To explain properly, I need to tell you the scenario:
LAN network: vlan1
Phone LAN: vlan20
Vlan1 and vlan20 on the same NethSecurity port, vlan1 untagged, vlan20 tagged.
PBX: on vlan20 untagged on the switch
Vlan20 tagged phones on the switch ports.
The PBX is the DHCP server. Is it not possible to configure the DHCP relay on the firewall? I tried with uci but I don’t see the DHCP relay daemon.
The phones send discover, but NethSecurity doesn’t pass anything to the PBX.
I tried to be brief and quick; I hope I explained myself well.
Hi @vespa70
Yes, NethSecurity supports DHCP relay, but only via terminal/UCI and with a very specific syntax. In addition, the documentation indicates that the relay exists, so the daemon is integrated even if there is no graphical interface. [DHCP relay]
According to the documentation, the basic configuration is:
uci add dhcp relay
uci set dhcp.@relay[-1].interface='<INTERFACE_NAME>'
uci set dhcp.@relay[-1].local_addr='<LOCAL_ADDR>'
uci set dhcp.@relay[-1].server_addr='<SERVER_ADDR>'
uci commit dhcp
reload_config
Example adapted to your case (adjust real interface names and addresses):
<INTERFACE_NAME>: the logical interface where the phones arrive (for example vlan20 or the name it has in network/UI).
<LOCAL_ADDR>: NethSecurity IP in that VLAN (for example 192.168.20.1).
<SERVER_ADDR>: IP of the PBX (DHCP server) in VLAN 20 (e.g. 192.168.20.10). [DHCP relay]
Concrete example:
uci add dhcp relay
uci set dhcp.@relay[-1].interface='vlan20'
uci set dhcp.@relay[-1].local_addr='192.168.20.1'
uci set dhcp.@relay[-1].server_addr='192.168.20.10'
uci commit dhcp
reload_config
Points to verify in your scenario:
Correct interface name
Use uci show network or the UI to see what exactly the VLAN 20 interface is called in NethSecurity (e.g. blue, lan2, eth0.20, etc.) and use that name in interface. [UCI overview]
VLAN traffic
Make sure the switch is configured correctly:
Port to NethSecurity: vlan1 untagged, vlan20 tagged (as you already indicated).
Port to PBX: vlan20 untagged.
Telephone ports: vlan20 tagged (or VLAN voice if the switch supports it).
You can find the commands here:
If you experience any issue, please report the commands you typed and the relevant error log.
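An added example, not part of the thread or of NethSecurity: `uci set` stores whatever option name is typed without validating it, so a misspelled relay key is accepted silently. The `check_relay` function below (a hypothetical helper) lints the relay sections in `uci show dhcp` output for the three options named above; the sample text is constructed from the addresses used in this thread.

```shell
#!/bin/sh
# Added example, not NethSecurity code. Lints relay sections in `uci show dhcp`
# output; on the firewall: uci show dhcp | check_relay
check_relay() {
    awk -F= -v q="'" '
    function is_ipv4(s,   n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    /^dhcp\.@relay\[[0-9]+\]=relay$/ { seen[$1] = 1; next }
    /^dhcp\.@relay\[[0-9]+\]\./ {
        sec = $1; sub(/\.[^.]*$/, "", sec)   # e.g. dhcp.@relay[0]
        opt = $1; sub(/^.*\./, "", opt)      # option name as stored by uci
        val = $2; gsub(q, "", val)           # uci show quotes values
        seen[sec] = 1
        if (opt ~ /^(interface|local_addr|server_addr)$/) have[sec, opt] = val
        else { printf "%s: unknown option %s\n", sec, opt; bad = 1 }
    }
    END {
        n = split("interface local_addr server_addr", req, " ")
        for (s in seen) {
            count++
            for (i = 1; i <= n; i++) {
                if (!((s, req[i]) in have)) {
                    printf "%s: missing %s\n", s, req[i]; bad = 1
                } else if (i > 1 && !is_ipv4(have[s, req[i]])) {
                    printf "%s: %s=%s is not IPv4\n", s, req[i], have[s, req[i]]; bad = 1
                }
            }
        }
        if (!count) { print "no relay section found"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed samples of `uci show dhcp` output (addresses are the thread examples).
SAMPLE_BAD="dhcp.@relay[0]=relay
dhcp.@relay[0].interface='vlan20'
dhcp.@relay[0].local_addr='192.168.20.1'
dhcp.@relay[0].server_add='192.168.20.10'"
SAMPLE_GOOD=$(printf '%s\n' "$SAMPLE_BAD" | sed 's/server_add=/server_addr=/')
printf '%s\n' "$SAMPLE_BAD" | check_relay || echo "relay config needs fixing"
```

A non-zero exit status means at least one relay section is incomplete or contains an unrecognised key.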
@vespa70 Good morning, were you able to resolve this?