WAN doesn't receive IP via DHCP when part of VLAN bridge

Hi folks, I have a WAX202 that runs 23.05.3. When I have lan1, lan2, lan3 in br-lan and Bridge VLAN filtering on, the WAN port is able to get an IP from my Mikrotik router.

When I add the WAN port to br-lan, it's not able to get an IP. I'd like to have lan1, lan2, lan3 to each have their own VLAN IDs, and the WAN port to be a trunk port to my Mikrotik router. Not sure if this is the best way to go about this though.

Here's my config:

# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan2'
	option macaddr '34:xx:xx:xx:xx:36'

config device
	option name 'lan3'
	option macaddr '34:xx:xx:xx:xx:36'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.194.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '34:xx:xx:xx:xx:37'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'ZeroTier'
	option proto 'none'
	option device 'ztxxxxxxxx'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'ztxxxxxxxx'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'

Thanks in advance.

You don't have the bridge VLANs set up correctly. They can be fixed... but we need to know the details of the goals.

Please provide:

  • the port-vlan membership intent
    • tag/untag status for each vlan on each port
  • VLAN used for managing the device
    • IP address for managing the device or obtained by DHCP
  • Is the upstream router establishing the VLANs and doing all the routing already?
  • Do you still have a VPN (zerotier) on this device?

Thanks for your reply. I'm dipping my toes into homelabbing and networking, so I appreciate your help.

Just for context, here's what I had working previously.

  • No VLANs
  • LAN1: A POE switch to multiple IP cameras.
  • Zerotier VPN that sent IP camera traffic to WLAN.
  • Firewall rules to prevent IP camera directly talking to WAN via WLAN.
  • LAN2, LAN3, WAN disconnected.

Here's what I'd like to set up:

  • WAN port (10.0.0.50) connected to Mikrotik router (10.0.0.1)
    • Trunk port for VLAN10/20.
  • VLAN10 via LAN1 for Zerotier VPN. (Full internet access)
  • VLAN20 via LAN2 for TV (10.0.0.61). (LAN access only, eg. streaming from NAS at 10.0.0.60)
  • VLAN30 via LAN3 for IP cameras (10.0.0.70-75). (No WAN or LAN access. Only accessible via Zerotier VPN.)

Would like the Mikrotik router to assign 10.0.0.50 to this WAX202 router via DHCP through the WAN port. Does VLAN20 make sense for this?

The upstream Mikrotik router at (10.0.0.1) will connect to the WAX202's trunked WAN port and will route VLAN10 to the ISP, VLAN20 to LAN only, and hopefully not receive any VLAN30 packets.

Yes, would like to have Zerotier encrypt and send IP camera (VLAN30) traffic to the WAN with a VLAN10 tag.

Please let me know if this configuration is doable and reasonable. Thanks for your time!

I have more questions...

  • Do VLANs 10 and 20 exist on the main router already?
  • Is VLAN 20 a /24 network?
  • VLAN 30 appears to overlap the subnet used for VLAN 20 (assuming that VLAN 20 is a /24 network), so that won't work...
    • does VLAN 30 exist on the main router? or will it be routed locally on this one?

Not yet.

That was the plan, but I don't mind reducing it to /26-28.

VLAN 30 doesn't need to exist in the upstream router, since I'll be accessing the IP cameras in the VLAN via the Zerotier VPN (VLAN10).

Do VLANs need to be in their own subnets? If they don't have to talk to each other across VLANs, looks like being in the same subnet is acceptable.

Do this first. Otherwise, the downstream doesn't work.

Use /24 networks.

Yes.

No, it's not, because the routing breaks if 2 or more subnets are the same. Each VLAN must have its own subnet.

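For readers landing here with the same problem, below is an added example (not something posted in the thread, and not a config the poster confirmed working) of what the bridge-vlan layout looks like once the goals above are applied: wan carries VLANs 10 and 20 tagged towards the Mikrotik, lan1/lan2/lan3 are untagged access ports for VLANs 10/20/30, and VLAN 30 stays off the trunk entirely. It fixes the two things wrong in the posted config: wan is listed as a bridge port but is not a member of any bridge-vlan, so its frames have no VLAN to land in, and the 'wan' interface is bound to the raw 'wan' port, which can no longer carry its own IP once it has been enslaved to br-lan. The camera subnet 10.0.30.0/24, the choice of VLAN 10 as the VLAN on which this device takes its DHCP lease, the 'cameras' interface/zone names, and the DHCP rule for the cameras are my assumptions; the existing 'lan' interface on br-lan.10 (192.168.194.1), the 'lan' zone and its two forwardings to and from 'vpn' are replaced, and the 'vpn' zone is kept as posted.

```uci
# /etc/config/network  (added example; replaces the br-lan, bridge-vlan,
# 'lan' and 'wan' sections shown in the thread)

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

# VLAN 10: untagged with PVID on lan1, tagged towards the Mikrotik on wan
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'wan:t'

# VLAN 20: untagged on lan2, tagged on wan. Purely bridged: this box has
# no address on it and the Mikrotik serves the TV directly
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'wan:t'

# VLAN 30: lan3 only. Deliberately NOT on the wan trunk, so camera frames
# cannot leave towards the Mikrotik at layer 2 at all
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:u*'

# The DHCP client has to sit on the VLAN sub-interface, not on the raw
# 'wan' port: once 'wan' is a bridge member it no longer carries an IP.
# Keeping the interface name 'wan' keeps the existing wan firewall zone.
config interface 'wan'
	option device 'br-lan.10'
	option proto 'dhcp'

# Camera network, routed locally only (10.0.30.0/24 is an assumption;
# it must not overlap the subnets the Mikrotik uses for VLAN 10 / 20)
config interface 'cameras'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '10.0.30.1'
	option netmask '255.255.255.0'

config interface 'ZeroTier'
	option proto 'none'
	option device 'ztxxxxxxxx'

# /etc/config/dhcp  (replaces the 'lan' dhcp section; hands out .70-.75)
config dhcp 'cameras'
	option interface 'cameras'
	option start '70'
	option limit '6'
	option leasetime '12h'
	option dhcpv4 'server'

# /etc/config/firewall  (replaces the 'lan' zone and the lan<->vpn
# forwardings; the 'wan' and 'vpn' zones stay as posted)
config zone
	option name 'cameras'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'cameras'

# cameras may obtain leases from this router, nothing else inbound
config rule
	option name 'Allow-Cameras-DHCP'
	option src 'cameras'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# only the ZeroTier side may open connections to the cameras; there is
# no cameras->vpn or cameras->wan forwarding, so they cannot call out
config forwarding
	option src 'vpn'
	option dest 'cameras'
```

After `/etc/init.d/network restart`, `ip -d link show br-lan.10` should list `vlan id 10`, `logread -e udhcpc` should show the lease from 10.0.0.1 arriving on br-lan.10, and `ip addr show wan` should show no IPv4 address on the raw port. If the ip-bridge package is installed, `bridge vlan show` lists the per-port membership and is the quickest way to confirm that wan is tagged in 10 and 20 and absent from 30. The design relies on that absence for isolation: the cameras are unreachable from the Mikrotik side not because of a firewall rule but because no VLAN 30 frame ever reaches the trunk.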