Swconfig -> wtf not DSA, ipq806x

Hello, everyone. I have been hesitating to upgrade to the newest OpenWrt due to the changes involving DSA. I am currently attempting to set up my VLANs, but unfortunately, they are not able to connect to the internet. I have already eliminated the possibility of the firewall being the issue, so it is likely that there is a misconfiguration with the VLANs.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb7:e4fe:7d99::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        option stp '1'

config device
        option name 'eth1.1'
        option macaddr '14:91:82:6a:c5:d4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '14:91:82:6a:c5:d4'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1 2 3 4'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'
        option description 'WAN'

config interface 'IOT'
        option proto 'static'
        option device 'IOT'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.1'
        option type 'bridge'

config device
        option type 'bridge'
        option name 'IOT'
        list ports 'eth1.4'

config interface 'Guest'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option device 'guest'
        option type 'bridge'

config device
        option type 'bridge'
        option name 'guest'
        option igmp_snooping '1'
        list ports 'eth1.5'

config interface 'IA'
        option proto 'static'
        option ipaddr '10.0.2.1'
        option netmask '255.255.255.0'
        option device 'IA'
        option type 'bridge'
        list dns '1.1.1.1'

config device
        option type 'bridge'
        option name 'IA'
        option igmp_snooping '1'
        list ports 'eth1.3'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 4t'
        option vid '3'
        option description 'I&A'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '6t'
        option description 'IOT'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '6t'
        option vid '5'
        option description 'GUEST'

cat /etc/config/firewall

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'IOT'
        option dest 'wan'

config rule
        option name 'Allow-DNS-IOT'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'IOT'

config rule
        option name 'Allow-DHCP-IOT'
        list proto 'udp'
        option src 'IOT'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'Zir_G'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Zir_Guest'

config forwarding
        option src 'Zir_G'
        option dest 'wan'

config rule
        option name 'Allow-DNS-Zir-G'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'Zir_G'

config rule
        option name 'Allow-DHCP-Zir-G'
        list proto 'udp'
        option src 'Zievinger_G'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'IA_Zir'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IA_Zir'

config forwarding
        option src 'IA_Zir'
        option dest 'wan'

config rule
        option name 'Allow-DNS-IA_Zir'
        option src 'IA_Zir'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-IA_Zir'
        list proto 'udp'
        option src 'IA_Zir'
        option target 'ACCEPT'
        option src_port '68'
        option dest_port '67'

Remove the `option type 'bridge'` line from each of your new interface sections (IOT, Guest, IA); the bridge itself is already defined in the matching `config device` section.

Next, your VLANs for your guest and iot networks are only present on the CPU... are you expecting them to be used on any actual ethernet ports? The one for VLAN 3 (I&A) is present on logical port 4, but is tagged... you'll need a managed switch or other vlan aware device to understand the tag.

Also, let's see your complete firewall file as well as the DHCP file.

Thanks for the response! My goal is to use the VLANs to segregate my wireless devices, and later to make a trunk port. All of the VLANs are successfully assigning IP addresses, but they are lacking connectivity.

Firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'IOT'
        option dest 'wan'

config rule
        option name 'Allow-DNS-IOT'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'IOT'

config rule
        option name 'Allow-DHCP-IOT'
        list proto 'udp'
        option src 'IOT'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'Zir_G'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Zir_Guest'

config forwarding
        option src 'Zir_G'
        option dest 'wan'

config rule
        option name 'Allow-DNS-Zir-G'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'Zir_G'

config rule
        option name 'Allow-DHCP-Zir-G'
        list proto 'udp'
        option src 'Zir_G'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'IA_Zievnger'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IA_Zir'

config forwarding
        option src 'IA_Zievnger'
        option dest 'wan'

config rule
        option name 'Allow-DNS-IA_Zir'
        option src 'IA_Zievnger'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-IA_Zir'
        list proto 'udp'
        option src 'IA_Zievnger'
        option target 'ACCEPT'
        option src_port '68'
        option dest_port '67'

DHCP

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option noresolv '0'
        option port '54'
        list server '192.168.0.2'

config dhcp 'lan'
        option interface 'lan'
        option start '4'
        option limit '20'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.0.2'
        list dhcp_option '3,192.168.0.2'
        list dns 'fdb7:e4fe:7d99::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IA_Zir'
        option interface 'IA_Zir'
        option start '2'
        option limit '10'
        option leasetime '12h'

config dhcp 'Zir_Guest'
        option interface 'Zir_Guest'
        option start '2'
        option limit '10'
        option leasetime '12h'

config dhcp 'IOT'
        option interface 'IOT'
        option start '2'
        option limit '10'
        option leasetime '12h'

Your guest network isn't assigned to a firewall zone...

The guest network in your firewall zone is called Zir_Guest and the network as defined in the network config file is called Guest... correct one or the other so that they are consistent.

Is the connectivity issue the same for all three of the new networks (IOT, Guest, IA)? You said that they get a DHCP-assigned IP address? What address do you see on a computer connected to the Guest network (what are the IP, subnet mask, gateway/router, and DNS)?

Welp, it was a DNS issue, sigh — fooled by the oldest trick in the book. Thanks for your help!

yeah... DNS will get you.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
