VLAN devices didn't get DHCP IP

Hello together,

I'm an OpenWrt beginner and need some help with my VLAN configuration.
I have an EAP228 AP directly connected to a BPI-R4.
I activated different SSIDs with dedicated VLAN numbers.

I only want to configure a separate VLAN with DHCP.
Later, I want to grant access to the internet.

The problem is, my WLAN devices didn't get an IP from OpenWrt.
Could somebody help me?

package network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6c:c520:de7a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '192.168.10.5'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config interface 'Gast'
        option proto 'static'
        option device 'br-lan.60'
        option ipaddr '192.168.60.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config interface 'Technik'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '10.1.30.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config interface 'Management'
        option proto 'static'
        option device 'br-lan.1'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'Internet'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'Gast'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Gast'

config forwarding
        option src 'Gast'
        option dest 'Internet'

config forwarding
        option src 'Gast'
        option dest 'lan'

config forwarding
        option src 'Internet'
        option dest 'Gast'

config forwarding
        option src 'lan'
        option dest 'Gast'

package dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Gast'
        option interface 'Gast'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

config dhcp 'Technik'
        option interface 'Technik'
        option start '100'
        option limit '150'
        option leasetime '12h'

OpenWrt 24.10.0
BusyBox v1.36.1 (2025-02-03 23:09:37 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0, r28427-6df0e3d02a
 -----------------------------------------------------

I don't see any firewall rules allowing DHCP and DNS traffic originating from the Gast zone.

Thank you, Pavel, for pointing me in the right direction!

The next step is to route or allow Internet traffic from the Guest zone to my Fritz.Box router. But I have no idea how to do it. I will find some examples...

My DHCP and DNS Traffic Rule:

package firewall
config rule
        option name 'Gast DHCP Any'
        list proto 'udp'
        option src 'Gast'
        option src_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Gast DNS Any'
        option src_port '53'
        option target 'ACCEPT'
        option src 'Gast'

The first rule seems to be good. The second one needs to be thought over: the direction, or something like it?

You need to replace src_port by dest_port (the source port is usually a random port, but the target port on OpenWrt is fixed):

config rule
        option name 'Gast DHCP Any'
        list proto 'udp'
        option src 'Gast'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Gast DNS Any'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'Gast'

To allow Gast -> wan routing, you have to add the following:

config forwarding
	option src 'Gast'
	option dest 'wan'
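
An added example, not part of any post in this thread: a small Python check over UCI firewall text that reports which of DHCP and DNS a zone with a non-ACCEPT input policy cannot reach on the router, including the `src_port` versus `dest_port` case discussed above. It assumes OpenWrt's default of `tcpudp` when a rule has no `proto`, that DHCP clients send from UDP port 68 while DNS clients use an ephemeral source port, and it reads only `config zone` and `config rule` sections; `parse_uci`, `covers`, `accepts`, `missing_services` and `SAMPLE` are names made up for this example.

```python
import shlex

# service: (protocol, router port, client source port; None = ephemeral)
SERVICES = {"DHCP": ("udp", 67, 68), "DNS": ("udp", 53, None)}

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: [values]})]."""
    sections = []
    for tok in (shlex.split(l, comments=True) for l in text.splitlines()):
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def covers(specs, port):  # does any UCI port spec ('53', '67-68') contain port?
    pairs = [(s.split("-") * 2)[:2] for s in specs]  # '53' -> ['53', '53']
    return any(a.isdigit() and b.isdigit() and int(a) <= port <= int(b) for a, b in pairs)

def accepts(rule, zone, proto, dport, sport):
    """True if an input rule (no 'dest') admits the service from zone to the router."""
    protos = set(rule.get("proto", ["tcpudp"]))  # firewall default when unset
    return (rule.get("src") == [zone] and "dest" not in rule
            and rule.get("target") == ["ACCEPT"] and bool(protos & {proto, "tcpudp", "all"})
            and ("dest_port" not in rule or covers(rule["dest_port"], dport))
            and ("src_port" not in rule or (sport is not None and covers(rule["src_port"], sport))))

def missing_services(text):
    """(zone, service) pairs that a non-ACCEPT input zone blocks to the router."""
    secs = parse_uci(text)
    rules = [o for kind, o in secs if kind == "rule"]
    zones = [z["name"][0] for kind, z in secs
             if kind == "zone" and "network" in z and z.get("input") not in (None, ["ACCEPT"])]
    return [(zone, svc) for zone in zones for svc, (proto, dport, sport) in SERVICES.items()
            if not any(accepts(r, zone, proto, dport, sport) for r in rules)]

# Constructed sample: the thread's Gast zone with rules that match on src_port.
SAMPLE = """config zone
  option name 'Gast'
  option input 'REJECT'
  list network 'Gast'
config rule
  list proto 'udp'
  option src 'Gast'
  option src_port '67-68'
  option target 'ACCEPT'
config rule
  option src 'Gast'
  option src_port '53'
  option target 'ACCEPT'"""
```

`missing_services(SAMPLE)` returns `[('Gast', 'DNS')]`; with `src_port` replaced by `dest_port` in both rules it returns `[]`.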

I don't have a dedicated WAN port. I want to use a modem (Fritzbox 192.168.10.1) on the same net, but this modem is not connected to the OpenWrt router directly. It's a member of the network.
I don't want to cut access to the Fritzbox at this moment. Later, when we are equipped with fiber, I will use the WAN port.

I think I have to do some NAT?

btw: I will bugfix the DNS Firewall entry

I didn't fully read your first post, sorry.

While this setup is certainly possible, it's not so easy to set up. You have to disable DHCP on the LAN side of the OpenWrt router. And yes, you need NAT unless you set up a static route at the Fritz.

My suggestion: configure the Fritz in bridge mode and let OpenWrt do the routing. This saves you a lot of reconfiguration once you have fiber.

Thank you for your recommendation, which I also favor.

But I would then have to change everything I have at once and I cannot afford that amount of time at the moment.

For example, I have DDNS and VPN, MQTT connections running from external sources to my servers, a private NAS as a media server, and the Fritz DECT phones would no longer work with the bridge mode.

That's why I would like to move step by step and build up my knowledge. I might get a separate DSL modem and connect it to the WAN connection.