Stuck on VLANs after much work, still not working

I have tried to get vlans with separate DHCP ranges working for over a week and I'm out of ideas. I've read many posts on this forum and the reddit sub, gone through several youtube vids, read many pages of the OpenWRT setup and tried to get AI to help both give me the steps to do this, and to troubleshoot the failures (claude 4.5 thinking) and still no luck. At this point I can't give up, it's driving me crazy, any help is deeply appreciated.

To make this post, and troubleshooting, easier, I just reset the router to default and built out JUST a test case which reproduces what I've been seeing. I hope this simplifies things.

Router: Netgear R6220, running OpenWrt 24.10.1 or .3 (same problem exists with both versions). INTENTION: LAN 1 should be assigned to interface br20, should have DHCP 10.42.20.1/24 and VLAN 20. LANs 2 - 4 are my control group, left at default DHCP 192.168.1.1, no VLAN settings.

What works: I can get a separate DHCP server running on LAN 1 serving the client (MacBook Pro, but have reproduced with other clients) 10.42.20.x, and when I switch the cable to LAN 2, 3, or 4 I get 192.168.1.x. The working configuration files are below labeled 'Working, No VLAN'.

What doesn't work: As soon as I assign a VLAN ID to br20, the DHCP server on LAN 1 / br20 stops working. In this state, if I plug the ethernet into LANs 2-4 I get a lease and can access the router. The not-working configuration files are below as well. Notably, if I manually assign a 10.42.20.x IP to the client, I can then access the router, but DHCP just will not work. I see no errors in any of the default system logs either.

QUESTIONS: Can I improve the system logging? I don't know why I'm not seeing a failure to start dnsmasq or similar. Does anyone know of a tutorial on how to set up multiple networks with VLANs that I can follow that will work? Does anyone know why I can't make this work? Any ideas are really appreciated!!!

WORKING EXAMPLE - 2 networks are working (10.x and 192.168.x) but no VLAN is applied. Here are the configuration files (I'm not using WiFi at all so I omitted that file):

>> ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear R6220",
	"board_name": "netgear,r6220",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
-=-=-=-=
>> cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:43f0:545a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan1'
	option macaddr '44:A5:6E:78:9C:F9'

config device
	option type 'bridge'
	option name 'br20'
	list ports 'lan1'
	option igmp_snooping '1'
	option macaddr '44:A5:6E:78:9C:F9'
	option mtu '1500'
	option vlan_filtering '1'

config interface 'i20'
	option proto 'static'
	option device 'br20'
	option ipaddr '10.42.20.1'
	option netmask '255.255.255.0'

config device
	option name 'br20.20'
	option type '8021q'
	option ifname 'br20'
	option vid '20'
-=-=-=-=
>> cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'i20'
	option interface 'i20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
-=-=-=-=
>> cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'i20'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

NOT WORKING EXAMPLE - Same as the working config but I've assigned VLAN 20 to the 10.x network and DHCP fails. I tried it with the VLAN tagged U, T, U*, T* and all 4 fail. I tried so many things...

>> ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear R6220",
	"board_name": "netgear,r6220",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
-=-=-=-=
>> cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:43f0:545a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan1'
	option macaddr '44:A5:6E:78:9C:F9'

config device
	option type 'bridge'
	option name 'br20'
	list ports 'lan1'
	option igmp_snooping '1'
	option macaddr '44:A5:6E:78:9C:F9'
	option mtu '1500'

config interface 'i20'
	option proto 'static'
	option device 'br20'
	option ipaddr '10.42.20.1'
	option netmask '255.255.255.0'

config device
	option name 'br20.20'
	option type '8021q'
	option ifname 'br20'
	option vid '20'

config bridge-vlan
	option device 'br20'
	option vlan '1'
	list ports 'lan1:u*'
-=-=-=-=
>> cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'i20'
	option interface 'i20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
-=-=-=-=
>> cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'i20'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

((for what it's worth I'm only asking for help after I've literally spent 30+ hours just trying to get this to work. My forehead is virtually bloody from virtually banging my head against this virtual wall (almost literally... like I'm soooooo annoyed I want to thrash and cry, sigh). So, I'm not coming here for help after trying for a half hour and getting frustrated. I've tried for a LONG time and am questioning if I can even do technical work at this point ))

Which AI did you use to make "QUESTION:"?

Please check the documentation on gateway side setup for guest network.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Already did that (ran those commands); the output is in the question above. I knew you'd ask for those :slight_smile:
[edit - did you mean which AI wrote the question? That was all hand typed by me, I thought that would be obvious b/c it's not that well written?]
For the AI - I tried a bunch of different instructions, then ran several types of prompts trying to get steps to create the network I specified. I made network diagrams, made spreadsheets, I fed it specific sections of documentation, specific links, and I gave it configuration files from the router, updated as I completed various steps to confirm they were updated as expected. I tried having it generate instructions for LuCI, and for ssh in bash scripts. I spent like, days with it, seeing how different approaches worked but I never got it to create specific steps, or even general steps, that resulted in VLAN-separated networks. I tried a few different models including OpenAI, Claude and Gemini. I may be suffering from a concussion that I don't remember due to ... the concussion? but none of my friends have noticed anything and I don't have any scrapes and I haven't hit my head but... maybe there's a gas leak around here?

Formatting is damaged.

remove br20, it yields conflicting configuration.

Could you please describe your goal, i.e. why do you need VLANs at all? Do you want one VLAN trunk (i.e. all VLANs over one single cable) to a managed switch?

The problem is that you lost all formatting, your files are very hard to read.


Sure! My goal is to have clients be able to choose what type of internet gateway they want to connect to - these gateways are all set up on the same OpenWrt router. The WAN --> ISP modem in a bridge-like mode. The router has gateways to a WireGuard VPN, a PtP tunnel to a remote site, and a gateway connecting directly to the web. These networks carry different types of clients, e.g. IoT on the network with the direct connection, a server on the PtP tunnel, etc. I would like them to choose between networks by the WiFi network they connect to, with a couple of Ubiquiti UniFi WiFi devices (meshed together) presenting multiple SSIDs but all using the same network bandwidth. The UniFi OS allows something like virtual SSIDs that are separated by VLAN IDs, but that all run off the same radio so they don't need to use like... all the spectrum.

I hope that answers your question?

Will attempt tomorrow AM, thanks! When you say remove it, do you mean delete and re-add? I think I need a bridge device; I don't get the option to assign a static IP and have a DHCP server on network or .1q VLAN devices, those options are only on bridge devices I create (I think???), so br20 is the bridge I need to create a separate network with its own DHCP and gateway. Will revisit tomorrow though, ty

Oh! Oh shit, sorry. It may have messed up b/c I copied from the terminal to my notes app, then to this post; maybe the notes app f'd up the formatting. Will fix.

Bridge devices are in br-lan.20 and they exclusively manage the ports added to the bridge.

If you want to emulate swconfig-style lan4.45 you have to remove lan4 from br-lan first.

Thanks, now it's readable.


I would assume the main reason things aren't working is because you've put the vlan to '1' instead of '20'.

No, this is not the reason... the OP should be using a single bridge with bridge-VLANs to set the appropriate port-vlan membership.
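For reference, this is the single-bridge, bridge-VLAN layout that reply describes, written against the OP's stated intention (lan1 untagged in VLAN 20 with 10.42.20.1/24, lan2-4 untagged in VLAN 1 with 192.168.1.1/24). It is an added example, not the OP's config and not code from anyone in this thread; it assumes the OpenWrt DSA naming convention where a VLAN on br-lan appears as the device `br-lan.<vid>`, drops the separate `br20` bridge and the `br20.20` 8021q device, and keeps the interface name `i20` so the OP's existing dhcp pool and firewall zone entry still match by name.

```uci
# /etc/config/network, relevant sections only (loopback, globals, wan, wan6 unchanged)

# A single bridge holds every LAN port; the bridge-vlan sections below turn on
# VLAN filtering for it, so no separate vlan_filtering option is needed.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1: lan2-lan4 untagged. The '*' marks the PVID, so frames arriving
# without a tag on these ports are placed into VLAN 1.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 20: only lan1, untagged with PVID. A port feeding an access point
# that maps VLAN 20 to an SSID would be listed here as 'lanX:t' instead.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:u*'

# Interfaces bind to the per-VLAN bridge devices, never to bare br-lan,
# so each L3 network sees exactly its own VLAN.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'i20'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '10.42.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp and /etc/config/firewall need no change: the OP's
# "config dhcp 'i20'" pool and the lan zone's "list network 'i20'" both
# reference the interface by name, and that name is unchanged.
```

After `/etc/init.d/network restart`, `ip -d link show br-lan.20` and `bridge vlan show` on the router let you confirm that lan1 is the only member of VLAN 20 before testing a DHCP lease on that port.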

No, this is not the reason...

Yes it is, it might not be the best way to do it, but that’s why it’s not working.

No, there appears to be more than that wrong... but it's really hard to read because of the formatting.