WiFi not working after VLAN Implementation

Installing and Using OpenWrt Network and Wireless Configuration
1

I am trying to implement VLANs across my network. Two out of three VLANs are working. My new default VLAN is giving me problems. I had a working network prior to this :slight_smile:

IOT - 2 - 192.168.2.1/24
Guest - 3 - 192.168.3.1/24
LAN - 4 - 192.168.4.1/24

GW - 192.168.4.1
AP - 192.168.4.3

I have changed the PVID from 1 to 4 on my switch port for the AP.
I have removed the default vlan 1 untagged membership on my switch port for the AP.
The switch port for the AP is trunked to 2, 3, 4.
The switch port for the GW is trunked to 2, 3, 4. *NOTE Because I have not fully cutover all devices to PVID 4, I have left PVID 1 on the GW and it is Untagged.

traffic flows in both directions from AP<->GW (tested ssh and ping, both directions).

VLAN IOT/2 wireless works.
VLAN Guest/3 wireless works.
VLAN LAN/4 wireless does NOT work.

VLAN LAN/4 tests ran on radio1, wifinet5, SSID wifi-test.

My wireless clients can connect to the wifi-test, however, only by hard-coding the IP information. DHCP is not working because wireless client traffic is not leaving the radio interface. Wireless clients cannot ping the AP. The AP cannot ping wireless clients. I do see a successful authentication and handshake in the system log when hard-coding the IP information.

I am at a loss, how traffic between devices work but wireless clients do not.

Here is my configuration:

GW
ubus call system board

{
	"kernel": "6.6.73",
	"hostname": "gw",
	"system": "Intel(R) N100",
	"model": "Protectli VP3210",
	"board_name": "protectli-vp3210",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "x86/64",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:fb9f:febc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1'
	list ports 'eth1.4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipv6 '0'
	list dns '192.168.4.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list ipaddr '192.168.4.1/24'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'eth1.2'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'
	option bridge_empty '1'
	list ports 'eth1.3'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '2'
	option name 'eth1.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'eth2'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	list ipaddr '192.168.1.2/24'
	list ipaddr '192.168.4.2/24'
	option disabled '1'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '101'
	option name 'eth1.101'
	option ipv6 '0'

config interface 'vpn'
	left here purely for awareness

config wireguard_vpn
	left here purely for awareness

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option name 'eth1.4'
	option ipv6 '0'

This device does not have wireless so no /etc/config/wireless to show

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct' #whitelisted to prevent log spamming

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'
	list dhcp_option '6,192.168.4.31,1.1.1.1,1.0.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	list dhcp_option '6,192.168.4.31,1.1.1.1,1.0.0.1'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'mgmt'
	list network 'vpn'
	option log '1'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-Guest-DHCP-and-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-IOT-DHCP-and-DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.4.37'
	option dest_port '32400'

config zone
	option name 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mgmt'

config forwarding
	option src 'mgmt'
	option dest 'guest'

config forwarding
	option src 'mgmt'
	option dest 'iot'

config forwarding
	option src 'mgmt'
	option dest 'lan'

config forwarding
	option src 'mgmt'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

/proc/net/vlan/config

VLAN Dev name	 | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth1.2         | 2  | eth1
eth1.3         | 3  | eth1
eth1.4         | 4  | eth1

AP
ubus call system board

{
	"kernel": "5.15.167",
	"hostname": "ap",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Google WiFi (Gale)",
	"board_name": "google,wifi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ipq40xx/chromium",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:14ff:bbda::/48'
	option packet_steering '1'

config device
	option name 'wan'
	option macaddr '88:3d:24:ae:40:27'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'wan'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	option defaultroute '0'
	list ipaddr '192.168.4.4/24'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'lan.2'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'
	list ports 'lan.3'

config interface 'iot'
	option proto 'dhcp'
	option device 'br-iot'

config interface 'guest'
	option proto 'dhcp'
	option device 'br-guest'

config device
	option name 'lan'
	option ipv6 '1'

config device
	option type 'bridge'
	option name 'br-lan'
	option ipv6 '0'
	list ports 'lan.4'

config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	list ipaddr '192.168.4.3/24'
	option gateway '192.168.4.1'
	list dns '192.168.4.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '2'
	option name 'lan.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '4'
	option name 'lan.4'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '3'
	option name 'lan.3'
	option ipv6 '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'iot-wifi'
	option encryption 'sae-mixed'
	option key 'iot'
	option ieee80211r '1'
	option mobility_domain 'ffff'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid 'iot-wifi'
	option encryption 'sae-mixed'
	option key 'iot'
	option ieee80211r '1'
	option mobility_domain 'ffff'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option ieee80211w '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest-wifi'
	option encryption 'sae'
	option key 'guest'
	option ieee80211r '1'
	option mobility_domain '4f57'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
	option network 'guest'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'prod-wifi'
	option encryption 'sae-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain '1b29'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'lan'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'test-wifi
	option encryption 'psk2'
	option key 'password'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'lan'

/etc/config/ dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

/proc/net/vlan/config

VLAN Dev name	 | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
lan.2          | 2  | lan
lan.3          | 3  | lan
lan.4          | 4  | lan
2

In my brief review of your config, there is a lot that is wrong. So much, in fact, that it will likely be more time consuming to try to fix it than to start from scratch.

I'd recommend that you make a backup and reset to defaults, starting with your main router. We can then setup the router such that it is configured properly for VLANs and then move onto your switch and your AP. The backup will probably not be needed given that there are so many errors, but at least you'll know that you can easily restore back to your current state if anything else comes up along the way.

3

Well, I wasn't expecting that, lol. But ok. Do you have a minimal configuration guide you'd suggest? I haven't been supper happy with LuCI and I am comfortable using command line.

And reset to defaults I assume means?

firstboot && reboot

And just so I have something to compare against with what not to do, can you elaborate on a few settings that are wrong?

Thank you.

4

You have multiple bridges that are bridging the VLANs together... defeating the purpose of VLANs in the first place. For example.

You've got a management interface (although apparently disabled??) that both overlaps existing subnets and actually contains two subnets wthin it... this will break things:

We'll need to get into the VPN that exists here -- if it is inbound or outbound and what subnet(s) are used/allowed...

The forcing of your DHCP servers may indicate other issues if you did this out of a trial-an-error "necessity":

The management network exists in 2 firewall zones

And a handful of other things...

I didn't review your AP config in any detail yet, but I suspect there will be quite a few things to fix there, too.. but we need to start with the main router in a known working state.

I'd recommend starting with a default configuration and then adding just one new network. Use the guest network guide (you can do this with CLI or with LuCI), but ignore the wifi elements for now. Once you've got a clean config with just that single new network added, I'll show you how we'll setup the VLANs on your x86 main router. From there, you can apply the same recipe for adding the iot network.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start

1 Like
5

My apologies for not explaining my situation better. After reading my updates, if you still believe I should reset to defaults, let me know and I can reset this weekend, when my wife isn't working from home.

Before attempting VLANs, I had a previous working main router and dumb access points. The LAN was previously 192.168.1.1/24. When I implemented the VLANs I introduced the new VLAN/network 4/192.168.4.1/24 to replace my previous default VLAN/network.

What I was attempting to do, was move over one AP at a time to the new VLAN of 4, by removing the default VLAN (1) membership on the single switch port (7) and changing its PVID to 4. That switch port also is trunked with IOT, Guest, and LAN, VLANs 2, 3 and 4 respectively.

Today, I removed the wrong configurations you previously mentioned, updates below, except for br-lan that spans the default VLAN 1/eth1 and my new VLAN 4/eth1.4. This is because, when I remove eth1 from the bridge and apply changes, I loose connectivity to my router over the LAN interface. Which is why I added a MGMT interface so that I could access the router remotely and not just via console.

Because I lose connectivity, it leads me to believe the VLAN and PVID on the switch has something to do with it. It is very possible I am wrong. I don't know how to prove it.

I made some progress on the AP, I think?
The wireless client (android-phone) can connect to the AP by hard coding IP information. The android-phone can now load LuCI on the AP https://192.168.4.3. The AP can now ping the android-phone. I cannot ping the android-phone from a laptop, even though it is on a switch port with only VLAN/PVID 4. I can still ping/ssh back and forth to/from AP<->GW.

AP log showing android-phone handshake

root@ap:~# logread -f -e 93:ae

Wed Feb 26 21:51:06 2025 daemon.info hostapd: phy1-ap2: STA 8e:2b:e5:5c:93:ae IEEE 802.11: authenticated
Wed Feb 26 21:51:06 2025 daemon.info hostapd: phy1-ap2: STA 8e:2b:e5:5c:93:ae IEEE 802.11: associated (aid 1)
Wed Feb 26 21:51:06 2025 daemon.notice hostapd: phy1-ap2: AP-STA-CONNECTED 8e:2b:e5:5c:93:ae auth_alg=open
Wed Feb 26 21:51:06 2025 daemon.info hostapd: phy1-ap2: STA 8e:2b:e5:5c:93:ae RADIUS: starting accounting session 2D4173D05A092E3A
Wed Feb 26 21:51:06 2025 daemon.info hostapd: phy1-ap2: STA 8e:2b:e5:5c:93:ae WPA: pairwise key handshake completed (RSN)
Wed Feb 26 21:51:06 2025 daemon.notice hostapd: phy1-ap2: EAPOL-4WAY-HS-COMPLETED 8e:2b:e5:5c:93:ae
Wed Feb 26 21:51:06 2025 daemon.notice hostapd: phy1-ap2: BSS-TM-QUERY 8e:2b:e5:5c:93:ae reason=6(null)
Wed Feb 26 21:51:06 2025 daemon.notice hostapd: phy1-ap2: BSS-TM-RESP 8e:2b:e5:5c:93:ae status_code=1 bss_termination_delay=0

ping android-phone 192.168.4.88 from AP LuCI > Network > Diagnostics

PING 192.168.4.88 (192.168.4.88): 56 data bytes
64 bytes from 192.168.4.88: seq=0 ttl=64 time=85.914 ms
64 bytes from 192.168.4.88: seq=1 ttl=64 time=199.664 ms
64 bytes from 192.168.4.88: seq=2 ttl=64 time=67.612 ms
64 bytes from 192.168.4.88: seq=3 ttl=64 time=96.136 ms
64 bytes from 192.168.4.88: seq=4 ttl=64 time=99.061 ms

--- 192.168.4.88 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 67.612/109.677/199.664 ms

AP ARP table showing android-client and on br-lan

root@ap:~# arp
IP address       HW type     Flags       HW address            Mask     Device
192.168.4.88     0x1         0x0         8e:2b:e5:5c:93:ae     *        br-lan

In summary, I'm having two different issues. Is 2 a result of 1?

  1. I can't cut over my router(GW) lan interface to VLAN 4 (eth1.4)
  2. AP cannot send/receive wireless connectivity to/from GW

GW
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:fb9f:febc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1'
	list ports 'eth1.4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipv6 '0'
	list dns '192.168.4.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list ipaddr '192.168.4.1/24'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'eth1.2'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'
	option bridge_empty '1'
	list ports 'eth1.3'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '2'
	option name 'eth1.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'eth2'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	list ipaddr '192.168.4.2/24'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'vprivkey
	option listen_port '51820'
	list addresses '172.16.0.1/24'

config wireguard_vpn
	option description 'Pixel'
	option public_key 'pubkey'
	option private_key 'privkey'
	option preshared_key 'psk
	option persistent_keepalive '25'
	list allowed_ips '172.16.0.2/32'
	option route_allowed_ips '1'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option name 'eth1.4'
	option ipv6 '0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.4.31,1.1.1.1,1.0.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-Guest-DHCP-and-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-IOT-DHCP-and-DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.4.37'
	option dest_port '32400'

config zone
	option name 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mgmt'

config forwarding
	option src 'mgmt'
	option dest 'guest'

config forwarding
	option src 'mgmt'
	option dest 'iot'

config forwarding
	option src 'mgmt'
	option dest 'lan'

config forwarding
	option src 'mgmt'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

AP
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:14ff:bbda::/48'
	option packet_steering '1'

config device
	option name 'wan'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'wan'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	list ipaddr '192.168.4.4/24'
	option gateway '192.168.4.1'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'lan.2'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'
	list ports 'lan.3'

config interface 'iot'
	option proto 'dhcp'
	option device 'br-iot'

config interface 'guest'
	option proto 'dhcp'
	option device 'br-guest'

config device
	option name 'lan'
	option ipv6 '1'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '2'
	option name 'lan.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '4'
	option name 'lan.4'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '3'
	option name 'lan.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'lan.4'
	option ipv6 '0'

config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.4.3'
	option netmask '255.255.255.0'
	option gateway '192.168.4.1'
	list dns '192.168.1.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain 'ffff'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'iot'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain 'ffff'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option ieee80211w '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'sae'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain '4f57'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
	option network 'guest'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain '1b29'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi-vlan4-test'
	option encryption 'psk2'
	option key 'password'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'lan'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
6

I noticed AP was unable to reach the internet. It could ping the router/gateway just fine. And after a reboot of AP, LAN interface is not responding. :rage:

After physically connecting the MGMT interface (192.168.4.4), a ping that was not responding to 192.168.4.3 started responding. It can also now ping the internet.

Default gateway does not look right.

root@ap:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 br-iot
192.168.2.0     *               255.255.255.0   U     0      0        0 br-iot
192.168.3.0     *               255.255.255.0   U     0      0        0 br-guest
192.168.4.0     *               255.255.255.0   U     0      0        0 br-mgmt
192.168.4.0     *               255.255.255.0   U     0      0        0 br-lan
7

I don't have time to review this in detail now, but I do think that starting from scratch is really the best way to ensure that you get all the gremlins out.

My recommendation is simple:

  • start with the router, add one network.
  • Next move to the switch and make sure that it is configured properly for the trunk to the router; setup one access port (i.e. 'normal' untagged+PVID) for each network and then plug your computer into those ports in turn... this will help verify that everything is working.
  • Then go back to the router, add any additional networks using the same recipe as you used to add the first
  • Complete the process with the switch, proving out each network as above.
  • Configure a trunk port for the AP on the switch
  • Start with just the first network on the AP and then build a second, and so on. testing each time.
8

When setting up a trunk port, everything is tagged. Don't leave a plain eth1 in the configuration.

Also you can't have the same IP subnet on two interfaces.

These are the two major problems preventing it from working. There is also a lot of stuff like the usual newbies thinking that another option gateway or list dns is going to help. They really aren't. You only need at most one of them, not on every interface.

The PVID is what a switch will do with untagged packets that arrive at a trunk port. Since there should be no untagged packets on a trunk cable, it is not important here. For security some people set up "blackhole" VLANs to drop untagged packets that unintentionally or maliciously arrive.

1 Like
9

I've made great progress. Thank you @psherman, and thank you @mk24 as I did not realize interface devices on routers/dumb access points cannot be members of the same subnet. I introduced a true management network on all devices and it seems to have made a dramatic impact in stability.

I also was able to slowly, migrate all the PVID's to 4, removed the default Untagged VLAN 1 from all port membership. I already had my trunked VLANs (2, 3, 4) on my router/dummy access points. So from the switch(s) point of view (4 total) I believe I have a proper VLAN configuration.

After migrating PVID, removing the default Untagged VLAN on the router/GW switch port, I was able to change 'br-lan' to listen purely on 'eth1.4' on the router/GW interface.

My only remaining issue is reliable DHCP IP configuration on clients

I am having some issue for DHCP properly handing out IPs. I haven't tried at the moment to hard code an IP, because eventually the issue works itself out. For troubleshooting, it is proving difficult. Here is about the only log I can find that shows a device (192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro) repeatedly asking for a DHCP address, and eventually is successful (some 6min later):

Sat Mar  1 21:19:22 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:22 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:24 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:24 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:29 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:29 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:39 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:39 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro
Sat Mar  1 21:19:40 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:40 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro
Sat Mar  1 21:19:42 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:42 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro
Sat Mar  1 21:19:44 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:44 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:45 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:45 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:47 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:47 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:19:51 2025 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sat Mar  1 21:19:51 2025 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:22:19 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.4.195 36:47:ca:e7:27:f8
Sat Mar  1 21:22:19 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.4.195 36:47:ca:e7:27:f8 iPhone
Sat Mar  1 21:25:44 2025 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sat Mar  1 21:25:44 2025 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro

In writing this post, I did find some additional DNS logging which I turned on. Will report back any useful logs.

Being new to this forum, is using https://0x0.st frowned upon or not? I have a script that can generate the configs, scrub passwords, far easier than manual formatting. Just a thought.

Thank you all !!

GW
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:fb9f:febc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1.4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipv6 '0'
	list dns '192.168.4.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list ipaddr '192.168.4.1/24'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'eth1.2'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'
	option bridge_empty '1'
	list ports 'eth1.3'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '2'
	option name 'eth1.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'eth2'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	list ipaddr '192.168.5.1/24'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'privkey1'
	option listen_port '51820'
	list addresses '172.16.0.1/24'

config wireguard_vpn
	option description 'Pixel'
	option public_key 'pubkey'
	option private_key 'privkey2'
	option preshared_key 'prekey'
	option persistent_keepalive '25'
	list allowed_ips '172.16.0.2/32'
	option route_allowed_ips '1'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option name 'eth1.4'
	option ipv6 '0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.4.31,1.1.1.1,1.0.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-Guest-DHCP-and-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-IOT-DHCP-and-DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.4.37'
	option dest_port '32400'

config zone
	option name 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mgmt'

config forwarding
	option src 'mgmt'
	option dest 'guest'

config forwarding
	option src 'mgmt'
	option dest 'iot'

config forwarding
	option src 'mgmt'
	option dest 'lan'

config forwarding
	option src 'mgmt'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

AP
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd47:5997:0040::/48'
	option packet_steering '1'

config device
	option name 'lan'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipv6 '0'
	option gateway '192.168.4.1'
	list dns '192.168.4.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list ipaddr '192.168.4.3/24'

config device
	option name 'wan'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	option gateway '192.168.5.1'
	list ipaddr '192.168.5.3/24'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option gateway '192.168.2.1'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.3'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '2'
	option name 'lan.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '3'
	option name 'lan.3'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.3'
	option netmask '255.255.255.0'
	option gateway '192.168.3.1'
	option device 'br-guest'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '4'
	option name 'lan.4'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'wan'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan.4'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'lan.2'
	option ipv6 '0'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'lan.3'
	option ipv6 '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain 'ffff'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option ieee80211w '1'
	option network 'iot'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option bss_transition '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain '1b39'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option wpa_disable_eapol_key_retries '1'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk-mixed'
	option key 'password
	option ieee80211r '1'
	option mobility_domain 'ffff'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'iot'
	option ft_psk_generate_local '1'
	option ieee80211w '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'sae-mixed'
	option key 'password'
	option ieee80211r '1'
	option mobility_domain '4f57'
	option ft_over_ds '0'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'guest'
	option wpa_disable_eapol_key_retries '1'

/etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option dynamicdhcp '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
10

Your gateway looks fine except for the 802.1q stanzas which can be deleted:

The AP should use unmanaged interfaces for all but the management network. So, for example, since the main lan is not used for management, it should look like this:

config interface 'lan'
	option device 'br-lan'
	option proto 'none'

Repeat for all the other interfaces, other than mgmt

And like the gateway, remove the 802.1q stanzas.

With respect to your AP, you should use WPA2 or WPA3. Do not use psk-mixed (which is WPA1/WPA2 mixed mode) and don't use sae-mixed (which is WPA2/3). Remove all of the 802.11r and k stuff, as well as w unless you are using wpa3.

In other words... make delete all of this

And repeat for all the SSIDs defined in the AP.

Remove the DHCPv6 related items from the lan DHCP server... so delete this:

And critically, create a firewall zone with input=accept for your management network... it'll look like this:

config zone
	option name 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mgmt'
11

All updates made to GW and AP. Still having the same inconsistent IP configuration results via DHCP. The only consistent piece is its on ALL networks/VLANs (2-4) and APs. Possibly the GW? Help?

I did grab the authentication session from the GW and AP. It looks the authenticate just fine, then makes/gets multiple requests/responses.

Same client as before: 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro

GW
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 vendor class: android-dhcp-15
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 tags: lan, br-lan
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 next server: 192.168.4.1
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  1 option: 53 message-type  5
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:24 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 vendor class: android-dhcp-15
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 tags: lan, br-lan
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 next server: 192.168.4.1
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  1 option: 53 message-type  5
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:25 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 vendor class: android-dhcp-15
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 DHCPREQUEST(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 tags: lan, br-lan
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 DHCPACK(br-lan) 192.168.4.201 94:45:60:5c:b9:65 Pixel-8-Pro
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 next server: 192.168.4.1
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  1 option: 53 message-type  5
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:27 2025 daemon.info dnsmasq-dhcp[1]: 1225760781 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 vendor class: android-dhcp-15
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 tags: lan, br-lan
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 next server: 192.168.4.1
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  1 option: 53 message-type  2
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:29 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 vendor class: android-dhcp-15
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 tags: lan, br-lan
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 next server: 192.168.4.1
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  1 option: 53 message-type  2
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:30 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 client provides name: Nest-Audio
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 DHCPDISCOVER(br-lan) d8:8c:79:2e:8a:4d
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 tags: lan, br-lan
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 DHCPOFFER(br-lan) 192.168.4.112 d8:8c:79:2e:8a:4d
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 requested options: 1:netmask, 33:static-route, 3:router, 6:dns-server,
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 requested options: 15:domain-name, 28:broadcast, 51:lease-time,
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 requested options: 58:T1, 59:T2
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 next server: 192.168.4.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  1 option: 53 message-type  2
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 1373137442 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 vendor class: android-dhcp-15
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 tags: lan, br-lan
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 next server: 192.168.4.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  1 option: 53 message-type  2
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:32 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 vendor class: android-dhcp-15
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 client provides name: Pixel-8-Pro
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPDISCOVER(br-lan) 94:45:60:5c:b9:65
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 tags: lan, br-lan
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 DHCPOFFER(br-lan) 192.168.4.201 94:45:60:5c:b9:65
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 1:netmask, 3:router, 6:dns-server, 15:domain-name,
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 26:mtu, 28:broadcast, 51:lease-time, 58:T1,
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 requested options: 59:T2, 43:vendor-encap, 114, 108:ipv6-only
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 next server: 192.168.4.1
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  1 option: 53 message-type  2
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 58 T1  6h
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 12:15:36 2025 daemon.info dnsmasq-dhcp[1]: 565171419 sent size: 12 option:  6 dns-server  192.168.4.31, 1.1.1.1, 1.0.0.1


AP
Sun Mar  2 12:15:24 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 IEEE 802.11: authenticated
Sun Mar  2 12:15:24 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 IEEE 802.11: associated (aid 2)
Sun Mar  2 12:15:24 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 94:45:60:5c:b9:65 auth_alg=open
Sun Mar  2 12:15:24 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 RADIUS: starting accounting session B065132D887E724B
Sun Mar  2 12:15:24 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 WPA: pairwise key handshake completed (RSN)
Sun Mar  2 12:15:24 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 94:45:60:5c:b9:65
Sun Mar  2 12:15:24 2025 daemon.notice hostapd: phy1-ap0: BSS-TM-QUERY 94:45:60:5c:b9:65 reason=6(null)
Sun Mar  2 12:15:24 2025 daemon.notice hostapd: phy1-ap0: BSS-TM-RESP 94:45:60:5c:b9:65 status_code=1 bss_termination_delay=0
Sun Mar  2 12:15:42 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 94:45:60:5c:b9:65
Sun Mar  2 12:15:42 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 IEEE 802.11: disassociated
Sun Mar  2 12:15:42 2025 kern.info kernel: [64671.929215] ath10k_ahb a800000.wifi: mac flush vdev 0 drop 0 queues 0x1 ar->paused: 0x0  arvif->paused: 0x0
Sun Mar  2 12:15:43 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

This time I did test/confirm, that if I set a static IP address on my wireless client, it authenticates and I can reach the internet.

*AP log showing authentication via static IP

Sun Mar  2 12:38:50 2025 daemon.info hostapd: phy1-ap1: STA 94:45:60:5c:b9:65 IEEE 802.11: authenticated
Sun Mar  2 12:38:50 2025 daemon.info hostapd: phy1-ap1: STA 94:45:60:5c:b9:65 IEEE 802.11: associated (aid 2)
Sun Mar  2 12:38:50 2025 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED 94:45:60:5c:b9:65 auth_alg=open
Sun Mar  2 12:38:50 2025 daemon.info hostapd: phy1-ap1: STA 94:45:60:5c:b9:65 RADIUS: starting accounting session A3751850B1A32F7C
Sun Mar  2 12:38:50 2025 daemon.info hostapd: phy1-ap1: STA 94:45:60:5c:b9:65 WPA: pairwise key handshake completed (RSN)
Sun Mar  2 12:38:50 2025 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED 94:45:60:5c:b9:65
Sun Mar  2 12:38:51 2025 daemon.notice hostapd: phy1-ap1: BSS-TM-QUERY 94:45:60:5c:b9:65 reason=6(null)
Sun Mar  2 12:38:51 2025 daemon.notice hostapd: phy1-ap1: BSS-TM-RESP 94:45:60:5c:b9:65 status_code=1 bss_termination_delay=0

The GW can ping the wireless client, but the AP its connected to cannot. And I am seeing odd/large alternating response times?

gw:~# ping 192.168.2.111
PING 192.168.2.111 (192.168.2.111): 56 data bytes
64 bytes from 192.168.2.111: seq=0 ttl=64 time=385.436 ms
64 bytes from 192.168.2.111: seq=1 ttl=64 time=203.204 ms
64 bytes from 192.168.2.111: seq=2 ttl=64 time=840.144 ms
64 bytes from 192.168.2.111: seq=3 ttl=64 time=6.612 ms
64 bytes from 192.168.2.111: seq=4 ttl=64 time=482.382 ms
64 bytes from 192.168.2.111: seq=5 ttl=64 time=503.015 ms
64 bytes from 192.168.2.111: seq=6 ttl=64 time=319.905 ms
64 bytes from 192.168.2.111: seq=7 ttl=64 time=140.070 ms
64 bytes from 192.168.2.111: seq=8 ttl=64 time=4.282 ms
64 bytes from 192.168.2.111: seq=9 ttl=64 time=801.833 ms
64 bytes from 192.168.2.111: seq=10 ttl=64 time=7.432 ms
64 bytes from 192.168.2.111: seq=11 ttl=64 time=442.463 ms
64 bytes from 192.168.2.111: seq=12 ttl=64 time=463.411 ms

GW ARP Table

gw:~# arp
IP address       HW type     Flags       HW address            Mask     Device
...
192.168.2.111    0x1         0x2         94:45:60:5c:b9:65     *        br-iot

GW
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:fb9f:febc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1.4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipv6 '0'
	list dns '192.168.4.31'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list ipaddr '192.168.4.1/24'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'eth1.2'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'
	option bridge_empty '1'
	list ports 'eth1.3'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'eth2'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	list ipaddr '192.168.5.1/24'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'privkey1'
	option listen_port '51820'
	list addresses '172.16.0.1/24'

config wireguard_vpn
	option description 'Pixel'
	option public_key 'pubkey'
	option private_key 'privkey'
	option preshared_key 'pskey'
	option persistent_keepalive '25'
	list allowed_ips '172.16.0.2/32'
	option route_allowed_ips '1'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct'
	option logdhcp '1'
	option logfacility 'DAEMON'
	list interface 'lan'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.4.31,1.1.1.1,1.0.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '6'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-Guest-DHCP-and-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-IOT-DHCP-and-DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.4.37'
	option dest_port '32400'

config zone
	option name 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mgmt'

config forwarding
	option src 'mgmt'
	option dest 'guest'

config forwarding
	option src 'mgmt'
	option dest 'iot'

config forwarding
	option src 'mgmt'
	option dest 'lan'

config forwarding
	option src 'mgmt'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

AP
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd47:5997:0040::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan.4'

config device
	option name 'lan'
	option ipv6 '0'

config interface 'lan'
	option proto 'none'
	option device 'br-lan'

config device
	option name 'wan'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	option gateway '192.168.5.1'
	list ipaddr '192.168.5.4/24'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'lan.2'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'wan'
	option ipv6 '0'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'lan.3'
	option ipv6 '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option channel 'auto'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option channel 'auto'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk2'
	option key 'pw'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option ieee80211w '2'
	option network 'iot'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option bss_transition '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'psk2'
	option key 'pw'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'lan'
	option ieee80211w '2'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk2'
	option key 'pw'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'iot'
	option ieee80211w '2'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'pw'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option network 'guest'
	option ieee80211w '2'

/etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option dynamicdhcp '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '6'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
12

And just talking this through. Since I can see the DHCP requests on the GW, and DNS is working on the client when setting static IP and DNS to the appropriate GW interface, test w IOT and 192.168.2.1, the Allow-*-DHCP-and-DNS firewall traffic rules are working.

13

Remove all of the lines with (-) at the beginning:

Remove all of this

Repeat for all the SSIDs.

14

When setting a static IP and DNS for LAN on my wireless client, I cannot reach the internet nor can I load LuCI on the GW.

I do see the authentication handshake

Sun Mar  2 13:48:06 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 IEEE 802.11: authenticated
Sun Mar  2 13:48:06 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 IEEE 802.11: associated (aid 3)
Sun Mar  2 13:48:06 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 94:45:60:5c:b9:65 auth_alg=open
Sun Mar  2 13:48:06 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 RADIUS: starting accounting session 0879468C096D06AE
Sun Mar  2 13:48:06 2025 daemon.info hostapd: phy1-ap0: STA 94:45:60:5c:b9:65 WPA: pairwise key handshake completed (RSN)
Sun Mar  2 13:48:06 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 94:45:60:5c:b9:65
Sun Mar  2 13:48:06 2025 daemon.notice hostapd: phy1-ap0: BSS-TM-QUERY 94:45:60:5c:b9:65 reason=6(null)
15

I removed all the wireless settings on all SSIDs. Same issue, cannot reach GW or WAN on wireless client, now on LAN and IOT when setting static IP. I'm guessing connectivity is intermittent as nothing has changed to prevent my previous IOT test from working.

16

Is the problem isolated to that singular device? Or are other devices showing similar issues?

17

Other devices are showing the similar issues. The issue goes back n forth between SSIDs.

Just to note, I've seen these show up, but because the MAC address is the same by default on all like-devices, I ignored it. You can see that da:7d:43:62:2a:8e is the base MAC for the ethernet devices. Why the two physical ports (WAN & LAN) share the same MAC I have no idea. And why they appear as a single eth0 I also have no idea.

Sun Mar  2 14:00:04 2025 kern.warn kernel: [70933.480008] br-lan: received packet on lan.4 with own address as source address (addr:da:7d:43:62:2a:8e, vlan:0)
Sun Mar  2 14:00:05 2025 kern.warn kernel: [70934.519706] br-lan: received packet on lan.4 with own address as source address (addr:da:7d:43:62:2a:8e, vlan:0)
Sun Mar  2 14:00:06 2025 kern.warn kernel: [70935.559705] br-lan: received packet on lan.4 with own address as source address (addr:da:7d:43:62:2a:8e, vlan:0)
Sun Mar  2 14:00:21 2025 kern.warn kernel: [70950.497457] br-lan: received packet on lan.4 with own address as source address (addr:da:7d:43:62:2a:8e, vlan:0)
Sun Mar  2 14:00:22 2025 kern.warn kernel: [70951.559645] br-lan: received packet on lan.4 with own address as source address (addr:da:7d:43:62:2a:8e, vlan:0)
Sun Mar  2 14:00:23 2025 kern.warn kernel: [70952.599657] br-lan: received packet on lan.4 with own address as source address (addr:da:7d:43:62:2a:8e, vlan:0)

Screenshot From 2025-03-02 15-21-22
Screenshot From 2025-03-02 15-21-22516×722 47.9 KB

18

Also to note, I don't seem to see any DHCP issues with ethernet client devices on LAN (PVID 4 and Untagged).

Also to note, devices will drop off, e.g. security cameras, stationary devices, and I assume has to do with expiring lease? And eventually come back online.

And I am seeing constant DHCPDICOVER, DHCPOFFER, DHCPREQUEST, DHCPACK traffic on the GW.

20

Shouldn't there be an immediate DHCPACK following a DHCPOFFER?

21

Here is a tcpdump from a linux laptop DHCP request:

@xps ~ $ sudo tcpdump -v -i wlp2s0
tcpdump: listening on wlp2s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:11:46.392130 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 315)
    0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 9c:b6:d0:8a:58:a5 (oui Unknown), length 287, xid 0x2e8489dd, secs 1, Flags [none]
	  Client-Ethernet-Address 9c:b6:d0:8a:58:a5 (oui Unknown)
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: Request
	    Client-ID (61), length 7: ether 9c:b6:d0:8a:58:a5
	    Parameter-Request (55), length 17: 
	      Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
	      Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
	      Default-Gateway (3), Static-Route (33), YD (40), YS (41)
	      NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
	      RP (17)
	    MSZ (57), length 2: 576
	    Requested-IP (50), length 4: 192.168.4.239
	    Hostname (12), length 3: "xps"
22:11:46.801086 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42
22:11:47.005895 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.149, length 42
22:11:47.125974 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
    0.0.0.0 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.251 to_ex, 0 source(s)]
22:11:47.620297 IP (tos 0x0, ttl 1, id 4257, offset 0, flags [DF], proto UDP (17), length 129)
    192.168.4.37.52907 > 239.255.255.250.ssdp: UDP, length 101
22:11:47.825365 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42
22:11:48.034438 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.149, length 42
22:11:48.392163 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 315)
    0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 9c:b6:d0:8a:58:a5 (oui Unknown), length 287, xid 0x795e228e, secs 1, Flags [none]
	  Client-Ethernet-Address 9c:b6:d0:8a:58:a5 (oui Unknown)
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: Discover
	    Client-ID (61), length 7: ether 9c:b6:d0:8a:58:a5
	    Parameter-Request (55), length 17: 
	      Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
	      Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
	      Default-Gateway (3), Static-Route (33), YD (40), YS (41)
	      NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
	      RP (17)
	    MSZ (57), length 2: 576
	    Requested-IP (50), length 4: 192.168.4.239
	    Hostname (12), length 3: "xps"
22:11:48.402032 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.239 tell 192.168.4.1, length 42
22:11:48.849359 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42
22:11:49.056607 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.149, length 42
22:11:49.463524 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.239 tell 192.168.4.1, length 42
22:11:49.873044 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42
22:11:50.398527 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 315)
    0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 9c:b6:d0:8a:58:a5 (oui Unknown), length 287, xid 0x6737560e, secs 2, Flags [none]
	  Client-Ethernet-Address 9c:b6:d0:8a:58:a5 (oui Unknown)
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: Discover
	    Client-ID (61), length 7: ether 9c:b6:d0:8a:58:a5
	    Parameter-Request (55), length 17: 
	      Subnet-Mask (1), Time-Zone (2), Domain-Name-Server (6), Hostname (12)
	      Domain-Name (15), MTU (26), BR (28), Classless-Static-Route (121)
	      Default-Gateway (3), Static-Route (33), YD (40), YS (41)
	      NTP (42), Unknown (119), Classless-Static-Route-Microsoft (249), Unknown (252)
	      RP (17)
	    MSZ (57), length 2: 576
	    Requested-IP (50), length 4: 192.168.4.239
	    Hostname (12), length 3: "xps"
22:11:50.453300 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.239 tell 192.168.4.1, length 42
22:11:50.693107 IP (tos 0x0, ttl 64, id 4626, offset 0, flags [DF], proto UDP (17), length 49)
    192.168.4.37.40738 > 192.168.4.255.32414: UDP, length 21
22:11:50.693169 IP (tos 0x0, ttl 64, id 1624, offset 0, flags [DF], proto UDP (17), length 49)
    192.168.4.37.36066 > 192.168.4.255.32412: UDP, length 21
22:11:50.897036 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42
22:11:51.718763 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 8.8.8.8 tell 192.168.255.249, length 28
22:11:51.921075 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42
22:11:52.126134 IP6 (flowlabel 0xe3c02, hlim 1, next-header UDP (17) payload length: 59) fdf1:25b0:600f:1:f1ce:c2a:418:ccac.ezmeeting-2 > ff05::c0c.ezmeeting-2: [udp sum ok] UDP, length 51
22:11:52.126470 IP6 (flowlabel 0x693d9, hlim 1, next-header UDP (17) payload length: 59) fe80::da8c:79ff:fe2e:8a4d.ezmeeting-2 > ff02::c:c.ezmeeting-2: [udp sum ok] UDP, length 51
22:11:52.740297 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 8.8.8.8 tell 192.168.255.249, length 28
22:11:52.945270 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.133 tell 192.168.4.1, length 42

And here are two of the GW replies:

Sun Mar  2 22:11:48 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 22:11:48 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 client provides name: xps
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 DHCPDISCOVER(br-lan) 192.168.4.239 9c:b6:d0:8a:58:a5
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 tags: lan, br-lan
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 DHCPOFFER(br-lan) 192.168.4.239 9c:b6:d0:8a:58:a5
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 requested options: 1:netmask, 2:time-offset, 6:dns-server, 12:hostname,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 requested options: 15:domain-name, 26:mtu, 28:broadcast, 121:classless-static-route,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 requested options: 3:router, 33:static-route, 40:nis-domain,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 requested options: 41:nis-server, 42:ntp-server, 119:domain-search,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 requested options: 249, 252, 17:root-path
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 next server: 192.168.4.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  1 option: 53 message-type  2
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option: 58 T1  6h
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 2036212366 sent size:  8 option:  6 dns-server  1.1.1.1, 1.0.0.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 available DHCP range: 192.168.4.100 -- 192.168.4.249
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 client provides name: xps
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 DHCPDISCOVER(br-lan) 192.168.4.239 9c:b6:d0:8a:58:a5
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 tags: lan, br-lan
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 DHCPOFFER(br-lan) 192.168.4.239 9c:b6:d0:8a:58:a5
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 requested options: 1:netmask, 2:time-offset, 6:dns-server, 12:hostname,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 requested options: 15:domain-name, 26:mtu, 28:broadcast, 121:classless-static-route,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 requested options: 3:router, 33:static-route, 40:nis-domain,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 requested options: 41:nis-server, 42:ntp-server, 119:domain-search,
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 requested options: 249, 252, 17:root-path
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 next server: 192.168.4.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  1 option: 53 message-type  2
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option: 54 server-identifier  192.168.4.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option: 51 lease-time  12h
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option: 58 T1  6h
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option: 59 T2  10h30m
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option:  1 netmask  255.255.255.0
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option: 28 broadcast  192.168.4.255
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  4 option:  3 router  192.168.4.1
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  3 option: 15 domain-name  lan
Sun Mar  2 22:11:51 2025 daemon.info dnsmasq-dhcp[1]: 1731679758 sent size:  8 option:  6 dns-server  1.1.1.1, 1.0.0.1