OpenWrt Forum Archive

Topic: Connecting guest interface to bridged network [Solved]

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a bridged network (wlan and wan) working fine - devices connected through wlan get internet access through eth0 (the wlan port).

I have added a "guest" network and need to forward traffic between guest and the bridged lan (each on its own subnet). But for some reason, the forwarding rule described in the uci firewall doc just doesn't work as advertised.

In /etc/config/network:

config interface 'br'
        option ifname 'eth0'
        option type 'bridge'
        option force_link '1'
        option proto 'dhcp'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

In /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/br/'
        option domain 'br'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '0'
        option localservice '1'

config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '100'
        option leasetime '1h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

In /etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'br'
        list network 'br'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'br'

config forwarding
        option src 'br'
        option dest 'guest'

config rule
        option name 'Allow Guest DNS'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DHCP'
        option src 'guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

The guest network is wide open at the moment (accepting input and forward requests) because I can't seem to get any traffic through the connection. I'll worry about restricting access once it's working. Pretty sure a default route is needed somewhere (since br gets its IP via DHCP and is in the 192.168.x.x range, and the guest clients are in the 10.0.0.x range), but I haven't been successful figuring out how to do that via UCI. Have spent several days poring over docs and posts (many of which are years out of date) and have come up empty. Any help would be appreciated!

(Last edited by sbinder on 16 Nov 2017, 20:54)

You should try enabling NAT on the br interface I think, and enable default route on br. If the main router recognizes 10.0.0.x, and has a static route to 10.0.0.x, then you shouldn't need NAT on br.

Thanks. I really wish I had a better handle on routing. The default route for br is assigned by DHCP and points to the Internet router. From the Openwrt device, I can reach the Internet (via the br interface) and the computers connected to the guest interface. I'm just not sure how to route packets correctly between the two.

sbinder wrote:

I'm just not sure how to route packets correctly between the two.

It may already be routing packets received from the guests via br, but you won't get any replies if you don't have a static route on your main router to 10.0.0.0/24. An alternative is to add the following to the br zone in the firewall config file, which enables NAT for the guests:

        option masq '1'
        option mtu_fix '1'

(Last edited by mikma on 13 Nov 2017, 03:23)

Still no joy.

I have reproduced the routing table below (changed the bridge name to bc because br-br is unnecessarily confusing):

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.8.1     0.0.0.0         UG        0 0          0 br-bc
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 wlan0-1
192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 br-bc
192.168.8.1     0.0.0.0         255.255.255.255 UH        0 0          0 br-bc

As I understand it:
Line 1 sends Internet requests to the Internet router (192.168.8.1) through the default gateway on the bridge.
Line 2 (should) send returning packets to the 10.0.0.x subnet through the guest interface (wlan0-1).
Line 3 refers to the subnet of the Internet router (reachable through br-bc).
Line 4 refers to the Internet router itself (also reachable through br-bc).

It doesn't seem to matter if I have masquerading enabled on the guest interface - I never see any return packets from the default gateway.

What does the routing table look like on the default gateway? If you are not masquerading, then you need some routing protocol active to let the Internet router know where the 10.0.0.0 network is; otherwise it's going to either drop the packets or send them to its default gateway.

It is also possible your ISP is using the 10 network internally, fouling up the mix.

The statements you made about your routing table are accurate EXCEPT, and this is mostly semantics, the default gateway sends all unknown addresses to the default gateway. So if you tried to get to 192.168.33.33, it would go to the default gateway as well even though it isn't an "internet" packet.

Thank you mikma and WWTK!

Your comments pointed me in the correct direction. I'm not sure why it didn't work the first time I tried it, but the key was mikma's idea about enabling NAT on the br interface (NOT the guest interface). Since the main router (the one providing addresses on the bridge) has no knowledge of any other subnets, this is necessary. But it's also important to restrict masquerading to the 10.0.0.x guest subnet - no need to confuse the main router by masquerading addresses on its own subnet. So the correct (/etc/config/firewall) zone stanza for the bridge is:

config zone
        option name 'br'
        list network 'br'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list masq_src '10.0.0.0/24'

Then the guest zone can be defined as:

config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

...with appropriate firewall rules for what gets passed from guest to br.
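A complete /etc/config/firewall that puts mikma's NAT suggestion and sbinder's final zone stanzas together with the "appropriate firewall rules" left open at the end of the thread. This is an added example, not a config posted in the original thread. Two assumptions that the thread does not state: the upstream LAN the bridge sits on is 192.168.8.0/24 (taken from the routing table posted above), and guests should be able to reach the Internet plus the router's own DNS and DHCP, but nothing else on the upstream LAN or on the OpenWrt box itself.

```uci
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Upstream side. The bridge gets its address from the main router by DHCP,
# and the main router knows nothing about 10.0.0.0/24, so guest traffic is
# masqueraded behind the bridge address. masq_src keeps NAT off the
# bridge's own 192.168.8.x hosts.
config zone
        option name 'br'
        list network 'br'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list masq_src '10.0.0.0/24'

# Guest side. Nothing into the router and nothing forwarded unless a rule
# or forwarding below explicitly allows it.
config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Guests may be forwarded towards the bridge, and from there to the Internet.
config forwarding
        option src 'guest'
        option dest 'br'

# ...but not to hosts on the upstream LAN itself. 192.168.8.0/24 is an
# assumption taken from the routing table in the thread; adjust to taste.
# fw3 places rules ahead of the zone forwarding, so this REJECT is hit
# before the guest->br forwarding above.
config rule
        option name 'Block guest to upstream LAN'
        option src 'guest'
        option dest 'br'
        option dest_ip '192.168.8.0/24'
        option proto 'all'
        option target 'REJECT'

# Services guests need from the OpenWrt box itself: DHCP from dnsmasq on
# the guest interface (client sends 68 -> 67) and DNS.
config rule
        option name 'Allow guest DHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow guest DNS'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, two checks are worth doing on the box: `iptables -t nat -S zone_br_postrouting` should show the MASQUERADE rule carrying `-s 10.0.0.0/24` and nothing broader, and `iptables -S zone_guest_forward` should list the REJECT for 192.168.8.0/24 before the jump that implements the guest-to-br forwarding. Note that none of this stops guests talking to each other over the air; if that matters, set `option isolate '1'` on the guest wifi-iface in /etc/config/wireless as well.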

The discussion might have continued from here.