rokimuc
September 17, 2023, 4:03pm
1
Hey there,
I installed OpenWrt on a Raspberry Pi 4 Model B yesterday. Everything seemed to work fine at first, but after following the steps in this guide I recognized that the clients connected to the guest wifi do not have any connection to the internet.
Checking the guide step by step again couldn't fix the issue. I have done a lot of research, but found no solutions. I don't know if I am blind or if I misconfigured something. Would be glad if somebody could help!
Addendum: It is possible to ping 8.8.8.8 from OpenWrt, but not from a client connected to the AP wifi.
Thanks in advance!
Here are my config files:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '***********'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
option peerdns '0'
config interface 'guest'
option proto 'static'
option device 'radio0.network1'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option name 'guest'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'lan'
config rule
option name 'Guest DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'DROP'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option country '**'
option cell_density '0'
option txpower '20'
option band '2g'
option channel '1'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid '************'
option encryption 'psk2'
option key '************'
option network 'guest'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra 'hybrid'
option dhcpv6 'hybrid'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
PS: Some parts are replaced with **** to keep them private.
Remove this line from the guest network config
Enable masquerading on the lan firewall zone.
Reboot and try again.
rokimuc
September 18, 2023, 5:37pm
3
Thanks for the answer!
I enabled masquerading, still no connection to the internet.
Should I post my firewall config file again or do you have another idea what the issue could be?
This is not what the guide says.
Also, I am missing the configuration of wan and wan6. What IP does a client on guest get?
Let's see the complete config.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
rokimuc
September 24, 2023, 8:40am
6
Hi, first of all I am sorry for the late reply to your answer.
I have changed the dest to wan, that does not fix the issue.
Also, I am wondering about setting it to wan: there is a wan zone, but the Raspberry Pi doesn't have a second Ethernet port attached. Should I add a USB-to-LAN adapter and then set it as the WAN port?
I don't have a case where I need to use a second Ethernet port. The only use case is to create an AP and use two different wifi networks on it: one guest network and one normal network.
A client on the guest network gets an IP address in the range of 192.168.2.1/24; the netmask is set to 255.255.255.0.
I don't have a wan or wan6 config, because I am not using the wan zone normally. I think I should append the second ethernet adapter and use it as wan. That could fix the issue.
Can you share your config as requested earlier?
rokimuc
September 24, 2023, 3:16pm
8
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '*******************'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
list dns '192.168.1.188'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '*******'
option channel '36'
option band '5g'
option htmode 'VHT80'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path '***********'
option channel '36'
option band '5g'
option htmode 'HT20'
config wifi-device 'radio2'
option type 'mac80211'
option path '***********'
option htmode 'HT20'
option channel 'auto'
option country '**'
option cell_density '0'
option band '2g'
config wifi-iface 'wifinet0'
option device 'radio2'
option mode 'ap'
option isolate '1'
option key '*************'
option network 'guest'
option ssid '*******'
option encryption '*******'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option ssid '*****'
option encryption '*******'
config wifi-iface 'wifinet2'
option device 'radio2'
option mode 'ap'
option ssid '*******'
option encryption '******'
option key '**********'
option network 'lan'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra 'hybrid'
option dhcpv6 'hybrid'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option leasetime '12h'
option limit '255'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
option input 'REJECT'
option masq '1'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Guest DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Guest DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Block Guest Access to Private Network'
list proto 'all'
option src 'guest'
option dest 'lan'
option target 'ACCEPT'
Here are my current config files.
rokimuc
September 24, 2023, 3:22pm
9
The issue is fixed
In conclusion, the way to solve my issue was the following:
Attach an Ethernet-to-USB adapter, configure it as the WAN port and configure the new zone.
I thought it was enough to use the LAN port of the Raspberry Pi as LAN without attaching a second port (WAN) via USB. But that doesn't work; you need a second port here, which should be configured as WAN.
Thanks to @psherman and @wokkocher for your help, I appreciate it.
Even though you've solved your problem using a different method, there are still issues, and you can actually revert back to your previous physical connection method if you follow my instructions:
While it won't actually be a problem in the case of a dhcp client, the lan dhcp server should be explicitly disabled (ignore '1'),
Your guest DHCP server is invalid. The limit parameter is the number of addresses in the pool. The last address in the pool is calculated by start + limit - 1 -- in the case of a /24, the max allowed value here is 254, but your value is 354. Fix this -- limit must be <=155.
Enable masquerading on the lan zone (this is assuming you go back to your original physical connection method):
Disable masquerading on the guest zone (do this regardless):
Change this to forward guest > lan (if you go back to your previous config):
And then this rule needs to be fixed... delete it because it's wrong and won't help you:
Then, if you want to block your guest network from accessing the upstream network, you need to create a rule that blocks a subnet, not a zone.
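The checks in the reply above (pool size from start + limit - 1, a masquerading exit for the guest zone, and a subnet-based rather than zone-wide block) can be run mechanically over the posted files. The following is an added example, not code from the thread or from OpenWrt: a small parser for the /etc/config UCI text shown in the posts, plus one function per check. The three sample configs embedded in it are constructed to resemble the poster's files (guest on 192.168.2.1/24, a 255-address pool from .100, guest-to-lan forwarding with no masquerading on lan, masq on the guest zone itself, and a zone-wide guest-to-lan rule) and are not copies of them; all function names are my own.

```python
"""Added example (not from the thread or OpenWrt): parse the UCI text shown in
the posts and run the checks the replies make by hand. Names and samples are mine."""
import re
from ipaddress import IPv4Network

# Constructed samples resembling the poster's files (not copies): guest on
# 192.168.2.1/24, a 255-address pool from .100, guest->lan forwarding with no
# masquerading on lan, masq on guest itself, and a zone-wide guest->lan rule.
SAMPLE_NETWORK = """
config interface 'guest'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
"""
SAMPLE_DHCP = """
config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '255'
"""
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'guest'
    option forward 'REJECT'
    option masq '1'
    list network 'guest'
config forwarding
    option src 'guest'
    option dest 'lan'
config rule
    option name 'Block Guest Access to Private Network'
    option src 'guest'
    option dest 'lan'
    option target 'ACCEPT'
"""
_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*?))?\s*$")

def _unquote(value):
    value = (value or "").strip()
    quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "'\""
    return value[1:-1] if quoted else value

def parse_uci(text):
    """Parse UCI text into [{"type", "name", "options": {..}, "lists": {..}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError("unparseable UCI line: %r" % raw)
        kind, key, value = match.groups()
        if kind == "config":
            sections.append({"type": key, "name": _unquote(value) or None, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = _unquote(value)
        else:
            sections[-1]["lists"].setdefault(key, []).append(_unquote(value))
    return sections

def check_dhcp_pools(network, dhcp):
    """last = start + limit - 1 must not exceed the highest host index the
    interface netmask allows (254 for a /24); max_limit is the largest valid limit."""
    ifaces = {s["name"]: s["options"] for s in network if s["type"] == "interface"}
    results = {}
    for s in dhcp:
        opts, iface = s["options"], ifaces.get(s["options"].get("interface"), {})
        if s["type"] != "dhcp" or opts.get("ignore") == "1" or iface.get("proto") != "static":
            continue
        net = IPv4Network((iface["ipaddr"], iface["netmask"]), strict=False)
        start, limit = int(opts.get("start", 100)), int(opts.get("limit", 150))  # OpenWrt defaults
        last, max_index = start + limit - 1, net.num_addresses - 2  # minus network and broadcast
        results[opts["interface"]] = {"last": last, "ok": last <= max_index, "max_limit": max_index - start + 1}
    return results

def check_guest_path(firewall, guest="guest"):
    """Guest clients get out only through a forwarding into a masquerading zone
    (wan, or lan when the Pi is a plain access point behind another router)."""
    zones = {s["options"]["name"]: s["options"] for s in firewall if s["type"] == "zone"}
    exits = [s["options"]["dest"] for s in firewall if s["type"] == "forwarding"
             and s["options"].get("src") == guest
             and zones.get(s["options"].get("dest"), {}).get("masq") == "1"]
    return {"exits": exits, "guest_masq": zones.get(guest, {}).get("masq") == "1"}

def find_zone_wide_guest_rules(firewall, guest="guest", lan="lan"):
    """guest->lan rules with no dest_ip match the whole zone; a private-subnet
    block needs a subnet in dest_ip, as the last reply says."""
    return [(s["options"].get("name", "<unnamed>"), s["options"].get("target"))
            for s in firewall if s["type"] == "rule" and s["options"].get("src") == guest
            and s["options"].get("dest") == lan and not s["lists"].get("dest_ip")]

def private_subnet_block_rule(subnet, guest="guest", lan="lan"):
    """UCI text for a rule that drops guest traffic to one upstream subnet only."""
    subnet = str(IPv4Network(subnet))
    return "\n".join(["config rule", "\toption name 'Block guest to %s'" % subnet,
                      "\toption src '%s'" % guest, "\toption dest '%s'" % lan,
                      "\tlist proto 'all'", "\tlist dest_ip '%s'" % subnet,
                      "\toption target 'DROP'"])
```

Run on the samples, check_dhcp_pools reports the guest pool ending at index 354 with a maximum valid limit of 155, check_guest_path finds no masquerading exit (the forwarding points at lan, which has no masq) while the guest zone itself masquerades, and find_zone_wide_guest_rules flags the ACCEPT rule that has no dest_ip. The DHCP and DNS rules from the posted firewall are deliberately not touched by the subnet rule, because they match traffic to the router itself rather than forwarded traffic.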