Hello. I have a Netgear R7800 that today I updated from OpenWRT 23.05 to 24.10. Since I read that the configuration needs to be rebuilt from scratch given the adoption of DSA, I am trying to replicate my old configuration but it seems something is wrong.
These screenshots represent the previous VLAN and Interfaces configurations:
As you can imagine from the colors in the Interfaces, each and every one of them was related to a different Firewall Zone. The default Input/Output/Forward settings were Reject/Accept/Reject, the lan zone had Accept/Accept/Accept while the other ones had Reject/Accept/Reject. The aim for this configuration was to be able to access the Router only from the devices in the lan zone.
Because of this, I also had the following Traffic Rule (one for each zone) in place to have all the devices in all zones to be able to reach out to the router for DHCP and DNS:
Now, as I said, migrating to 24.10 means that I have to switch to a DSA configuration. So this is the VLAN section of br-lan:
and the new Interfaces:
Again, each VLAN has its own firewall zone, and they are configured with the same Input/Output/Forward. However, despite creating the same Traffic Rule, I see that the devices in zones outside of lan cannot reach the router for either DHCP or DNS, unless I set the default Input in the Firewall to Accept.
It would be great if someone could help me to restore my previous setup. Thanks!
Can you provide specific explanations about what is not working as expected? And let's review your configuration in text format:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Sorry, it probably got lost in the post.
My problem is that the devices in zones other than lan fail to get their IP via DHCP, despite a rule that should explicitly allow them.
Here's the output of the commands:
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ipq806x/generic",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd52:6b6e:d7a1::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
config interface 'lan'
option device 'br-lan.11'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'br-lan.835'
option proto 'dhcp'
option vendorid 'huawei_HW_E1A.A_SW_1.0.1b/dslforum.org'
option ip6assign '64'
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
config bridge-vlan
option device 'br-lan'
option vlan '36'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '835'
list ports 'wan:t*'
config device
option name 'br-lan.835'
option type '8021q'
option ifname 'br-lan'
option vid '835'
option macaddr 'REDACTED'
config interface '36'
option proto 'static'
option device 'br-lan.36'
option ipaddr '192.168.36.1'
option netmask '255.255.255.0'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option channel '36'
option htmode 'VHT80'
option cell_density '0'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option band '2g'
option channel '1'
option cell_density '0'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'Zireael 5 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'lan'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option ssid 'Zireael 2.4 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'lan'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Zireael Guest 5 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'guest'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Zireael Guest 2.4 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'guest'
option disabled '1'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name '36'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '36'
config forwarding
option src 'lan'
option dest '36'
config rule
option name '[36] Allow-DHCP-and-DNS'
list proto 'udp'
option src '36'
option dest_port '53 67 68'
option target 'ACCEPT'
config forwarding
option src '36'
option dest 'wan'
That should be everything!
You don't have DHCP servers set up for the 36 and guest networks.
Also, DNS (port 53) runs on both TCP and UDP.
You're also likely to have an issue with the guest network if you enable both bands... you should create an empty bridge for the guest network to manage that.
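As an added example that is not part of this thread: a small Python checker that parses the kind of UCI stanzas posted above and flags the two gaps just named (a zone network with no DHCP server, and a DHCP/DNS accept rule that is missing tcp/53 or absent altogether). `parse_uci`, `check_zone_services` and the sample strings are my own names; treating a rule with no `proto` as tcp+udp is an assumption, not something the thread states.

```python
import re

def parse_uci(text):
    """Parse quoted-value UCI text into (type, name, options) tuples; every
    value is stored in a list so 'option' and 'list' entries look alike."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, val, {}))
        else:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

NEEDED = {("udp", "67"), ("udp", "53"), ("tcp", "53")}  # DHCPv4 + DNS

def check_zone_services(firewall_text, dhcp_text):
    """List every zone that rejects input but whose networks lack a DHCP
    server or an ACCEPT input rule for DHCP/DNS; masq (upstream) zones skip."""
    fw, dhcp = parse_uci(firewall_text), parse_uci(dhcp_text)
    served = {o["interface"][0] for t, _, o in dhcp if t == "dhcp"
              and "interface" in o and o.get("ignore", ["0"])[0] != "1"}
    findings = []
    for t, _, zone in fw:
        if (t != "zone" or zone.get("masq", ["0"])[0] == "1"
                or zone.get("input", ["REJECT"])[0] == "ACCEPT"):
            continue  # not a zone, upstream zone, or input already accepted
        zname = zone["name"][0]
        for net in zone.get("network", []):
            if net not in served:
                findings.append(f"zone {zname}: network {net} has no DHCP server")
        allowed = set()
        for rt, _, rule in fw:
            if rt != "rule" or rule.get("src", [""])[0] != zname or "dest" in rule:
                continue  # only input rules (no dest) from this zone count
            if rule.get("target", [""])[0] != "ACCEPT":
                continue
            protos = rule.get("proto", ["tcp", "udp"])  # assumed default: tcp+udp
            ports = " ".join(rule.get("dest_port", [])).split()
            allowed |= {(p, port) for p in protos for port in ports}
        for proto, port in sorted(NEEDED - allowed):
            findings.append(f"zone {zname}: no ACCEPT rule for {proto}/{port}")
    return findings

# Constructed samples, trimmed from the configs posted in this thread.
FW_BEFORE = """config zone
    option name '36'
    option input 'REJECT'
    list network '36'
config rule
    option name '[36] Allow-DHCP-and-DNS'
    list proto 'udp'
    option src '36'
    option dest_port '53 67 68'
    option target 'ACCEPT'
"""
DHCP_BEFORE = "config dhcp 'lan'\n    option interface 'lan'\n"
# The later (working) state: renamed to lan46, tcp added, DHCP server defined.
FW_AFTER = FW_BEFORE.replace("'36'", "'lan46'").replace("[36]", "lan46").replace(
    "    list proto 'udp'\n", "    list proto 'tcp'\n    list proto 'udp'\n")
DHCP_AFTER = DHCP_BEFORE + "config dhcp 'lan46'\n    option interface 'lan46'\n"
```

Run it against the real files with `check_zone_services(open("/etc/config/firewall").read(), open("/etc/config/dhcp").read())`; an empty list means every rejecting zone can at least get an address and resolve names.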
Thanks for pointing everything out. I applied those changes but apparently it's not working yet. Here are the updated outputs (except for the first one):
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd52:6b6e:d7a1::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
config interface 'lan'
option device 'br-lan.11'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'br-lan.835'
option proto 'dhcp'
option vendorid 'huawei_HW_E1A.A_SW_1.0.1b/dslforum.org'
option ip6assign '64'
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
config bridge-vlan
option device 'br-lan'
option vlan '36'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '835'
list ports 'wan:t*'
config device
option name 'br-lan.835'
option type '8021q'
option ifname 'br-lan'
option vid '835'
option macaddr 'REDACTED'
config interface '36'
option proto 'static'
option device 'br-lan.36'
option ipaddr '192.168.46.1'
option netmask '255.255.255.0'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option device 'br-guest'
config device
option type 'bridge'
option name 'br-guest'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option channel '36'
option htmode 'VHT80'
option cell_density '0'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option band '2g'
option channel '1'
option cell_density '0'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'Zireael 5 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'lan'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option ssid 'Zireael 2.4 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'lan'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Zireael Guest 5 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'guest'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Zireael Guest 2.4 GHz'
option encryption 'sae-mixed'
option macfilter 'deny'
list maclist 'REDACTED'
option key 'REDACTED'
option ocv '0'
option network 'guest'
option disabled '1'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp '36'
option interface '36'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name '36'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '36'
config forwarding
option src 'lan'
option dest '36'
config rule
option name '[36] Allow-DHCP-and-DNS'
option src '36'
option dest_port '53 67 68'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config forwarding
option src '36'
option dest 'wan'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
Did you restart the router after making the changes?
How are you testing? (wired or wifi or both)?
Yep, just restarted. I have a server attached to eth4 (which is the physical port attached to VLAN 36) and I see it cannot lease a new IP.
Also the same happening if I join one of the guest wifi networks...
Is the server's Ethernet interface expecting the network to be tagged or untagged?
One test we can do is set the 36 zone firewall to accept input:
Meanwhile, you didn't add the DHCP+DNS accept rule for the guest firewall zone -- that will be necessary.
Good question, but unfortunately I'm not really sure where to look for the answer. The server is a Windows 10 machine, and I can't find anything related in the options. Is that a hardware property?
However, two considerations:
- Before the migration it was working as untagged. Here's the excerpt from the old configuration:
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '36'
option description '36'
option ports '6t 1'
- Setting Input to Accept in 36 seems to have no effect on DHCP (isn't it related to the traffic incoming to the zone though?). If I set the global Input to Accept, DHCP works fine though.
Yeah, sorry about that -- I've been working on this all day, and I locked myself out of the firewall a few times, so I had a few factory resets as well and I may have skipped some steps. I'm glad you asked though, because after this the guest network is now working fine! Still no luck with [36] though.
Does VLAN 36 need to be used on wifi or on more than one Ethernet port?
I don't know how VLANs are configured on Windows, but it's probably untagged if it worked previously.
Try plugging it into one of the other lan ports and see if it gets an IP.
Yes, as soon as it's connected to one of the ports of VLAN 11 the DHCP works fine.
Ok...
If it's only used on one port, I'll recommend a few changes.
No, it's supposed to be used only on this single port at the moment.
Ok... let's make a bunch of changes. Make a backup first, just in case anything goes wrong here.
Remove port lan4 and wan from br-lan:
Delete the bridge-VLANs:
Also delete the 802.1q stanza:
config device
option name 'br-lan.835'
option type '8021q'
option ifname 'br-lan'
option vid '835'
option macaddr 'REDACTED'
Edit the wan interface to use wan.835:
config interface 'wan'
option device 'wan.835'
option proto 'dhcp'
option vendorid 'huawei_HW_E1A.A_SW_1.0.1b/dslforum.org'
option ip6assign '64'
Edit the lan to use br-lan:
Edit 36 to use device lan4, and let's also change its name to something alphanumeric:
config interface 'lan46'
option proto 'static'
option device 'lan4'
option ipaddr '192.168.46.1'
option netmask '255.255.255.0'
Likewise, we need to fix the DHCP server for the 36 network:
config dhcp 'lan46'
option interface 'lan46'
option start '100'
option limit '150'
option leasetime '12h'
And the firewall config needs to use the new name, too:
config zone
option name 'lan46'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan46'
config forwarding
option src 'lan'
option dest 'lan46'
config rule
option name 'lan46 Allow-DHCP-and-DNS'
option src 'lan46'
option dest_port '53 67 68'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config forwarding
option src 'lan46'
option dest 'wan'
Reboot and test again.
Ok... with this new configuration everything is working as expected!
Just one question though: I thought that the VLAN-based setup provided an additional layer of security, helping the server to stay as isolated as possible from the rest of the network. Would switching now to this port-based setup be somewhat less secure in that regard?
No difference in security.
Nope. Not directly, anyway. It is the firewall that is responsible for keeping the networks isolated.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
Thanks for the explanation.
Marked as solved with great pleasure!
I'm afraid I spoke too soon.
I just noticed I still had Accept in the global Input. As soon as I put it back to Reject the issues came back.
So, while simpler, it seems that this configuration is still not working.
Let’s see the latest firewall config.
Did you name everything lan36, or did you use lan46, which was a minor deviation in the suggested config?