VLANs break DHCP?

Intro:

I am successfully using a GL.iNet GL-MT3000 (running generic 23.05.05 OpenWRT) to connect as a WiFi client to a "parent" ISP network. This creates a separation of "production" from my "homelab". Any configuration in the "homelab" has no impact on things "upstream".

As I work to set up my "homelab", I have a question about VLAN, DHCP, and wired vs. wireless clients. Any solution may be a simple, single issue or a collection of changes.

Goal:

I am trying to create a VLAN for trusted clients, combining both wired and wireless clients (with a specific SSID). I plan to use DHCP for both types of clients (and hopefully one integrated pool of IPv4 addresses). The simplified network config shown below just tries to implement this single VLAN in addition to the default 192.168.1.1 LAN.

As GL-MT3000 is only a single LAN port travel router, my plan is to use a Unifi switch in addition to extend the LAN and VLAN configuration. The Unifi switch has the same VLANs defined as those in the router.

Problem:

I started by creating a new network interface for 'trusted' clients (with a very different subnet) and turned on DHCP. I pointed it to a new network bridge device called 'br-trusted'. Wireless network 'molasses' is then pointed to this bridge and I can connect clients to this separate subnet.

  1. Issue #1 wireless clients - However, as soon as I define the VLANs '1' and '42' in the 'br-trusted' bridge and enable VLAN filtering on the 'br-trusted' bridge at all, DHCP breaks for the 'molasses' WiFi network.

  2. Issue #2 wired clients - Another issue (perhaps related) is that I am not able to get DHCP to work at all for wired clients as soon as I use VLAN '42' on the eth1 port. Without a VLAN, DHCP works fine for the default 192.168.1.1 pool.

Future:

I plan to extend this VLAN concept, so any advice on limits to keep in mind for the future would be appreciated.


Config:

ubus call system board:

{
	"kernel": "5.15.167",
	"hostname": "stagedoor",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT3000",
	"board_name": "glinet,gl-mt3000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '---redacted---'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '0'
	option defaultroute '0'

config interface 'wwan'
	option proto 'dhcp'

config interface 'trusted'
	option proto 'static'
	option ipaddr '10.10.42.1'
	option netmask '255.255.255.0'
	option device 'br-trusted'

config device
	option type 'bridge'
	option name 'br-trusted'
	option bridge_empty '1'
	list ports 'br-trusted.42'
	list ports 'eth1'

config bridge-vlan
	option device 'br-trusted'
	option vlan '1'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-trusted'
	option vlan '42'
	list ports 'eth1:t'

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'trusted'
	option mode 'ap'
	option ssid 'molasses'
	option encryption 'sae'
	option isolate '1'
	option key '---redacted---'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'stagedoor'
	option encryption 'sae'
	option key '---redacted---'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid '---redacted---'
	option encryption 'sae'
	option key '---redacted---'

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/offstage/'
	option domain 'offstage'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'
	list interface 'trusted'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'trusted'
	option interface 'trusted'
	option start '100'
	option limit '150'
	option leasetime '12h'

/etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wwan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wwan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wwan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wwan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wwan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wwan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wwan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wwan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wwan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'trusted'

config forwarding
	option src 'trusted'
	option dest 'wwan'

config forwarding
	option src 'trusted'
	option dest 'lan'

You've got a bunch of issues here with the way you've setup the VLAN.
You have eth1 as a port of multiple bridges (it is listed under both 'br-lan' and 'br-trusted'). A raw port can only be in one single bridge. And you are also mixing DSA bridge-vlan syntax with other methods...

Since there is no switch in the MT3000, we should be able to achieve this goal without bridge vlans. Instead, we're going to use bridges with dotted notation.

Delete all of this:

Add the following

config device
	option name 'br-trusted'
	option type 'bridge'
	list ports 'eth1.42'

I'd also recommend removing this from the dnsmasq config:

Restart the router and test again.

Thanks. This seems to work according to my initial tests. I will try to setup another VLAN as another test.

I only used LuCI initially to set this up, but made the edits suggested manually. Can I use LuCI going forward or do I run the risk of messing things up?

As long as you create the bridges correctly, it should be fine to use LuCI.
