Belkin RT3200 - Guest WIFI No Internet Connection

I have read a lot of threads here in the forum about problems with the guest network, but none helped me. I can connect to the Guest Wifi and the client gets an IP address, so DHCP is working. I can ping the router on 10.15.50.1, but I can't access the internet. Hopefully someone can help me; I would really appreciate anything.

Here is my configuration.

Network

# Network configuration as posted: loopback, a four-port LAN bridge, a PPPoE
# WAN, a DHCPv6 WAN6 on the same device, and a static guest subnet.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

# Wired LAN bridge over the four switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# LAN is 10.15.15.1/24 with IPv6 switched off.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.15.15.1'
        option ipv6 '0'
        option delegate '0'
        # 10.15.15.6 is an address inside the LAN subnet - presumably a local
        # resolver; confirm it is reachable and answering.
        list dns '10.15.15.6'

# PPPoE uplink. No username/password options appear here - presumably removed
# before posting, which is the right call for a public thread.
config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        # peerdns '0' ignores the DNS servers offered by the ISP; no 'list dns'
        # is set on this interface to replace them.
        option peerdns '0'
        option ipv6 '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option ipv6 '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

# Guest subnet 10.15.50.1/24. There is no 'option device' here; the guest SSID
# attaches through 'option network guest' on its wifi-iface.
config interface 'guest'
        option proto 'static'
        option ipaddr '10.15.50.1'
        option netmask '255.255.255.0'
        # NOTE(review): 'list dns' on a static interface presumably configures
        # resolvers for the router itself, not what DHCP clients on this subnet
        # are handed - confirm against the DHCP pool for 'guest'.
        list dns '8.8.8.8'

Firewall

# Firewall defaults plus the 'lan' and 'wan' zones.
config defaults
        # NOTE(review): the defaults presumably cover traffic that matches no
        # zone, so input 'ACCEPT' leaves router services reachable from any
        # interface that is not assigned to a zone. 'REJECT' is the safer
        # value - confirm nothing relies on the permissive default.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # NOTE(review): software and hardware flow offloading are both enabled.
        # While debugging a forwarding problem it is worth switching them off
        # temporarily to rule them out.
        option flow_offloading '1'
        option flow_offloading_hw '1'

# Trusted LAN zone: everything accepted, including forwarding inside the zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Internet-facing zone: inbound and forwarded traffic rejected, outbound
# traffic masqueraded (NAT) with MSS clamping.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        option forward 'REJECT'

# Traffic rules as posted. Every rule below has src 'wan'; none has
# src 'guest', so nothing here opens or restricts guest access to the router.

# Accept DHCP replies (udp/68) arriving on the WAN side.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Router answers IPv4 echo requests from the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client traffic (udp/546) between addresses in fc00::/6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from the WAN side to any zone, same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): this rule and 'Allow-ISAKMP' forward ESP and udp/500 from the
# WAN side to the whole 'lan' zone. If no IPsec endpoint sits behind the
# router, both can be disabled to shrink the inbound surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# VPN zone bound to the tun0 device: inbound and forwarded traffic rejected,
# outbound traffic masqueraded.
config zone
        option name 'OpenVPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

# The only forwarding out of 'lan' goes to 'OpenVPN'; there is no lan -> wan
# forwarding, so LAN clients can leave only through tun0.
config forwarding
        option src 'lan'
        option dest 'OpenVPN'

# NOTE(review): guest may forward only to 'wan'. If the VPN client installs the
# default route via tun0 (not visible in this post - check the routing table on
# the router), guest packets are routed towards tun0, match no forwarding and
# hit the guest zone's forward 'REJECT'. That would be consistent with a
# "port not reachable" reply on the client. In that case guests need either a
# guest -> OpenVPN forwarding or a policy route that sends 10.15.50.0/24 out
# the WAN.
config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config zone
        option name 'guest'
        # NOTE(review): input 'ACCEPT' lets guest clients reach every service
        # on the router (web UI, SSH, ...). The usual guest setup is input
        # 'REJECT' plus explicit src 'guest' rules for DHCP (udp 67-68) and
        # DNS (tcp/udp 53); without those rules DHCP and DNS stop working, and
        # no src 'guest' rule appears in the posted firewall config.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

DHCP

# DHCP/DNS configuration as posted: one dnsmasq instance and pools for 'lan'
# and 'guest'; 'wan' is ignored.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebinding protection is enabled.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers are read from this generated file; with peerdns
        # off and no DNS on the WAN interface, check on the router that it
        # actually lists a usable server.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

# No DHCP service on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool with 2h leases. No dhcp_option is set, so clients are presumably
# handed the router (10.15.50.1) as their DNS server.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '2h'
        # NOTE(review): 'netmask' is presumably not a valid option in a DHCP
        # pool; the advertised mask comes from the interface in the network
        # config - confirm and drop this line.
        option netmask '255.255.255.0'

Wireless

# Wireless configuration as posted: two radios, two LAN SSIDs and one guest
# SSID. No 'option key' appears on any wifi-iface - presumably removed before
# posting, which is the right call for a public thread.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option band '2g'
        option cell_density '0'
        option noscan '1'
        option country 'DE'
        option channel 'auto'
        option htmode 'HT40'
        option txpower '20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Photon'
        option wpa_disable_eapol_key_retries '1'
        option encryption 'sae-mixed'
        # NOTE(review): ieee80211w '0' disables management frame protection.
        # WPA3-SAE requires PMF, so with this value WPA3-capable clients
        # presumably fall back to WPA2-PSK; '1' (optional) is the usual choice
        # for sae-mixed - confirm client compatibility before changing.
        option ieee80211w '0'
        # NOTE(review): macfilter 'allow' with no 'list maclist' shown - either
        # the list was removed for posting or it is empty. MAC filtering is
        # not an authentication control; the passphrase protects the network.
        option macfilter 'allow'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option cell_density '0'
        option country 'DE'
        option htmode 'HE160'
        option channel '100'
        option txpower '26'

# 5 GHz LAN SSID. Unlike 'default_radio0' it sets neither ieee80211w nor
# wpa_disable_eapol_key_retries, so the two LAN SSIDs are not configured alike.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option encryption 'sae-mixed'
        option network 'lan'
        option ssid 'Photon5'
        option macfilter 'allow'

# Guest SSID on the 2.4 GHz radio, attached to the 'guest' network.
config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'sae-mixed'
        # isolate '1' blocks traffic between wireless clients on this SSID.
        option isolate '1'
        # NOTE(review): management frame protection is disabled here as well;
        # see the WPA3 implication noted on 'default_radio0' semantics of
        # ieee80211w - '1' is the usual value for sae-mixed.
        option ieee80211w '0'
        option wpa_disable_eapol_key_retries '1'
        option network 'guest'

Thanks. :slight_smile:

You list no DNS servers for WAN.

The DNS servers on the other interfaces are invalid for Internet use by the clients.


Have to take that back. :frowning:
Doesn't work. Ping on google.com tells me "port not reachable" now.

Manually setting the DNS Server on the client doesn't work either.

in /etc/config/network in wan and wan6
is this intentional ?

option peerdns '0'

if not then set this to 1 to retrieve your ISP dns.
or add some dns in your wan section, if you don't want to use your ISP dns

list dns '1.1.1.1'
list dns '8.8.8.8'

Yes that's intentional. I don't want to use my ISPs DNS. I have set DNS for WAN, but Clients on the Guest Network still don't have access to the internet. :frowning:

OK, but just for testing, does it work if you set the dns manually as i did ?

list dns '1.1.1.1'
list dns '8.8.8.8'

if not then it's obvious that no dns are sent to your wifi clients. can you even ping 1.1.1.1 from your guest wifi ?

in /etc/config/dnsmasq (on OpenWrt the 'config dhcp' pool sections live in /etc/config/dhcp)
add the setting list dhcp_option with the dns you want :

# Suggested guest pool: same as the posted one plus an explicit DNS option.
config dhcp 'guest'
         option interface 'guest'
         option start '100'
         option limit '150'
         option leasetime '2h'
         # NOTE(review): 'netmask' is presumably not a valid DHCP-pool option;
         # the mask is taken from the interface definition - confirm and drop.
         option netmask '255.255.255.0'
         # DHCP option 6 is the DNS server list handed to clients. Pointing
         # guests at public resolvers bypasses the router's own dnsmasq, so
         # any filtering or logging done there no longer sees guest queries.
         list dhcp_option '6,1.1.1.1,8.8.8.8'

On an endpoint connected to guest, try to ping a site by numeric address, and also by name.

By default the DHCP server advertises the router itself as the DNS server for clients on any LAN. If properly configured, that server will recurse to an external server set up under wan.

This is not valid in the DHCP section. The DHCP advertised netmask is inherited from the network.


this isn't from me, i just asked him to add the last line "list dhcp_option"

I just used this and it worked fine:

No specific DNS for guest - it just uses OpenWrt/DNSmasq for DNS lookups? And so in my case that goes through stubby.


I added the list dns entries under network manually and they also show up in LuCI, but there is still no internet access. I can only ping the router; anything else, like 1.1.1.1 or google.com, doesn't work: "Port not reachable".

If i add the list dhcp_option under guests i can't connect to any wireless networks anymore.

rules

I have the traffic rules configured for the guest network like they are shown in the guide.