Current set up is OPNSense and a separate dnsmasq container acting as a dhcp/dns server on a docker node. Wanted to kick the tires of OpenWrt out of pure curiosity.
Note, this is all the same hardware, the only difference is between booting the PC with a USB vs the internal drive.
To set up, I've
installed Generic x86/64 23.05.3 on a USB stick and booted the pc from it.
Configured my password
Configured my LAN address
disabled (ignored) dhcp on the br-lan so the standalone server is authoritative.
rebooted
When the PC is booted with OpenWrt, nothing can get a DHCP address from the dnsmasq container.
When I reboot with OPNSense, everything works again.
I've installed pfSense on another USB stick and that works as well.
When OpenWRT is booted, if I manually assign an ip address and my dns server's address to a PC, name lookups and Internet access work. It's just DHCP for everything else does not work.
I can't seem to find that anyone else has had this issue and I'm not quite sure that taking dnsmasq out of the docker container would actually fix this.
There are no mac address conflicts and I'm not even sure what to try.
Any ideas?
Yes, they are.
OPNSense boots from the internal hard drive.
To test OpenWrt, I boot from a USB stick on the same hardware.
They are NOT running simultaneously.
Thank you
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
The docker container is on a separate PC.
It has my DHCP reservations and dns settings and tags for the kids devices so they get forced to safe search and youtube.
I'm trying to avoid recreating the above things if I decide to try yet another firewall, like I did with pfSense.
I did disable dnsmasq on OpenWrt.
The heart of the problem is when Openwrt is running, my standalone DHCP server will not hand out ip addresses. Running tcpdump on the docker server sees the requests. I can remove the LAN cable from OW and the PC's get an address. I plug the cable back in and they work just fine until their leases expires. Also rebooting them results in them not getting an address too.
Are you referring to disabling DHCP on the br-lan interface or did you disable the entire dnsmasq service?
It might be worth ruining wireshark on a separate machine and seeing what different DHCP traffic is being sent when OpenWRT is connected and when it's not.
Hi, yes, I disabled the entire service.
I'll try another tcpdump on a separate machine later on today.
Can't take down the internet right now as I'm using my ipsec tunnel on OPNSense to work from home. (This will be my next adventure with OpenWrt. )
Thank you.
Ok, I just had to try.
I stopped the docker container and installed and ran dnsmasq as a service on the same host.
Everything is working fine.
I'll be scratching my head over this.
)
