17.01 guest WLAN client Failed to obtain IP address

Hi,

Can someone point me in the right direction with debugging an issue with the guest WLAN setup? I followed the instructions at https://wiki.openwrt.org/doc/recipes/guest-wlan-webinterface. However, when I try to connect to the guest network using my Android phone, I am getting the "Failed to obtain IP address" message. Also, I am seeing this message in the router log.

Sat Feb 4 18:03:20 2017 daemon.warn dnsmasq-dhcp[18225]: DHCP packet received on wlan0-2 which has no address

I triple-checked all the configuration and firewall settings. They seem to be correct. So any idea what I did wrong and how I can fix this problem? I tried stopping the firewall to see if it's firewall related. That didn't help; same message on the phone and router.

BTW, I also have a WLAN set up on the same router for LAN access, working fine with RADIUS auth using EAP-TLS. I can get an IP and access the LAN and Internet no problem.

Here's the wlan0-2 interface.

gw:/etc/config# ifconfig wlan0-2

wlan0-2   Link encap:Ethernet  HWaddr 86:xx:73:xx:A5:xx  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17752 (17.3 KiB)  TX bytes:20286 (19.8 KiB)

gw:/etc/config# ip addr list wlan0-2

34: wlan0-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 86:xx:73:xx:a5:xx brd ff:ff:ff:ff:ff:ff

It seems your wlan0-2 interface has no IP address. And thus dnsmasq cannot do DHCP.
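The diagnosis above can be scripted. The following is an added example, not code from this thread, from OpenWrt or from dnsmasq: it reads dnsmasq's "which has no address" warnings from the system log together with `ip addr` output and reports which interfaces are receiving DHCP requests while carrying no IPv4 address. The log lines and `ip addr` output are constructed samples modelled on the lines in the original post, and the function names are chosen for this example.

```python
# Added example for this thread, not code from OpenWrt or dnsmasq: correlate dnsmasq's
# "DHCP packet received on X which has no address" warnings with `ip addr` output and
# list the interfaces that are taking DHCP requests without carrying an IPv4 address.
import re

WARN_RE = re.compile(r'dnsmasq-dhcp\[\d+\]: DHCP packet received on (\S+) which has no address')
IFACE_RE = re.compile(r'^\d+: ([^:@\s]+)[@:]')  # "34: wlan0-2: <...>" or "5: eth0.1@eth0: <...>"
INET_RE = re.compile(r'^\s+inet (\d+(?:\.\d+){3}/\d+)')


def parse_ip_addr(text):
    """Map each interface in `ip addr` output to its IPv4 addresses (possibly none)."""
    addrs, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            addrs[cur] = []
        elif cur is not None:
            m = INET_RE.match(line)
            if m:
                addrs[cur].append(m.group(1))
    return addrs


def addressless_dhcp_ifaces(log_text, ip_addr_text):
    """For every interface dnsmasq complained about: how many DHCP requests it saw and
    which IPv4 addresses `ip addr` shows on it (an empty list confirms the warning)."""
    addrs = parse_ip_addr(ip_addr_text)
    counts = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {name: {'requests': n, 'ipv4': addrs.get(name, [])} for name, n in counts.items()}


# Constructed sample input, modelled on the log line and `ip addr` output in the original post.
LOG = """\
Sat Feb  4 18:03:20 2017 daemon.warn dnsmasq-dhcp[18225]: DHCP packet received on wlan0-2 which has no address
Sat Feb  4 18:03:24 2017 daemon.warn dnsmasq-dhcp[18225]: DHCP packet received on wlan0-2 which has no address
Sat Feb  4 18:03:30 2017 daemon.info dnsmasq-dhcp[18225]: DHCPACK(br-lan) 192.168.1.23 aa:bb:cc:dd:ee:ff phone
"""
IP_ADDR = """\
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
34: wlan0-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 86:00:73:00:a5:00 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == '__main__':
    for name, info in addressless_dhcp_ifaces(LOG, IP_ADDR).items():
        print(f"{name}: {info['requests']} DHCP request(s), IPv4 addresses: {info['ipv4'] or 'none'}")
```

On the router the two inputs would come from `logread` and `ip addr`; the script keeps them as strings so it runs offline. An interface that shows up in the result with an empty address list is one that netifd never configured, which is exactly the state the warning describes.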

My configuration for the guest WLAN is the following. I am not using LuCI.

/etc/config/wireless

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option maxassoc '14'
	option encryption 'none'
	option ssid 'Guest'
	option ifname 'guest'
	option network 'guest'
	option max_inactivity '100'
	option isolate '1'

/etc/config/network

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.254'

/etc/config/firewall

config zone
	option name 'guest'
	option network 'guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

I suggest you follow this recipe.

I just configured a Guest LAN on a HooToo TM-02 using the GUI method in 17.01 and have it working. I have tested with an iPhone and PC. Granted, the directions are not extremely clear, mostly regarding when to save and edit a page.

You do not say if you can connect with other devices to your Guest. I recall seeing some complaints about issues with Android phones but am not sure about the application.

I am not able to see any other devices on my LAN, including the router, under Windows Vista.

I do have the additional firewall rules not included above:

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

and a DHCP section:

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option interface 'guest'
	option limit '110'

I also do not have the isolate statement in the wireless config, but this is not something one can configure in LuCI. It's manual.

Thanks for your reply @jimzhong. Here are my current running configs for the guest (open) WLAN. I did double-check my settings against the link in your post.

/etc/config/wireless

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'open'
        option network 'open'
        option encryption 'psk2+ccmp'
        option key 'xxxxxxx'

/etc/config/network

config interface 'open'
        option ifname 'open'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.10.10.1'

/etc/config/firewall

config zone
        option name 'open'
        option network 'open'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'open'

config rule
        option src 'open'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option name 'Allow Open DNS Queries'

config rule
        option src 'open'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'Allow Open DHCP request'

config rule
        option name 'Drop open  broadcast'
        option src 'open'
        option dest_ip '172.16.62.255'
        option target 'DROP'

config rule
        option name 'Deny open -> WAN'
        option src 'open'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

/etc/config/dhcp

config dhcp 'open'
        option interface 'open'
        option leasetime '1h'
        option start '97'
        option limit '30'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

Hi @RangerZ,

I did test connecting to my guest (open) WLAN using my MacBook Pro. Same result: unable to obtain an IP from my guest network/DHCP-defined subnet. Again, I have no problem connecting to other WLANs configured on the same router from both devices.

Let me know if any other debug information is required. I am pretty familiar with the uci command and I can get a shell on the router.

For the "allow Open DHCP request" rule I do not have the src_port line. It's in the CLI wiki, not in the GUI wiki.

I do not think you need the last 2 rules. They are for a special case described in 4b in the CLI wiki. I would at least try without them.

I removed the src_port line under the "allow Open DHCP request" rule and the last 2 rules for dropping broadcast and denying to WAN. Clients connected to the guest (open) WLAN are still not getting an IP. I also tested with an iPhone; the DHCP request eventually timed out and it did not get a valid IP. As I also mentioned in my original post, I have completely stopped the firewall and the result remains the same. I think it's something to do with the DHCP server. I am going to try to delete all guest (open) WLAN settings and start over to see if that helps.

I removed all settings and started fresh with "Configuration by shell script", and everything works now. Thank you for the support.

In my case neither solution worked on LEDE 17.01.4:

https://lede-project.org/docs/user-guide/guestwifi_configuration
https://wiki.openwrt.org/doc/recipes/guest-wlan#configuration_by_shell_script

because the "guest" network interface was always down. In the web interface I was able to see the "guest" network connected to a "guest" interface that was greyed out.

I fixed it by changing it to a bridge with the two wifi interfaces:

 set network.${NETWORKID}.ifname='wlan0-1 wlan1-1'
 set network.${NETWORKID}.type=bridge

@rodrigoaguilera -

I have not tested a guest network in such a bridge config, but I would think it would defeat the purpose by bypassing the network isolation. Can you test and confirm that the guest network cannot access the main LAN?

FWIW, I have successfully set up guest network configs on 17.01.4, so I'm guessing there is a config error in your setup. Also, the guest network might actually be fine: check ifconfig to see the real status; sometimes the color coding for the LuCI interfaces can give the illusion that the network is down.

@psherman Thank you for taking the time to read :slight_smile:

Do you mean the LEDE user guide for a guest network in the docs worked?

The isolation should hold because wlan0-1 and wlan1-1 are separate wifi interfaces. The two lines I posted are the only changes I made to the config. I read that wlanX-X might not be constant between reboots, but everything seems fine so far.

I am mainly confused about what "guest" refers to in an ifname option versus "guest" as an interface inside /etc/config/network. Is an interface connected to itself? Can someone clarify?


I also checked with "ifstatus guest".
I didn't know how to bring it up since I expected the script to work out of the box.

I will have a router to play with soon and can check again. I had this problem on an R7800.

I'm new to the LEDE/*WRT world, but I noticed that a master wifi is greyed out till someone connects to it. So it's not a problem. After creating an SSID and a corresponding interface, with a static IP and with the DHCP service enabled on it, you have to create some firewall rules for DNS and DHCP on that interface so that clients can obtain an IP from the DHCP server of the router. After you can successfully connect to the SSID and get an IP, you have to set the firewall zone forwarding so the clients can connect to the internet through the WAN interface.
Let me know if there's something difficult to understand. :wink:

@rodrigoaguilera - I created the guest network on my own, not following a recipe (I've done it enough times now that I am pretty familiar with the process). Looking at the guide, the only major difference in my config is that I set up a VLAN under the switch to use as the Guest network, making it easy to assign to the wired interfaces. Otherwise, everything seems pretty much the same.

If you have the ability to create a VLAN on the ethernet switch, it can go a long way to verify that your network, DHCP, and firewall configurations are working properly without any additional complications of wireless. Once that is working, you can then make a bridge to tie together the wired VLAN (if desired) and the wireless configuration with your guest SSID.

Going back to the bridge question -- I haven't really used the network bridge features of LEDE much (beyond bridging the same network together), so I'm not exactly sure what it does in terms of network isolation. My concern is that by bridging the networks, it will establish some level of inter-VLAN routing by the nature of the bridge... but I might be wrong. This is why I would suggest that you check to verify that the two networks are indeed still isolated.

It is a little difficult to describe the way that interfaces work, and I may be incorrect in some of my explanation. An interface defines a place where network segments can 'interface' with each other, describing network characteristics that may include addresses, protocols, and other things that affect connectivity. Typically they are assigned a name and number like eth0 or wlan-1, tun0, or something like that. Interfaces themselves do not always need to be tied to a physical interface -- take for example a VPN 'tun' interface -- it is purely virtual. The names (LAN, Guest) are mostly there to make it more human readable, although it does nicely reference through to things like the firewall rules. You can think of it as a symbolic link, in a way.

Anyway, all of that said, if you post your config files (network, dhcp, firewall, wireless), and a description of what you are trying to achieve, the community can give you more targeted advice about how to get it working.

@rodrigoaguilera - I did some tests with bridging the networks... adding the bridge can compromise the security of your isolated network(s).

My starting point was the following:
2 VLANs: LAN and Guest
default firewall rules for LAN.
Guest has firewall zone settings input=accept output=accept, forward=reject. Forwarding allowed to WAN. Also added traffic rules to allow input to router on ports 67-68 (DHCP) and 53 (DNS) from Guest zone.

My computer was connected to the Guest network (ethernet) and another device was connected to LAN.

Without the bridge, I was not able to ping across VLANs.

In the interface definition, I added the bridge to the LAN interface, bridging the LAN with the Guest VLAN. I found that this resulted in non-optimal behavior: my router/gateway and DNS servers and IP address (assigned via DHCP) were from the LAN network despite the physical connection to the port assigned to the Guest VLAN. This means, by definition, that my guest network was now one and the same as my trusted LAN.

Undoing the LAN bridge and adding the bridge to the Guest interface (Guest VLAN + LAN) did not seem to be a problem, but I wouldn't assume that it is safe given the above test.

I would avoid using a bridge across networks that are supposed to be isolated. Instead, try to solve the fundamental issue.
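The checklist in RangerZ's post above (a zone for the guest network, input rules for DHCP and DNS, a dhcp section) and the bridge test in this post can be turned into a configuration audit. The following is an added example, not code from this thread, from the wiki recipe or from the OpenWrt/LEDE projects: it parses the four UCI files with a small parser and reports the gaps discussed here. The sample configs are constructed, modelled on the ones posted in this thread, with the DHCP input rule deliberately left out so the audit has something to report; `parse_uci`, `input_allowed` and `audit_guest` are names chosen for this example, and treating a rule without `proto` as `tcp udp` is an assumption about the firewall defaults. The bridge check generalises the LAN+Guest test above to any pair of interfaces that share a port in their `ifname` lists.

```python
# Added example for this thread, not code from the OpenWrt/LEDE projects: parse the four
# UCI config files and report the guest-network gaps discussed in the posts above.
import shlex

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opt': {k: v}, 'list': {k: [v]}}."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == 'config':
            cur = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None, 'opt': {}, 'list': {}}
            sections.append(cur)
        elif parts[0] == 'option' and cur:
            cur['opt'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and cur:
            cur['list'].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else '')
    return sections

def input_allowed(firewall, zone, proto, port):
    """True if the zone's input policy or an enabled ACCEPT rule admits proto/port to the router."""
    for s in firewall:
        o = s['opt']
        if s['type'] == 'zone' and o.get('name') == zone and o.get('input') == 'ACCEPT':
            return True
        if s['type'] != 'rule' or o.get('src') != zone or 'dest' in o:
            continue  # a rule with a 'dest' zone governs forwarding, not input to the router
        protos = o.get('proto', 'tcp udp').replace('tcpudp', 'tcp udp').split()  # assumed default
        spec = o.get('dest_port', '')  # '53', '67-68' or '53 67'; absent means any port
        hit = not spec or any(int(t.partition('-')[0]) <= port <= int(t.partition('-')[2] or t)
                              for t in spec.split())
        if (hit and o.get('enabled', '1') != '0' and o.get('target') == 'ACCEPT'
                and (proto in protos or 'all' in protos)):
            return True
    return False

def audit_guest(network_txt, wireless_txt, firewall_txt, dhcp_txt, guest='guest'):
    """Return findings for the guest network; an empty list means the pieces line up."""
    net, wifi = parse_uci(network_txt), parse_uci(wireless_txt)
    fw, dhcp = parse_uci(firewall_txt), parse_uci(dhcp_txt)
    ifaces = {s['name']: s['opt'] for s in net if s['type'] == 'interface'}
    g, out = ifaces.get(guest, {}), []
    if g.get('proto') != 'static' or not g.get('ipaddr'):
        out.append(f"interface '{guest}' has no static ipaddr, so dnsmasq has no address to serve from")
    for port in g.get('ifname', '').split():  # sharing a port with another interface merges the segments
        for name, o in ifaces.items():
            if name != guest and port in o.get('ifname', '').split():
                out.append(f"'{guest}' bridges '{port}', which belongs to interface '{name}': isolation is lost")
    if not any(s['type'] == 'wifi-iface' and s['opt'].get('network') == guest for s in wifi):
        out.append(f"no wifi-iface carries option network '{guest}'")
    zones = [s['opt'].get('name') for s in fw if s['type'] == 'zone'
             and guest in s['opt'].get('network', '').split() + s['list'].get('network', [])]
    if not zones:
        out.append(f"no firewall zone covers network '{guest}'")
    for z in zones:
        for port, what in ((67, 'DHCP'), (53, 'DNS')):
            if not input_allowed(fw, z, 'udp', port):
                out.append(f"zone '{z}' does not admit udp/{port} ({what}) to the router")
        for s in fw:  # a guest zone should forward to wan only, never into the trusted lan
            if s['type'] == 'forwarding' and s['opt'].get('src') == z and s['opt'].get('dest') != 'wan':
                out.append(f"zone '{z}' forwards to '{s['opt'].get('dest')}', not only to wan")
    if not any(s['type'] == 'dhcp' and s['opt'].get('interface') == guest
               and s['opt'].get('ignore') != '1' for s in dhcp):
        out.append(f"no 'config dhcp' section serves interface '{guest}'")
    return out

# Constructed sample files modelled on the thread's configs; the DHCP input rule is left out.
NETWORK = """
config interface 'guest'
    option proto 'static'
    option ipaddr '192.168.2.254'
"""
WIRELESS = """
config wifi-iface
    option device 'radio1'
    option mode 'ap'
    option ssid 'Guest'
    option network 'guest'
"""
FIREWALL = """
config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'

config rule
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
"""
DHCP = """
config dhcp 'guest'
    option interface 'guest'
    option start '100'
"""
```

Run on a router it would read `/etc/config/network`, `/etc/config/wireless`, `/etc/config/firewall` and `/etc/config/dhcp` instead of the embedded strings; on the sample it reports only the missing udp/67 rule, and adding that rule empties the findings. Appending a `type 'bridge'` guest with `ifname 'eth0.1 wlan0-1'` while `eth0.1` is the LAN's port reproduces the isolation loss described in this post as a finding.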

Woah. Thank you @psherman for being so detailed.

I want to clarify a few things.

In my modification of the script I'm just bridging the 5 GHz and 2.4 GHz wifi interfaces that carry the guest SSID. So AFAIK my bridge doesn't mix "lan" with "guest". Maybe what is missing from the wiki script is a VLAN called "guest".

The line I replaced was this one:
set network.${NETWORKID}.ifname=${NETWORKID}
With
set network.${NETWORKID}.ifname='wlan0-1 wlan1-1'
set network.${NETWORKID}.type=bridge

I am scripting everything and executing it from Ansible. Right now I can't mess a lot with my only LEDE router (it gives me my connection to the internet) but I will have one for tests soon and will research more. It would be great for someone to test the wiki script from a clean LEDE install.

My main motivation to write here is that people can easily set up a guest network following the guide, copy-pasting that script from the LEDE wiki (I can't find any difference from the openwrt wiki except for variable names and minor differences).