Unable to access DHCP on virtual lan

Hi folks, I am very new to OpenWrt and would appreciate some help. I have been struggling with this for a few weeks trying to get it to work.

In this setup my pfSense gateway is on 192.168.1.1 and I am able to get everything working on VL 1 (192.168.1.0/24), but on VL 20 (192.168.20.0/24) devices are unable to get a DHCP address on the wireless SSID (DAP). I can, however, plug into the back of my device and get a DHCP address on both networks.

Port
LAN 1 - from pfsense (switch tagged 1,20; pvid 1)
LAN 2 - VL 20
LAN 3 - VL 1

I ran make_dumb_ap.sh to convert the installation to Dumb AP. I believe firewall/dhcp is disabled on openwrt.

I'd appreciate any help, I have been trying for a few weeks to get this working.

root@WifiAP:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:fb53:f7e7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option ip6assign '60'
        option proto 'dhcp'
        option device 'br-lan.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2t 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 1'
        option vid '2'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1.1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1.1:t'

config interface 'DAP'
        option device 'br-lan.20'
        option proto 'dhcp'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '20'
        option ports '0t 2t 3'

config interface 'TEST'
        option proto 'dhcp'
        option device 'br-lan.1'

root@WifiAP:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'CA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'sae-mixed'
        option key 'REDACTED'
        option ieee80211r '1'
        option mobility_domain '123f'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ssid 'VL1'
        option network 'TEST'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'CA'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'VL20'
        option network 'DAP'
        option encryption 'sae-mixed'
        option key 'REDACTED'

root@WifiAP:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@WifiAP:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

You are mixing swconfig and DSA syntax, and that will not work.

Reset your device to defaults and then post the network file again (in its default state).

Really appreciate the quick response!

TP Link Archer C7 v2

 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~#  cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf3:c6f4:46b0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

Add the following:

config device
        option name 'br-vlan20'
        option type 'bridge'
        list ports 'eth1.20'

config interface 'vlan20'
        option device 'br-vlan20'
        option proto 'none'

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option ports '2t 3 0t'

and then edit the vlan1 switch config to look like this:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 4 5 0t'

Now, I can't guarantee that the logical ports <-> physical ports are correct for what you have specified. But give it a shot and see if it works -- this hopefully will provide VLAN 20 on LAN 2 as an untagged network, VLAN 1 on port 3, and the trunk port on port 1.

Edit: after this is proven to work, we can get WiFi configured.

and then edit the vlan1 switch config

Not exactly sure where you are asking to change. On my managed switch?

Oh. Those ports (shown below) were for a separate managed switch? Please confirm that this switch sits between the pfSense router and the OpenWrt dumb AP:

Also, port LAN1 doesn't make sense -- you can't have a VLAN both tagged and set as PVID on the same physical port; it is one or the other. Tagged is often recommended for all networks on a trunk port.

Can you confirm that LAN2 and LAN3 from your managed switch work as expected?

Yes, I have a managed switch between pfsense and openwrt. The LAN1..3 are on openwrt. The managed switch has 1,20 tagged, pvid 1 going into LAN 1.

Yes, LAN 2 and LAN 3 worked prior to the change. It was just the WiFi network I created on VL20 that wasn't able to grab a DHCP lease.

It is a cheap managed switch currently I have PVID set to 1; do you think I should change it to something used (4093 or similar)?

ok... so what I recommended is how you should setup OpenWrt, except for one tweak here:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2t 4 5 0t'

Then verify that the physical ethernet ports on your OpenWrt box are working as expected.

If it is working, no need to mess with it.

Not exactly sure where to make the change you are suggesting.

I did this in luci, maybe this was what you wanted me to test?

I am also testing the following, it seems to be working but I'm going to continue testing.

root@WifiAP:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'VL1'
        option encryption 'sae-mixed'
        option key 'REDACTED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'vl20'
        option encryption 'sae-mixed'
        option key 'REDACTED'
        option network 'vlan20'

with the above I tested wifi (VL1) and LAN2 both seemed to give me 192.168.1.0/24 and wifi (VL20) and LAN3 both seemed to give me 192.168.20.0/24 IPs as expected.

@psherman I appreciate your help; let me know if you think I followed your instructions.

Not sure I understand, though, what changed from my base configuration. I'd appreciate it if you could explain what changed. I have been making most of my changes inside LuCI; is this something I would have had to do in the configuration file?

Really appreciate it!

Somehow there was mixed configuration syntax in your original file.

You will need to add a network interface and bridge for vlan20 (it will be an unmanaged interface)

@psherman appreciate your help!
