Using a SamKnows Whitebox 8 as a managed switch

Hey all!
I have a raspberry pi 4 with an extra USB dongle serving as my router and I wanted to use my SamKnows Whitebox 8 as a managed switch (both running OpenWRT). I just need one of the ports of the SamKnows Whitebox 8 to connect to a VPN instead of my main VLAN and that is exactly what is not working for me.

I’ve tried to configure the WAN port as a trunk, and also one of the LAN ports, but when I connect a device to the VPN port it never gets an IP address, so I have no internet at all.

This is my raspberry pi:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc3:a5f5:27de::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.28.1'
        option netmask '255.255.255.0'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'vpn_lan'
        option proto 'static'
        option device 'br-lan.38'
        option ipaddr '192.168.38.1'
        option netmask '255.255.255.0'

config interface 'pia_tun'
        option proto 'none'
        option device 'tun0'

and this is my SamKnows Whitebox 8:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:e34:f::/48'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        option vlan_filtering '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.28.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.28.1'
        list dns '192.168.28.1'

config device 'brlan38_dev'
        option name 'br-lan.38'
        option type '8021q'
        option ifname 'br-lan'
        option vid '38'

config device 'vpn_dev'
        option name 'br-vpn'
        option type 'bridge'
        list ports 'br-lan.38'
        list ports 'wan'

config interface 'vpn'
        option device 'br-vpn'
        option proto 'none'
        option auto '1'
        option force_link '1'

the firewall on my raspberry pi:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config zone
        option name 'tailscale_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'tailscale_fw'
        option dest 'lan'

config forwarding
        option src 'tailscale_fw'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'tailscale_fw'

# Zone for the VPN-only VLAN (network 'vpn_lan', the 192.168.38.1/24 interface).
config zone
        option name 'vpn_fw'
        # input ACCEPT lets clients on this VLAN reach every service the router
        # itself exposes on that interface, not only DHCP and DNS.
        # NOTE(review): if these clients are less trusted than the main LAN,
        # consider input REJECT plus explicit rules for DHCP and DNS.
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Zone-level forward policy; traffic towards other zones is governed
        # by the 'config forwarding' sections and the defaults section.
        option forward 'REJECT'
        list network 'vpn_lan'

# Zone for the tunnel interface (network 'pia_tun', device tun0).
config zone
        option name 'vpn_wan'
        # Unsolicited traffic arriving over the tunnel is rejected.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'pia_tun'
        # Source-NAT traffic leaving through the tunnel and clamp TCP MSS.
        option masq '1'
        option mtu_fix '1'

# The only forwarding out of vpn_fw goes to vpn_wan. Together with
# 'option forward REJECT' in the defaults section and the absence of a
# vpn_fw -> wan forwarding, VLAN 38 clients have no firewall path to the
# regular WAN, so their traffic should not fall back to the ISP link when
# tun0 is down. Adding a vpn_fw -> wan forwarding would remove that property.
# NOTE(review): routing must still send vpn_lan traffic via tun0; that part
# is not shown in this file.
config forwarding
        option src 'vpn_fw'
        option dest 'vpn_wan'

Do you need to see anything else?
Thank you so much in advance!

On the Pi...

Change the device of the vpn_lan interface from br-lan.38 to eth0.38:

On the SK Whitebox 8, add the wan port to br-lan and remove the vlan_filtering line. It will look like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

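Next, delete this (the quoted block did not survive in this copy; the configuration posted afterwards no longer contains the 'brlan38_dev' and 'vpn_dev' device sections):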

Now, create bridge-vlans. I'll make the wan port the trunk and port 4 will be untagged for your VPN:

# Port flags: 'u' = frames leave the port untagged, '*' = this VLAN is the
# port's PVID (untagged ingress frames are placed in it), 't' = tagged.

# VLAN 1 (main LAN): lan1-lan3 and the wan uplink are untagged members, so
# the main LAN travels untagged on the trunk to the Pi.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:u*'

# VLAN 38 (VPN): lan4 is the untagged access port; wan carries it tagged.
# lan4 is not a member of VLAN 1, which is what keeps the VPN port separated
# from the main LAN at layer 2. Keep lan4 out of VLAN 1 and keep VLAN 38 off
# lan1-lan3 to preserve that separation.
config bridge-vlan
        option device 'br-lan'
        option vlan '38'
        list ports 'lan4:u*'
        list ports 'wan:t'

Now you can edit your interfaces to use device br-lan.x where x is the VLAN ID. It will look like this:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.28.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.28.1'
        list dns '192.168.28.1'

...

config interface 'vpn'
        option device 'br-lan.38'
        option proto 'none'

With those changes, things should at least connect to the right VLANs. There are other files we have not seen, so you could have other errors. If that doesn't fix the issue, please post the following (latest/updated) from each device:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Unfortunately, applying those changes didn't do the trick. The trunk is physically moved to the WAN port, and the Pi is set to eth0.38, but a device plugged into LAN 4 still gets no IPv4 address.

Here is the output of those ssh commands:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.1",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc3:a5f5:27de::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.28.1'
        option netmask '255.255.255.0'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'vpn_lan'
        option proto 'static'
        option device 'eth0.38'
        option ipaddr '192.168.38.1'
        option netmask '255.255.255.0'

config interface 'pia_tun'
        option proto 'none'
        option device 'tun0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host

I then have a bunch of static leases which I'll omit for brevity and then:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config zone
        option name 'tailscale_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'tailscale_fw'
        option dest 'lan'

config forwarding
        option src 'tailscale_fw'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'tailscale_fw'

config zone
        option name 'vpn_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn_lan'

config zone
        option name 'vpn_wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'pia_tun'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'vpn_fw'
        option dest 'vpn_wan'

on the whitebox8:

root@OpenWrt-Whitebox8:~# ubus call system board
hcp
cat /etc/config/firewall{
        "kernel": "6.6.119",
        "hostname": "OpenWrt-Whitebox8",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "SamKnows Whitebox 8",
        "board_name": "samknows,whitebox-v8",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
root@OpenWrt-Whitebox8:~# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:e34:f::/48'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '38'
        list ports 'lan4:u*'
        list ports 'wan:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.28.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.28.1'
        list dns '192.168.28.1'

config interface 'vpn'
        option device 'br-lan.38'
        option proto 'none'
root@OpenWrt-Whitebox8:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

root@OpenWrt-Whitebox8:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Thank you once again for the help!

You don't have a DHCP server for the vpn_lan interface, so it makes sense that you wouldn't get an IP. Add this to the dhcp file on the Pi:

# DHCP pool for the VPN VLAN. With vpn_lan at 192.168.38.1/24, start 100 and
# limit 150 hand out 192.168.38.100 - 192.168.38.249.
# NOTE(review): no DNS server is set here, so clients will presumably be
# given the router itself as resolver. The router's dnsmasq then forwards
# queries using its own upstream path, which may not be the VPN tunnel.
# Confirm where DNS for this VLAN actually goes, or hand out resolvers that
# are reached through the tunnel.
config dhcp 'vpn_lan'
        option interface 'vpn_lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

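On the SamKnows device, you need to disable the DHCP server on lan. It sits on the same 192.168.28.0/24 segment as the Pi, so a second DHCP server there would compete with the Pi's. It should look like this: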

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Reboot both devices and test again.

Strangely, I still don't get an IP at all (and no internet) when connected to LAN4 on the whitebox8. I think I applied all commands correctly.
Here's the raspberry pi:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.1",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc3:a5f5:27de::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.28.1'
        option netmask '255.255.255.0'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'vpn_lan'
        option proto 'static'
        option device 'eth0.38'
        option ipaddr '192.168.38.1'
        option netmask '255.255.255.0'

config interface 'pia_tun'
        option proto 'none'
        option device 'tun0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host

Then I have a bunch of static IPs. Deleting for brevity and then:

config dhcp 'vpn_lan'
        option interface 'vpn_lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,1.0.0.1'
        option dhcpv4 'server'

config host
        option name 'OpenWrt-Whitebox8'
        option mac 'xxxxx'
        option ip '192.168.28.254'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config zone
        option name 'tailscale_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'tailscale_fw'
        option dest 'lan'

config forwarding
        option src 'tailscale_fw'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'tailscale_fw'

config zone
        option name 'vpn_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn_lan'

config zone
        option name 'vpn_wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'pia_tun'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'vpn_fw'
        option dest 'vpn_wan'

root@OpenWrt:~#

and the Whitebox8:

root@OpenWrt-Whitebox8:~# ubus call system board
hcp
cat /etc/config/firewall{
        "kernel": "6.6.119",
        "hostname": "OpenWrt-Whitebox8",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "SamKnows Whitebox 8",
        "board_name": "samknows,whitebox-v8",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
root@OpenWrt-Whitebox8:~# cat /etc/config/network
# Standard loopback interface.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:e34:f::/48'
        option packet_steering '0'

# One bridge spanning all five ports, including 'wan', so the box acts as a
# switch. VLAN membership per port is set by the bridge-vlan sections below.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

# VLAN 1: lan1-lan3 and wan are untagged members with VLAN 1 as their PVID
# ('u*'). Untagged frames entering the wan port therefore land in VLAN 1,
# the VLAN that carries this device's management address.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:u*'

# VLAN 38: lan4 is the untagged access port; wan carries it tagged ('t'), which
# makes wan the trunk towards the router. The device at the other end of wan
# must pass 802.1Q-tagged frames for VLAN 38.
config bridge-vlan
        option device 'br-lan'
        option vlan '38'
        list ports 'lan4:u*'
        list ports 'wan:t'

# Management address of the switch on VLAN 1; gateway and DNS point at
# 192.168.28.1.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.28.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.28.1'
        list dns '192.168.28.1'

# VLAN 38 is attached with proto 'none': the switch holds no IP address on
# this VLAN, so clients on lan4 have no layer-3 path to the switch itself.
config interface 'vpn'
        option device 'br-lan.38'
        option proto 'none'
root@OpenWrt-Whitebox8:~# cat /etc/config/dhcp
# dnsmasq settings for the switch.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS-rebinding protection is enabled.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries that come from locally attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCP pool for 'lan'. 'ignore 1' (last option) keeps dnsmasq from serving
# DHCPv4 on this interface.
# NOTE(review): odhcpd's documentation says 'ignore' is overridden by explicit
# ra/dhcpv6 settings, so with both set to 'server' this switch may still send
# router advertisements and answer DHCPv6 on lan - confirm, and set them to
# 'disabled' if the router is meant to be the only source.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

# Refers to an interface named 'wan'; the network config shown for this device
# defines none, so this section presumably has no effect.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd is not the main DHCPv4 server (maindhcp '0').
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'
root@OpenWrt-Whitebox8:~# cat /etc/config/firewall
# Default policies: anything not matched by a zone is rejected on input and
# forward. An interface that belongs to no zone (here 'vpn' from the network
# config) falls under these defaults.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'

# The management network: fully open towards the switch.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Lists networks 'wan' and 'wan6'. The network config shown for this device
# defines neither, so this zone presumably matches no interface and is a
# leftover from the default configuration.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Routed lan -> wan forwarding. NOTE(review): these zones govern traffic
# addressed to or routed by the switch; frames merely bridged between ports are
# presumably not evaluated here - confirm.
config forwarding
        option src 'lan'
        option dest 'wan'

# Every rule from here on uses src 'wan'. The network config shown for this
# device defines no 'wan' or 'wan6' interface, so these rules presumably match
# nothing on this switch and are carried over from the default firewall config.

# Accept DHCPv4 replies (UDP port 68) addressed to the device.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 echo requests addressed to the device.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IGMP (IPv4 multicast group management).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 replies (UDP port 546) addressed to the device.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept Multicast Listener Discovery messages (ICMPv6 types 130, 131, 132 and
# 143), restricted to link-local senders in fe80::/10.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the device itself, including
# neighbour/router discovery, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward the listed ICMPv6 error and echo types from wan to any zone
# (dest '*'), with the same rate limit. Discovery types are not in this list.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward IPsec ESP from wan to hosts in lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward IKE/ISAKMP (UDP destination port 500) from wan to hosts in lan.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

What could be happening? Thank you so much in advance!

I'm not seeing any specific issues, but maybe try removing the underscore (_) -- make the name here just vpnlan:

Do the same here:

and here:

and of course here:

That also didn't work. I still get no IP and no internet on lan4. Do you have any tips on what I can do to test this and find where the problem comes from? Thanks in advance!

Let's try using port lan1 as the trunk (uplink to the router) instead.

Remove the wan port from br-lan and then change the bridge-vlan sections to look like this:

# Suggested layout with lan1 as the uplink to the router.
# VLAN 1: lan1, lan2 and lan3 are untagged members with VLAN 1 as PVID ('u*').
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

# VLAN 38: lan1 carries it tagged ('t'), making lan1 the trunk; lan4 is the
# untagged access port. 'wan' is no longer a member of either VLAN.
config bridge-vlan
        option device 'br-lan'
        option vlan '38'
        list ports 'lan1:t'
        list ports 'lan4:u*'

Then reboot and test again.

Also, just to make sure....

It is expected that the Ethernet port on the Pi connects directly to the SamKnows box. Please confirm that this is the case (no other things between the two devices).

Ugh, I'm so sorry. I did have a device between the Pi and the Whitebox. With that out of the way (I didn't change the trunk to lan1; it's still on WAN),
I now get an IP on LAN4 (192.168.38.xx) and I can reach my router at 192.168.28.1. I just don't have internet. Does the below tell you anything useful?

root@OpenWrt:~# logread | grep -i openvpn
Sun Apr 19 14:31:49 2026 daemon.err openvpn(pia)[2509]: write UDPv4 []: Network unreachable (fd=5,code=101)
Sun Apr 19 14:31:49 2026 daemon.err openvpn(pia)[2509]: write UDPv4 []: Network unreachable (fd=5,code=101)
Sun Apr 19 14:31:50 2026 daemon.err openvpn(pia)[2509]: write UDPv4 []: Network unreachable (fd=5,code=101)
Sun Apr 19 14:31:50 2026 daemon.err openvpn(pia)[2509]: write UDPv4 []: Network unreachable (fd=5,code=101)
Sun Apr 19 14:49:25 2026 daemon.err openvpn(pia)[2509]: event_wait : Interrupted system call (fd=-1,code=4)
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[2509]: /usr/libexec/openvpn-hotplug route-pre-down pia tun0 1500 0 10.243.0.70 255.255.0.0 init
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[2509]: net_addr_v4_del: 10.243.0.70 dev tun0
Sun Apr 19 14:49:25 2026 daemon.warn openvpn(pia)[2509]: sitnl_send: rtnl: generic error (-99): Address not available
Sun Apr 19 14:49:25 2026 daemon.warn openvpn(pia)[2509]: Linux can't del IP from iface tun0
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[2509]: /usr/libexec/openvpn-hotplug down pia tun0 1500 0 10.243.0.70 255.255.0.0 init
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[2509]: SIGTERM[hard,] received, process exiting
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: OpenVPN 2.6.14 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: library versions: OpenSSL 3.0.18 30 Sep 2025, LZO 2.10
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: DCO version: N/A
Sun Apr 19 14:49:25 2026 daemon.warn openvpn(pia)[28318]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: TCP/UDP: Preserving recently used remote address: [AF_INET]196.245.54.136:1198
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: UDPv4 link local: (not bound)
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: UDPv4 link remote: [AF_INET]196.245.54.136:1198
Sun Apr 19 14:49:25 2026 daemon.warn openvpn(pia)[28318]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: [Server-12460-0a] Peer Connection Initiated with [AF_INET]196.245.54.136:1198
Sun Apr 19 14:49:25 2026 daemon.err openvpn(pia)[28318]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Sun Apr 19 14:49:25 2026 daemon.err openvpn(pia)[28318]: Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Sun Apr 19 14:49:25 2026 daemon.err openvpn(pia)[28318]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: TUN/TAP device tun0 opened
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: net_iface_mtu_set: mtu 1500 for tun0
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: net_iface_up: set tun0 up
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: net_addr_v4_add: 10.243.0.46/16 dev tun0
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: /usr/libexec/openvpn-hotplug up pia tun0 1500 0 10.243.0.46 255.255.0.0 init
Sun Apr 19 14:49:25 2026 daemon.notice openvpn(pia)[28318]: Initialization Sequence Complete

Thank you in advance and apologies once again!

What was it? Was it an unmanaged switch?

These look suspect:

But this is really a topic for a new thread. You may also need to use policy based routing.

With that in mind, create a new thread to deal with the remaining issue and, if this one is solved (which it seems to be)...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

It was an actual router with DHCP and all other settings turned off so it could act as a dumb AP and switch. Super noob mistake of mine not thinking of it! In my defense, I initially did try to connect the Whitebox directly to the Raspberry Pi, but it wasn't working (because it was misconfigured, as you kindly pointed out in your first message).

Fair enough! You have already provided a lot of valuable info. Thank you once again! I'll mark your first message as the solution!