Can't reach LuCI on dumb AP after configuring guest WiFi

Hi,

I configured a TP Link EAP245v1 running OpenWRT as dumb AP using this guide. I used a static IP of 192.168.1.2.
I added a guest WiFi using this guide, setting 192.168.2.1 for the guest WiFi.

Everything works as expected. Devices get a 192.168.1.xxx IP on the normal WiFi and a 192.168.2.xxx on the guest and can't reach each other.

But the problem is I can't reach the AP's LuCI anymore.

  • ethernet: 192.168.1.2 returns "404 Not Found".
    -- ping works
    -- ssh: connection refused
  • normal WiFi: 192.168.1.2 returns "403 forbidden"
    -- ping works
    -- ssh: connection refused
  • guest: 192.168.2.1 loads for a few seconds then returns "This site can't be reached"
    -- ping: destination port unreachable
    -- ssh: connection refused

Any ideas, what to do or what logs to look at?

Kind regards!

you could try to connect to the upstream router (192.168.1.1) and try to ssh to the downstream router (192.168.1.2) to verify whether you can no longer access the TP Link EAP245v1 via ssh.

if this also fails, unfortunately you will have to start from scratch to regain access to the TP Link EAP245v1. If I'm not mistaken, there should be a reset button.

oh, really? I did that already:

the pc is connected to the main router (192.168.1.1) and the ssh connection to 192.168.1.2 is refused.

can you post the configuration of the router 192.168.1.1 if it is OpenWrt ...

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "AMD GX-415GA SOC with Radeon(tm) HD Graphics",
        "model": "FUJITSU FUTRO S920",
        "board_name": "fujitsu-futro-s920",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '62'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option port '553'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'LAMBO'
        option ip '192.168.1.100'
        option mac 'xxx'

config host
        option name 'Desktop'
        option ip '192.168.1.154'
        option mac 'xxx'

config host
        option name 'homeassistant'
        option ip '192.168.1.139'
        option mac 'xxx'

config host
        option name 'OpenAP'
        list mac 'xxx'
        option ip '192.168.1.2'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'LAMBO xxx'
        option src 'wan'
        option src_dport 'xxx'
        option dest_ip '192.168.1.100'
        option dest_port 'xxx'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'LAMBO xxx'
        option src 'wan'
        option src_dport 'xxx'
        option dest_ip '192.168.1.100'
        option dest_port 'xxx'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'LAMBO xxx'
        option src 'wan'
        option src_dport 'xxx'
        option dest_ip '192.168.1.100'
        option dest_port 'xxx'

ok, this router 192.168.1.1 has no VLAN and you have not applied the guide to create a guest zone here ...

I suggest you start from scratch to regain access on your TP Link EAP245v1

is your intention to create distinct VLANs for lan and guest, or do you want to create two distinct routers?

example:

vlan
https://forum.openwrt.org/uploads/default/original/3X/1/f/1fef0ee2f8d450c9fa2e85ff1be37434e0a22e4f.png

or
https://forum.openwrt.org/uploads/default/original/3X/1/c/1c856a77ea2730cdb2cdbc1cb24021ef20dd5ae6.png

Oh, did I have to create VLANs?
My idea is to have one dumb AP with a zone connecting to my home network and a guest zone with purely internet access. No need for two routers, I'd say.

the choice is up to you ...

before proceeding: between the main router and the dumb AP, is there a switch on which the VLANs can be created?

make a list of all the devices you have...

if you want to have VLANs to separate the traffic of the lan zone from the guest zone, you will have to create them on the main router (192.168.1.1)

your router 192.168.1.1 has two ethernet ports:
eth1 wan
eth0 lan

if you apply the VLANs it will become like this:

eth1 wan
eth0.10 lan
eth0.20 guest
eth0.30 iot
etc

each interface will have its own ip address:

eth0.10 192.168.1.1/24
eth0.20 192.168.2.1/24
eth0.30 192.168.3.1/24
etc

eth0 will transport the tagged traffic between your main router and the dumb AP (if there are no other devices in between)

i hope it is clear enough ...

https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat

https://openwrt.org/docs/guide-user/network/vlan/switch_configuration

No, I only have an unmanaged PoE switch between the router and the AP.

then it is better that you create two separate routers (if you do not intend to purchase a managed switch)

Thanks for your help. I will look into this.
Out of curiosity: why not just connect the AP to the router, have all devices on the same lan and create a guest WiFi on the AP for devices that shouldn't access my home network?

Sure that also is a viable option.

Working with VLANs from the main router will give you one central point of administration but is a bit more complex to set up.


I was able to reset the AP and get it to work when directly connected to a PC. But I still can't access LuCI through any network connection. Only per direct connection. I feel I messed up some setting on the main router...but which one?

are you sure you have not installed a version of OpenWrt without "luci"? If you can access the router via ssh (192.168.1.2), you can post the command:

netstat -atnupl

I am sure since I'm looking at it when connecting directly via ethernet cable :smiley:

root@OpenAP:~# netstat -atnupl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.2.1:53          0.0.0.0:*               LISTEN      2703/dnsmasq
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      2703/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1799/uhttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1346/dropbear
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2703/dnsmasq
tcp        0      0 192.168.1.2:80          192.168.1.100:49899     TIME_WAIT   -
tcp        0      0 192.168.1.2:53          192.168.1.100:54489     TIME_WAIT   -
tcp        0      0 192.168.1.2:22          192.168.1.100:52355     ESTABLISHED 3384/dropbear
tcp        0      0 192.168.1.2:53          192.168.1.100:55480     TIME_WAIT   -
tcp        0      0 192.168.1.2:53          192.168.1.100:52348     TIME_WAIT   -
tcp        0      0 192.168.1.2:53          192.168.1.100:56335     TIME_WAIT   -
tcp        0      0 192.168.1.2:80          192.168.1.100:52358     ESTABLISHED 1799/uhttpd
tcp        0      0 192.168.1.2:53          192.168.1.100:61895     TIME_WAIT   -
tcp        0      0 xxxx 					:::*                    LISTEN      2703/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      2703/dnsmasq
tcp        0      0 xxxx 					:::*                    LISTEN      2703/dnsmasq
tcp        0      0 xxxx 					:::*                    LISTEN      2703/dnsmasq
tcp        0      0 xxxx 					:::*                    LISTEN      2703/dnsmasq
tcp        0      0 xxxx 					:::*                    LISTEN      2703/dnsmasq
tcp        0      0 xxxx 					:::*                    LISTEN      2703/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      1799/uhttpd
tcp        0      0 xxxx    				:::*                    LISTEN      2703/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      1346/dropbear
udp        0      0 0.0.0.0:50405           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:37887           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:44565           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:42026           0.0.0.0:*                           2703/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2703/dnsmasq
udp        0      0 192.168.2.1:53          0.0.0.0:*                           2703/dnsmasq
udp        0      0 192.168.1.2:53          0.0.0.0:*                           2703/dnsmasq
udp        0    704 0.0.0.0:52538           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:16720           0.0.0.0:*                           1849/usteerd
udp        0      0 0.0.0.0:59740           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:55672           0.0.0.0:*                           2703/dnsmasq
udp        0    704 0.0.0.0:39077           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:41396           0.0.0.0:*                           2703/dnsmasq
udp        0      0 0.0.0.0:37843           0.0.0.0:*                           2703/dnsmasq
udp        0      0 xxxx 					:::*                                2703/dnsmasq
udp        0      0 xxxx 					:::*                                2703/dnsmasq
udp        0      0 xxxx 					:::*                                2703/dnsmasq
udp        0      0 xxxx					:::*                                2703/dnsmasq
udp        0      0 xxxx 					:::*                                2703/dnsmasq
udp        0      0 ::1:53                  :::*                                2703/dnsmasq
udp        0      0 xxxx   					:::*                                2703/dnsmasq
udp        0      0 xxxx 					:::*                                2703/dnsmasq

then it's a firewall setting... or web browser
see:

but I notice this, so you managed to access LuCI:

192.168.1.2:80          192.168.1.100:52358     ESTABLISHED 1799/uhttpd

I think I'm not being clear enough.

SSH and LuCI work when I connect directly. Meaning plugging a cable in the one port the AP has and the other end of the cable directly into the PC.
In that setup everything works. That's why you see the established connection in the logs.

As soon as I plug the AP into the switch I get the behavior described in post #1:

since now you can somehow connect to the dumb AP 192.168.1.2, can you post the configuration? thanks ...

and you can add a "traceroute" to the addresses that don't work

I remind you that if you followed this guide:

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap#firewall_part_2_-_firewall_traffic_rules

you are not allowed to access luci or ssh from the guest network

Looks like I fixed it. For some reason 192.168.1.2 seemed to be occupied.

...and as I'm typing this I realise my stupid mistake. My PiHole is running on that IP...Jesus. Sorry. But thanks for your help!

I just changed the ip to 192.168.1.3 and everything's working.

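The root cause above was two hosts (the AP and a Pi-hole) both answering for 192.168.1.2, which is what produced the mixed 404 / 403 / "connection refused" symptoms. As an added example that is not part of this thread, the POSIX shell/awk check below reads ARP replies in `tcpdump -n arp` line format (a constructed sample is embedded; the interface name `br-lan` and the tcpdump invocation in the comment are assumptions) and reports any IPv4 address claimed by more than one MAC.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags IPs that answer ARP from
# more than one MAC, i.e. a duplicate-address situation like the one that
# made 192.168.1.2 unreachable above.

# Reads tcpdump-style ARP lines on stdin and prints "IP MAC1 MAC2 ..." for
# every IP seen with more than one distinct MAC. Returns 1 if any conflict
# was found, 0 otherwise (repeated replies from the same MAC are deduplicated).
arp_conflicts() {
    awk '
        /ARP, Reply/ {
            ip = ""; mac = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Reply") ip = $(i + 1)
                if ($i == "is-at") { mac = $(i + 1); sub(/,$/, "", mac) }
            }
            if (ip == "" || mac == "") next
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                macs[ip] = count[ip] ? macs[ip] " " mac : mac
                count[ip]++
            }
        }
        END {
            rc = 0
            for (ip in count) if (count[ip] > 1) { print ip, macs[ip]; rc = 1 }
            exit rc
        }'
}

# Constructed sample capture (not real data): 192.168.1.2 is claimed by two
# different MACs, 192.168.1.100 by one; the request line is ignored.
SAMPLE_ARP='12:00:01.000001 ARP, Reply 192.168.1.2 is-at 00:11:22:33:44:55, length 28
12:00:01.000002 ARP, Reply 192.168.1.2 is-at 66:77:88:99:aa:bb, length 28
12:00:02.000001 ARP, Reply 192.168.1.100 is-at 0c:0d:0e:0f:10:11, length 28
12:00:03.000001 ARP, Request who-has 192.168.1.2 tell 192.168.1.100, length 28
12:00:03.000002 ARP, Reply 192.168.1.2 is-at 00:11:22:33:44:55, length 28'

# Live use on the AP (assumed interface name, tcpdump package installed):
#   tcpdump -l -n -i br-lan arp 2>/dev/null | arp_conflicts
printf '%s\n' "$SAMPLE_ARP" | arp_conflicts || echo "ARP conflict detected"
```

Running it on the sample prints `192.168.1.2 00:11:22:33:44:55 66:77:88:99:aa:bb` followed by the conflict notice.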
