Can't get internet connection on Guest WLAN

Hello,

I want to setup Guest WLAN on my OpenWrt but I can't get it to work properly.

I've mainly followed the guide at https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap but a few modifications are required.

My goal is this:

  • Guest clients do get a valid DHCP address from the guest network.
  • They are also able to use 192.168.10.1#53 to resolve DNS queries.
  • Pinging resolvable hosts is not possible.
  • Opening a browser and navigating to resolvable hosts is not possible.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdda:88b7:479f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.178.13'
        option netmask '255.255.255.0'
        list dns '192.168.178.10'
        option gateway '192.168.178.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option key '88888888'
        option isolate '1'
        option network 'guest'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option name 'allow_any_to_guest_gateway'
        option src 'guest'
        option target 'ACCEPT'

config rule
        option name 'block_anything_else'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'

/edit: Deleted firewall rule to local DNS server since it's handled by 192.168.10.1.
config rule
option name 'allow_dns_to_lan_dnsServer'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.178.10'
option dest_port '53'
option target 'ACCEPT'

The LAN is your way out so remove the following

Add:

config rule
        option name 'allow_way_out'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

First get it working and then you can gradually restrict access to unwanted areas like your LAN

The second thing which has to be done is either MASQUERADE over the LAN zone or set a static route on the main router for your guest wifi.
Easiest for now is to enable MASQUERADING on the LAN zone:

Reboot and check again

1 Like

Thanks! Works indeed.

But I'm a little confused here. Since OpenWrt uses 192.168.178.1 as gateway, how is it that the following behavior occurs?

config rule
        option name 'allow_any'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

Guest clients are able to use "the internet".


config rule
        option name 'allow_any'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.178.1'

Internet access is not working.

Because the destination is not 192.168.178.1.
The destination is somewhere on the internet :slight_smile:

I thought the "zones" include every network which is "child" of them.

My current config is now:

config rule
        option name 'block_guest_to_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'allow_anything_else'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

If I got it correctly, the guest -> LAN is needed for the masquerading to work properly?

Guests should be able to to anything they want but nothing with devices inside my LAN :slight_smile:

The LAN is your only way out so you have to allow traffic over the LAN, even if you do not MASQUERADE.
You block access to the LAN exactly like you did :+1:

A further step could be to block access to the router for your guests:
set option input 'REJECT'
BUT before doing that make sure you allow DNS (53) and DHCP traffic otherwise the guests will not get an IP address, see:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap#firewall_part_2_-_firewall_traffic_rules

1 Like

Okay, my firewall config now looks like this:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option name 'allow_dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'allow_dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'block_guest_to_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'allow_upstream_via_LAN'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

I've noticed that pinging websites does not work from my guest client:

ping openwrt.org

from 192.168.10.1 Destination port unreachable.

check if ping 8.8.8.8 works

It could be a DNS problem as your DNS server is on your local LAN and that is not allowed

If so you have to allow from guest to lan, port 53 destination 192.168.178.10

Edit: make sure this allow rule comes first!

It does not seem like an dns issue:

ping openwrt.org

From _gateway (192.168.10.1) icmp_seq=1 Destination port not reachable
From _gateway (192.168.10.1) icmp_seq=2 Destination port not reachable
^C

nslookup openwrt.org

Server: 192.168.10.1
Address: 192.168.10.1#53

Non-authoritative answer:
Name: openwrt.org
Address: 64.226.122.113
Name: openwrt.org
Address: 2a03:b0c0:3:d0::1a51:c001

ping 64.226.122.113

PING 64.226.122.113 (64.226.122.113) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination port not reachable
From 192.168.10.1 icmp_seq=2 Destination port not reachable
From 192.168.10.1 icmp_seq=3 Destination port not reachable
^C

ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination port not reachable
From 192.168.10.1 icmp_seq=2 Destination port not reachable
From 192.168.10.1 icmp_seq=3 Destination port not reachable

Lets see your current config, please connect to your OpenWRT device and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdda:88b7:479f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.178.13'
        option netmask '255.255.255.0'
        list dns '192.168.178.10'
        option gateway '192.168.178.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option name 'allow_dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'allow_dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'block_guest_to_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'allow_upstream_via_LAN'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

Aw devices on the guest network able to get a dhcp lease?

Yes, it seems like everything else besides pinging works.

Although it should not interfere (unless the gateway is wrong on the clients) but can you remove the rule below, reboot and test again if this is the culprit:

Disabling this rule does not make a difference.

Still: Destination Port unreachable.

I've switched to my old AP (FritzBox) and pinging openwrt.org works. Just to make sure that my guest device is not the cause.

If you are not using the guest wifi but regular wifi or ethernet port does it work then?

At one time you had it working:

Maybe go back to that situation?

As I already mentioned, pinging using the old access point (fritz box) does work.

There is no "going back", since the working condition involved the issue :slight_smile:

Everthings is working, but manual pings fail.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.