Can't get internet connection on Guest WLAN

Hello,

I want to setup Guest WLAN on my OpenWrt but I can't get it to work properly.

I've mainly followed the guide at https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap but a few modifications are required.

My goal is this:

  • Guest clients do get a valid DHCP address from the guest network.
  • They are also able to use 192.168.10.1#53 to resolve DNS queries.
  • Pinging resolvable hosts is not possible.
  • Opening a browser and navigating to resolvable hosts is not possible.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdda:88b7:479f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.178.13'
        option netmask '255.255.255.0'
        list dns '192.168.178.10'
        option gateway '192.168.178.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option key '88888888'
        option isolate '1'
        option network 'guest'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option name 'allow_any_to_guest_gateway'
        option src 'guest'
        option target 'ACCEPT'

config rule
        option name 'block_anything_else'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'

/edit: Deleted the firewall rule to the local DNS server, since DNS is handled by 192.168.10.1:

config rule
        option name 'allow_dns_to_lan_dnsServer'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.178.10'
        option dest_port '53'
        option target 'ACCEPT'

The LAN is your way out, so remove the following:

Add:

config rule
        option name 'allow_way_out'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

First get it working, and then you can gradually restrict access to unwanted areas like your LAN.

The second thing which has to be done is either MASQUERADE over the LAN zone or set a static route on the main router for your guest wifi.
Easiest for now is to enable MASQUERADING on the LAN zone:

Reboot and check again.


Thanks! Works indeed.

But I'm a little confused here. Since OpenWrt uses 192.168.178.1 as gateway, how is it that the following behavior occurs?

config rule
        option name 'allow_any'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

Guest clients are able to use "the internet".


config rule
        option name 'allow_any'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.178.1'

Internet access is not working.

Because the destination is not 192.168.178.1.
The destination is somewhere on the internet.

I thought the "zones" include every network which is "child" of them.

My current config is now:

config rule
        option name 'block_guest_to_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'allow_anything_else'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

If I got it correctly, the guest -> LAN is needed for the masquerading to work properly?

Guests should be able to do anything they want, but nothing with devices inside my LAN.

The LAN is your only way out, so you have to allow traffic over the LAN, even if you do not MASQUERADE.
You block access to the LAN exactly like you did.

A further step could be to block access to the router for your guests:
set option input 'REJECT'
BUT before doing that, make sure you allow DNS (53) and DHCP traffic; otherwise the guests will not get an IP address, see:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap#firewall_part_2_-_firewall_traffic_rules


Okay, my firewall config now looks like this:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option name 'allow_dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'allow_dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'block_guest_to_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'allow_upstream_via_LAN'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'

I've noticed that pinging websites does not work from my guest client:

ping openwrt.org

from 192.168.10.1 Destination port unreachable.

Check if ping 8.8.8.8 works.

It could be a DNS problem, as your DNS server is on your local LAN and that is not allowed.

If so, you have to allow from guest to lan, port 53, destination 192.168.178.10.

Edit: make sure this allow rule comes first!

It does not seem like a DNS issue:

ping openwrt.org

From _gateway (192.168.10.1) icmp_seq=1 Destination port not reachable
From _gateway (192.168.10.1) icmp_seq=2 Destination port not reachable
^C

nslookup openwrt.org

Server: 192.168.10.1
Address: 192.168.10.1#53

Non-authoritative answer:
Name: openwrt.org
Address: 64.226.122.113
Name: openwrt.org
Address: 2a03:b0c0:3:d0::1a51:c001

ping 64.226.122.113

PING 64.226.122.113 (64.226.122.113) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination port not reachable
From 192.168.10.1 icmp_seq=2 Destination port not reachable
From 192.168.10.1 icmp_seq=3 Destination port not reachable
^C

ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination port not reachable
From 192.168.10.1 icmp_seq=2 Destination port not reachable
From 192.168.10.1 icmp_seq=3 Destination port not reachable

Let's see your current config. Please connect to your OpenWrt device, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdda:88b7:479f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.178.13'
        option netmask '255.255.255.0'
        list dns '192.168.178.10'
        option gateway '192.168.178.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option name 'allow_dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'allow_dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'block_guest_to_lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'allow_upstream_via_LAN'
        option src 'guest'
        option dest 'lan'
        option target 'ACCEPT'
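The firewall config posted above and the earlier ping results, worked through as an added example (this is not code from the thread): a small Python model of fw4's first-match walk over the guest-zone rules. It assumes the documented OpenWrt default that a rule without option proto matches only tcp and udp, which is why allow_upstream_via_LAN passes TCP/UDP but lets ICMP echo fall through to the forward default of REJECT (seen as "Destination port unreachable" from 192.168.10.1); FIXED_RULES shows the same rules with option proto 'all' set.

```python
"""Model of fw4 first-match rule evaluation for the posted guest zone.
Assumption: a rule with no 'option proto' matches only tcp and udp
(the documented OpenWrt default)."""
import ipaddress

# Constructed transcription of the posted rules, in file order:
# (name, src, dest, proto, dest_ip, dest_port, target); None = option not set.
# dest None means the rule applies to traffic addressed to the router itself.
POSTED_RULES = [
    ("allow_dhcp", "guest", None, "udp", None, "67-68", "ACCEPT"),
    ("allow_dns", "guest", None, None, None, "53", "ACCEPT"),
    ("block_guest_to_lan", "guest", "lan", None, "192.168.178.0/24", None, "REJECT"),
    ("allow_upstream_via_LAN", "guest", "lan", None, None, None, "ACCEPT"),
]
# Same forward rules with 'option proto' set explicitly so ICMP is matched too.
FIXED_RULES = [r if r[2] is None else r[:3] + ("all",) + r[4:] for r in POSTED_RULES]
# Zone 'guest' input policy and 'config defaults' forward policy from the post.
DEFAULTS = {"input": "REJECT", "forward": "REJECT"}

def proto_matches(rule_proto, proto):
    if rule_proto is None:          # fw4 default: 'tcp udp'
        return proto in ("tcp", "udp")
    return rule_proto == "all" or proto in rule_proto.split()

def port_matches(spec, port):
    if spec is None:
        return True
    if port is None:                # ICMP carries no port
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src, dest, proto, dst_ip, dst_port=None):
    """First matching rule decides, as in fw4; otherwise the chain policy
    applies. dest=None models traffic to the router (input chain)."""
    ip = ipaddress.ip_address(dst_ip)
    for name, r_src, r_dest, r_proto, r_ip, r_port, target in rules:
        if r_src != src or r_dest != dest:
            continue
        if not proto_matches(r_proto, proto):
            continue
        if r_ip is not None and ip not in ipaddress.ip_network(r_ip):
            continue
        if not port_matches(r_port, dst_port):
            continue
        return target, name
    return DEFAULTS["input" if dest is None else "forward"], "defaults"

if __name__ == "__main__":
    for rules in (POSTED_RULES, FIXED_RULES):
        print(evaluate(rules, "guest", "lan", "tcp", "64.226.122.113", 443))
        print(evaluate(rules, "guest", "lan", "icmp", "8.8.8.8"))
        print(evaluate(rules, "guest", "lan", "icmp", "192.168.178.10"))
```

With POSTED_RULES, TCP to 64.226.122.113:443 is accepted by allow_upstream_via_LAN while ICMP to 8.8.8.8 hits the forward default; with FIXED_RULES the same ping is accepted and ICMP to 192.168.178.10 is rejected by block_guest_to_lan, which is the intended split.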

Are devices on the guest network able to get a DHCP lease?

Yes, it seems like everything else besides pinging works.

Although it should not interfere (unless the gateway is wrong on the clients), can you remove the rule below, reboot and test again to see if this is the culprit:

Disabling this rule does not make a difference.

Still: Destination Port unreachable.

I've switched to my old AP (FritzBox), and pinging openwrt.org works. Just to make sure that my guest device is not the cause.

If you are not using the guest wifi but the regular wifi or an ethernet port, does it work then?

At one time you had it working:

Maybe go back to that situation?

As I already mentioned, pinging using the old access point (FritzBox) does work.

There is no "going back", since the working condition involved the issue.

Everything is working, but manual pings fail.