Handling Tagged VLAN on an AC86U


Just upgraded to 386.5(beta).


Life just got a lot easier with VLANs; finally it's just as easy as on any other Linux dist.

Code:
#!/bin/sh

# Should be put in /jffs/scripts/init-start
# (first script to run, so other services can bind to the VLAN interfaces; fewer issues that way)

# For some strange reason the interfaces need to be brought up with ifconfig.
# It works just fine with ip, but then ifconfig can't see the interfaces, so there are
# some cosmetic (web UI) issues if ifconfig isn't used.


#--- Sample vlan Interface config ---#

# tagged sub-interface for VLAN 200 on the trunk port eth1
ip link add link eth1 name eth1.200 type vlan id 200
ifconfig eth1.200 allmulti up

# one bridge per VLAN, with the tagged sub-interface as its member
brctl addbr br200
brctl stp br200 on
brctl addif br200 eth1.200

# the router's own address on that VLAN
ifconfig br200 192.168.200.1 netmask 255.255.255.0 broadcast 192.168.200.255 allmulti up

#--- Sample vlan Interface config ---#

Works straight away; not even a reboot is needed (but you should =P).

Tried it on the RT-AX56U and RT-AC66U_B1.
(VLAN 501/502 doesn't matter, enabled or not (guest WLAN, mesh).)
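The script above creates one VLAN by hand. As an added example (not the original poster's script), here is the same procedure as a reusable POSIX sh function that handles several tagged VLANs on one trunk port and is safe to rerun, which matters because init-start runs on every boot and you will rerun it while testing. It assumes eth1 is the trunk port, as in the post; the VLAN list, addresses and the `DRYRUN` preview mode are this example's own. The 172.16.72.0/24 sample is deliberately inside RFC 1918 space; note that 172.0.0.0/24, used later in this thread, is not (only 172.16.0.0/12 is private).

```sh
#!/bin/sh
# Added example, not the thread's own script: bring up several tagged VLANs on one
# trunk port, each with its own bridge, in a way that is safe to rerun.
# Assumptions: eth1 is the trunk port (as in the thread); the VLAN list and the
# addresses below are made up for the example. DRYRUN=1 prints the commands instead
# of running them, so the script can be previewed without root.

TRUNK="${TRUNK:-eth1}"
# Entries are "vlan-id:router-ip:netmask" (sample values, not from the thread)
VLANS="${VLANS:-200:192.168.200.1:255.255.255.0 172:172.16.72.1:255.255.255.0}"

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# True when the sysfs entry exists; in dry-run mode pretend nothing exists so that
# every command is printed.
exists() {
    [ "${DRYRUN:-0}" != "1" ] && [ -e "$1" ]
}

# Broadcast address for ip/netmask, e.g. 192.168.200.1 255.255.255.0 -> 192.168.200.255
bcast_of() {
    oifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$oifs
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# vlan_up <id> <router-ip> <netmask>: sub-interface, bridge, membership, address.
# Each step is skipped when it has already been done, so rerunning never errors.
vlan_up() {
    vid="$1"; ip="$2"; mask="$3"
    sub="$TRUNK.$vid"; br="br$vid"
    exists "/sys/class/net/$sub" || run ip link add link "$TRUNK" name "$sub" type vlan id "$vid"
    run ifconfig "$sub" allmulti up
    if ! exists "/sys/class/net/$br"; then
        run brctl addbr "$br"
        run brctl stp "$br" on
    fi
    exists "/sys/class/net/$br/brif/$sub" || run brctl addif "$br" "$sub"
    # the thread notes the web UI only sees interfaces brought up by ifconfig,
    # so the address is set the same way as in the original script
    run ifconfig "$br" "$ip" netmask "$mask" broadcast "$(bcast_of "$ip" "$mask")" allmulti up
}

vlan_all() {
    for entry in $VLANS; do
        vid="${entry%%:*}"; rest="${entry#*:}"
        vlan_up "$vid" "${rest%%:*}" "${rest#*:}"
    done
}

# Preview:  sh vlan-up.sh preview
# Apply:    call vlan_all from /jffs/scripts/init-start (or: sh vlan-up.sh apply)
case "${1:-}" in
    apply)   vlan_all ;;
    preview) DRYRUN=1; vlan_all ;;
esac
```

Running `sh vlan-up.sh preview` prints the six commands per VLAN in the order they would execute; `sh vlan-up.sh apply` (or calling `vlan_all` from init-start) executes them, skipping the link, bridge and membership steps that already exist.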
 
Were you able to setup multiple tagged VLANs on one port?
 
I tried this script but was unable to get DHCP to assign IP addresses on the VLANs. I did add the addresses to dnsmasq.conf.add. Not sure what else I'm missing.

Here are my outputs for the script:

Code:
rumi@KaziGT:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.04d4c4d23300       yes             eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth7
                                                        eth8
br172           8000.04d4c4d23300       yes             eth1.172
br200           8000.04d4c4d23300       yes             eth1.200

rumi@KaziGT:/tmp/home/root# ifconfig br200
br200     Link encap:Ethernet  HWaddr 04:D4:C4:D2:33:00
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:263 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:91804 (89.6 KiB)  TX bytes:107 (107.0 B)



dnsmasq.conf.add:

Code:
interface=br172
# DHCPv4 range: 172.0.0.100 - 172.0.0.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br172,172.0.0.100,172.0.0.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 172.0.0.1
dhcp-option=br172,3,172.0.0.1

interface=br200
# DHCPv4 range: 192.168.200.100 - 192.168.200.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br200,192.168.200.100,192.168.200.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 192.168.200.1
dhcp-option=br200,3,192.168.200.1
 

Looks about right.

Here is mine:
Code:
interface=br200
dhcp-range=br200,192.168.200.180,192.168.200.230,255.255.255.0,86400s
dhcp-option=br200,3,192.168.200.1
dhcp-option=br200,6,192.168.200.1
dhcp-option=br200,15,mydomain.com

Though DHCP won't work until the firewall rules are up (the first rule in this case would allow DHCP), for example:

Code:
#!/bin/sh
# /jffs/scripts/firewall-start
# Allow new incoming connections from bridges
iptables -D INPUT -i br200 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br200 -m state --state NEW -j ACCEPT

# Forbid packets from bridges to be forwarded to other interfaces
iptables -D FORWARD -i br200 -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br200 -j DROP

# But allow packet forwarding inside bridges
iptables -D FORWARD -i br200 -o br200 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br200 -o br200 -j ACCEPT

# Allow packet forwarding between bridges and eth0 (WAN)
iptables -D FORWARD -i br200 -o eth0 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br200 -o eth0 -j ACCEPT

# Allow one-way traffic from br0(lan) to bridges
iptables -D FORWARD -i br0 -o br200 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br200 -j ACCEPT
iptables -I FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block webui/ssh from vlans
iptables -D INPUT -i br200 -p tcp --dport 8443 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br200 -p tcp --dport 80 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br200 -p tcp --dport 22 -j DROP >/dev/null 2>&1
iptables -I INPUT -i br200 -p tcp --dport 8443 -j DROP
iptables -I INPUT -i br200 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br200 -p tcp --dport 22 -j DROP

# Sample for allowing specific traffic from vlan to br0(lan)
# Jellyfin
iptables -D FORWARD -p tcp -s 192.168.200.0/24 -d 192.168.12.10 --dport 8920 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -p tcp -s 192.168.200.0/24 -d 192.168.12.10 --dport 8920 -j ACCEPT

And then NAT:
Code:
#!/bin/sh
# /jffs/scripts/nat-start

# NAT inside vlans
iptables -t nat -D POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -o br200 -j MASQUERADE >/dev/null 2>&1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -o br200 -j MASQUERADE

The "delete" rules are there so I can just add something and rerun the scripts without needing to reboot, and keep the order of the rules.

Scripts like these add the rules from the bottom up, so the last rule in the script will be the top rule in iptables/netfilter.
So it's very important that the order is correct and that you check how other scripts place their rules.

Should tbh probably place all these rules in an ipset or two for INPUT and FORWARD to keep it simpler with other scripts and insert them in the correct spot.

But a good starting point is to install all the addons you want, then do a reboot and run
Code:
 iptables-save > /tmp/iptables.txt
and check the order of the rules.

This is the big stumbling block imho of trying to run custom rules/VLANs on Asus routers (with addons).

BTW, DHCP leases can be checked in
Code:
cat /var/lib/misc/dnsmasq.leases
 

I'm not sure why, but I still can't get the router to give VLAN 200 devices an IP address. I've added the rules you mentioned. Here are my firewall-start and nat-start scripts. Is your router an HND router with a Broadcom chip?

Code:
#!/bin/sh
# /jffs/scripts/firewall-start

# Allow new incoming connections from bridges
iptables -D INPUT -i br172 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br172 -m state --state NEW -j ACCEPT

# Forbid packets from bridges to be forwarded to other interfaces
iptables -D FORWARD -i br172 -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br172 -j DROP

# But allow packet forwarding inside bridges
iptables -D FORWARD -i br172 -o br172 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br172 -o br172 -j ACCEPT

# Allow packet forwarding between bridges and eth0 (WAN)
iptables -D FORWARD -i br172 -o eth0 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br172 -o eth0 -j ACCEPT

# Allow one-way traffic from br0(lan) to bridges
iptables -D FORWARD -i br0 -o br172 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br172 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br172 -j ACCEPT
iptables -I FORWARD -i br172 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block webui/ssh from vlans
iptables -D INPUT -i br172 -p tcp --dport 8443 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br172 -p tcp --dport 80 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br172 -p tcp --dport 22 -j DROP >/dev/null 2>&1
iptables -I INPUT -i br172 -p tcp --dport 8443 -j DROP
iptables -I INPUT -i br172 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br172 -p tcp --dport 22 -j DROP



#VLAN 200  Home User

# Allow new incoming connections from bridges
iptables -D INPUT -i br200 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br200 -m state --state NEW -j ACCEPT

# Forbid packets from bridges to be forwarded to other interfaces
iptables -D FORWARD -i br200 -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br200 -j DROP

# But allow packet forwarding inside bridges
iptables -D FORWARD -i br200 -o br200 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br200 -o br200 -j ACCEPT

# Allow packet forwarding between bridges and eth0 (WAN)
iptables -D FORWARD -i br200 -o eth0 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br200 -o eth0 -j ACCEPT

# Allow one-way traffic from br0(lan) to bridges
iptables -D FORWARD -i br0 -o br200 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br200 -j ACCEPT
iptables -I FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block webui/ssh from vlans
iptables -D INPUT -i br200 -p tcp --dport 8443 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br200 -p tcp --dport 80 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br200 -p tcp --dport 22 -j DROP >/dev/null 2>&1
iptables -I INPUT -i br200 -p tcp --dport 8443 -j DROP
iptables -I INPUT -i br200 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br200 -p tcp --dport 22 -j DROP

Code:
#!/bin/sh
# /jffs/scripts/nat-start
# NAT inside vlans
iptables -t nat -D POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -o br200 -j MASQUERADE >/dev/null 2>&1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -o br200 -j MASQUERADE

# NAT inside vlans
iptables -t nat -D POSTROUTING -s 172.0.0.0/24 -d 172.0.0.0/24 -o br172 -j MASQUERADE >/dev/null 2>&1
iptables -t nat -A POSTROUTING -s 172.0.0.0/24 -d 172.0.0.0/24 -o br172 -j MASQUERADE
 
@rumi409, post your /jffs/configs/dnsmasq.conf.add file as well
 
Sure. Here's what mine looks like.

Code:
interface=br200
dhcp-range=br200,192.168.200.100,192.168.200.250,255.255.255.0,86400s
dhcp-option=br200,3,192.168.200.1
dhcp-option=br200,6,192.168.200.1

interface=br172
dhcp-range=br172,172.0.0.100,172.0.0.250,255.255.255.0,86400s
dhcp-option=br172,3,172.0.0.1
dhcp-option=br172,6,172.0.0.1
 
Hmm, that looks right. Does the br172 bridge get IPs assigned?
 
It does, and I see traffic. My UniFi AP is set up with networks for VLAN ID 172 and 200. The devices on those networks don't get any IPs assigned by the Asus router.

When I use the same setup with the EdgeRouter X, the networks set up on the UniFi AP get IPs assigned, so I know it should work.
 

Seems like tagging isn't working correctly? Might want to check if the VLAN module is loaded.
Code:
lsmod | grep vlan
If not, try to see if you can load it.
Code:
modprobe bcmvlan

Another thing to check might be to enable guest Wi-Fi on the router; when I do this, all LAN ports get tagged with VLAN 501 by default. Just to check that Asus doesn't do something different on their models.
 
Hmm, I guess you are connecting your UniFi AP straight to the router and don't use a managed switch?

Moved my UniFi AP to a tagged port on the router instead of my switch and can't get an IP (DHCP) either.
However, if I set a static IP on my phone, for example (when connected to the tagged VLAN network), it all works, so there seems to be an issue with dnsmasq.

Tried enabling guest network (that auto-enables VLAN 501 on all router ports), then setting up VLAN 501 on the UniFi while the AP is still connected to the router, and then DHCP works just fine.
Just have to figure out why =P
 
Right..... so you need to set guest network to enabled and "Access Intranet" to disabled for the router to turn on VLAN 501.

Regular Wi-Fi / guest Wi-Fi SSIDs can be hidden and "radios" turned off in the "Wireless - Professional" settings; VLAN 501 will still be enabled.
(With a standalone AP it might be a good idea to turn off the radios anyway; on my AX56 I save about 50 MB of RAM and the CPU goes from 60°C to 45°C.)

Strange thing is that doing this makes DHCP start working for the manually created VLANs/bridges when using a router port as a VLAN trunk.

So I guess this is a workaround, or use a managed switch.
Will try to figure out why enabling guest Wi-Fi makes DHCP requests start working when trunking directly to an AP on the router ports....
 
So, this was an odd one.

First off, the reason why it works when enabling guest network with "Access Intranet" disabled:
it enables two important INPUT rules for ports 67/68 (DHCP), which should already be covered by
Code:
-A INPUT -i br200 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT    (Asus default)
but clearly isn't, and if you back up the tables with iptables-save it shows that the rules added are only for br1, which the guest VLAN enables.
But if you print netfilter it actually enables "-s any -d any -p udp --dport 67,68".

Then the super weird one was that if you disable guest network and the rules are removed (rebooted), it still works, though it takes some extra time / a second DHCP request attempt.

Which made me believe there was something cached so that the packets finally hit the
Code:
-A INPUT -i br200 -m state --state NEW -j ACCEPT
rule, which it should, unless UDP doesn't count as a "state" in iptables, but then it doesn't explain why it works with a managed switch.


Can't for the life of me figure out why this is.

However, adding:
Code:
iptables -D INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br200 -p udp -m udp --dport 68 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i br200 -p udp -m udp --dport 68 -j ACCEPT
solved it straight away (reset the router to try it and it worked super quick on the first attempt).
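The firewall-start rules posted earlier in the thread and the DHCP/DNS accepts from this post are the same per-bridge policy repeated once per VLAN, with one `-I` line per rule and a `-D` line in front of it. As an added example (not a script from the thread), here is that policy as a function that emits the whole rule set for a bridge, so every VLAN gets identical rules and the ordering contract of `-I` is handled in one place. It assumes eth0 is the WAN and br0 the main LAN, as in the thread, and uses the thread's br200 subnet and Jellyfin host/port as sample values. One deliberate change from the posted script: instead of accepting NEW from the bridge and then denying 22/80/8443, this version denies everything aimed at the router from the VLAN and allows only DHCP, DNS and ping, so any other service the router listens on is closed without having to enumerate ports.

```sh
#!/bin/sh
# Added example, not the thread's own script: the posted firewall-start policy plus
# the explicit DHCP/DNS accepts, as one function per VLAN bridge.
# Assumptions: WAN is eth0 and the main LAN bridge is br0 (as in the thread); the
# bridge, subnet and Jellyfin host/port at the bottom are the thread's sample values.
# DRYRUN=1 prints the iptables commands instead of running them.

WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# rule <table> <chain> <match...>: delete any existing copy, then insert at the top.
# Rerunning the script therefore never duplicates a rule. Because -I puts every rule
# at position 1, the LAST rule written here is the FIRST one matched, so each
# function below lists rules from most general (the catch-all DROP) to most specific.
rule() {
    table="$1"; shift
    [ "${DRYRUN:-0}" = "1" ] || iptables -t "$table" -D "$@" >/dev/null 2>&1
    run iptables -t "$table" -I "$@"
}

# isolate_bridge <bridge> <subnet>: default-deny policy for one VLAN bridge.
isolate_bridge() {
    br="$1"; net="$2"
    # FORWARD: nothing leaves the bridge except to the WAN, to itself, and replies to the LAN
    rule filter FORWARD -i "$br" -j DROP
    rule filter FORWARD -i "$br" -o "$br" -j ACCEPT
    rule filter FORWARD -i "$br" -o "$WAN" -j ACCEPT
    rule filter FORWARD -i "$LAN" -o "$br" -j ACCEPT
    rule filter FORWARD -i "$br" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # INPUT: only DHCP, DNS, ping and replies reach the router itself from the VLAN
    rule filter INPUT -i "$br" -j DROP
    rule filter INPUT -i "$br" -m state --state RELATED,ESTABLISHED -j ACCEPT
    rule filter INPUT -i "$br" -p icmp --icmp-type echo-request -j ACCEPT
    rule filter INPUT -i "$br" -p udp --dport 67 -j ACCEPT
    rule filter INPUT -i "$br" -p udp --dport 53 -j ACCEPT
    rule filter INPUT -i "$br" -p tcp --dport 53 -j ACCEPT
    # hairpin NAT inside the VLAN, the thread's nat-start rule
    rule nat POSTROUTING -s "$net" -d "$net" -o "$br" -j MASQUERADE
}

# allow_to_lan <bridge> <subnet> <lan-host> <tcp-port>: one LAN service reachable
# from a VLAN. Call it after isolate_bridge so the rule lands above the DROP.
allow_to_lan() {
    rule filter FORWARD -i "$1" -o "$LAN" -s "$2" -d "$3" -p tcp --dport "$4" -j ACCEPT
}

# Preview:  sh fw-vlan.sh preview      Apply:  sh fw-vlan.sh apply (from firewall-start)
case "${1:-}" in
    preview|apply)
        [ "$1" = "preview" ] && DRYRUN=1
        isolate_bridge br200 192.168.200.0/24
        allow_to_lan   br200 192.168.200.0/24 192.168.12.10 8920   # Jellyfin, from the thread
        ;;
esac
```

`sh fw-vlan.sh preview` lists the 13 commands in execution order; read them bottom-up to see the order netfilter will match them in. Because the posted nat-start rule is emitted from the same function, the NAT and filter rules for a VLAN can no longer drift apart between two scripts.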
 
I checked to see if the VLAN module was loaded; the output of the command is below. Not sure what that means.

Code:
lsmod | grep vlan
bcmvlan               109163  0
rdpa_mw                29488  2 bcmvlan,rdpa_cmd

I did configure the managed switch to use 802.1Q VLANs. I made sure it worked with the EdgeRouter before proceeding with the Asus AX11000. Once I made the suggested changes to firewall-start, I was in the same position: the VLAN traffic didn't get an IP assigned. What was worse is that I could no longer access the web interface. Here is the firewall-start script:

Code:
#!/bin/sh
# /jffs/scripts/firewall-start

#VLAN 172 IOT Rules

#Allow DHCP and DNS
iptables -D INPUT -i br172 -p udp -m udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br172 -p udp -m udp --dport 67 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br172 -p udp -m udp --dport 68 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br172 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i br172 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i br172 -p udp -m udp --dport 68 -j ACCEPT

# Allow new incoming connections from bridges
iptables -D INPUT -i br172 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br172 -m state --state NEW -j ACCEPT

# Forbid packets from bridges to be forwarded to other interfaces
iptables -D FORWARD -i br172 -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br172 -j DROP

# But allow packet forwarding inside bridges
iptables -D FORWARD -i br172 -o br172 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br172 -o br172 -j ACCEPT

# Allow packet forwarding between bridges and eth0 (WAN)
iptables -D FORWARD -i br172 -o eth0 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br172 -o eth0 -j ACCEPT

# Allow one-way traffic from br0(lan) to bridges
iptables -D FORWARD -i br0 -o br172 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br172 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br172 -j ACCEPT
iptables -I FORWARD -i br172 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block webui/ssh from vlans
iptables -D INPUT -i br172 -p tcp --dport 8443 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br172 -p tcp --dport 80 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br172 -p tcp --dport 22 -j DROP >/dev/null 2>&1
iptables -I INPUT -i br172 -p tcp --dport 8443 -j DROP
iptables -I INPUT -i br172 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br172 -p tcp --dport 22 -j DROP

#VLAN 10 Tenant Rules

#Allow DHCP and DNS
iptables -D INPUT -i br10 -p udp -m udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br10 -p udp -m udp --dport 67 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br10 -p udp -m udp --dport 68 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br10 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i br10 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i br10 -p udp -m udp --dport 68 -j ACCEPT

# Allow new incoming connections from bridges
iptables -D INPUT -i br10 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br10 -m state --state NEW -j ACCEPT

# Forbid packets from bridges to be forwarded to other interfaces
iptables -D FORWARD -i br10 -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br10 -j DROP

# But allow packet forwarding inside bridges
iptables -D FORWARD -i br10 -o br10 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br10 -o br10 -j ACCEPT

# Allow packet forwarding between bridges and eth0 (WAN)
iptables -D FORWARD -i br10 -o eth0 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br10 -o eth0 -j ACCEPT

# Allow one-way traffic from br0(lan) to bridges
iptables -D FORWARD -i br0 -o br10 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br10 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br10 -j ACCEPT
iptables -I FORWARD -i br10 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block webui/ssh from vlans
iptables -D INPUT -i br10 -p tcp --dport 8443 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br10 -p tcp --dport 80 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br10 -p tcp --dport 22 -j DROP >/dev/null 2>&1
iptables -I INPUT -i br10 -p tcp --dport 8443 -j DROP
iptables -I INPUT -i br10 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br10 -p tcp --dport 22 -j DROP

#VLAN 200  Home User

#Allow DHCP and DNS
iptables -D INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br200 -p udp -m udp --dport 68 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i br200 -p udp -m udp --dport 68 -j ACCEPT

# Allow new incoming connections from bridges
iptables -D INPUT -i br200 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br200 -m state --state NEW -j ACCEPT


# Forbid packets from bridges to be forwarded to other interfaces
iptables -D FORWARD -i br200 -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br200 -j DROP

# But allow packet forwarding inside bridges
iptables -D FORWARD -i br200 -o br200 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br200 -o br200 -j ACCEPT

# Allow packet forwarding between bridges and eth0 (WAN)
iptables -D FORWARD -i br200 -o eth0 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br200 -o eth0 -j ACCEPT

# Allow one-way traffic from br0(lan) to bridges
iptables -D FORWARD -i br0 -o br200 -j ACCEPT >/dev/null 2>&1
iptables -D FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br200 -j ACCEPT
iptables -I FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block webui/ssh from vlans
iptables -D INPUT -i br200 -p tcp --dport 8443 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br200 -p tcp --dport 80 -j DROP >/dev/null 2>&1
iptables -D INPUT -i br200 -p tcp --dport 22 -j DROP >/dev/null 2>&1
iptables -I INPUT -i br200 -p tcp --dport 8443 -j DROP
iptables -I INPUT -i br200 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br200 -p tcp --dport 22 -j DROP
 
Below is the output of iptables after the new firewall rules and a reboot.

Code:
/tmp/iptables.txt
# Generated by iptables-save v1.4.15 on Sun Mar  6 19:03:09 2022
*raw
:PREROUTING ACCEPT [28862:5482835]
:OUTPUT ACCEPT [28993:20592444]
COMMIT
# Completed on Sun Mar  6 19:03:09 2022
# Generated by iptables-save v1.4.15 on Sun Mar  6 19:03:09 2022
*nat
:PREROUTING ACCEPT [2093:307793]
:INPUT ACCEPT [617:52622]
:OUTPUT ACCEPT [106:12584]
:POSTROUTING ACCEPT [95:9453]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A PREROUTING -d 138.88.81.133/32 -j GAME_VSERVER
-A PREROUTING -d 138.88.81.133/32 -j VSERVER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s 138.88.81.133/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -o br200 -j MASQUERADE
-A POSTROUTING -s 172.0.0.0/24 -d 172.0.0.0/24 -o br172 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -o br10 -j MASQUERADE
-A VSERVER -j VUPNP
COMMIT
# Completed on Sun Mar  6 19:03:09 2022
# Generated by iptables-save v1.4.15 on Sun Mar  6 19:03:09 2022
*mangle
:PREROUTING ACCEPT [5617:1189235]
:INPUT ACCEPT [3167:682857]
:FORWARD ACCEPT [1564:374557]
:OUTPUT ACCEPT [2172:1647191]
:POSTROUTING ACCEPT [3793:2029956]
COMMIT
# Completed on Sun Mar  6 19:03:09 2022
# Generated by iptables-save v1.4.15 on Sun Mar  6 19:03:09 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2141:1642326]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:IControls - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:NSFW - [0:0]
:OUTPUT_DNS - [0:0]
:OUTPUT_IP - [0:0]
:OVPN - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:WGNPControls - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logdrop_dns - [0:0]
:logdrop_ip - [0:0]
:other2wan - [0:0]
-A INPUT -i br200 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i br200 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i br200 -p tcp -m tcp --dport 8443 -j DROP
-A INPUT -i br200 -m state --state NEW -j ACCEPT
-A INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br10 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i br10 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i br10 -p tcp -m tcp --dport 8443 -j DROP
-A INPUT -i br10 -m state --state NEW -j ACCEPT
-A INPUT -i br10 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br10 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br172 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i br172 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i br172 -p tcp -m tcp --dport 8443 -j DROP
-A INPUT -i br172 -m state --state NEW -j ACCEPT
-A INPUT -i br172 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br172 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT ! -i lo -p tcp -m tcp --dport 5152 -j logdrop
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -i br2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br2 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i br2 -j DROP
-A INPUT -j logdrop
-A FORWARD -i br200 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br200 -j ACCEPT
-A FORWARD -i br200 -o eth0 -j ACCEPT
-A FORWARD -i br200 -o br200 -j ACCEPT
-A FORWARD -i br200 -j DROP
-A FORWARD -i br10 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br10 -j ACCEPT
-A FORWARD -i br10 -o eth0 -j ACCEPT
-A FORWARD -i br10 -o br10 -j ACCEPT
-A FORWARD -i br10 -j DROP
-A FORWARD -i br172 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br172 -j ACCEPT
-A FORWARD -i br172 -o eth0 -j ACCEPT
-A FORWARD -i br172 -o br172 -j ACCEPT
-A FORWARD -i br172 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br2 -j WGNPControls
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop
-A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
-A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
-A OUTPUT -j OUTPUT_IP
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT_PING -i eth0 -p icmp -j logdrop
-A OUTPUT_DNS -m string --hex-string "|10706f697579747975696f706b6a666e6603636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0d72666a656a6e666a6e65666a6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|1131306166646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f376d667364666173646d6b676d726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0d386d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f3966646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|086861636b7563647403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|076c696e77756469056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f6c6b6a68676664736174727975696f03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0b6d6e627663787a7a7a313203636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|077131313133333303746f7000|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|057371353230056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|077563746b6f6e6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0e7a786376626d6e6e666a6a66777103636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0a65756d6d6167766e627003636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_IP -d 193.201.224.0/24 -j logdrop_ip
-A OUTPUT_IP -d 51.15.120.245/32 -j logdrop_ip
-A OUTPUT_IP -d 45.33.73.134/32 -j logdrop_ip
-A OUTPUT_IP -d 190.115.18.28/32 -j logdrop_ip
-A OUTPUT_IP -d 51.159.52.250/32 -j logdrop_ip
-A OUTPUT_IP -d 190.115.18.86/32 -j logdrop_ip
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_dns -j DROP
-A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_ip -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop
COMMIT
# Completed on Sun Mar  6 19:03:09 2022
 
It looks like there is some traffic that is tagged coming into the router, but I'm not sure what it is.
Code:
rumi@KaziGT:/tmp/home/root# ifconfig br200
br200     Link encap:Ethernet  HWaddr 04:D4:C4:D2:33:00
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:711 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:137279 (134.0 KiB)  TX bytes:0 (0.0 B)

rumi@KaziGT:/tmp/home/root# ifconfig br10
br10      Link encap:Ethernet  HWaddr 04:D4:C4:D2:33:00
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:88749 (86.6 KiB)  TX bytes:2238 (2.1 KiB)

rumi@KaziGT:/tmp/home/root# ifconfig br172
br172     Link encap:Ethernet  HWaddr 04:D4:C4:D2:33:00
          inet addr:172.0.0.1  Bcast:172.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:5381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1055776 (1.0 MiB)  TX bytes:99682 (97.3 KiB)
 
So, this was an odd one.

First off, the reason why it works when enabling guest network with "Access Intranet" disabled:
it enables two important INPUT rules for ports 67,68 (dhcp) (which should be covered by):
Code:
-A INPUT -i br200 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT   # (asus default)
But clearly it isn't, and if you back up the tables with iptables-save it shows that the rules added are only for br1, which the guest VLAN enables.
But if you print netfilter it actually enables "-s any -d any -p udp --dport 67,68"

Then the super weird one was that if you disable guest network and the rules are removed (rebooted),
it still works, though it takes some extra time/a second dhcp request attempt.

Which made me believe there was something cached so that the packets finally hit the:
Code:
-A INPUT -i br200 -m state --state NEW -j ACCEPT
rule, which it should, unless UDP doesn't count as a "state" in iptables; but then it doesn't explain why it works with a managed switch.


Can't for the life of me figure out why this is.

However adding:
Code:
iptables -D INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT >/dev/null 2>&1
iptables -D INPUT -i br200 -p udp -m udp --dport 68 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br200 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i br200 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i br200 -p udp -m udp --dport 68 -j ACCEPT
Solved it straight away (reset the router to try it and it worked super quick on the first attempt).
BTW, are you still on the 386.5 Beta or did you upgrade to the release version?
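The fix from the post above, generalized to all three VLAN bridges seen in the iptables-save output, as an added example that is not code from the thread: each bridge gets the DHCP/DNS accepts inserted at the top of INPUT, the admin-port drops, and the FORWARD isolation shown above, using the same delete-then-insert pattern so re-running never duplicates rules. The function names, the `IPT`/`VLAN_BRIDGES`/`WAN_IF`/`LAN_BR` variables and the dry-run mode are assumptions; interface names come from the posts.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-VLAN-bridge firewall rules
# matching the iptables-save above: accept DHCP (67/68) and DNS (53) to the
# router from the bridge, drop the router's admin ports (22/80/8443), let the
# VLAN reach the WAN, let br0 reach the VLAN but not the reverse, drop the rest.
# Function names and the IPT/VLAN_BRIDGES variables are hypothetical.
: "${IPT:=iptables}"        # set IPT=echo to dry-run and only print the commands
WAN_IF="${WAN_IF:-eth0}"    # WAN interface, as in the iptables-save above
LAN_BR="${LAN_BR:-br0}"     # main LAN bridge

# Rules for one bridge, one per line, in the top-to-bottom order they must
# end up in (the catch-all FORWARD DROP last). Format: CHAIN <rule spec>.
vlan_rules() {
    cat <<EOF
INPUT -i $1 -p udp -m udp --dport 67 -j ACCEPT
INPUT -i $1 -p udp -m udp --dport 68 -j ACCEPT
INPUT -i $1 -p udp -m udp --dport 53 -j ACCEPT
INPUT -i $1 -p tcp -m tcp --dport 22 -j DROP
INPUT -i $1 -p tcp -m tcp --dport 80 -j DROP
INPUT -i $1 -p tcp -m tcp --dport 8443 -j DROP
FORWARD -i $1 -o $WAN_IF -j ACCEPT
FORWARD -i $LAN_BR -o $1 -j ACCEPT
FORWARD -i $1 -o $LAN_BR -m state --state RELATED,ESTABLISHED -j ACCEPT
FORWARD -i $1 -j DROP
EOF
}

# Insert the rules at the top of their chains. Each -I lands above the previous
# one, so the list is walked in reverse to keep the order above. Every rule is
# deleted first so re-running (e.g. after a firewall restart) never duplicates it.
apply_vlan_rules() {
    vlan_rules "$1" | sed -n '1!G;h;$p' | while IFS= read -r rule; do
        chain="${rule%% *}"
        spec="${rule#* }"
        # shellcheck disable=SC2086  # $spec must word-split into arguments
        $IPT -D "$chain" $spec >/dev/null 2>&1 || true
        # shellcheck disable=SC2086
        $IPT -I "$chain" $spec
    done
}

# VLAN_BRIDGES is empty by default, so sourcing this file changes nothing.
for br in ${VLAN_BRIDGES:-}; do
    apply_vlan_rules "$br"
done
```

Run it as `VLAN_BRIDGES="br200 br10 br172" sh vlan-fw.sh`, or set `VLAN_BRIDGES` at the top and call it from `/jffs/scripts/firewall-start` (assuming the usual Merlin hook) so the rules come back after every firewall restart; `IPT=echo` prints the commands instead of applying them.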
 
