VLANs and DHCP help

Hi folks, this is a continuation of my home networking VLAN journey. I've made some progress from my previous post.

This is the same WAX202 that runs 23.05.0. I'd like to have the following VLANs:
10: WAX202 Admin (LAN1) (10.0.10.x)
20: WiFi radio1 (WAN, LAN ok) (10.0.20.x)
30: Zerotier VPN (WAN only, no LAN) (10.0.30.x)
40: UNRAID, TV (LAN only, no WAN) (LAN2) (10.0.40.x)
50: IP Cameras (no egress) (LAN3, WiFi radio0) (10.0.50.x)
The WAN port of this WAX202 router is connected to an upstream Mikrotik router with an IP address of 10.0.0.1.

I'd like to first set up VLAN 50 for the IP cameras. Here's my configuration, but I'm having an issue with the DHCP server. It looks like the IP cameras are not being assigned IP addresses, even though they are DHCP clients. Under Active DHCP Leases, I only see the laptop I use to connect to LuCI, no cameras. Any help would be much appreciated.

cat /etc/config/network

# /etc/config/network as first posted. Only VLAN 10 is given an
# interface ('lan' on br-lan.10); VLANs 20-50 exist as bridge-vlan
# entries and 8021q devices, but no 'config interface' uses them, so
# the router has no address on the camera VLAN and nothing there can
# serve DHCP.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

# All four ports share one VLAN-aware bridge; 'wan' is a member here
# and is also the raw device of the 'wan'/'wan6' interfaces below.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	option ipv6 '0'

config device
	option name 'lan1'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan2'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan3'
	option macaddr '34:xx:xx:xx:xx:36'

# Admin network (VLAN 10), the only routed interface on the bridge.
# NOTE(review): ip6assign asks for an IPv6 prefix here while the
# br-lan.10 device below sets ipv6 '0' - confirm IPv6 is wanted.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '34:xx:xx:xx:xx:37'

# NOTE(review): the upstream link uses the same port that is a tagged
# member of VLANs 10/40/50 in the bridge-vlan sections below; confirm
# this dual use is intended.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# VLAN 10 (admin): untagged on lan1, tagged towards the upstream.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'wan:t'

# VLANs 20 and 30 have no member ports yet.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'

# VLAN 40: untagged on lan2, tagged towards the upstream.
config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan2'
	list ports 'wan:t'

# VLAN 50 (cameras): 'wan:t' carries this VLAN to the upstream router,
# which contradicts the "no egress" goal stated above, and no
# 'config interface' sits on br-lan.50, so lan3 clients have no DHCP
# server on this router to reach.
config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan3'
	list ports 'wan:t'

# 8021q sub-devices of the bridge, one per VLAN; IPv6 disabled on each.
config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config device
	option name 'br-lan.40'
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option ipv6 '0'

config device
	option name 'br-lan.50'
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option ipv6 '0'
cat /etc/config/dhcp

# /etc/config/dhcp as first posted. The only DHCP scope is 'lan'
# (VLAN 10); there is no 'config dhcp' section for the camera VLAN,
# so lan3 clients cannot be leased an address by this router.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# Rejects upstream DNS answers that point into private ranges.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# Answers DNS queries only from directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# Admin scope: start/limit are offsets from the network address, so
# the pool is 10.0.10.10-10.0.10.159. IPv4 and IPv6 are both served,
# with RA sent with the managed/other-config flags set.
config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# Never offer DHCP towards the upstream port.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
cat /etc/config/firewall
# Stock OpenWrt firewall as first posted. Only the 'lan' (VLAN 10) and
# 'wan'/'wan6' networks belong to a zone; any interface not listed in a
# zone falls under these defaults (input/forward REJECT), so a camera
# interface added later will not be able to reach the router's DHCP
# server until it gets its own zone and an explicit accept rule.
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

# Admin zone: full access to the router and unrestricted forwarding
# within the zone.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Upstream zone: nothing in, NAT out.
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# The only forwarding: lan may reach wan. No other network is routed.
config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Stock IPsec pass-through rules (ESP and IKE from wan into lan); they
# only matter if an IPsec endpoint lives on lan.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

This is what I understood you want to achieve (in case I misunderstood your problem, I apologize in advance).

I suppose that you have defined VLAN 50 on the "Mikrotik" router and that it offers a DHCP pool (this is the router that actually does the packet routing and hands out the IP addresses in the various VLANs).

and that VLAN 50 has been defined on the "Mikrotik" router and possibly on the managed switch in between (if present) ...

and I assume that the "WAX202" is a dumb AP and the actual packet routing is done by the "Mikrotik" (so the WAN port of the "WAX202" is a trunk port) ...
so the DHCP server on the "WAX202" is not needed ... (disable it)

this is assuming the other vlans are working...

in this case you just have to tag the wan port on this router:

immagine


Thanks for the reply. The reason why I'd like to run a DHCP server on the downstream router WAX202 and not the upstream Mikrotik for VLAN 50 is because I'd like to isolate the IP cameras from all home network devices. Instead, I'd like the Zerotier VPN on the WAX202 to forward the IP camera data so that the camera streams are accessible to any WAN device in the VPN network.
The IP cameras on VLAN 50 don't need to be directly exposed to the upstream Mikrotik router, so I didn't enable the trunk port you circled.
Please let me know if this clears things up.

Firstly, there is no interface defined for VLAN 50. Second, there is no DHCP server definition for it, nor is it assigned to a firewall zone.
And if you don't need VLAN 50 to be accessible from the Mikrotik, you don't need to create another VLAN there. You can remove lan3 from the bridge and assign the interface directly to the lan3 port.

Now it's clearer ...

Is the lan3 port on the "WAX202" connected to the cameras through a switch, and if so, is that switch managed or not?

The first advice I give you is to remove lan3 from the br-lan bridge:

from:

to:

# Suggested br-lan with lan3 removed: lan3 will be the only member of
# a separate camera bridge, so camera traffic never shares the
# VLAN-aware bridge that carries the trunk on 'wan'.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'
	option ipv6 '0'

create a bridge for the cameras and the related interface:

# Separate, unmanaged bridge for the cameras: no bridge-vlan and no
# 'wan:t' member, so camera frames cannot leave towards the upstream
# unless this router routes them and the firewall forwards them.
config device
	option name 'br-camera'
	option type 'bridge'
	list ports 'lan3'
	option ipv6 '0'

# Router address on the camera segment. The interface still needs its
# own 'config dhcp' section and a firewall zone before cameras can get
# leases (the zone also decides what the cameras may reach).
# NOTE(review): ip6assign '60' with ipv6 '0' on the bridge - if IPv6
# is not wanted on the camera segment, drop ip6assign so the cameras
# only get the IPv4 scope the firewall rules are written for.
config interface 'camera'
	option device 'br-camera'
	option proto 'static'
	option ipaddr '10.0.50.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

see post at VLANs and DHCP help - #4 by trendy


Thank you both. If the IP camera 50.x network doesn't need to communicate outside the WAX202 router directly, it does make sense to remove it from the VLAN. The network entry now looks like the following:

# lan3 is still a member of br-lan here while it is also the only
# port of br-ip-cam-lan3 below; a port can be enslaved to only one
# bridge, so the camera bridge cannot come up correctly until lan3 is
# removed from this list (corrected in a later post).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	option ipv6 '0'

I've added the ip-cam device and interface:

# Unmanaged bridge holding only the camera port; no VLAN tagging and
# no member on the upstream port.
config device
	option type 'bridge'
	option name 'br-ip-cam-lan3'
	list ports 'lan3'
	option ipv6 '0'

# Router address for the camera segment (10.0.50.0/24). Not yet in any
# firewall zone at this point, so it is governed by the firewall
# defaults.
# NOTE(review): ip6assign '60' with ipv6 '0' on the bridge - confirm
# IPv6 is actually wanted on the camera segment.
config interface 'ip_cam_lan3'
	option proto 'static'
	option device 'br-ip-cam-lan3'
	option ipaddr '10.0.50.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

I've also enabled the DHCP server for this interface:

# DHCP scope for the camera segment. start/limit are offsets from the
# network address, so on 10.0.50.0/24 the pool is
# 10.0.50.10-10.0.50.159 (the 10.0.50.43 lease seen later falls in it).
# Leases can only be issued once the interface is in a firewall zone
# whose rules accept the clients' DHCP requests (UDP 67 to the router);
# under the stock defaults (input REJECT) those requests are rejected.
config dhcp 'ip_cam_lan3'
	option interface 'ip_cam_lan3'
	option start '10'
	option limit '150'
	option leasetime '12h'

When I plug in my laptop to lan port 3, it's not being assigned an IP address from the WAX202. Can you see if there's anything wrong with the setup? Thanks.

remove lan3 from br-lan (a port can belong to only one bridge, and lan3 is currently listed in both br-lan and br-ip-cam-lan3)

then please publish your /etc/config/network and /etc/config/firewall (I assume you have not defined a zone in the firewall...)

Whoops, it's removed now:

# br-lan with lan3 removed; lan3 now belongs only to br-ip-cam-lan3.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

We now have:

cat /etc/config/network

# /etc/config/network, current state: VLAN 50 and br-lan.50 are gone,
# the cameras sit on a separate unmanaged bridge on lan3, and VLANs
# 10/20/30/40 are all tagged towards the upstream on 'wan:t'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

# VLAN-aware bridge for the trunked networks; lan3 is no longer here.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan2'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan3'
	option macaddr '34:xx:xx:xx:xx:36'

# Admin network (VLAN 10), 10.0.10.0/24.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# NOTE(review): ipv6 '0' on the 'wan' device while 'wan6' below still
# runs dhcpv6 on it - confirm which of the two is intended.
config device
	option name 'wan'
	option macaddr '34:xx:xx:xx:xx:37'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# VLAN 10: untagged on lan1, tagged to the upstream.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'wan:t'

# VLANs 20 and 30: trunk only, no local ports yet.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

# VLAN 40: untagged on lan2, tagged to the upstream.
config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan2'
	list ports 'wan:t'

# 8021q sub-devices, one per VLAN, IPv6 disabled on each.
config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config device
	option name 'br-lan.40'
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option ipv6 '0'

# Camera segment: its own unmanaged bridge, not part of any bridge-vlan
# and with no member on the upstream port, so cameras are reachable
# from other networks only through routing on this router and
# whatever the firewall forwards.
config device
	option type 'bridge'
	option name 'br-ip-cam-lan3'
	list ports 'lan3'
	option ipv6 '0'

# 10.0.50.0/24. This interface must be placed in a firewall zone; it is
# absent from the firewall listing that follows.
# NOTE(review): ip6assign '60' with ipv6 '0' on the bridge - confirm
# IPv6 is actually wanted on the camera segment.
config interface 'ip_cam_lan3'
	option proto 'static'
	option device 'br-ip-cam-lan3'
	option ipaddr '10.0.50.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

I haven't changed any firewall rules, so this should be the default:

cat /etc/config/firewall
# Still the stock ruleset. 'ip_cam_lan3' is not listed in any zone, so
# it falls under these defaults: input REJECT turns away the cameras'
# DHCP (and DNS) requests to the router, which is why no leases appear.
# Least-privilege fix: a dedicated zone (input/forward REJECT, output
# ACCEPT) with an explicit accept for UDP 67 (DHCP) - and 53 only if
# the cameras should resolve names - plus forwardings only for the
# directions actually needed (e.g. lan -> camera), leaving
# camera -> lan denied.
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

# Admin zone: full access to the router.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Upstream zone: nothing in, NAT out.
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# The only forwarding: lan may reach wan.
config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Stock IPsec pass-through rules (ESP and IKE from wan into lan); they
# only matter if an IPsec endpoint lives on lan.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


You will need to create a new firewall zone for the camera interface; you can do it via LuCI:

input = drop/reject
output = accept
forward = drop/reject

PS: you can use the reference guide for this...

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

PS: also create firewall rules to accept DNS/DHCP traffic on that zone (with input set to reject, the cameras' DHCP requests to the router are rejected otherwise).

I assume you want to do something like this

lan --> camera ok

camera --> internet ok

other directions are denied...

I've added the DHCP firewall rule, and the IP cameras are now being assigned IP addresses. Thanks so much for your help @ncompact. :slight_smile:

I haven't added the DNS rule, as I don't need the cameras to connect directly to WAN, just via the Zerotier VPN which I've yet to set up.

The WAX202 is able to ping the cameras too:

PING 10.0.50.43 (10.0.50.43): 56 data bytes
64 bytes from 10.0.50.43: seq=0 ttl=64 time=1.083 ms
64 bytes from 10.0.50.43: seq=1 ttl=64 time=0.829 ms
64 bytes from 10.0.50.43: seq=2 ttl=64 time=0.796 ms
64 bytes from 10.0.50.43: seq=3 ttl=64 time=0.889 ms
64 bytes from 10.0.50.43: seq=4 ttl=64 time=0.835 ms

--- 10.0.50.43 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.796/0.886/1.083 ms

My laptop is under 10.0.10.x. I'd like to try connecting to the IP cameras at 10.0.50.x, so I changed the netmask to 255.255.0.0:

# NOTE(review): with /16 this interface covers 10.0.0.0-10.0.255.255,
# which contains the camera subnet 10.0.50.0/24 on ip_cam_lan3, the
# other VLAN subnets and the upstream router at 10.0.0.1. OpenWrt
# derives the DHCP pool from start/limit as offsets from the network
# address, so the 'lan' pool becomes 10.0.0.10-10.0.0.159 - which
# matches the 10.0.0.136 lease reported below. Overlapping subnets also
# undo the separation between lan and the cameras; keep /24 here and
# allow lan -> camera with a firewall forwarding instead.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.0.0'
	option ip6assign '60'

My laptop then gets assigned an IP address of 10.0.0.x, and I can't connect to the router at 10.0.10.1 anymore. Is this expected?

What IP address does your "Mikrotik" have (just to understand)?

The Mikrotik upstream router is at 10.0.0.1. The WAX202 is not connected to the Mikrotik, though, and has not been connected since the WAX202 was factory reset, so it has no knowledge of the upstream router.

The laptop is connected to the WAX202 lan 1 port, and the IP cameras are on lan 3 via a PoE switch. Not sure why the laptop is being assigned 10.0.0.x when I change the netmask from /24 to /16.

Can you post the complete and current configuration of your "WAX202" router? I am hoping for help from the user @trendy,
who is much more competent than me ...

Maybe the IP address is provided by the "Mikrotik" and not by your "WAX202"; however, if I were you I would keep the "WAX202" at 10.0.10.1/24 and not 10.0.10.1/16, in order to keep the two routers on separate networks ...

https://jodies.de/ipcalc?host=10.0.10.1&mask1=16&mask2=

Making unmanaged bridges means that the network operation depends on the Mikrotik. Replicate the VLANs on the Mikrotik and configure DHCP servers there and connect the cable.

The weird thing is, the WAX202 was factory reset after the upstream Mikrotik at 10.0.0.1 was disconnected, so from the perspective of WAX202, it has never seen the Mikrotik before. The Mikrotik is not connected now either, so it should not be able to give it IP addresses to WAX202 devices.

When I set the WAX202 br-lan to 10.0.10.1/16, the laptop connected to lan port 1 gets 10.0.0.136/16 and is not able to ping the WAX202 at 10.0.10.1. So I can't post its configuration. Let me poke around and see what I can do.

I'm planning to do that with the VLANs 10, 20, 30, and 40. VLAN 50 was supposed to be for the IP cameras, but since I don't want to expose it to other upstream Mikrotik LAN devices, I decided to remove the IP cameras from the bridge.