Access Point with different guest Networks and DNS Servers

Dear all,
I am a newbie and am beginning to work with OpenWrt and my Devolo 1750i.

The first step of the setup I want to realize is shown in the picture.

I used the following guidance:

whereas I changed the IP addresses and changed everything from "WAN" to "LAN", because I have only one ethernet port and no WAN port.
The problem is that I don't have internet access in both Wifi networks, guest and kids.

I tried this tutorial before

but with no success as well.

Any ideas what I am doing wrong?
Thanks a lot for your support.
Hugo


I would reset to defaults and then start with setting up as a dumb AP

If that works then proceed to adding a guest wifi to this dumb AP


On a dumb AP run the following:


Many thanks for your reply. That is exactly what I tried to do. The dumb AP is working without problems.
Only the guest network is not easy to configure with the firewall zones. I got the guest network running by accepting everything, but that is not the intention. I will play a little bit this evening and make screenshots of my configuration.
Maybe you see my problems directly.
Last question: because I only have one LAN port, should I replace every "wan" with "lan" in the tutorials?
Or should I define a WAN separately?

Many thanks in advance.
Hugo

Dear all,
I made some tests and here are my results.


First of all, that is my configuration.
As I said, I updated my firewall parameters according to the tutorials:

The result is:
KIDS has internet access, but guest does not with that configuration.
If the "masquerading" box is checked, it doesn't work, nor if "masquerading" is unchecked and the "forward" zone is set to reject. The only way to get it working is the configuration as in kids.

But "kids" doesn't use the desired DNS servers but the DNS servers of the router.

 uci show network
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fd98:f5d8:0d02::/48'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='dhcp'
network.lan.delegate='0'
network.@device[0]=device
network.@device[0].type='8021q'
network.@device[0].ifname='eth0'
network.@device[0].vid='002'
network.@device[0].name='eth0.2'
network.@device[0].ipv6='0'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='eth0'
network.@device[1].vid='003'
network.@device[1].name='eth0.3'
network.@device[1].ipv6='0'
network.@device[2]=device
network.@device[2].name='br-lan'
network.@device[2].type='bridge'
network.@device[2].ports='eth0'
network.@device[2].ipv6='0'
network.@device[3]=device
network.@device[3].name='wlan1'
network.@device[3].ipv6='0'
network.@device[4]=device
network.@device[4].name='wlan1-1'
network.@device[4].ipv6='0'
network.kids_dev=device
network.kids_dev.type='bridge'
network.kids_dev.name='br-kids'
network.kids=interface
network.kids.proto='static'
network.kids.device='br-kids'
network.kids.ipaddr='192.168.42.1'
network.kids.netmask='255.255.255.0'
network.kids.dns='49.12.43.208' '49.12.223.2'
network.guest_dev=device
network.guest_dev.type='bridge'
network.guest_dev.name='br-guest'
network.guest=interface
network.guest.proto='static'
network.guest.device='br-guest'
network.guest.ipaddr='192.168.41.1'
network.guest.netmask='255.255.255.0'
network.guest.dns='9.9.9.9' '149.112.112.112'

cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd98:f5d8:0d02::/48'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option delegate '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '002'
        option name 'eth0.2'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '003'
        option name 'eth0.3'
        option ipv6 '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device 'kids_dev'
        option type 'bridge'
        option name 'br-kids'

config interface 'kids'
        option proto 'static'
        option device 'br-kids'
        option ipaddr '192.168.42.1'
        option netmask '255.255.255.0'
        list dns '49.12.43.208'
        list dns '49.12.223.2'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.41.1'
        option netmask '255.255.255.0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

Can anybody tell me what I did wrong?
Thanks a lot in advance.
Hugo

masquerading should be enabled on the lan and disabled on the kids network.

let's see the remainder of your config files...

cat /etc/config/firewall
cat /etc/config/dhcp
cat /etc/config/wireless

Hi psherman,
here come the results:

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'
        option dest_port '67'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'lan'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'lan'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'lan'
        list src_ip 'fc00::/6'
        list dest_ip 'fc00::/6'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'lan'
        list src_ip 'fe80::/10'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src 'lan'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src 'lan'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule 'guest_fwd'
        option name 'Allow-Guest-Forward'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'all'
        list dest_ip '!192.168.111.201/24'

config rule
        option name 'Fritzbox'
        list src_ip '192.168.13.0/24'
        option src '*'
        option dest 'lan'
        option target 'REJECT'
        list proto 'all'
        list dest_ip '192.168.0.0/24'
        list dest_ip '192.168.2.0/24'
        list dest_ip '192.168.1.0/24'
        list dest_ip '192.168.111.0/24'

config rule
        option name 'DNS'
        option src 'lan'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'dnssec'
        option src 'lan'
        option dest '*'
        option dest_port '853'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone 'kids'
        option name 'kids'
        option network 'kids'
        option input 'REJECT'
        option output 'ACCEPT'
        list device 'tun0'
        option forward 'ACCEPT'
        option masq '1'

config forwarding 'kids_'
        option src 'kids'

config rule 'kids_dns'
        option name 'Allow-DNS-kids'
        option src 'kids'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

config rule 'kids_dhcp'
        option name 'Allow-DHCP-kids'
        option src 'kids'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding 'guest_'
        option src 'guest'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        list device 'tun0'
        option masq '1'
        option forward 'ACCEPT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'lan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'kids'
        option dest 'lan'

cat /etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option rebind_protection '0'
        option localservice '0'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra_management '1'
        option dynamicdhcp '0'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'kids'
        option interface 'kids'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option netmask '255.255.255.0'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option netmask '255.255.255.0'


cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option channel 'auto'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option cell_density '1'
        option htmode 'HT20'

config wifi-iface 'wifinet3'
        option ssid 'YYYYYYYY'
        option device 'radio1'
        option mode 'ap'
        option key 'XXXXXXXXXXXX'
        option wpa_disable_eapol_key_retries '1'
        option network 'lan'
        option ieee80211w '1'
        option encryption 'psk2'
        option skip_inactivity_poll '1'
        option disassoc_low_ack '0'

config wifi-iface 'wifinet4'
        option ssid 'YYYYYYYYYY'
        option device 'radio0'
        option mode 'ap'
        option wpa_disable_eapol_key_retries '1'
        option key 'XXXXXXXXXXXX'
        option disabled '1'
        option network 'lan'
        option ieee80211w '1'
        option encryption 'sae-mixed'

config wifi-iface 'wifinet2'
        option ssid 'YYYYYY'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option wpa_disable_eapol_key_retries '1'
        option key 'XXXXXXXXXXXXXXXXX'
        option disabled '1'

config wifi-iface 'wifinet5'
        option ssid 'YYYYYYYYY'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option wpa_disable_eapol_key_retries '1'
        option key 'XXXXXXXXXXXXXXXXX'
        option disabled '1'

config wifi-iface 'kids'
        option device 'radio1'
        option mode 'ap'
        option network 'kids'
        option ssid 'YYYYYYY'
        option encryption 'sae-mixed'
        option key 'xxxxxxxxxx'
        option wpa_disable_eapol_key_retries '1'

config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'YYYYYYYYYY'
        option encryption 'sae-mixed'
        option key 'XXXXXXXXX'
        option wpa_disable_eapol_key_retries '1'

tun0 is an OpenVPN device through which the traffic of both should be routed, according to this tutorial:

Does this information help you?
Thanks a lot for your effort.

masquerading should be enabled on the lan and disabled on the kids network.

I tried that, but then I don't have an internet connection.

Hugo

Let's start with this:

# Reuse the unused 'wan' zone as the VPN zone; tun0 is bound to that zone only,
# not additionally to the kids zone.
uci rename firewall.@zone[1]="vpn"
uci rename firewall.kids_="kids_vpn"
# Drop the incomplete/duplicate guest forwardings and the DNS rules:
# clients will receive external resolvers via DHCP and never query the AP.
uci -q delete firewall.guest_
uci -q delete firewall.guest_wan
uci -q delete firewall.guest_dns
uci -q delete firewall.kids_dns
# Masquerading belongs on the zones traffic leaves through (vpn, lan),
# not on the client zones.
uci -q delete firewall.kids.masq
uci -q delete firewall.kids.device
uci -q delete firewall.vpn.device
uci add_list firewall.vpn.device="tun0"
uci set firewall.vpn.name="vpn"
# kids -> vpn via forwarding; guest reaches the internet through the lan zone
# via the existing guest_fwd rule (everything except 192.168.111.x).
uci set firewall.kids_vpn.dest="vpn"
# NAT guest/kids traffic leaving via br-lan to the AP's own LAN address,
# but not traffic that already originates from the upstream 192.168.111.0/24.
uci set firewall.lan.masq="1"
uci set firewall.lan.masq_src="!192.168.111.0/24"
uci commit firewall
/etc/init.d/firewall enable
/etc/init.d/firewall restart
# Hand the per-network resolvers to clients with DHCP option 6 (DNS servers).
uci -q delete dhcp.guest.dhcp_option
uci add_list dhcp.guest.dhcp_option="6,9.9.9.9,149.112.112.112"
uci -q delete dhcp.kids.dhcp_option
uci add_list dhcp.kids.dhcp_option="6,49.12.43.208,49.12.223.2"
uci commit dhcp
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq restart
# The interface 'dns' list only sets the router's own upstream resolvers;
# it is not what clients receive, so it is removed here.
uci -q delete network.guest.dns
uci -q delete network.kids.dns
uci commit network
/etc/init.d/network restart

Make sure to reconnect the clients to apply the changes.
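Before trusting a guest/kids setup like the one above, it is worth checking the resulting zone layout mechanically rather than by eye. The following is an added example (my own script, not code posted by anyone in this thread) that audits a `uci show firewall` dump for the mistakes discussed above: one device (tun0) bound to several zones, forwardings with no dest, forwardings or rules that reference a zone that does not exist, and `src_ip`/`dest_ip` prefixes with host bits set such as `192.168.111.201/24`. The function and sample names (`fw_audit`, `sample_dump`) are mine; the sample dump is constructed from the posted configuration, not a real capture. On the AP it would be run as `uci show firewall | fw_audit`.

```shell
#!/bin/sh
# Added example: audit a `uci show firewall` dump for common zone mistakes.
# fw_audit and sample_dump are names chosen for this example.

# Print one "FINDING: ..." line per problem found in the dump read on stdin.
fw_audit() {
    awk -v q="'" '
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                 # uci quotes values; list items are space-separated
        n = split(key, k, ".")           # firewall.<section>[.<option>]
        if (n == 2) { type[k[2]] = val; next }   # section declaration
        sec = k[2]; opt = k[3]
        if (type[sec] == "zone") {
            if (opt == "name")   zname[sec] = val
            if (opt == "device") zdev[sec]  = val
        } else if (type[sec] == "forwarding") {
            if (opt == "src")  fsrc[sec] = val
            if (opt == "dest") fdst[sec] = val
        } else if (type[sec] == "rule") {
            if (opt == "src")  rsrc[sec] = val
            if (opt == "dest") rdst[sec] = val
            if (opt == "src_ip" || opt == "dest_ip") rip[sec "." opt] = val
        }
    }
    END {
        for (s in zname) defined[zname[s]] = 1
        # 1. A device may belong to only one zone.
        for (s in zdev) {
            m = split(zdev[s], d, " ")
            for (i = 1; i <= m; i++) { cnt[d[i]]++; owners[d[i]] = owners[d[i]] " " zname[s] }
        }
        for (dev in cnt) if (cnt[dev] > 1)
            printf "FINDING: device %s is in %d zones:%s\n", dev, cnt[dev], owners[dev]
        # 2. Forwardings need a dest, and src/dest must be defined zones.
        for (f in fsrc) {
            if (!(f in fdst)) { printf "FINDING: forwarding %s has no dest (ignored)\n", f; continue }
            if (!(fsrc[f] in defined)) printf "FINDING: forwarding %s: src zone %s is not defined\n", f, fsrc[f]
            if (!(fdst[f] in defined)) printf "FINDING: forwarding %s: dest zone %s is not defined\n", f, fdst[f]
        }
        # 3. Rules that reference a missing zone are dead configuration.
        for (r in rsrc) if (rsrc[r] != "*" && !(rsrc[r] in defined))
            printf "FINDING: rule %s: src zone %s is not defined\n", r, rsrc[r]
        for (r in rdst) if (rdst[r] != "*" && !(rdst[r] in defined))
            printf "FINDING: rule %s: dest zone %s is not defined\n", r, rdst[r]
        # 4. IPv4 prefix with host bits set (192.168.111.201/24 was probably meant as .0/24).
        for (key in rip) {
            m = split(rip[key], items, " ")
            for (i = 1; i <= m; i++) {
                ip = items[i]; sub(/^!/, "", ip)
                if (split(ip, p, "/") != 2 || split(p[1], o, ".") != 4) continue
                addr = o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
                if (addr % (2 ^ (32 - p[2])) != 0)
                    printf "FINDING: %s has host bits set in %s\n", key, items[i]
            }
        }
    }'
}

# Constructed sample: a reduced `uci show firewall` of the configuration posted
# above, before the fixes (not a real capture).
sample_dump() {
cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.guest_fwd=rule
firewall.guest_fwd.src='guest'
firewall.guest_fwd.dest='lan'
firewall.guest_fwd.dest_ip='!192.168.111.201/24'
firewall.kids=zone
firewall.kids.name='kids'
firewall.kids.device='tun0'
firewall.kids.masq='1'
firewall.kids_=forwarding
firewall.kids_.src='kids'
firewall.guest_=forwarding
firewall.guest_.src='guest'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.device='tun0'
firewall.guest.masq='1'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='lan'
EOF
}

sample_dump | fw_audit
```

On the constructed sample this reports four findings: tun0 in two zones, the two forwardings without a dest, and the host bits in `192.168.111.201/24`. Note also that renaming the wan zone to vpn, as the commands above do, leaves the `lan -> wan` forwarding and the Allow-IPSec-ESP/Allow-ISAKMP rules pointing at a zone that no longer exists; the firewall ignores them, but the audit flags them so they can be cleaned up.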

Hi Vgaetera,
I used your configuration and it seems to work. Both (guest and kids) have internet.
What surprised me is that in the firewall section kids and guest are configured differently.

Why is guest not equal to kids?
Should I change that ?

Last question: the OpenVPN server always pushes its own DNS servers. My kids DNS servers were added, but the "adult" filter is not active on the commercial VPN server.

I tried to use:
pull-filter ignore "block-outside-dns"
pull-filter ignore "dhcp-option DNS"
in the OpenVPN section, but without any effect.

Many thanks in advance.
Hugo


That's great!

The same result can be achieved in different ways:

  • Permit transit traffic except specific destinations with a single rule.
  • Prohibit specific destinations with a rule and allow the rest with a forwarding.

You can change anything you want as long as it works for you.

OpenWrt ignores DNS servers pushed by OpenVPN.
It sounds like your VPN provider is hijacking DNS on the server side.


Many thanks for your great support.
Now I have a basic configuration with which I can "play" a little bit. Regarding the DNS servers I have an idea which I want to test.
For that reason I want to route kids and guest not over the VPN directly in the AP, but through the VPN on the router itself. On the Asus router I have an option to kick out the DNS servers from the VPN provider.

So I have to restrict the access from guest/kids to the other LAN clients on the 192.168.111.0/24 network, but allow the traffic to be routed over the gateway 192.168.111.1, correct?

My understanding is that I have to substitute LAN for tun0 in the firewall settings, is that right?
Is that the only thing I have to do? If not, it would be very kind if you could provide me with the information.

Many thanks in advance.

Hugo


Remember to disable and stop the VPN and PBR services.
Then adjust the firewall configuration as necessary.

