VLAN on Dumb Access Point not Routing to Internet

thancocksw1 · July 26, 2023, 3:59am

If this is possible, can you help me fix my config: My goal is to make a router a dumb wired access point, and use VLANS to separate traffic from different wired switch ports. I have the LAN interface as a DHCP client, and a VLAN Interface uses it's own DHCP Server to assign a different set of IPs on a specific port. This all works in terms of separating the traffic between the LAN and VLAN, but when pinging the Internet from a device on the VLAN, I'm getting Destination port Unreachable. Thank you in advance.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd29:21e5:36ba::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option name 'eth0.2'
	option macaddr '94:a6:7e:ea:29:08'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 3 2 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option name 'eth0.3'

config device
	option type 'bridge'
	option name 'br-vlan3'
	list ports 'eth0.3'

config interface 'vlan3_interface'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'br-vlan3'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option description 'vlan3'
	option ports '6t 1'

/etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vlan3'
	option output 'ACCEPT'
	list network 'vlan3_interface'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vlan3'
	option dest 'wan'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan3_interface'
	option interface 'vlan3_interface'
	option leasetime '12h'
	option start '2'
	option limit '35'

psherman · July 26, 2023, 5:30am

Enable masquerading on your lan zone. It should look like this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

Then add forwarding from vlan3 zone to lan zone.

config forwarding
	option src 'vlan3'
	option dest 'lan'

Restart the network and firewall services, or restart the whole router. Test again and let me know if that fixes the issue.

thancocksw1 · July 26, 2023, 11:34pm

I think that fixed it. Thank you so much! Had enabled masquerading previously, but hadn't forwarded vlan interface to lan interface. Much appreciated!

Normally, adding a second DHCP server to a network is frowned upon, I believe, but activating the second DHCP server from within a VLAN on a dumb access point seems like a slick way of separating network traffic. It integrates smoothly with existing DHCP, and doesn't require any reconfiguration of the main router. Any thoughts? Will see how it goes.

psherman · July 27, 2023, 6:55am

Glad it solved the problem.

As for dhcp, the new dhcp server is behind a NAT masquerading layer and is in an entirely different network segment, so there is no interaction with the existing one. That is why it is okay to have dhcp on the new network.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!