VLAN bridged/managed switch

I am setting up multiple bridged VLANs on a GL-MT6000 (OpenWrt 24.x snapshot) for use with a managed switch.
Each VLAN has:

a br-lan.X subinterface created through Bridge VLAN Filtering (DSA)

its own firewall zone

its own DHCP scope

a Wi-Fi SSID assigned directly to that interface (lan10, lan20, lan30, lan40, lan50, lan60, lan70, lan99)

The VLAN interfaces appear correctly in LuCI, and the SSIDs can be assigned to them.

However, a reproducible problem occurs:

After every reboot, none of the SSIDs attached to VLAN interfaces receive DHCP.

Windows reports "No DHCP" and self-assigns a 169.254.x.x address.

The only way to make an SSID work is to do the following trick:

Edit the VLAN interface (e.g., lan20)

Temporarily assign it to the lan firewall zone

Save & Apply

Reassign it back to its correct firewall zone (e.g., vpnonly, momnet, quarantine, mgmt99)

Save & Apply again

After this, DHCP works instantly and Wi-Fi clients get an address until the next router reboot.
On reboot, the VLAN/SSID again fails to hand out DHCP, and the entire process must be repeated.

Basically it seems like the problem is that the Wi-Fi SSID doesn't stay attached to the VLANs I make. I do that little switch of the firewall zone to lan and then back to what it should be, and everything then works, but it's not a permanent fix. I'm trying to work towards setting up a VLAN that uses WireGuard, but creating the tunnel has been impossible... I'm wondering if this issue has anything to do with it. But for now, I need to make sure the VLANs work properly at all times before I focus on getting WireGuard to work. Also, look at the screenshot I'm sharing... It shows ONE VLAN seems to have its Wi-Fi SSID attached while the rest do not, even though they all have a Wi-Fi SSID created for them, all with the VLAN selected as the device the SSID should be associated with. Also notice, Br-lan1, br-lan, br-lan.99 are all green... Those are the only ones that work through reboots. 1 and br-lan are connected to the lan firewall zone, but 99 is connected to its own firewall zone and also seems to have its Wi-Fi SSID permanently attached. I don't know what I did wrong here.

https://imgur.com/a/eDIQNax

https://imgur.com/a/4Keh6B5

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I assume you are missing firewall rules for these VLANs. Compare them and look out for DHCP-related rules on INPUT and also on OUTPUT.

Edit ps: what switch do you use?


{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2c:2791:xxxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.xxx.xx.x'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option macaddr 'xxxxxxxxxx'
        option peerdns '0'
        option dns '0.0.0.0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option dns '::'
        option peerdns '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'

config interface 'lan10'
        option proto 'static'
        option device 'br-lan.10'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:u*'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan3:t'

config interface 'lan30'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'
        option force_link '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '70'
        list ports 'lan3:t'

config interface 'lan70'
        option proto 'static'
        option device 'br-lan.70'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan3:t'

config interface 'lan60'
        option proto 'static'
        option device 'br-lan.60'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'lan3:t'

config interface 'lan50'
        option proto 'none'
        option device 'br-lan.50'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3:t'

config interface 'lan20'
        option proto 'static'
        option device 'br-lan.20'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan3:t'

config interface 'lan99'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'
        option force_link '0'
        option type 'bridge'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HT40'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'HVAC-xx1'
        option encryption 'psk2+psk3'
        option key ''

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Hxxx-xx2'
        option encryption 'psk2+psk3'
        option key ''

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Hxxx-xx3'
        option encryption 'psk2'
        option key ''
        option network 'lan10'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid ' **Mxxxt-xx2**'
        option encryption 'psk2'
        option key ''
        option network 'lan30'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid '**Opx-xxA**'
        option encryption 'psk2'
        option key ''
        option network 'lan70'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid '**Diag-xxxx-9F**'
        option encryption 'psk2'
        option isolate '1'
        option key ''
        option network 'lan60'

config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid '**Oxx-xxB**'
        option encryption 'psk2'
        option key ''
        option network 'lan70'

config wifi-iface 'wifinet7'
        option device 'radio1'
        option mode 'ap'
        option ssid '**Hxxx-xx2**'
        option encryption 'psk2'
        option key ''
        option network 'lan20'

config wifi-iface 'wifinet8'
        option device 'radio1'
        option mode 'ap'
        option ssid '**Sxx-xxxx-x8E**'
        option encryption 'psk2'
        option key ''
        option network 'lan99'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option port '5xx3'
        option dnsforwardmax '1024'
        list server '127.0.0.1#5xx5'
        list server '::1#5xx5'
        list server '1.1.1.1'
        list server '1.0.0.1'
        option logqueries '1'
        option logdhcp '1'
        list interface 'lan'
        list interface 'lan10'
        list interface 'lan20'
        list interface 'lan30'
        list interface 'lan50'
        list interface 'lan60'
        list interface 'lan70'
        list interface 'lan99'
        option interface_done '1'

config dhcp 'lan10'
        option interface 'lan10'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan20'
        option interface 'lan20'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan30'
        option interface 'lan30'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xx.1'

config dhcp 'lan60'
        option interface 'lan60'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan70'
        option interface 'lan70'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xx.xxx.1'

config dhcp 'lan99'
        option interface 'lan99'
        option start '20'
        option limit '200'
        option leasetime '12h'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.xx.xx.1'
        list dhcp_option '3,10.xx.xx.1'
        list dns '::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan10'
        list network 'lan30'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'momnet'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'lan70'

config forwarding
        option src 'momnet'
        option dest 'wan'

config zone
        option name 'Quarantine'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan60'

config forwarding
        option src 'Quarantine'
        option dest 'wan'

config zone
        option name 'vpnsendtotunnel'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan20'

config zone
        option name 'mgmt99'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan99'

config forwarding
        option src 'mgmt99'
        option dest 'wan'

I use an ASUS ebp15 managed switch, though I haven't even accessed the interface yet... Also, ChatGPT is telling me my firewall rules are the issue, though ChatGPT came up with those firewall rules... What I noticed is the only VLANs/SSIDs to survive reboots are the ones with accept, accept, reject or accept, accept, accept... Is that actually the problem? Thanks for the quick reply... just let me know if I can provide anything else that will help shed some light on this.

OK, it was the firewall zones... not setting incoming as accept... duh. Sorry to bother... expect a question about WireGuard possibly in the near future in a different thread though :wink:

You shouldn't simply set incoming as accept.
Create firewall rules to allow the required DHCP/DNS traffic from those subnets to the device.
Here is an example for the guest zone:

config rule
        option name 'Allow-Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

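The advice above is the general pattern: a zone whose INPUT policy is REJECT (momnet, Quarantine, vpnsendtotunnel in the posted config) silently blocks the DHCP discover and DNS queries that clients send to the router itself, so each such zone needs an explicit ACCEPT rule for udp/67 and for port 53 with no dest zone. The following script is an added example and not part of the thread or of OpenWrt: it parses a firewall config in UCI syntax, reports every non-ACCEPT zone that lacks those rules, and emits the missing stanzas in the same form as the guest example. The minimal parser, the SAMPLE_FIREWALL text (constructed to mirror the thread's zone layout) and the rule names it generates are this example's own assumptions; a DNS rule is counted as covering the service when it allows both tcp and udp, which is what an unset proto means in OpenWrt.

```python
"""Audit /etc/config/firewall for zones with INPUT != ACCEPT that lack
ACCEPT rules letting clients reach the router's DHCP (udp/67) and DNS (53).
Added example; the sample config below is constructed, not from the thread."""
import shlex
import sys

# Services the router must accept from every zone that hands out leases:
# name -> (dest_port, protocols the rule has to allow)
ROUTER_SERVICES = {"dhcp": ("67", ("udp",)), "dns": ("53", ("tcp", "udp"))}

# Constructed sample: 'lan' is open, 'guest' has the rules, 'momnet' does not.
SAMPLE_FIREWALL = """\
config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'momnet'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan70'

config zone
        option name 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'guest'

config rule
        option name 'Allow-Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Minimal UCI reader: list of (section_type, {key: str | [str, ...]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the single-quoted values
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1][1].setdefault(parts[1], []).append(
                parts[2] if len(parts) > 2 else "")
    return sections


def _values(opts, key, default):
    """Normalise 'option k "a b"' and repeated 'list k' into one set."""
    value = opts.get(key, default)
    return set(value.split() if isinstance(value, str) else value)


def rule_allows(opts, port, protos):
    """True if the rule ACCEPTs `port` for all `protos` into the router itself
    (a rule with a dest zone is a forwarding rule and does not count)."""
    if opts.get("target", "").upper() != "ACCEPT" or opts.get("dest"):
        return False
    allowed = {p.lower() for p in _values(opts, "proto", "tcp udp")}
    if "tcpudp" in allowed:
        allowed |= {"tcp", "udp"}
    proto_ok = "all" in allowed or all(p in allowed for p in protos)
    return proto_ok and port in _values(opts, "dest_port", "")


def audit(text):
    """Return {zone_name: [missing services]} for zones whose INPUT is not ACCEPT."""
    sections = parse_uci(text)
    rules = [o for t, o in sections if t == "rule"]
    findings = {}
    for kind, zone in sections:
        if kind != "zone" or zone.get("input", "").upper() == "ACCEPT":
            continue                    # INPUT already open: nothing to add
        name = zone.get("name", "")
        missing = [svc for svc, (port, protos) in ROUTER_SERVICES.items()
                   if not any(r.get("src") == name and rule_allows(r, port, protos)
                              for r in rules)]
        if missing:
            findings[name] = missing
    return findings


def missing_rules_uci(text):
    """Emit UCI stanzas (in the thread's format) for every gap audit() found."""
    out = []
    for zone, services in audit(text).items():
        for svc in services:
            port, protos = ROUTER_SERVICES[svc]
            lines = ["config rule",
                     f"        option name 'Allow-{zone}-{svc.upper()}'",   # assumed naming
                     f"        option src '{zone}'"]
            lines += [f"        list proto '{p}'" for p in protos]
            lines += [f"        option dest_port '{port}'",
                      "        option target 'ACCEPT'"]
            out.append("\n".join(lines) + "\n")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage on the router: python3 audit_fw.py /etc/config/firewall
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FIREWALL
    for zone, services in audit(source).items():
        print(f"zone {zone}: no ACCEPT rule for {', '.join(services)}")
    print(missing_rules_uci(source))
```

On the sample, the audit flags only momnet (lan is ACCEPT and guest already has both rules) and prints the two stanzas to append; on the real config from this thread the same would apply to Quarantine and vpnsendtotunnel. Keeping INPUT at REJECT and adding only these two rules preserves the isolation those zones were created for, whereas flipping INPUT to ACCEPT would also expose SSH, LuCI and every other router service to the quarantined clients.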

just did that. Thank you for the advice. :slight_smile: