[Solved] Simple private LAN: DHCP not giving leases (or more)

Hi everyone,

I've been using OpenWRT for some time, and loving it. However my current setup is definitely not correct, and I'm tired of hacking it around trying to do basic things since the fundamental setup is not right. So I'd like to finally get this right and understand things better.

The setup is very standard: a private LAN connected to the building WAN.

  • AVM Fritz!BOX 7530 (ipq40xx)
  • Uplink to the WAN through LAN4 (DHCP client)
  • Private LAN on 192.168.1.x through Wi-Fi and LAN1-3

Status:

  • Set up the private LAN using the switch config, seems correct
  • Get internet connection through the WAN no probs
  • Can still connect to the box w/ manual 192.168.1.2 address: but DHCP not working, and can't go further right now

As far as I can see, I just need to get the DHCP server working on the private LAN and I'm good to go.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd7:d848:9186::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1'
	option vid '9'
	option description 'wan'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 4 3 2'
	option vid '6'
	option description 'lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'br-wan'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth0.9'

config device
	option type 'bridge'
	list ports 'eth0.6'
	option name 'br-lan'

I added the bridges as an experiment, but do I need them? Ideally I want the basic setup to be as simple as possible.

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Basics seem correct?

/etc/config/firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

Not that relevant right now, but posting anyway. Not posting /etc/config/wireless since I should be able to do that myself once the connection is basically correct.

Sorry for the basic question. I'm sure I'm missing something obvious due to my lack of skills.

Thanks in advance

Please post a diagram of the network, with the corresponding IP addresses of the various devices you have; I'm getting lost trying to decipher what you want.

Since it all sounds very basic, why not reset it?
The settings should work out of the box.


Custom VLANs and ipq40xx/swconfig are not a good match; while technically possible, swconfig is very quirky and buggy. Please do yourself a favour and upgrade to 23.05~ with the new DSA-based drivers first.


Sure:

It's very standard. Just connect to the building network as the uplink, then create a private LAN: everything connected to the box (Wi-Fi/LAN sockets) uses that network. Firewall between the two, of course.

I've reset it many times. The default setup doesn't give me anything like this:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd5:9a29:3e72::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Unless I'm really missing something, that's wrong for me because it seems to just give me a dumb access point, and I don't have the private LAN that I want.

Ah! It turns out that the router page hasn't been updated, but there is a build available. Ok great, I'll give that a try right away. Thanks!

https://firmware-selector.openwrt.org/?version=23.05.0-rc2&target=ipq40xx%2Fgeneric&id=avm_fritzbox-7530

OK, already clearer.

If you switch to the OpenWrt 23.05-rc2 version it will be much easier.

If you don't want to upgrade to the next version of OpenWrt (don't touch VLAN 1 or 2):

Create a new VLAN, for example 99 or whatever you want.
Put the port, for example port 1, as off and assign it as untagged to VLAN 99, and put CPU tagged.

Create a new wanb interface (DHCP client) and connect the cable.
It should be okay.

This is the easiest way.

OK great, thanks for your input. I'm going to give 23.05rc2 a try first and report back. I'm recreating my setup from scratch anyway, so I'd prefer to use the latest and upgrade from rc2 whenever the final version is out.

OK.

Connect your PC to lan2, lan3 or lan4.

Remove lan1 from br-lan.

Create wanb on lan1 (DHCP client).

Finish.

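A scripted version of the lan1-to-wanb change described in the answer above for OpenWrt 23.05 (DSA), added here as an example and not code from any poster; it assumes the default section layout (one bridge device named br-lan, one firewall zone named wan) and the uci tool on the router. It also adds the new interface to the wan zone: with `option input ACCEPT` in the firewall defaults posted earlier, an interface that belongs to no zone would otherwise be reachable unfiltered.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): make DSA port lan1 a DHCP-client
# uplink "wanb" on OpenWrt 23.05, the way the answer above describes.
# Assumes the default layout: a 'config device' named br-lan and a zone named wan.
WAN_PORT="${WAN_PORT:-lan1}"
WAN_IFACE="${WAN_IFACE:-wanb}"

# section_for <config> <option> <value>: read `uci show <config>` output on stdin
# and print the section id (e.g. @device[0]) whose <option> equals <value>.
section_for() {
    sed -n "s/^$1\.\([^.]*\)\.$2='$3'\$/\1/p" | head -n 1
}

# uci_batch_for <br-lan section> <wan zone section> <port> <iface>: emit the
# `uci batch` script. Putting the interface in the wan zone is what places it
# behind 'input REJECT' and 'masq 1'; an interface in no zone only gets the
# 'config defaults' policy, which in the posted firewall config is 'input ACCEPT'.
uci_batch_for() {
    cat <<EOF
del_list network.$1.ports='$3'
set network.$4=interface
set network.$4.device='$3'
set network.$4.proto='dhcp'
add_list firewall.$2.network='$4'
commit network
commit firewall
EOF
}

apply_on_router() {
    dev=$(uci show network | section_for network name br-lan)
    zone=$(uci show firewall | section_for firewall name wan)
    if [ -z "$dev" ] || [ -z "$zone" ]; then
        echo "br-lan device or wan zone not found; refusing to change anything" >&2
        return 1
    fi
    uci_batch_for "$dev" "$zone" "$WAN_PORT" "$WAN_IFACE" | uci batch
    /etc/init.d/network reload
    /etc/init.d/firewall reload
}

# Only touches the router when run as: sh this.sh apply
case "${1:-}" in
    apply) apply_on_router ;;
    *) echo "usage: $0 apply  (WAN_PORT and WAN_IFACE override lan1/wanb)" >&2 ;;
esac
```

After applying, plug the building uplink into the labelled port and check with `ifstatus wanb` that it obtained a lease.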

Just to confirm - the above would be how to do it with 23.05, correct?

Does your screen look different (e.g no switch page)?

Reporting back. I installed 23.05rc2, and was able to do what I wanted to do right away.

For reference, this is as per @ncompact's screenshot, although just having the numbered LAN ports available without needing to configure the switch (and in the correct order!) makes this quite self-explanatory.

Thanks for your help, everyone. I will mark this as solved.


OK.

It was a pleasure to be able to help you.


A tip: create a label to stick near the port that you have transformed into a WAN port, so you recognise it when you perform maintenance.
