outi
August 19, 2024, 7:26am
1
Hi,
I configured a TP Link EAP245v1 running OpenWRT as dumb AP using this guide. I used a static IP of 192.168.1.2.
I added a guest WiFi using this guide, setting 192.168.2.1 for the guest WiFi.
Everything works as expected. Devices get a 192.168.1.xxx IP on the normal WiFi and a 192.168.2.xxx on the guest and can't reach each other.
But the problem is I can't reach the AP's LuCI anymore.
ethernet : 192.168.1.2 returns "404 Not Found".
-- ping works
-- ssh: connection refused
normal WiFi: 192.168.1.2 returns "403 forbidden"
-- ping works
-- ssh: connection refused
guest : 192.168.2.1 loads for a second then returns "This site can't be reached"
-- ping: destination port unreachable
-- ssh: connection refused
Any ideas, what to do or what logs to look at?
Kind regards!
You could try to connect to the upstream router (192.168.1.1) and try to ssh to the downstream router (192.168.1.2), to verify whether you can no longer access the TP Link EAP245v1 via ssh.
If this also fails, unfortunately you will have to start from scratch to regain access to the TP Link EAP245v1. If I'm not mistaken, there should be a reset button.
outi
August 19, 2024, 8:25am
3
oh, really? I did that already:
the pc is connected to the main router (192.168.1.1) and the ssh connection to 192.168.1.2 is refused.
Can you post the configuration of the router 192.168.1.1, if it is OpenWrt ...
outi
August 19, 2024, 8:42am
5
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "AMD GX-415GA SOC with Radeon(tm) HD Graphics",
"model": "FUJITSU FUTRO S920",
"board_name": "fujitsu-futro-s920",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "x86/64",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxx'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '62'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option port '553'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'LAMBO'
option ip '192.168.1.100'
option mac 'xxx'
config host
option name 'Desktop'
option ip '192.168.1.154'
option mac 'xxx'
config host
option name 'homeassistant'
option ip '192.168.1.139'
option mac 'xxx'
config host
option name 'OpenAP'
list mac 'xxx'
option ip '192.168.1.2'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config forwarding
option src 'lan'
option dest 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'LAMBO xxx'
option src 'wan'
option src_dport 'xxx'
option dest_ip '192.168.1.100'
option dest_port 'xxx'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'LAMBO xxx'
option src 'wan'
option src_dport 'xxx'
option dest_ip '192.168.1.100'
option dest_port 'xxx'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'LAMBO xxx'
option src 'wan'
option src_dport 'xxx'
option dest_ip '192.168.1.100'
option dest_port 'xxx'
ok this router 192.168.1.1 has no vlan and you have not applied the guide to create a guest zone here ...
I suggest you start from scratch to regain access on your TP Link EAP245v1
is your intention to create one of the distinct vlans for lan and guest or do you want to create two distinct routers?
example:
vlan
https://forum.openwrt.org/uploads/default/original/3X/1/f/1fef0ee2f8d450c9fa2e85ff1be37434e0a22e4f.png
or
https://forum.openwrt.org/uploads/default/original/3X/1/c/1c856a77ea2730cdb2cdbc1cb24021ef20dd5ae6.png
outi
August 19, 2024, 8:59am
7
Oh, did I have to create VLANs?
My idea is to have one dumb AP with a zone connecting to my home network and a guest zone with purely internet access. No need for two routers I'd say.
outi:
Oh, did I have to create VLANs?
My idea is to have one dumb AP with a zone connecting to my home network and a guest zone with purely internet access. No need for two routers I'd say.
the choice is up to you ...
before proceeding: between the main router and the dumb AP, is there a switch on which the vlans can be created?
make a list of all the devices you have...
if you want to have vlans to separate the traffic of the lan zone from the guest zone you will have to create them on the main router (192.168.1.1)
your router 192.168.1.1 has two ethernet ports:
eth1 wan
eth0 lan
if you apply the vlan it will become like this:
eth1 wan
eth0.10 lan
eth0.20 guest
eth0.30 iot
etc
each interface will have its own ip address:
eth0.10 192.168.1.1/24
eth0.20 192.168.2.1/24
eth0.30 192.168.3.1/24
etc
eth0 will transport the tagged traffic between your main router and the dumb AP (if there are no other devices in between)
i hope it is clear enough ...
https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat
https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
outi
August 19, 2024, 9:24am
9
No, I only have an unmanaged PoE switch between the router and the AP.
then it is better that you create two separate routers (if you do not intend to purchase a management switch)
I just purchased two TP-Link EAP615-wall devices and successfully flashed with OpenWRT. My intention is to use these two APs as dumb access points with three SSIDs, using VLANs. However, the two EAP615-wall APs are powered by PoE and I am using an unmanaged TrendNet TPE-TG44g to provide power and connect them to my main router.
Am I able to use two (or more) of these EAP615-wall APs, all connected via ethernet to the unmanaged TPE-TG44g switch, the switch connected with one ethernet cable to …
Hello - New to this community. My company uses Cisco (changing to Aruba) managed switches and structured VLANs in our network. We “traditionally” run network cable drops to each client location throughout the warehouse building. This, very often,...
outi
August 19, 2024, 9:49am
11
Thanks for your help. I will look into this.
Out of curiosity: why not just connect the AP to the router, have all devices on the same lan and create a guest WiFi on the AP for devices that shouldn't access my home network?
egc
August 19, 2024, 12:47pm
12
Sure that also is a viable option.
Working with vlans from the main router will give you one central point of administration but is a bit more complex to setup
1 Like
outi
August 19, 2024, 1:28pm
13
I was able to reset the AP and get it to work when directly connected to a PC. But I still can't access LuCI through any network connection. Only per direct connection. I feel I messed up some setting on the main router...but which one?
are you sure you have not installed a version of OpenWrt without "luci"? if you can access the router via ssh (192.168.1.2) you can post the command:
netstat -atnupl
outi
August 20, 2024, 8:58am
15
I am sure since I'm looking at it when connecting directly via ethernet cable
root@OpenAP:~# netstat -atnupl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.2.1:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 192.168.1.2:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1799/uhttpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1346/dropbear
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2703/dnsmasq
tcp 0 0 192.168.1.2:80 192.168.1.100:49899 TIME_WAIT -
tcp 0 0 192.168.1.2:53 192.168.1.100:54489 TIME_WAIT -
tcp 0 0 192.168.1.2:22 192.168.1.100:52355 ESTABLISHED 3384/dropbear
tcp 0 0 192.168.1.2:53 192.168.1.100:55480 TIME_WAIT -
tcp 0 0 192.168.1.2:53 192.168.1.100:52348 TIME_WAIT -
tcp 0 0 192.168.1.2:53 192.168.1.100:56335 TIME_WAIT -
tcp 0 0 192.168.1.2:80 192.168.1.100:52358 ESTABLISHED 1799/uhttpd
tcp 0 0 192.168.1.2:53 192.168.1.100:61895 TIME_WAIT -
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 :::80 :::* LISTEN 1799/uhttpd
tcp 0 0 xxxx :::* LISTEN 2703/dnsmasq
tcp 0 0 :::22 :::* LISTEN 1346/dropbear
udp 0 0 0.0.0.0:50405 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:37887 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:44565 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:42026 0.0.0.0:* 2703/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 2703/dnsmasq
udp 0 0 192.168.2.1:53 0.0.0.0:* 2703/dnsmasq
udp 0 0 192.168.1.2:53 0.0.0.0:* 2703/dnsmasq
udp 0 704 0.0.0.0:52538 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:16720 0.0.0.0:* 1849/usteerd
udp 0 0 0.0.0.0:59740 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:55672 0.0.0.0:* 2703/dnsmasq
udp 0 704 0.0.0.0:39077 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:41396 0.0.0.0:* 2703/dnsmasq
udp 0 0 0.0.0.0:37843 0.0.0.0:* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
udp 0 0 ::1:53 :::* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
udp 0 0 xxxx :::* 2703/dnsmasq
then it's a firewall setting... or web browser
see:
Hi,
I'm quite new to openWRT, I just reset my router to start fresh, entered a new password, and now I can't login on a normal browser tab, no "wrong password" prompt or anything it just goes back to the password prompt but on a Private browsing tab it works just fine..works ok with SSH as well... I tried resetting my router twice already and still have the same issue ...
I'm running a YouHua WR1200JS (also known as MTK MT7621A with a fresh install of the 19.07 firmware ...
So if you know wh…
Thank you guys.
@lleachii you were right from the beginning the problem was that I didn't properly understand.
After applying the steps given by @DjiPi it was clear for me what was wrong: it's not the same a WAN port than a LAN port. So my bad for not getting @lleachii 's answer from the beginning.
Still I prefer @DjiPi 's answer because it's more explicit, and contains more info for newbies like me, that's why I marked it as the solution.
Now LuCI is working for me again. My first problem is…
but I notice this, so you managed to access "LuCI"
192.168.1.2:80 192.168.1.100:52358 ESTABLISHED 1799/uhttpd
outi
August 20, 2024, 9:22am
17
I think I'm not being clear enough.
SSH and LuCI work when I connect directly. Meaning plugging a cable in the one port the AP has and the other end of the cable directly into the PC.
In that setup everything works. That's why you see the established connection in the logs.
As soon as I plug the AP into the switch I get the behavior described in post #1:
ethernet : 192.168.1.2 returns "404 Not Found".
-- ping works
-- ssh: connection refused
normal WiFi: 192.168.1.2 returns "403 forbidden"
-- ping works
-- ssh: connection refused
guest : 192.168.2.1 loads for a second then returns "This site can't be reached"
-- ping: destination port unreachable
-- ssh: connection refused
since now you can somehow connect to the dumb AP 192.168.1.2, can you post the configuration, thanks ...
and you can add a "traceroute" to the directions that don't work
I remind you that if you followed this guide:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap#firewall_part_2_-_firewall_traffic_rules
you are not allowed to access luci or ssh from the guest network
outi
August 20, 2024, 2:52pm
19
Looks like I fixed it. For some reason 192.168.1.2 seemed to be occupied.
...and as I'm typing this I realise my stupid mistake. My PiHole is running on that IP...Jesus. Sorry. But thanks for your help!
I just changed the ip to 192.168.1.3 and everything's working.
1 Like
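The cause found in this thread, two hosts answering for 192.168.1.2, can be confirmed from the ARP replies themselves. The following is an added example, not part of the original posts: a shell function that reads arping-style reply lines and reports every IP answered by more than one MAC. The reply lines and MAC addresses are constructed, the function names are hypothetical, and the `br-lan` interface in the usage comment is taken from the router config posted earlier.

```shell
#!/bin/sh
# Added example (not from the thread): detect an IPv4 address conflict
# from ARP replies. Reads lines of the form
#   Unicast reply from <ip> [<mac>]  <time>
# and prints "<ip> <mac1>,<mac2>,..." for every IP claimed by more than one MAC.
find_ip_conflicts() {
    awk '
        / reply from / {
            ip = ""; mac = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") ip = $(i + 1)
                if ($i ~ /^\[.*\]$/) mac = tolower(substr($i, 2, length($i) - 2))
            }
            if (ip == "" || mac == "") next
            key = ip SUBSEP mac
            if (key in seen) next          # same host answering again
            seen[key] = 1
            count[ip]++
            if (count[ip] == 1) { macs[ip] = mac }
            else { macs[ip] = macs[ip] "," mac }
        }
        END {
            for (ip in count)
                if (count[ip] > 1) print ip, macs[ip]
        }
    '
}

# Constructed sample: two different MACs answer for 192.168.1.2
# (as the AP and the Pi-hole would), one MAC answers for 192.168.1.1.
sample_replies() {
    cat <<'EOF'
ARPING 192.168.1.2 from 192.168.1.1 br-lan
Unicast reply from 192.168.1.2 [02:00:00:00:00:0A]  0.812ms
Unicast reply from 192.168.1.2 [02:00:00:00:00:0B]  1.944ms
Unicast reply from 192.168.1.2 [02:00:00:00:00:0A]  0.790ms
Unicast reply from 192.168.1.1 [02:00:00:00:00:01]  0.301ms
EOF
}

# Live use, assuming arping is installed on the router:
#   arping -c 3 -I br-lan 192.168.1.2 | find_ip_conflicts
sample_replies | find_ip_conflicts
```

An empty result means each probed address was answered by a single MAC; comparing that MAC with the static lease reserved for the device shows whether the expected host is the one replying.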
system
Closed
August 30, 2024, 2:53pm
20
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.