Client Internet Connectivity Issues on Raspberry Pi Guest Network

Hey there,

I installed OpenWrt on a Raspberry Pi 4 Model B yesterday. Everything seemed to work fine at first, but after following the steps in this guide I recognized that the clients connected to the guest wifi do not have any connection to the internet.

Checking the guide step by step again couldn't fix the issue. I have done a lot of research, but found no solution. I don't know if I am blind or if I misconfigured something. Would be glad if somebody could help!

Addendum: It is possible to ping 8.8.8.8 from OpenWrt, but not from a client connected to the AP wifi.

Thanks in advance! :slight_smile:

Here are my config files:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '***********'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'guest'
	option proto 'static'
	option device 'radio0.network1'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'DROP'
root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option country '**'
	option cell_density '0'
	option txpower '20'
	option band '2g'
	option channel '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid '************'
	option encryption 'psk2'
	option key '************'
	option network 'guest'
root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

PS: Some parts are replaced with **** to keep them private.

Remove this line from the guest network config

Enable masquerading on the lan firewall zone.

Reboot and try again.

Thanks for the answer!

I enabled masquerading, still no connection to the internet.

Should I post my firewall config file again or do you have another idea what the issue could be?

This is not what the guide says.

Also, I am missing the configuration of wan and wan6. What IP does a client on guest get?

Let’s see the complete config

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi, first of all I am sorry for the late reply to your answer.

I have changed the dest to wan, that does not fix the issue.

Also I am wondering about setting it to wan: there is a wan zone, but the Raspberry Pi doesn't have a second Ethernet port attached. Should I add a USB-to-LAN adapter and then set it as the wan port?

I don't have a case where I need to use a second Ethernet port. The only use case is to create an AP and use two different wifi networks on it: one guest network and one normal network.

A client on the guest network gets an IP address in the range 192.168.2.1/24; the netmask is set to 255.255.255.0.

I don't have a wan or wan6 config, because I am not using the wan zone normally. I think I should attach the second Ethernet adapter and use it as wan. That could fix the issue.

Can you share your config as requested earlier?

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '*******************'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.188'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '*******'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '***********'
	option channel '36'
	option band '5g'
	option htmode 'HT20'

config wifi-device 'radio2'
	option type 'mac80211'
	option path '***********'
	option htmode 'HT20'
	option channel 'auto'
	option country '**'
	option cell_density '0'
	option band '2g'

config wifi-iface 'wifinet0'
	option device 'radio2'
	option mode 'ap'
	option isolate '1'
	option key '*************'
	option network 'guest'
	option ssid '*******'
	option encryption '*******'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid '*****'
	option encryption '*******'

config wifi-iface 'wifinet2'
	option device 'radio2'
	option mode 'ap'
	option ssid '*******'
	option encryption '******'
	option key '**********'
	option network 'lan'
root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option leasetime '12h'
	option limit '255'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block Guest Access to Private Network'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'

Here are my current config files.

The issue is fixed :blush:

In conclusion the way to solve my issue was the following:

Attach an Ethernet-to-USB adapter, configure it as the WAN port and configure the new zone.

I thought it was enough to use the LAN port of the Raspberry Pi as LAN without attaching a second port (WAN) via USB. But that's not working; you need a second port here, which should be configured as WAN.

Thanks to @psherman and @wokkocher for your help, I appreciate it.

Even though you've solved your problem using a different method, there are still issues, and you can actually revert back to your previous physical connection method if you follow my instructions:

While it won't actually be a problem in the case of a dhcp client, the lan dhcp server should be explicitly disabled (ignore '1').

Your guest DHCP server is invalid. The limit parameter is the number of addresses in the pool. The last address in the pool is calculated by start + limit - 1 -- in the case of a /24, the max allowed value here is 254, but your value is 354. Fix this -- limit must be <=155.

Enable masquerading on the lan zone (this is assuming you go back to your original physical connection method):

Disable masquerading on the guest zone (do this regardless):

Change this to forward guest > lan (if you go back to your previous config):

And then this rule needs to be fixed... delete it because it's wrong and won't help you:

Then, if you want to block your guest network from accessing the upstream network, you need to create a rule that blocks a subnet, not a zone.
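The checks in this reply, written out as a small audit script. This is an added example, not code from the thread or from OpenWrt: `parse_uci` is a minimal reader for the `config`/`option`/`list` file format (not the `uci` tool), the finding codes are my own names, and the sample files are constructed, modelled on the second config post above (before the fixes) and on the corrections listed here (after). The pool check is the general form of the arithmetic in the reply: the last pool address is start + limit - 1 and must not exceed the last host offset of the subnet, which is 254 in a /24.

```python
import ipaddress
import shlex


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)  # UCI values are shell-style quoted
        if not parts:
            continue
        if parts[0] == 'config':
            sections.append({'type': parts[1], 'name': parts[2] if len(parts) > 2 else None,
                             'options': {}, 'lists': {}})
        elif parts[0] == 'option':
            sections[-1]['options'][parts[1]] = parts[2]
        elif parts[0] == 'list':
            sections[-1]['lists'].setdefault(parts[1], []).append(parts[2])
    return sections


def audit(network_text, dhcp_text, firewall_text, guest='guest', upstream='lan', private='192.168.1.0/24'):
    """Return sorted finding codes; an empty list means every check from the reply passes."""
    net, dhcp, fw = parse_uci(network_text), parse_uci(dhcp_text), parse_uci(firewall_text)
    ifaces = {s['name']: s['options'] for s in net if s['type'] == 'interface'}
    zones = {s['options'].get('name'): s['options'] for s in fw if s['type'] == 'zone'}
    findings = {f'{guest}-private-subnet-block-missing'}  # cleared once a proper block rule is seen
    for s in (s for s in dhcp if s['type'] == 'dhcp' and s['options'].get('ignore') != '1'):
        iface = ifaces.get(s['options'].get('interface'), {})
        if iface.get('proto') == 'dhcp':
            findings.add(f"{s['name']}-dhcp-server-active")  # interface is itself a DHCP client
        elif iface.get('proto') == 'static':
            subnet = ipaddress.ip_network(f"{iface['ipaddr']}/{iface['netmask']}", strict=False)
            start, limit = int(s['options'].get('start', 100)), int(s['options'].get('limit', 150))
            last_host = subnet.num_addresses - 2  # highest usable host offset (254 in a /24)
            if start + limit - 1 > last_host:  # pool runs past the subnet; need limit <= last_host - start + 1
                findings.add(f"{s['name']}-dhcp-pool-overflow")
    if zones.get(guest, {}).get('masq') == '1':
        findings.add(f'{guest}-masq-enabled')  # only the zone facing the upstream masquerades
    if zones.get(upstream, {}).get('masq') != '1':
        findings.add(f'{upstream}-masq-missing')
    forwards = {(s['options'].get('src'), s['options'].get('dest')) for s in fw if s['type'] == 'forwarding'}
    if (guest, upstream) not in forwards:
        findings.add(f'forwarding-{guest}-{upstream}-missing')
    for s in (s for s in fw if s['type'] == 'rule' and s['options'].get('src') == guest):
        target, opts = s['options'].get('target', '').upper(), s['options']
        if target in ('REJECT', 'DROP') and private in s['lists'].get('dest_ip', []):
            findings.discard(f'{guest}-private-subnet-block-missing')  # blocks the subnet, not a zone
        elif target == 'ACCEPT' and opts.get('dest') == upstream and not opts.get('dest_port'):
            findings.add(f'{guest}-accept-to-{upstream}-zone')  # lets guests into the private LAN
    return sorted(findings)


# Constructed sample files, modelled on the thread's second config post (before the fixes).
NETWORK = """
config interface 'lan'
	option proto 'dhcp'
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
"""
DHCP_BEFORE = """
config dhcp 'lan'
	option interface 'lan'
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '255'
"""
FIREWALL_BEFORE = """
config zone
	option name 'lan'
config zone
	option name 'guest'
	option masq '1'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'
"""
# Same files after the reply's corrections: lan server ignored, limit 155, masq on lan only, forward guest -> lan, subnet block.
DHCP_AFTER = DHCP_BEFORE.replace("interface 'lan'\n", "interface 'lan'\n\toption ignore '1'\n").replace("'255'", "'155'")
FIREWALL_AFTER = """
config zone
	option name 'lan'
	option masq '1'
config zone
	option name 'guest'
config forwarding
	option src 'guest'
	option dest 'lan'
config rule
	option name 'Block Guests from Accessing Private Network'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
"""
```

Running `audit(NETWORK, DHCP_BEFORE, FIREWALL_BEFORE)` reports all seven problems named in the reply, and `audit(NETWORK, DHCP_AFTER, FIREWALL_AFTER)` returns an empty list. The "accept to zone" finding is the important one from a security standpoint: a rule whose target is ACCEPT with the upstream zone as destination is the opposite of a block, so the guest network would have had full access to the private LAN while the rule name claimed otherwise.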

I am sorry again for the late reply, here are the new config files. I've changed the things you wrote in your answer.

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '*************'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.143'
	option gateway '192.168.1.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.188'
root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '**********'
	option channel 'auto'
	option txpower '20'
	option country '*******'
	option band '2g'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '********'
	option cell_density '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path '*************'
	option channel 'auto'
	option country '****'
	option band '2g'
	option htmode 'HT20'
	option txpower '23'
	option cell_density '3'

config wifi-iface 'wifinet2'
	option device 'radio2'
	option mode 'ap'
	option network 'lan'
	option ssid '*********'
	option key '*************'
	option encryption 'sae-mixed'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid '**********'
	option encryption 'sae'
	option key '************j'
	option network 'guest'
root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option leasetime '12h'
	option limit '155'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule

config rule
	option name 'Block Guests from Accessing Private Network'
	list proto 'all'
	option src 'guest'
	option dest 'wan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'

Some parts are covered with *******

Looks fine. Does it work?

Yes, it's working flawlessly!

Thanks a lot for the help!!!!
