option start '100'
option limit '150'
option leasetime '12h'
# This is leftover from original interface I think? But including in case
# interfaces were case insensitive
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
option ra_slaac '0'
option dhcpv6 'server'
# router /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'lan_vlan'
list network 'LAN_VLAN'
config forwarding
option dest 'wan'
option src 'lan_vlan'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
list network 'LAN'
option name 'lan'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
There is no /etc/firewall.user file.
Unfortunately on roaming system ssh doesn't work yet (not network related as I see packets going back and forth, still need to figure it out - I have access via serial and luci). However since packet is dropped before that point I don't think it will be needed?
I dumped packets on br-lan (has DHCP REQUEST and DHCP OFFER) and lan1 (has DHCP REQUEST only).
I think you really should be using bridge VLAN for your configuration. There is an explainer in the DSA mini tutorial... but here's the basic config that I'd recommend... using port lan1 tagged as the example, here:
great! If you have any additional questions about how to get the specific config you're looking for (in terms of port membership for each of the VLANs, etc.), let me know.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'wan:t'
list ports 'lan1:u'
to direct content of lan1 to VLAN 1. The non-VLAN enabled network doesn't seem to work anymore on wan but that's least of my problems (it was set up only for debugging).
I assume I need to have set forward as ACCEPT in zone? I had hard time understanding if forward chain of nft is for bridges or passing between networks.
Which device are we talking about now (I'm guessing AP, but want to verify).
On the AP, the firewall rules will not be used at all because the traffic will never be routed (only switched/bridged).
It is important to make sure that the bridge is configured properly, though... let's see the complete network config file from the AP (assuming this is the one in question).
Which device are we talking about now (I'm guessing AP, but want to verify).
Both
On the AP, the firewall rules will not be used at all because the traffic will never be routed (only switched/bridged).
Ok. So the roaming device should have it as REJECT and gateway as ACCEPT? Calling either AP is confusing as both are APs.
It is important to make sure that the bridge is configured properly, though... let's see the complete network config file from the AP (assuming this is the one in question).
# gateway
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXX:XXXX:XXXX::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2:t'
list ports 'lan3:t'
list ports 'lan4:t'
# This doesn't work. I assume it needs to be on vlan and marked as 'lan1:u', 'lan2:u' etc.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '64'
list ip6class 'wan6'
option ip6weight '0'
option ipaddr '192.168.XX.1'
config device
option type 'bridge'
option name 'br-lan-vlan'
option bridge_empty '1'
list ports 'br-lan.1'
config interface 'LAN_VLAN'
option proto 'static'
option device 'br-lan-vlan'
option ipaddr '192.168.XX.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6weight '1'
# roaming
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXX:XXXX:XXXX::/48'
config device
option name 'br-lan'
option type 'bridge'
option macaddr 'XX:XX:XX:XX:XX:XX'
option empty_bridge '1'
list ports 'wan'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'wan:t'
list ports 'lan1:u'
list ports 'lan2:u'
list ports 'lan3:u'
list ports 'lan4:u'
# This doesn't work. I assume I need vlan with 'wan:u'?
config interface 'LAN'
option device 'br-lan'
option proto 'dhcp'
#config interface 'LAN6'
# option device 'br-lan'
# option proto 'dhcp6'
config device
option name 'br-lan-vlan'
option type 'bridge'
option empty_bridge 1
list ports 'br-lan.1'
option macaddr 'XX:XX:XX:XX:XX:XX'
config interface 'LAN_VLAN'
option device 'br-lan-vlan'
option proto 'dhcp'
Let's call the device that does the routing the "router" (it is clear it is both routing and serving as an AP), and the other device as a "dumb AP" or just "AP"
In the section below, you've redacted the lan address... it is not necessary to do that, and it actually is helpful if it is not redacted. RFC1918 addresses are not sensitive data.
Meanwhile, I'm pretty sure that ip6class should be removed.
Probably not -- you're using br-lan for this, which is already untagged on all ports.
When you say it is not working, can you elaborate, please? How are you testing it? The best way to test the standard lan here is to plug a regular computer into one of the ethernet ports and see if it gets a DHCP lease. If it does, this is working correctly.
This below is incorrectly specified all around, and doesn't actually connect to any ports. For this VLAN, which physical ports do you want as members here?
it should already be untagged on the wan, so don't make any changes here yet.
Delete all of the stuff below:
Below should be br-lan.1 (not br-lan-vlan). Also, it is recommended to only have an address on one interface on the the AP -- this will be the one used to manage the device. The other one does not need an address. make it proto 'none'
) - but removing unrelated config parts (like DHCP static leases, wan etc.) really cut down on already large text I need to sanitize.