Vlan on ap does not get ip from dhcp server

It's been about 2 hours, and it doesn't work, and I can't understand why.
Please, someone help me.

I'd like to configure a guest wireless lan on tagged vlan 20. I have a working main wlan configured, with untagged traffic, that is bridged with eth0.

The clients connect to the AP on MiPiaceLaPizza:

Feb 24 20:36:38 ap hostapd: wlan0: STA 34:02:86:cf:75:8d IEEE 802.11: authenticated
Feb 24 20:36:38 ap hostapd: wlan0: STA 34:02:86:cf:75:8d IEEE 802.11: associated (aid 3)
Feb 24 20:36:38 ap hostapd: wlan0: AP-STA-CONNECTED 34:02:86:cf:75:8d
Feb 24 20:36:38 ap hostapd: wlan0: STA 34:02:86:cf:75:8d WPA: pairwise key handshake completed (RSN)

but the DHCP requests never seem to reach the DHCP server on the router.

I know the router is configured correctly, because all this worked fine with the AP I used before the new OpenWrt AP.

Config files follow:

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/soc/a000000.wifi'
        option htmode 'HT20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MiPiaceLaPizza'
        option key '<redacted>'
        option encryption 'psk2'
        option network 'vlan_20'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/soc/a800000.wifi'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option key '<redacted>'
        option ssid 'SurveillanceVan38'
        option encryption 'psk2'
        option network 'eth0'

/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:987f:31a2::/48'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr '10:62:eb:a7:c0:90'

config interface 'vlan_20'
        option proto 'none'
        option type 'bridge'
        option stp '1'
        option ifname 'eth0.20'

config interface 'eth0'
        option ifname 'eth0'
        option proto 'dhcp'
        option type 'bridge'

Change to type dhcp; it should then get an IP.

I don't know what happens when you declare an OpenWrt abstracted network named eth0 (which will become br-eth0). It seems best to use a name such as lan or vlan1 that wouldn't conflict with the hardware named eth0.

Tagged and untagged packets on the same Ethernet cable is something that really really really should be avoided unless you must interoperate with some device on the other end of the cable that must operate that way and you can't control it. It doesn't always work with consumer grade hardware and OpenWrt. Either tag everything or have one untagged network and nothing tagged.

type bridge is correct if you have an AP and an Ethernet port in the same network. proto should be dhcp to obtain a DHCP address. option hostname is useful in conjunction with dhcp so that your main router knows your AP by name; with an OpenWrt main router, and many others that work according to standards, you can then access the AP as itshostname.lan.

Thanks for the reply. I renamed the eth0 interface to lan, but lan works fine, no problems on the untagged traffic. I tried to remove lan altogether to see if tagged and untagged traffic was a problem, but no change.
What I would like is for clients connected to wlan1 to get on vlan20 and get an IP address from the DHCP server on the router connected to the AP.
My config now looks like this:

/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:987f:31a2::/48'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr '10:62:eb:a7:c0:90'

config interface 'vlan_20'
        option ifname 'eth0.20'
        option proto 'none'
        option type 'bridge'

config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'
        option type 'bridge'

Does the vlan_20 interface need an IP address? I need an IP on lan to access the web interface of the AP, but I don't think I need one on vlan_20, right? It should just be a bridge between wlan0 and eth0.20.
Anyway, a tcpdump on eth0 on the AP shows the DHCP requests are correctly tagged with VLAN ID 20, but when dumping packets on the connected switch with a port mirror, the VLAN ID is missing. So it seems VLAN ID 20 gets lost somehow before being put on the cable?
Any clues?

You are correct that something like vlan20 doesn't need an IP address when it's just converting packets from wifi to wired. Use proto none (Unmanaged in LuCI) to make such a bridge.

I think if you have anything attached to plain eth0, it will end up receiving all incoming packets regardless of the tag. So tagged and untagged mixed isn't going to work.

Thanks for the help. I tried to simplify everything and configure the AP with a single interface:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:987f:31a2::/48'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr '10:62:eb:a7:c0:90'

config interface 'vlan20'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth0.20'

The vlan20 interface is not able to obtain an IP from the DHCP server.
I started a tcpdump on the AP, and I can see VLAN 20 tagged DHCP request packets on eth0.
Then I connected the AP to a switch, activated a port mirror, and tcpdumped what exited the wire of the AP, but there were no DHCP requests with VLAN ID 20.
This is my ap: https://openwrt.org/toh/hwdata/d-link/d-link_dap-2610

Any hints on why VLAN-tagged packets don't seem to exit the wire?

  • It's an IPQ4018. VLANs on those are not straightforward. I don't have any direct experience with one but it is written up somewhere.
  • You're making it even more complicated by trying to run tagged and untagged on the same port. You'll be a lot happier not doing that.

It's an IPQ4018. VLANs on those are not straightforward. I don't have any direct experience with one but it is written up somewhere.

I'm searching the forum and reading, and there are a lot of examples with switches, but my device has a single Ethernet port. I'm confused and a bit lost.

You're making it even more complicated by trying to run tagged and untagged on the same port. You'll be a lot happier not doing that.

Yes, I removed that part.

Can you post the network and firewall config from your main router?

Sure:

$ ssh root@rutter


BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07-SNAPSHOT, r10935+2-21bf718b8c
 -----------------------------------------------------
root@rutter:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1d:a7ea:5131::/48'

config interface 'wan'
        option ifname 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.100'
        option gateway '192.168.1.1'
        option metric '10'

config interface 'wan6'
        option ifname 'wan'
        option proto 'dhcpv6'

config interface 'lan0'
        option ifname 'lan0'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option macaddr '94:83:c4:00:f7:ef'

config interface 'vlan_200'
        option proto 'static'
        option ipaddr '192.168.200.1'
        option netmask '255.255.255.0'
        option ifname 'lan0.200'

config interface 'vlan_20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ifname 'lan0.20'

config interface 'vlan_40'
        option proto 'static'
        option ifname 'lan0.40'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '<redacted>'
        list addresses '192.168.250.0/24'

config wireguard_vpn
        option public_key '<redacted>'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.250.10/32'

root@rutter:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan0 vpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '<redacted>'
        option dest_ip '192.168.0.2'
        option dest_port '<redacted>'
        option name 'ssh'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '80'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option name 'http'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '443'
        option dest_ip '192.168.0.2'
        option dest_port '443'
        option name 'https'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '<redacted>'
        option dest_ip '192.168.0.2'
        option dest_port '<redacted>'
        option name 'imaps'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '<redacted>'
        option dest_ip '192.168.0.2'
        option dest_port '<redacted>'
        option name 'torrent'

config zone
        option name 'vlan_200'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vlan_200'
        option forward 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'vlan_200'

config zone
        option name 'untrusted'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vlan_20'
        option forward 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'untrusted'

config zone
        option name 'nowan'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'vlan_40'

config forwarding
        option dest 'nowan'
        option src 'lan'

config forwarding
        option dest 'untrusted'
        option src 'lan'

config forwarding
        option dest 'vlan_200'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '<redacted>'
        option dest_ip '192.168.0.1'
        option dest_port '<redacted>'
        option name 'WireGuard'

config redirect
        option dest_port '5201'
        option src 'wan'
        option name 'iperf3'
        option src_dport '5201'
        option target 'DNAT'
        option dest 'lan'
        option dest_ip '192.168.0.2'

root@rutter:~#

Could you also post /etc/config/dhcp?

Here it is:

root@rutter:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option local '/internal/'
        option domain 'internal'
        option localservice '1'
        list server '1.1.1.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'jenkins.internal'
        option ip '192.168.0.2'

config dhcp 'lan0'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan0'

config host
        option name 'silver'
        option dns '1'
        option mac '<redacted>'
        option ip '192.168.0.5'
        option leasetime 'infinite'

config host
        option name 'home'
        option dns '1'
        option mac '<redacted>'
        option ip '192.168.0.2'
        option leasetime 'infinite'

config domain
        option ip '192.168.0.2'
        option name 'bookmarks.internal'

config dhcp 'vlan_200'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'vlan_200'

config host
        option mac '<redacted>'
        option ip '192.168.200.15'
        option leasetime 'infinite'
        option name 'replica-31337'
        option dns '1'

config host
        option name 'black'
        option dns '1'
        option mac '<redacted>'
        option ip '192.168.0.4'
        option leasetime 'infinite'

config host
        option name 'ap'
        option dns '1'
        option mac '<redacted>'
        option ip '192.168.0.50'
        option leasetime 'infinite'

config dhcp 'vlan_20'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'vlan_20'

config dhcp 'vlan_40'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'vlan_40'

config host
        option name 'wc-lr'
        option dns '1'
        option mac '<redacted>'
        option ip '192.168.40.8'
        option leasetime 'infinite'

config host
        option name 'netgear-sw'
        option dns '1'
        option mac '<redacted>'
        option leasetime 'infinite'
        option ip '192.168.0.80'

config host
        option name 'netgear-sw-main'
        option dns '1'
        option mac '<redacted>'
        option leasetime 'infinite'
        option ip '192.168.0.85'

config dhcp 'lan1'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan1'

config domain
        option name 'modem.internal'
        option ip '192.168.1.1'

Doing a tcpdump -i eth0 -pvne port 67 and port 68, I can see the tagged DHCP traffic on eth0 on the AP, but it does not exit the interface: the packets never show up outside the AP on the connected router.

17:52:18.007874 10:62:eb:a7:c0:90 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 20, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 10:62:eb:a7:c0:90, length 300, xid 0x6533a468, secs 1836, Flags [none]
          Client-Ethernet-Address 10:62:eb:a7:c0:90
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            MSZ Option 57, length 2: 576
            Parameter-Request Option 55, length 8:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
              Domain-Name, BR, NTP, Classless-Static-Route
            Vendor-Class Option 60, length 12: "udhcp 1.31.1"
            Hostname Option 12, length 13: "ap.internal"

I got it to work.
Adding

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option vid '20'
        option ports '0t 1t 2t 3t 4t 5t'

config interface 'vlan_20'
        option ifname 'eth0.20'
        option proto 'dhcp'

to /etc/config/network makes the VLAN-tagged traffic appear on the eth0 port.

Took me only a week to find out :sweat_smile:
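As an added example (not code from the thread or from the OpenWrt project), here is a small Python lint over /etc/config/network text that flags the two conditions this thread turned on: a tagged sub-interface such as eth0.20 with no switch_vlan entry carrying that VID, which is what kept the tags from ever leaving the port on this device, and an untagged interface sharing a parent port with tagged sub-interfaces. The two embedded sample configs are constructed from the before and after snippets posted above; the parser only handles single-quoted UCI values, which is what uci writes.

```python
import re

# Constructed from the AP config posted above, before the fix.
SAMPLE_BROKEN = """
config interface 'vlan_20'
        option ifname 'eth0.20'
        option proto 'none'
        option type 'bridge'

config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'
        option type 'bridge'
"""

# Constructed from the working config posted above (switch_vlan added).
SAMPLE_FIXED = """
config switch_vlan
        option device 'switch0'
        option vlan '20'
        option vid '20'
        option ports '0t 1t 2t 3t 4t 5t'

config interface 'vlan_20'
        option ifname 'eth0.20'
        option proto 'dhcp'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Parse single-quoted UCI text into one dict per section ('.type',
    '.name', then options); repeated 'list' values are space-joined."""
    sections = []
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            sections.append({".type": sec.group(1), ".name": sec.group(2) or ""})
            continue
        opt = OPTION_RE.match(line)
        if opt and sections:
            key, val = opt.group(1), opt.group(2)
            prev = sections[-1].get(key)
            sections[-1][key] = f"{prev} {val}" if prev else val
    return sections


def lint_vlans(text):
    """Return one finding string per VLAN pitfall found in a network config."""
    sections = parse_uci(text)
    # VIDs the switch will actually tag on its ports (vid falls back to vlan).
    switch_vids = {s.get("vid") or s.get("vlan") for s in sections if s[".type"] == "switch_vlan"}
    tagged_parents, untagged_parents, findings = set(), set(), []
    for s in (s for s in sections if s[".type"] == "interface"):
        for ifname in s.get("ifname", "").split():
            parent, dot, vid = ifname.partition(".")
            if dot:  # ethX.N is a tagged sub-interface: N must exist as a switch_vlan
                tagged_parents.add(parent)
                if vid not in switch_vids:
                    findings.append(f"{s['.name']}: {ifname} has no switch_vlan with vid {vid}")
            elif parent.startswith("eth"):  # plain ethX carries untagged frames
                untagged_parents.add(parent)
    for parent in sorted(tagged_parents & untagged_parents):
        findings.append(f"{parent}: mixes untagged traffic with tagged sub-interfaces")
    return findings
```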


With the latest config tagged and untagged traffic go along just fine, or at least it seems. Have any pointers on why I should not do that?
