Cannot ping outside guest network

After following the instructions here, I connected to the guest network WiFi AP and obtained an IP address, but I am unable to connect to anything. I can ping myself, but I cannot ping the default gateway or reach the internet. I've tried to troubleshoot, but I have reached the limit of my skills. Any help is greatly appreciated. I have included what I thought was relevant below.

Some details:
Primary router: Mikrotik hAP ac2 running OpenWrt 192.168.0.1 (WAN on 192.168.1.2)
Guest WiFi AP Mikrotik wAP running OpenWrt 192.168.0.3 on ethernet, 192.168.3.1 WiFi
The wAP has only one Ethernet port, which produced some warnings that the WAN zone cannot resolve its device.

EDIT: I have just realised that I am using the wrong image. I am using https://openwrt.org/toh/mikrotik/rbwapr-2nd_wap_r

It is working, but maybe this is causing the problem.

Some troubleshooting
Restart services

root@OpenWrt:~# /etc/init.d/network reload
root@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) has no device, network, subnet or extra options

ip address show; ip route show table all

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether dc:2c:6e:23:9b:b2 brd ff:ff:ff:ff:ff:ff
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:2c:6e:23:9b:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdb7:b542:386b::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::de2c:6eff:fe23:9bb2/64 scope link 
       valid_lft forever preferred_lft forever
9: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether de:2c:6e:23:9b:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::dc2c:6eff:fe23:9bb3/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether dc:2c:6e:23:9b:b3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::de2c:6eff:fe23:9bb3/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether de:2c:6e:23:9b:b3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dc2c:6eff:fe23:9bb3/64 scope link 
       valid_lft forever preferred_lft forever
192.168.0.0/24 dev br-lan scope link  src 192.168.0.3 
192.168.3.0/24 dev br-guest scope link  src 192.168.3.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.0.0 dev br-lan table local scope link  src 192.168.0.3 
local 192.168.0.3 dev br-lan table local scope host  src 192.168.0.3 
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.3 
broadcast 192.168.3.0 dev br-guest table local scope link  src 192.168.3.1 
local 192.168.3.1 dev br-guest table local scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev br-guest table local scope link  src 192.168.3.1 
fdb7:b542:386b::/64 dev br-lan  metric 1024 
unreachable fdb7:b542:386b::/48 dev lo  metric 2147483647 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev br-guest  metric 256 
fe80::/64 dev wlan0-1  metric 256 
local ::1 dev lo table local  metric 0 
anycast fdb7:b542:386b:: dev br-lan table local  metric 0 
local fdb7:b542:386b::1 dev br-lan table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev wlan0-1 table local  metric 0 
anycast fe80:: dev br-guest table local  metric 0 
local fe80::dc2c:6eff:fe23:9bb3 dev wlan0-1 table local  metric 0 
local fe80::dc2c:6eff:fe23:9bb3 dev br-guest table local  metric 0 
local fe80::de2c:6eff:fe23:9bb2 dev br-lan table local  metric 0 
local fe80::de2c:6eff:fe23:9bb3 dev wlan0 table local  metric 0 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev wlan0 table local  metric 256 
multicast ff00::/8 dev br-guest table local  metric 256 
multicast ff00::/8 dev wlan0-1 table local  metric 256

ip rule show; iptables-save -c

0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
# Generated by iptables-save v1.8.7 on Sat Apr 16 13:57:57 2022
*nat
:PREROUTING ACCEPT [421:112069]
:INPUT ACCEPT [181:19697]
:OUTPUT ACCEPT [20:1680]
:POSTROUTING ACCEPT [20:1680]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[421:112069] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[202:89007] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[219:23062] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[19:1560] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:52] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[1:332] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[1:332] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[219:23062] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[1:52] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[202:89007] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Apr 16 13:57:57 2022
# Generated by iptables-save v1.8.7 on Sat Apr 16 13:57:57 2022
*mangle
:PREROUTING ACCEPT [1773:210433]
:INPUT ACCEPT [1560:124703]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1443:242633]
:POSTROUTING ACCEPT [1443:242633]
COMMIT
# Completed on Sat Apr 16 13:57:57 2022
# Generated by iptables-save v1.8.7 on Sat Apr 16 13:57:57 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[136:9608] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1394:113535] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1151:79254] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:360] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[54:14836] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[189:19445] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[136:9608] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1277:230185] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1274:229681] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:172] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1:332] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[27:6642] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[6:360] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:332] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to * forwarding policy" -j ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[189:19445] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-guest" -j ACCEPT
[161:12486] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-guest" -j ACCEPT
[1:317] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[27:6642] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[1:332] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[1:332] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[27:6642] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[2:172] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[54:14836] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[54:14836] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:172] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:172] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[54:14836] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Sat Apr 16 13:57:57 2022

cat /etc/config/wireless

0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
# Generated by iptables-save v1.8.7 on Sat Apr 16 13:57:57 2022
*nat
:PREROUTING ACCEPT [421:112069]
:INPUT ACCEPT [181:19697]
:OUTPUT ACCEPT [20:1680]
:POSTROUTING ACCEPT [20:1680]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[421:112069] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[202:89007] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[219:23062] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[19:1560] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:52] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[1:332] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[1:332] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[219:23062] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[1:52] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[202:89007] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Apr 16 13:57:57 2022
# Generated by iptables-save v1.8.7 on Sat Apr 16 13:57:57 2022
*mangle
:PREROUTING ACCEPT [1773:210433]
:INPUT ACCEPT [1560:124703]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1443:242633]
:POSTROUTING ACCEPT [1443:242633]
COMMIT
# Completed on Sat Apr 16 13:57:57 2022
# Generated by iptables-save v1.8.7 on Sat Apr 16 13:57:57 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[136:9608] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1394:113535] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1151:79254] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:360] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[54:14836] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[189:19445] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[136:9608] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1277:230185] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1274:229681] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:172] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1:332] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[27:6642] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[6:360] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:332] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to * forwarding policy" -j ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[189:19445] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-guest" -j ACCEPT
[161:12486] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-guest" -j ACCEPT
[1:317] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[27:6642] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[1:332] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[1:332] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[27:6642] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[2:172] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[54:14836] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[54:14836] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:172] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:172] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[54:14836] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Sat Apr 16 13:57:57 2022

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_'
        option src 'guest'

config rule 'guest_dns'
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

In your firewall configuration, you have not defined a GUEST zone. Also, you are forwarding from the (nonexistent) GUEST zone to nowhere.


Thanks @eduperez

Near the bottom there is a zone for guest, but its forwarding went nowhere. I've added a forward to LAN through the GUI, but it still fails.

Now added:

config forwarding
        option src 'guest'
        option dest 'lan'

I am thinking that maybe the fact I have the wrong image flashed could be causing some issues. Is this likely?

Forwarding should be to WAN if I'm not mistaken. You're now effectively pushing guest traffic into the LAN despite wanting to separate it.


Thanks @Borromini
I had a bee in my bonnet about running the wrong image, so I've flashed the supported 19.07.10 release, recreated the guest WiFi as instructed, changed the LAN interface to 192.168.0.3 to connect to my LAN, run the guest script, and changed the firewall guest destination to WAN. I am still getting the same issue: the client gets an IP address, but I cannot ping anything or reach the internet when connected to the guest WiFi. Here is my current firewall config.

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_'
        option src 'guest'

# No 'dest' is set, so this rule covers traffic addressed to this device:
# guest clients may query DNS on port 53 over TCP and UDP.
config rule 'guest_dns'
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

# Accepts IPv4 UDP to port 67 from guest clients, i.e. DHCP requests to this
# device.
config rule 'guest_dhcp'
        option name 'Allow-DHCP-guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# Allows guest traffic to be forwarded into the 'wan' zone.
# NOTE(review): the firewall warnings on this page say the wan zone has no
# device, and a reply calls this a dumb AP without a wan interface, so this
# forwarding presumably gives guests no way out.
config forwarding
        option dest 'wan'
        option src 'guest'

There is no supported 19.07.x release; that branch went EOL two months ago, so it no longer receives security fixes.

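  • Change "input" and "forward" to "accept" on the "guest" zone. (With "input" set to accept, guest clients can reach every service listening on the AP itself, so set it back to reject once the fault is found.)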
  • Remove the "guest_" forwarding rule.

OK, yes, I see that now. It looks like there is no support for this device at the moment. This page still lists 19.07.x as the currently supported release.

Changes made, new firewall settings below. The problem persists.

Changes made, new firewall settings below. The problem persists with no internet access. Just to check DNS, which IPs should I be able to ping when connected to the guest AP? DHCP has allocated 192.168.3.102, with 192.168.3.1 as the default gateway, which I can ping. The primary subnet gateway is 192.168.0.1, which I cannot ping.
cat /etc/config/firewall

# Global policies, applied where no zone policy decides the packet.
# NOTE(review): input 'ACCEPT' here means traffic arriving on an interface
# that is in no zone is presumably accepted by this device - confirm every
# interface is assigned to a zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone: everything to, from and across the 'lan' network is accepted.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream zone with masquerading and MSS clamping (mtu_fix) enabled.
# NOTE(review): /etc/config/network on this page defines no 'wan' or 'wan6'
# interface, which matches the "cannot resolve device" warnings.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Allows lan traffic to be forwarded into the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock rules for traffic whose source zone is 'wan'. A rule without 'dest'
# applies to traffic addressed to this device; a rule with 'dest' applies to
# forwarded traffic.
# NOTE(review): /etc/config/network on this page defines no 'wan' or 'wan6'
# interface, so on this AP these rules presumably never match.
#
# IPv4 UDP to port 68 addressed to this device.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# IPv4 ICMP echo-request addressed to this device.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv4 IGMP addressed to this device.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv6 UDP to port 546, restricted to fc00::/6 for both source and destination.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types 130, 131, 132 and 143 (code 0) from fe80::/10 sources; the rule
# name labels these as MLD.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted when addressed to this device, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted when forwarded from wan to any zone ('*').
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwards ESP from the wan zone to the lan zone.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forwards UDP port 500 from the wan zone to the lan zone.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Pulls in the file at this path; its contents are not shown on this page.
config include
        option path '/etc/firewall.user'

# Guest zone after the suggested change: input and forward are now ACCEPT.
# With input on ACCEPT, guest clients can reach any service listening on this
# device, and the Allow-DNS-guest / Allow-DHCP-guest rules no longer restrict
# anything. The configuration accepted as the fix further down this page sets
# both back to REJECT.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

# No 'dest' is set, so this rule covers traffic addressed to this device:
# guest clients may query DNS on port 53 over TCP and UDP.
config rule 'guest_dns'
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

# Accepts IPv4 UDP to port 67 from guest clients, i.e. DHCP requests to this
# device.
config rule 'guest_dhcp'
        option name 'Allow-DHCP-guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# Still forwards guest traffic into the 'wan' zone.
# NOTE(review): /etc/config/network on this page defines no wan interface, so
# guests presumably have no path out through this forwarding; the accepted
# configuration further down uses dest 'lan' instead.
config forwarding
        option dest 'wan'
        option src 'guest'

Adding network config here:
cat /etc/config/network

# Loopback interface on 127.0.0.1/8.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique local prefix for this device.
config globals 'globals'
        option ula_prefix 'fde4:1975:0f80::/48'

# The AP's uplink: a bridge over eth0 with a static address on the primary
# subnet, using the primary router (192.168.0.1) as default gateway.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.3'
        option gateway '192.168.0.1'
        list dns '9.9.9.9'

# Declares a bridge device named br-guest; no member ports are listed.
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

# Guest subnet gateway address (192.168.3.1/24).
# NOTE(review): the bridge is declared twice here, once through 'option device'
# pointing at br-guest and once through 'option type bridge' on the interface
# itself; the reply below removes both lines.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'

This is a dumb AP without a wan interface and you need to follow another guide.

Change the 'guest' interface in /etc/config/network to:

# Plain static interface for the guest subnet, with no device or bridge
# option. The wireless configuration posted on this page attaches the guest
# SSID to it through 'option network guest'.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Change the 'guest' zone in /etc/config/firewall to:

# Restores the restrictive guest policy: traffic from guest clients to this
# device is rejected unless a rule accepts it (the page's Allow-DNS-guest and
# Allow-DHCP-guest rules), and the zone's forward policy is REJECT.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

Change the guest forwarding in /etc/config/firewall to:

# Guest traffic now leaves through the 'lan' zone, towards the primary router,
# instead of the non-existent wan. On its own this forwarding also lets guests
# reach hosts on the lan subnet, so it needs a rule that rejects guest traffic
# to 192.168.0.0/24.
config forwarding
        option dest 'lan'
        option src 'guest'

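Add a traffic rule to block guest access to the lan. The rule below rejects only 192.168.0.0/24; any other private range reachable through the primary router (its WAN side is on 192.168.1.2) needs its own dest_ip entry if guests should not reach it.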

# Rejects every protocol from guest clients to 192.168.0.0/24 in the lan zone.
# Traffic rules are evaluated before zone forwardings, so this REJECT takes
# precedence over the guest -> lan forwarding for that subnet.
# NOTE(review): only 192.168.0.0/24 is listed. The primary router's WAN side
# is on 192.168.1.2 per the opening post, so that upstream network is
# presumably still reachable by guests - add further dest_ip entries if it
# should not be.
config rule
        option src 'guest'
        option name 'block-guest-to-lan'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'REJECT'
        list proto 'all'

Enable masquerading on the lan zone

# lan zone with masquerading switched on: traffic leaving through lan is
# rewritten to this device's lan address (192.168.0.3 in the posted network
# config), so the primary router needs no route back to 192.168.3.0/24.
# NOTE(review): the primary router then sees guest traffic as coming from the
# AP itself and cannot filter or log guests separately.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
		option masq '1'

I guess the DHCP and wireless settings are correct, because you are getting an IP address.


This worked, thank you so much.
Also thank you @eduperez @slh and @Borromini

cat /etc/config/firewall

# Global policies, applied where no zone policy decides the packet.
# NOTE(review): input 'ACCEPT' here means traffic arriving on an interface
# that is in no zone is presumably accepted by this device - confirm every
# interface is assigned to a zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone, now with masquerading: traffic leaving through lan (including
# forwarded guest traffic) is rewritten to this device's lan address.
# NOTE(review): the primary router therefore cannot tell guest traffic apart
# from the AP's own traffic.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

# Upstream zone left over from the stock config.
# NOTE(review): /etc/config/network below defines no 'wan' or 'wan6'
# interface, so this zone presumably has no device on this AP.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Allows lan traffic to be forwarded into the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock rules for traffic whose source zone is 'wan'. A rule without 'dest'
# applies to traffic addressed to this device; a rule with 'dest' applies to
# forwarded traffic.
# NOTE(review): /etc/config/network below defines no 'wan' or 'wan6'
# interface, so on this AP these rules presumably never match.
#
# IPv4 UDP to port 68 addressed to this device.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# IPv4 ICMP echo-request addressed to this device.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv4 IGMP addressed to this device.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv6 UDP to port 546, restricted to fc00::/6 for both source and destination.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types 130, 131, 132 and 143 (code 0) from fe80::/10 sources; the rule
# name labels these as MLD.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted when addressed to this device, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted when forwarded from wan to any zone ('*').
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwards ESP from the wan zone to the lan zone.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forwards UDP port 500 from the wan zone to the lan zone.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Pulls in the file at this path; its contents are not shown on this page.
config include
        option path '/etc/firewall.user'

# Final guest zone: traffic from guest clients to this device is rejected
# unless a rule accepts it (Allow-DNS-guest and Allow-DHCP-guest below), so
# services on the AP that those rules do not name stay closed to guests.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

# No 'dest' is set, so this rule covers traffic addressed to this device:
# guest clients may query DNS on port 53 over TCP and UDP.
config rule 'guest_dns'
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

# Accepts IPv4 UDP to port 67 from guest clients, i.e. DHCP requests to this
# device.
config rule 'guest_dhcp'
        option name 'Allow-DHCP-guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# Guest traffic leaves through the 'lan' zone towards the primary router.
# This forwarding alone would also expose hosts on the lan subnet to guests;
# the block-guest-to-lan rule below is what keeps 192.168.0.0/24 closed.
config forwarding
        option dest 'lan'
        option src 'guest'


# Rejects every protocol from guest clients to 192.168.0.0/24 in the lan zone.
# Traffic rules are evaluated before zone forwardings, so this REJECT takes
# precedence over the guest -> lan forwarding even though it is listed later.
# NOTE(review): only 192.168.0.0/24 is covered. The primary router's WAN side
# is on 192.168.1.2 per the opening post, so that upstream network is
# presumably still reachable by guests - verify from a guest client and add
# further dest_ip entries if needed.
config rule
        option src 'guest'
        option name 'block-guest-to-lan'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'REJECT'
        list proto 'all'

cat /etc/config/network

# Loopback interface on 127.0.0.1/8.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique local prefix for this device.
config globals 'globals'
        option ula_prefix 'fde4:1975:0f80::/48'

# The AP's uplink: a bridge over eth0 with a static address on the primary
# subnet, using the primary router (192.168.0.1) as default gateway. This is
# the address guest traffic is masqueraded to by the lan firewall zone.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.3'
        option gateway '192.168.0.1'
        list dns '9.9.9.9'

# Guest subnet gateway (192.168.3.1/24). No device is named here; the guest
# SSID in /etc/config/wireless attaches to it through 'option network guest'.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

# The single radio: mac80211 driver, channel 11, 11g mode, 20 MHz (HT20).
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca953x_wmac'
        option htmode 'HT20'

# Guest SSID in access-point mode, attached to the 'guest' network.
# NOTE(review): encryption 'none' makes this an open network, so anyone in
# range can join and client traffic is unencrypted over the air; setting
# encryption 'psk2' with a 'key' would require a passphrase.
# NOTE(review): no 'isolate' option is set, so clients on this SSID can
# presumably reach one another; option isolate '1' blocks client-to-client
# traffic on the AP.
config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'none'

