After upgrade from 22.03.2 to 23.05.0 Guest does not get an IP [Solved]

Hi,

I recently upgraded my Linksys WRT1900ACS v2 from 22.03 to 23.05 and noticed that my guest wifi network doesn't appear to be handing out IP addresses. It was working fine before the upgrade. I have not changed any configuration since the upgrade. I confirmed the content of the config files was still the same before and after the upgrade. I only noticed the guest network wasn't working when I had a friend come over.

Here are some relevant config files:

dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.0.192,192.168.0.192,192.168.0.189'
	option start '190'
	option limit '50'
	option leasetime '24h'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,8.8.8.8'
	list ra_flags 'none'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '53'
	option src 'lan'
	option name 'Force DNS'
	option src_dport '53'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.0.192'
	option src_port '53'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

config rule
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'Guest DNS'

config rule
	option name 'Guest DHCP'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Block Guest from Local Network'
	option src 'guest'
	option dest 'lan'
	option target 'DROP'
	list dest_ip '192.168.0.1/24'

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:0000:0000::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'ab:cd:ef:gh:ij:kl'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option device 'wlan1-1'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'thisisok'
	option band '5g'
	option country 'US'
	option htmode 'VHT80'
	option cell_density '2'
	option channel '36'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'ab:cd:ef:gh:ij:kl'
	option ssid 'MY5G'
	option key 'mykey'
	option short_preamble '0'
	option dtim_period '1'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'nothingtoseehere'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'US'
	option cell_density '0'
	option legacy_rates '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr 'ab:cd:ef:gh:ij:kl'
	option ssid 'MY24'
	option key 'mykey'
	option ieee80211w '0'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option key 'guestkey'
	option ieee80211w '0'
	option network 'guest'
	option ssid 'MYGUEST'
	option encryption 'psk2'

Remove this rule:

And then remove the device line from the guest interface stanza:

Reboot and try again.

That worked!!! Thank you!!

Can you explain why I needed to do those steps? Also, since I removed the firewall rule that blocked guest clients from connecting to my non-guest hosts, do I need to add something that makes sure the guest clients can't see the non-guest hosts?

Actually, this rule was not doing what you thought. It was only blocking access to the router because you specified an address (192.168.0.1/24) not a subnet (192.168.0.0/24).

Nope. You don't allow guest > lan forwarding, so your guest network cannot see your lan.

I think that the primary reason it didn't work was related to the device in the network interface stanza... the wireless devices should never be included in the /etc/config/network file, only in the wireless file. And the syntax for the radio definition likely changed, causing the problem you experienced.
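As an added example, not code from the thread or from OpenWrt: a small Python lint that parses UCI-style text like the stanzas quoted above and flags the two problems the replies identified (a dest_ip/src_ip such as 192.168.0.1/24 whose host bits are set, and a wireless device named directly in a network interface stanza), and checks that the firewall still isolates guest from lan by having no guest -> lan forwarding. The sample stanzas are constructed from the thread's configs and the function names are my own.

```python
import ipaddress
import re

# Constructed samples modelled on the stanzas quoted in the thread, not the poster's full files.
FIREWALL = """
config rule
    option name 'Block Guest from Local Network'
    option src 'guest'
    option dest 'lan'
    list dest_ip '192.168.0.1/24'
config forwarding
    option src 'guest'
    option dest 'wan'
"""
NETWORK = """
config interface 'guest'
    option device 'wlan1-1'
"""
UCI_LINE = re.compile(r"\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?")

def parse_uci(text):
    """Parse UCI text into [(type, name, {key: [values]})]; 'list' keys accumulate values."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, val, {}))
        else:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def lint(firewall_text, network_text):
    """Flag the two misconfigurations the replies identified."""
    findings = []
    for _, _, opts in parse_uci(firewall_text):
        for key in ("src_ip", "dest_ip"):
            for cidr in opts.get(key, []):
                try:
                    ipaddress.ip_network(cidr, strict=True)
                except ValueError:  # 192.168.0.1/24 names a host inside a /24, not the /24 itself
                    net = ipaddress.ip_network(cidr, strict=False)
                    findings.append(f"{key} {cidr} has host bits set; did you mean {net}?")
    for typ, name, opts in parse_uci(network_text):
        if typ == "interface" and any(d.startswith("wlan") for d in opts.get("device", [])):
            findings.append(f"interface '{name}' names a wlan device; bind it with 'option network' in wireless")
    return findings

def guest_isolated(firewall_text, guest="guest", lan="lan"):  # no forwarding stanza guest -> lan?
    fwds = {(o["src"][0], o["dest"][0]) for t, _, o in parse_uci(firewall_text) if t == "forwarding"}
    return (guest, lan) not in fwds
```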

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)


Just as loosely related advice, avoid DROP rules for internal or at least semi-trusted networks (use REJECT instead), it just hurts your debugging without gaining you security and often causes timeouts on things.

Or to explain it a little more.
DROP entails the hope to hide the existence of the device, which is kind of questionable to begin with. But if the potential attacker already knows that there is a system at that IP (because it's the IP of their AP or router), there's nothing to be gained anymore; they can just as well do a parallel portscan on the IP to get the full picture. The important bit is for the router to prevent unauthorized access, something DROP and REJECT do alike, except that REJECT is a lot easier to debug.

The same might also apply to WAN side policies, the moment you do open ports to the outside, the hiding behind DROP is out of the window anyways and you can make it easier on yourself and your genuine users to politely REJECT, instead of DROPping.

