Force DHCP of upper subnet?

This can be MAC addresses, the exposure of your real IP, VPN endpoints and/or keys of a VPN :+1:

Most are in the network configuration.

I just realized that I didn’t SSH into the second router where I want the VLAN, only the main one :confused:

As of right now, I’m still unable to get into the second router. I’m still getting the EOF error even though I installed the openssh packages for both server and client on the second router. Any suggestions? I don’t see a security tab on the older Flint 1 where I can check the box for allowing remote SSH access like there is on the Flint 2.

Hmm, depending on whether your Flint is downstream in your network, I would suggest only showing the Flint 2 configuration for now. For Flint 1 you may want to delete the WAN zone or set it to accept for WAN in LuCI; that makes it easier to get into it from upstream :grin:

Since for Flint 1 it is only required to use eth0.<vlanid> through LuCI, it's not super complex :grinning:. If it doesn't work well, then it has to be the firewall zone input, which needs to be set to accept.

Here is firewall:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '*'
	option device 'br-*'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config redirect 'adguard_home'
	option name 'Adguard Home'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '3053'
	option proto 'tcpudp'

config redirect 'adguard_home_guest'
	option name 'Adguard Home guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '3053'
	option proto 'tcpudp'

config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option enabled '1'
	option input 'ACCEPT'
	option masq '1'
	option masq6 '1'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'wgserver2wgclient'
	option src 'wgserver'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'wgserver2ovpnclient'
	option src 'wgserver'
	option dest 'ovpnclient'
	option enabled '1'

config rule 'wgserver_allow'
	option name 'wgserver_allow'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp tcp'
	option family 'ipv4'
	option dest_port '51820'
	option enabled '1'

config zone 'wgserver'
	option name 'wgserver'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgserver'
	option input 'ACCEPT'
	option masq '1'
	option masq6 '1'
	option enabled '1'
	option forward 'REJECT'

config forwarding 'wgserver2wan'
	option src 'wgserver'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgserver'
	option src 'lan'
	option dest 'wgserver'
	option enabled '1'

config rule 'safe_mode_lan'
	option name 'safe_mode_lan'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule 'safe_mode_guest'
	option name 'safe_mode_guest'
	option proto 'all'
	option src 'guest'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config rule 'safe_mode_mark'
	option name 'safe_mode_mark'
	option src '*'
	option device 'br-*'
	option dest_port '53'
	option set_xmark '0x20000/0x20000'
	option target 'MARK'
	option enabled '0'

config rule 'safe_mode_mark_save'
	option name 'safe_mode_mark_save'
	option src '*'
	option device 'br-+'
	option dest_port '53'
	option set_xmark '0x20000/0x20000'
	option extra '-j CONNMARK --save-mark --nfmask 0x20000 --ctmask 0x20000'
	option target 'MARK'
	option enabled '0'

config rule 'safe_mode_mark_drop'
	option name 'safe_mode_mark_drop'
	option dest 'wan'
	option dest_port '53'
	option mark '0x20000/0x20000'
	option target 'DROP'
	option enabled '0'

config forwarding 'wgclient2lan'
	option src 'wgclient'
	option dest 'lan'
	option enabled '1'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config forwarding 'wgserver2lan'
	option src 'wgserver'
	option dest 'lan'
	option enabled '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '1935'
	option dest_ip '192.168.8.100'
	option dest_port '1935'
	option name 'PS5'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'tcp'
	option src 'wan'
	option src_dport '3478-3480'
	option dest_ip '192.168.8.100'
	option dest_port '3478-3480'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'udp'
	option src 'wan'
	option src_dport '3074'
	option dest_ip '192.168.8.100'
	option dest_port '3074'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'udp'
	option src 'wan'
	option src_dport '3478-3479'
	option dest_ip '192.168.8.100'
	option dest_port '3478-3479'

config forwarding 'wgserver2wgserver'
	option src 'wgserver'
	option dest 'wgserver'
	option enabled '0'

config rule 'https_wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule 'ssh_wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'


Here is network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd59:579c:8d55::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan5'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config device
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option metric '10'
	option disabled '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wan'

config interface 'tethering6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@tethering'

config interface 'wwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wwan'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option metric '15'
	option device '@secondwan'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config interface 'wgclient'
	option proto 'wgclient'
	option config 'peer_2001'
	option disabled '0'

config interface 'wgserver'
	option proto 'wgserver'
	option config 'main_server'
	option disabled '0'

config route
	option interface 'wgserver'
	option type 'local'
	option target '192.168.8.1/32'


Here is dhcp:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	list server '127.0.0.1#3053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '31'
	option leasetime '720m'
	option dhcpv4 'server'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ra_slaac '1'
	option force '1'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '31'
	option leasetime '720m'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ignore '0'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config domain
	option name 'login.router.com'
	option ip '10.10.0.1'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.8.100'
	option tag 'name'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.8.115'
	option tag 'name'



What you can do is the following:

If you go into Advanced Configuration/LuCI → Network → Interfaces → Devices tab, you can edit br-lan, then click on VLAN Filtering.

Then you click on Add; you see the VLAN number 1 on the left, make it untagged on all ports.

Untagged means that a VLAN only reaches the destination port; you can only have one per port (technically you can define more, but it will only send one). You can also kinda see it as your default VLAN for that port.

Tagged means it tags a VLAN and it can traverse beyond one port; you can have multiple VLANs, and also combine them with untagged VLANs.

So let's say you create another row with VLAN 2; then you can set this one as tagged on the port to the Flint 1 and choose to ignore it for the rest of the other ports.

Etcetera etcetera.

But don't save and apply yet; now you need to go back to LuCI → Network → Interfaces → Interfaces tab and edit lan, then change the device to br-lan.1 to avoid locking yourself out :slight_smile:

For the other VLANs you can create a new interface and cover the new br-lan.<vlan number>; you can use any local IP you want as long as it's RFC 1918.

Subnet mask is 255.255.255.0 and leave the gateway empty. Also click on the Advanced tab and uncheck the Use default gateway checkbox; this is so that traffic doesn't originate from different interfaces than for WAN or VPN, only lan is allowed to follow it.

You can also create a new firewall zone and forward them to WAN; you can do that in LuCI → Firewall and then clicking Edit on a zone.

Well, let me know how far you can get :+1:. It's probably a little intimidating, but once you know it, it is easy. I wish I could make some screenshots but I'm on a phone atm :grinning:

Here's a video which can be of really good use :grin:

I will give this a try, though it is a bit overwhelming, sorry.

I only need a VLAN on one switch port of the Flint 1. I need the rest of the ports to remain on the upstream subnet. It is very important that this is the setup. I do not need WiFi or anything else, just the one switch port for the VLAN.

Am I making these changes in Luci on the Flint 2? I’m a bit confused, I can’t lie.


Yup, that is correct, on the Flint 2 :+1:

You also need to do some stuff on the Flint 1, but that will come later; it's not a huge step :slightly_smiling_face:

So essentially what I’m doing is I’m creating a VLAN on the Flint 2, sending that VLAN downstream via the port connected to the Flint 1 and then essentially ignoring that VLAN on all Flint 1 ports except for one?

On the Flint 1 you receive it through WAN :slight_smile:

If the VLAN was untagged from the Flint 2, that network is on eth0 (WAN) in Flint 1; if the VLAN was tagged from the Flint 2, the network can be found as eth0.<vlan id> in Flint 1.

Then you can use it like a device for other ports in the Flint 1.

In my use case I often go for a dumb AP approach, which means I disable all firewall and DHCP on the Flint 1, combine VLAN devices with the br-lan bridge and turn lan into a DHCP client. There are a lot of ways of doing this, so it is really what direction you want with this VLAN device :wink:. It's encouraged to check the videos in the dumb AP link; some can be useful, maybe not directly for your use case, but they will cover it from adding devices to the bridge to removing firewall zones.

^ tl;dr: In case you don't get a DHCP client IP from the VLAN, then it might be an issue with the firewall zone for that network on the Flint 2. It's essential the input is set to accept, since newly created firewall zones automatically copy the global firewall rules, which normally have input set to reject.

Since VLAN acts as a tunnel, it will encapsulate the network and expose clients on the Flint 2 :grinning:

Edit

After reviewing this full post again, maybe you don't really need VLAN; just eth0 in the bridge of br-lan and lan as DHCP client might be sufficient :+1:

So I think I have most of what I need in place now. Correct me if I’m wrong on anything so far.

On Flint 2:

  1. Edit br-lan under Devices tab, go to VLAN Filtering, add VLAN 1 as untagged on all ports. Leave local box checked.
  2. Create a second VLAN (I used VLAN ID 7) and tag the port that is leading to the WAN port on Flint 1. Do I leave the local box checked?
  3. Switch br-lan to br-lan.1 in the Interfaces tab.
  4. Create new interface for the second VLAN. I created br-lan.7
  5. Set protocol as static address. Chose IP address of 192.168.11.1. Chose subnet mask 255.255.255.0 and left gateway empty. Unchecked default gateway option.
  6. Created a new firewall zone named vlan7, with forward destination to WAN. Under covered network option I chose vlan.7. I also set input and output to accept. Do I need to set forward to accept?

Thank you for all of your help with this!! I think I’m much closer to setting this up than before.

Yes :slight_smile:

You can leave it on reject. Only if you choose to have multiple subnets, you can use the traffic rules to forward very specific devices to talk to each other via different firewall zones. Setting this to accept for the zone will mean all devices can talk to other zones which also have it on accept, which ideally is not really what you want :slight_smile:
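The steps listed above for the Flint 2 and the zone discussion in the replies can be checked from the config files instead of from LuCI screenshots. The script below is an added example, not code from this thread or from GL.iNet: it parses UCI text and verifies the two points the replies make, that lan stays on br-lan.1 while VLAN 7 is tagged only on the port towards the Flint 1, and that the zone covering the VLAN interface actually lets clients reach the router's DHCP server. The bridge-vlan and interface stanzas are a reconstruction of what those LuCI steps write to /etc/config/network; VLAN 7, 192.168.11.1 and the zone name vlan7 come from the post above, while lan5 as the port to the Flint 1 and the excerpts themselves are constructed assumptions.

```python
"""Added checker (not from this thread or GL.iNet): parse OpenWrt UCI text and
verify the Flint 2 setup after VLAN filtering: lan stays on br-lan.1, VLAN 7 is
tagged only towards the Flint 1, and the VLAN's zone lets clients reach DHCP."""
import re
from collections import defaultdict

# Constructed /etc/config/network excerpt (OpenWrt DSA bridge-vlan syntax) as
# written by the LuCI steps in the thread; lan5 as the port to the Flint 1 is assumed.
NETWORK = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan5:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '7'
    list ports 'lan5:t'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.8.1'

config interface 'vlan7'
    option device 'br-lan.7'
    option proto 'static'
    option ipaddr '192.168.11.1'
    option netmask '255.255.255.0'
"""

# Constructed /etc/config/firewall excerpt: a fresh zone still carrying the REJECT
# input it inherits from 'config defaults', beside the guest-zone pattern on this page.
FIREWALL = """
config zone
    option name 'vlan7'
    list network 'vlan7'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-DHCP'
    option src 'guest'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
"""

def parse_uci(text):
    """UCI sections as {'type', 'name', 'opts'}; opts maps key -> list of values."""
    sections, cur = [], None
    for line in text.splitlines():
        toks = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if toks and toks[0] == 'config':
            cur = {'type': toks[1], 'name': toks[2] if len(toks) > 2 else None, 'opts': defaultdict(list)}
            sections.append(cur)
        elif toks and toks[0] in ('option', 'list') and cur is not None:
            cur['opts'][toks[1]].append(toks[2] if len(toks) > 2 else '')
    return sections

def sections_of(cfg, stype):
    return [s for s in cfg if s['type'] == stype]

def bridge_vlans(net):
    """{vlan: {port: mode}}; mode 't' = tagged, 'u' = untagged, 'u*' = untagged + PVID."""
    return {bv['opts']['vlan'][0]: {p.partition(':')[0]: p.partition(':')[2] or 'u'
                                    for p in bv['opts']['ports']}
            for bv in sections_of(net, 'bridge-vlan')}

def lan_device(net):
    """Device of 'lan'; with VLAN filtering on it must be br-lan.<pvid>, else you are locked out."""
    return next(s for s in sections_of(net, 'interface') if s['name'] == 'lan')['opts']['device'][0]

def zone_for_network(fw, network):
    """Zone whose 'network' option/list covers the interface, or None."""
    return next((z['opts']['name'][0] for z in sections_of(fw, 'zone')
                 if network in z['opts']['network']), None)

def port_matches(spec, port):
    """dest_port may be '67', '67-68' or a space-separated mix of both."""
    for lo, _, hi in (tok.partition('-') for tok in spec.split()):
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def dhcp_reachable(fw, zone):
    """Can clients in `zone` reach the router's DHCP server (UDP/67 on INPUT)?"""
    z = next(s for s in sections_of(fw, 'zone') if s['opts']['name'] == [zone])
    policy = (z['opts']['input'] or ['REJECT'])[0]  # unset input = the REJECT default
    if policy == 'ACCEPT':
        return True, f'{zone}: input ACCEPT, every router service is reachable'
    for r in sections_of(fw, 'rule'):
        o = r['opts']
        if o['src'] != [zone] or o['dest'] or o['target'] != ['ACCEPT'] or o['enabled'] == ['0']:
            continue  # not an active INPUT rule for this zone
        proto = (o['proto'] or ['tcp udp'])[0].split()  # firewall default proto is 'tcp udp'
        if ('udp' in proto or 'all' in proto) and any(port_matches(p, 67) for p in o['dest_port']):
            return True, f"{zone}: input {policy}, but rule '{(o['name'] or [r['name']])[0]}' admits UDP/67"
    return False, f'{zone}: input {policy} and no rule admits UDP/67, clients get no lease'

if __name__ == '__main__':
    net, fw = parse_uci(NETWORK), parse_uci(FIREWALL)
    print('bridge VLANs:', bridge_vlans(net), '| lan device:', lan_device(net))
    for ifname in ('vlan7', 'guest'):
        print(ifname, '->', dhcp_reachable(fw, zone_for_network(fw, ifname)))
```

Run against the constructed excerpts, the vlan7 zone is reported as unable to hand out leases (input REJECT, no matching rule), which is the symptom the replies describe, while guest passes because of its Allow-DHCP rule. Setting input to ACCEPT is the quick fix the replies suggest; the guest zone on this page shows the tighter alternative of keeping input REJECT and adding only the Allow-DHCP and Allow-DNS rules, so VLAN clients get a lease and name resolution without reaching LuCI, SSH or other router services. Paste the real /etc/config/network and /etc/config/firewall contents into NETWORK and FIREWALL to check a live router.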

Sounds good, I have all of that in place now.

How do I now see the VLAN 7 on the Flint 1? Is it supposed to show up as a network device, or do I first have to make the Flint 1 aware of the tagged packets?

When you go into LuCI → Network → Interfaces (also click the Interfaces tab),

you can temporarily create a new interface to see if the VLAN receives as expected, like so:

If you see an IP like this:

then you can change the device for the lan interface to eth0.7 :slight_smile:
Don't get confused with eth1.50; for me eth1 is WAN on the Flint 2, for Flint 1 it's eth0.

Optionally, I think for your use case VLAN might not be necessary after reviewing all posts, but it's still handy to know :slight_smile:

On the Flint 1 I am not automatically seeing the tagged VLAN network device when I try adding a new interface. Would the Flint 1 have to be set up for the tagged packets beforehand?

My understanding is that the Flint 1 will drop all frames with a VLAN tag that hasn’t already been defined on the Flint 1.

No no, you have to create one first :slight_smile:

This happens automatically if you type eth0.7 in the interface thingy.

If it doesn't show an IP, make sure the firewall zone input rule is set to allow both on Flint 1 (for WAN) and on the Flint 2 (for the network zone).

I created the eth0.7 interface as a DHCP client on Flint 1, but I’m not receiving an IP address. I checked the firewall zone that is associated with the interface and confirmed that it is the WAN zone, with input and output set to accept.

Do I need to set up the VLAN filtering on the Flint 1 as well? I feel like I’m so close but I’m missing something small.

This is not needed :slight_smile:

Can you show the zone for Flint 2? :slight_smile:

Okay, just checking. Sure. This is how I have it set up:


That's fine :+1:

Can you show all zones for Flint 1?

Yes. These are the Flint 1 zones: