Create a masqueraded guest wifi

Hi,

I'm trying to create a fully separated guest wifi with a dedicated DHCP/DNS on my wifi router while the switch ports and the normal wifi are fully integrated into my normal network. Maybe the following diagram describes it better. Sorry for the large image, but as a new user I'm not allowed to post multiple images in one post.

I've created a separate guest wifi interface with a static IP + local DHCP and in the firewall settings I enabled "masquerading":

After connecting to the "guest24" wifi I get an address from DHCP and I'm able to resolve DNS queries, but I can't ping anything outside the 192.168.128.0/24 network except the wifi router's LAN IP.

Is there some setting I'm missing that prevents masquerading from working?

Thank you in advance!

Sven

You need masquerade on the interface whose IP is to be shared for outgoing traffic, i.e. the WAN port.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

# Board and firmware details (model, OpenWrt release).
ubus call system board
# Interfaces and bridge membership.
cat /etc/config/network
# Radios and SSIDs; the 'option key' lines hold wifi passphrases - redact them.
cat /etc/config/wireless
# dnsmasq/odhcpd settings and per-interface DHCP pools.
cat /etc/config/dhcp
# Zones, rules, forwardings and masquerading.
cat /etc/config/firewall

Thanks, but if I do that, wouldn't that also mean that all devices are masqueraded, not only the guest devices?

root@wifi:~# ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "wifi",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "GL.iNet GL-A1300",
	"board_name": "glinet,gl-a1300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
root@wifi:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'net_guest24'
	option proto 'static'
	option device 'iface_guest24'
	option ipaddr '192.168.128.1'
	option netmask '255.255.255.0'
root@wifi:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'DE'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'internal24'
	option encryption 'psk2'
	option key 'internalxxxxx'
	option ifname 'internal24'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option country 'DE'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'internal5'
	option encryption 'psk2'
	option key 'internalxxxxx'
	option ifname 'internal5'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest24'
	option encryption 'psk2'
	option key 'guestwifipass'
	option network 'net_guest24'
	option isolate '1'
	option ifname 'iface_guest24'
root@wifi:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'net_guest24'
	option interface 'net_guest24'
	option start '100'
	option limit '150'
	option leasetime '12h'
root@wifi:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'net_guest24'

config rule
	option name 'Guest DHCP'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53'
	option enabled '0'

config forwarding
	option src 'guest'
	option dest 'lan'

It looks like you set up a guest wifi on a bridged AP.
You need to masquerade on the LAN interface as brada4 already said.

All other connected clients only pass through this router on their way to the main router, so they will not be subject to the masquerading.

Edit: masquerading is not strictly necessary; you can also set a route for the return traffic on the main router, but then you must make sure you do not fall into the "invalid" traffic trap.

Thank you, that did the trick.

Now I need to set up some firewall rules, as I can currently also ping devices on my local network from the guest wifi (the `config forwarding` from `guest` to `lan` in the firewall config is what allows that), but that shouldn't be an issue.

Thanks for your help @egc and @brada4.
