Thought I'd solved VLAN Filtering Bridge - Now DHCP giving me a headache

A humble ask for someone to tell me what I need to copy and paste, and from where, to help them point out the error of my ways.

Can't get pfsense based DHCP server to hand out IPs for Guest SSID VLAN through my AP.

Could someone idiot-check both the way I've constructed my VLANs and my DHCP setup?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

Thanks for responding. Just having a look at another potential issue on the pfsense side that may be causing this before I ask for the effort of anyone.

Will check back if still issues. I'll also stop being lazy and make a drawing of exactly what it is I'm trying to achieve to help you guys, help me, as it were.

Thanks

Hello again,

As promised.

What I want to achieve:

Included is the current pfsense and switch VLAN port setup.

My current AP config as requested. I removed the word "option" to hopefully make it easier on the eye:

    "kernel": "5.15.150",
        "hostname": "xxx",
        "system": "ARMv8 Processor rev 4",
        "model": "ZyXEL NWA50AX Pro",
        "board_name": "zyxel,nwa50ax-pro",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@xxx:~# cat /etc/config/network

config interface 'loopback'
        device 'lo'
        proto 'static'
        ipaddr '127.0.0.1'
        netmask '255.0.0.0'

config globals 'globals'
         ula_prefix 'fdefxxxxxxxxxxxxxxxx'

config device
        name 'br-lan'
        type 'bridge'
        list ports 'eth0'
        ipv6 '0'
        bridge_empty '1'

config interface 'lan'
        device 'br-lan'
        proto 'none'
        force_link '1'

config device
        type '8021q'
        ifname 'br-lan'
        vid '50'
        name 'br-lan.50'
        ipv6 '0'

config interface 'Guest'
        proto 'none'
        device 'br-lan.50'

config device
        type '8021q'
        ifname 'br-lan'
        vid '60'
        name 'br-lan.60'
        ipv6 '0'

config interface 'IoT'
        proto 'none'
        device 'br-lan.60'

config device
         type '8021q'
         ifname 'br-lan'
         vid '1'
         name 'br-lan.1'
         ipv6 '0'

config device
         type '8021q'
         ifname 'br-lan'
         vid '10'
         name 'br-lan.10'
         ipv6 '0'

config interface 'Management'
         proto 'static'
         device 'br-lan.10'
         ipaddr '10.10.10.14' (This is the AP I'm configuring before bringing the other 3 online)
         netmask '255.255.255.0'
         gateway '10.10.10.1'

config bridge-vlan
         device 'br-lan'
         vlan '1'
        list ports 'eth0:u*'

config bridge-vlan
         device 'br-lan'
         vlan '10'
        list ports 'eth0:t'

config bridge-vlan
         device 'br-lan'
         vlan '20'
        list ports 'eth0:t'

config bridge-vlan
         device 'br-lan'
         vlan '30'
        list ports 'eth0:t'

config bridge-vlan
         device 'br-lan'
         vlan '40'
        list ports 'eth0:t'

config bridge-vlan
         device 'br-lan'
         vlan '50'
        list ports 'eth0:t'

config bridge-vlan
         device 'br-lan'
         vlan '60'
        list ports 'eth0:t'

config bridge-vlan
         device 'br-lan'
         vlan '70'

config bridge-vlan
         device 'br-lan'
         vlan '80'

config device
         name 'br-lan.20'
         type '8021q'
         ifname 'br-lan'
         vid '20'

config interface 'Default'
         proto 'none'
         device 'br-lan.1'

config interface 'Main'
         proto 'none'
         device 'br-lan.20'

config device
         name 'phy0-ap0'
         ipv6 '0'

root@xxx:~# cat /etc/config/wireless

config wifi-device 'radio0'
         type 'mac80211'
         path 'platform/18000000.wifi'
         channel '1'
         band '2g'
         htmode 'HE20'
         cell_density '0'

config wifi-iface 'default_radio0'
         device 'radio0'
         network 'Guest'
         mode 'ap'
         ssid 'xxxxxx'
         encryption 'sae-mixed'
         key 'xxxxxxxxxxxxx'
         isolate '1'

config wifi-device 'radio1'
         type 'mac80211'
         path 'platform/18000000.wifi+1'
         channel '36'
         band '5g'
         htmode 'HE80'
         disabled '1'

config wifi-iface 'default_radio1'
         device 'radio1'
         network 'lan'
         mode 'ap'
         ssid 'OpenWrt'
         encryption 'none'

root@xxx:~# cat /etc/config/dhcp

config dhcp 'lan'
         interface 'lan'
         start '100'
         limit '150'
         leasetime '12h'
         dhcpv4 'server'
        list dhcp_option '10.10.1.1'

config dhcp 'wan'
         interface 'wan'
         ignore '1'

config odhcpd 'odhcpd'
         maindhcp '0'
         leasefile '/tmp/hosts/odhcpd'
         leasetrigger '/usr/sbin/odhcpd-update'
         loglevel '4'

config dhcp 'Guest'
         interface 'Guest'
         start '100'
         limit '150'
         leasetime '12h'
        list dhcp_option '10.10.50.1'

root@xxx:~# cat /etc/config/firewall

config defaults
         syn_flood '1'
         input 'REJECT'
         output 'ACCEPT'
         forward 'REJECT'

config zone
         name 'lan'
         input 'ACCEPT'
         output 'ACCEPT'
         forward 'ACCEPT'
        list network 'lan'
        list network 'IoT'
        list network 'Management'
        list network 'Default'
        list network 'Main'
        list network 'Guest'

config zone
         name 'wan'
         input 'REJECT'
         output 'ACCEPT'
         forward 'REJECT'
         masq '1'
         mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
         src 'lan'
         dest 'wan'

config rule
         name 'Allow-DHCP-Renew'
         src 'wan'
         proto 'udp'
         dest_port '68'
         target 'ACCEPT'
         family 'ipv4'

config rule
         name 'Allow-Ping'
         src 'wan'
         proto 'icmp'
         icmp_type 'echo-request'
         family 'ipv4'
         target 'ACCEPT'

config rule
         name 'Allow-IGMP'
         src 'wan'
         proto 'igmp'
         family 'ipv4'
         target 'ACCEPT'

config rule
         name 'Allow-DHCPv6'
         src 'wan'
         proto 'udp'
         dest_port '546'
         family 'ipv6'
         target 'ACCEPT'

config rule
         name 'Allow-MLD'
         src 'wan'
         proto 'icmp'
         src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
         family 'ipv6'
         target 'ACCEPT'

config rule
         name 'Allow-ICMPv6-Input'
         src 'wan'
         proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
         limit '1000/sec'
         family 'ipv6'
         target 'ACCEPT'

config rule
         name 'Allow-ICMPv6-Forward'
         src 'wan'
         dest '*'
         proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
         limit '1000/sec'
         family 'ipv6'
         target 'ACCEPT'

config rule
         name 'Allow-IPSec-ESP'
         src 'wan'
         dest 'lan'
         proto 'esp'
         target 'ACCEPT'

config rule
         name 'Allow-ISAKMP'
         src 'wan'
         dest 'lan'
         dest_port '500'
         proto 'udp'
         target 'ACCEPT'

Let me know if you need anything else.

Thanks in advance for your time.

Cheers :tumbler_glass:

Things I intend to do: assign an alternative native VLAN for the tagged ports (on this switch indicated by moving the U to a newly created VLAN), move items in VLAN 1 in my setup to VLAN XX, and have nothing on the default VLAN.

Ok... thanks for showing what you want to achieve.

There are a lot of issues with the network config, so let's go through that:
Delete the last 2 lines below.
In your switch configuration image, you have the lan untagged (vlan 1), but then you talk about moving this to a tagged configuration. If it is tagged VLAN 1, then make the port eth0.1.

Remove the last line here:

Delete this:

and delete this, too:

And these two:

And delete all of these:

And finally remove this:

Next, create new bridges for the VLANs:

config device
        name 'br-mgmnt'
        type 'bridge'
        list ports 'eth0.10'

config device
        name 'br-guest'
        type 'bridge'
        list ports 'eth0.50'

config device
        name 'br-iot'
        type 'bridge'
        list ports 'eth0.60'

Now, edit the network interfaces accordingly:

config interface 'Guest'
        proto 'none'
        device 'br-guest'

config interface 'IoT'
        proto 'none'
        device 'br-iot'

config interface 'Management'
         proto 'static'
         device 'br-mgmnt'
         ipaddr '10.10.10.14'
         netmask '255.255.255.0'
         gateway '10.10.10.1'

Although your lan interface is unmanaged, you should explicitly turn off the DHCP server on that interface (/etc/config/dhcp) -- remove the last line and add the ignore line:

config dhcp 'lan'
         interface 'lan'
         start '100'
         limit '150'
         leasetime '12h'
         dhcpv4 'server'
         ignore '1'

And delete this:

In your firewall, the Management network is the only one you need. Delete the others.

Then reboot and it should work as expected.

1 Like

Thank you.

It would appear I had two MAIN misunderstandings.

  1. I read I could only create 1 x Bridge per physical port. I believed that. The root of most of the creative mess I think. I have 1 port.
  2. I have not read enough about the purpose and function of the firewall on an OpenWrt pure AP. Clearly. Too focussed on correctly configuring pfsense.

I'd already fixed the DHCP issues since posting that and the guest network functions on the surface at least.

This exercise in embarrassment has shown me the virtue of becoming comfortable with raw config files. Following what you're doing is so much easier than dancing around LuCI.

I'll check back when I've implemented.

Thank you very much so far.

That is true for DSA. For devices where you are working with a single ethernet port, typically you can use multiple bridges and dotted VLAN notation. If my suggestions don't work, we'll try the DSA method.

Basically, the only aspect of the firewall that matters in AP mode is access to the device itself (i.e. "Input") -- you only want your management network to have access to manage the device.

CLI/config files can be easier in some situations. I actually bounce back and forth depending on what I'm doing. Don't be embarrassed, though.

1 Like
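One way to turn the point above about "Input" into a repeatable check, as an added example that is not part of the thread and not OpenWrt's own tooling: a small Python script that parses a UCI firewall file (accepting both the normal `option`/`list` keywords and the bare form pasted earlier in this thread) and flags every network other than the management one that sits in a zone with input ACCEPT. The sample config embedded in it is constructed from the thread's `lan` zone.

```python
"""Audit an OpenWrt AP's UCI firewall: in AP mode only 'input' matters and
only the management network should reach the device. Added example for this
thread, not OpenWrt's own tooling; the sample config below is constructed."""
import re

# Constructed sample modelled on the thread's 'lan' zone (trimmed).
SAMPLE_FIREWALL = """
config defaults
        option input 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Management'
        list network 'Guest'
"""

def parse_uci(text):
    """Return [(type, name, {key: [values]})] per section. Accepts 'option',
    'list' or the bare 'key value' form used in the thread's paste."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(?:(?:option|list)\s+)?(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def audit_ap_input(text, mgmt="Management"):
    """List networks other than mgmt sitting in a zone with input ACCEPT:
    clients on them can reach the AP itself (ssh, LuCI). Missing 'input'
    is treated as REJECT here, matching the thread's defaults section."""
    findings = []
    for typ, _, opts in parse_uci(text):
        if typ != "zone" or opts.get("input", ["REJECT"])[0] != "ACCEPT":
            continue
        zone = opts.get("name", ["?"])[0]
        for net in opts.get("network", []):
            if net != mgmt:
                findings.append(f"zone '{zone}' accepts input from '{net}'")
    return findings

if __name__ == "__main__":
    for finding in audit_ap_input(SAMPLE_FIREWALL):
        print("WARN:", finding)
```

Run it against the real file with `audit_ap_input(open('/etc/config/firewall').read())`; an empty list means only the management network can reach the AP.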

Cheers. I'll update tomorrow when I get some time to sort it.

I'm pretty sure I have a DSA setup.

Thank you for posting the config but that approach does not appear to be working. I cannot access the AP with the configuration you kindly provided. I tried to configure what you said using LuCI too, but keep getting locked out of the AP for reasons I do not understand at all, which means I have no way of guaranteeing future success.

Is it because DSA vs 1 Physical Ethernet Port and my attempting to create multiple bridges rather than creating 1 x VLAN aware Bridge with filtering enabled?

I even create backup static management ips etc. to ensure I don't get locked out, test them, but eventually get locked out anyway.

I'm stumped here.

My apologies.... let's get you back to a working base config.

Use the failsafe mode to reset to defaults.
https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

Once that is done, post your device's default network config and we'll go from there. It shouldn't be too hard.

If you have any questions or issues with failsafe mode, lmk.

1 Like

Hey @psherman,

Not ignoring you, just been working it out. No apologies required. You've been giving me your time for free and helping me. Appreciated. Think I've done it thanks to your bits of advice steering me to look in the right places for solutions. Right now, it works as needed.

I went back to the DSA method of configuring a VLAN filtered bridge, but less clumsily.

My inability to configure a VLAN Filtered Bridge with a single physical port being used for the same setup access was giving me the ultimate headache. It seemed like no matter what I did it would disconnect and not apply the settings.

So I went for the raw config file method.

When I'm sure everything is fine I'll post the configs and my lessons learned to perhaps help others with a "single physical port DSA multi-VLAN setup for an AP".

Cheers,
D

Sounds good. Feel free to post your current config for review if you'd like input based on what's there now.

1 Like