nitinjs
September 21, 2024, 1:46pm
I am using wireguard on my openwrt (related thread here Openwrt as a wifi repeater and wireguard setup )
Is it possible to make isolated wifi networks with wireguard?
An access point on the plain WAN interface (by default OpenWrt creates this; it provides internet through the lan interface).
An access point connecting through the WireGuard interface (I need to create one more access point which provides internet through the WireGuard interface).
My interfaces
I tried pointing the wifi access point at the wan/wwan interface, but it does not work.
cheers
nitin
brada4
September 21, 2024, 1:48pm
Likely your internet provider gives you one IP address only.
nitinjs
September 21, 2024, 1:50pm
One ip is given by the ISP and the other by vpn
brada4
September 21, 2024, 1:51pm
But not a 2nd IP for the wifi client.
I followed the guide as mentioned by @Linux-DADDY
AP1 (Jimmy Neutron) is pointed to network wf_wireguard
AP2 (Goddard) is pointed to network wf_home
and my original AP (Nitin) is pointed to network lan
AP1 connects successfully to VPN
The issues are:
AP2 does not connect to the internet; I get an IP address successfully, but no access to the LuCI router configuration panel.
AP does not connect to the internet; I get an IP address successfully, and I am able to access the LuCI router configuration panel.
When a PC is connected via LAN, it does not connect to the internet; I do not get an IP address.
Please post your config files directly into the forum... this helps improve the process of troubleshooting the issues:
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
--ubus call system board--
/etc/config$ ubus call system board
{
"kernel": "5.15.137",
"hostname": "Nitin",
"system": "MediaTek MT7628AN ver:1 eco:2",
"model": "TP-Link Archer C50 v4",
"board_name": "tplink,archer-c50-v4",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "ramips/mt76x8",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
--cat /etc/config/network--
# /etc/config/network as posted.  Review notes are '#' comments; nothing else changed.
# Loopback: stock OpenWrt default.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd4:6727:00d4::/48'
# Wired LAN bridge; its only port is the switch VLAN 1 tagged uplink eth0.1.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
# Management LAN.  The 'Nitin' AP (default_radio0 in /etc/config/wireless) is
# attached to this network as well.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.141.42'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
# NOTE(review): MAC address left in the paste despite the redaction request above.
option macaddr '1c:3b:f3:21:7e:25'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '2 4 6t'
# Wireless uplink.  No 'device' option here: the sta 'wifinet1' on radio1 binds
# to this network from /etc/config/wireless.  peerdns=0 ignores the resolvers
# handed out by the upstream AP in favour of the two listed below.
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
# Subnet behind the 'Goddard' AP (wifinet3); forwarded to the wan zone.
config interface 'wf_home'
option proto 'static'
option ipaddr '10.0.3.1'
option netmask '255.255.255.0'
# Subnet behind the 'Jimmy Neutron' AP (wifinet2); its traffic is steered into
# routing table 102 by the 'config rule' further down.
config interface 'wf_wireguard'
option proto 'static'
option ipaddr '10.0.5.1'
option netmask '255.255.255.0'
# WireGuard client tunnel.  The 'dns' entries only reach resolv.conf.auto, and
# dnsmasq is configured with noresolv=1 in /etc/config/dhcp, so they are not used.
config interface 'wireguard_jp'
option proto 'wireguard'
# Private key redacted by the poster.
option private_key '<private key>'
list dns '8.8.8.8'
list dns '8.8.4.4'
list addresses '10.2.0.2/32'
# Peer.  allowed_ips 0.0.0.0/0 together with route_allowed_ips=1 also installs a
# default route for the tunnel in the main table, alongside the one from wan —
# presumably what the later "Remove this" reply refers to; table 102 below already
# carries the default route that wf_wireguard clients use.  Confirm before relying on it.
config wireguard_wireguard_jp
option description 'nitin'
option public_key '<public key>'
list allowed_ips '0.0.0.0/0'
option endpoint_host 'wg.nitinsawant.com'
option endpoint_port '51820'
option persistent_keepalive '21'
option route_allowed_ips '1'
# Policy route: default route via the tunnel in table 102.  'source' is given as
# 10.2.0.1/24 although the tunnel address above is 10.2.0.2/32 — likely the
# "This should be /24" remark in the replies; the duplicate route below uses the host address.
config route
option interface 'wireguard_jp'
option target '0.0.0.0/0'
option table '102'
option source '10.2.0.1/24'
config route
option interface 'wireguard_jp'
option target '0.0.0.0/0'
option table '102'
option source '10.2.0.2'
# Only traffic *entering* from wf_wireguard consults table 102.  Router-originated
# traffic — including dnsmasq's upstream lookups on behalf of those clients —
# follows the main table, so DNS from the VPN AP is not forced through the tunnel
# by this rule alone.  Check whether that matters for the intended isolation.
config rule
option in 'wf_wireguard'
option lookup '102'
# Not attached to any AP in this paste; the poster reports removing it later.
config interface 'wf_free'
option proto 'static'
option ipaddr '10.0.7.1'
option netmask '255.255.255.0'
--cat /etc/config/wireless--
# /etc/config/wireless as posted.  Review notes are '#' comments; nothing else changed.
# 2.4 GHz radio: carries all three APs (Nitin, Jimmy Neutron, Goddard).
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/10300000.wmac'
option channel '11'
option band '2g'
option htmode 'HT20'
option country 'IN'
option cell_density '0'
# Original AP on the management LAN (lan zone: input ACCEPT, so LuCI is reachable).
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Nitin'
# psk-mixed also admits WPA(1)/TKIP clients; psk2 would restrict to WPA2.
option encryption 'psk-mixed'
option macaddr 'f4:1a:9c:dc:53:24'
option key '<pwd>'
# 5 GHz radio: used only as the station uplink to the upstream AP.
config wifi-device 'radio1'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
# Uplink client; attaches to the 'wwan' network, which sits in the wan firewall zone.
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'sta'
option network 'wwan'
option ssid 'RH-5.8G'
# NOTE(review): upstream BSSID left unredacted in the paste.
option bssid '44:95:3B:9E:70:81'
option encryption 'psk2'
option key '<pwd>'
# AP1: clients land in wf_wireguard and are policy-routed into the tunnel.
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Jimmy Neutron'
option encryption 'psk-mixed'
option macaddr 'f4:1a:9c:dc:53:25'
option key '<pwd>'
option network 'wf_wireguard'
# AP2: clients land in wf_home (wf_home zone: input REJECT apart from DNS/DHCP,
# which is why LuCI is not reachable from this SSID as reported above).
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'Goddard'
option encryption 'psk-mixed'
option macaddr 'f4:1a:9c:dc:53:26'
option key '<pwd>'
option network 'wf_home'
--cat /etc/config/dhcp--
# /etc/config/dhcp as posted.  Review notes are '#' comments; nothing else changed.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# DNS rebind protection on: upstream answers in private ranges are dropped.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Ignored while noresolv=1 below is set.
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# Only answer queries from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# Upstreams are local listeners on 5053/5054 (the doh_* options suggest an
# https-dns-proxy style setup — presumably; verify which service owns those ports).
# The '/domain/' entries with no address are dnsmasq's local-only form, so those
# names are never forwarded upstream.
list server '127.0.0.1#5054'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'
list server '127.0.0.1#5053'
option doh_backup_noresolv '-1'
# Do not read resolvfile: every upstream must come from the 'server' list above.
option noresolv '1'
list doh_backup_server '127.0.0.1#5054'
list doh_backup_server '/mask.icloud.com/'
list doh_backup_server '/mask-h2.icloud.com/'
list doh_backup_server '/use-application-dns.net/'
list doh_backup_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5053'
# lan is the only pool that also serves DHCPv6/RA.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# IPv4-only pools for the two AP subnets and the unused wf_free network.
config dhcp 'wf_home'
option interface 'wf_home'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wf_wireguard'
option interface 'wf_wireguard'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'wf_free'
option interface 'wf_free'
option start '100'
option limit '150'
option leasetime '12h'
--cat /etc/config/firewall--
# /etc/config/firewall as posted.  Review notes are '#' comments; nothing else changed.
# Zone policy defaults: deny inbound and forwarded traffic unless a zone or rule
# allows it.  Flow offloading is enabled; a reply above suggests testing without it first.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
# Trusted management zone: router services (LuCI, SSH) reachable from here.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# Upstream zone covers both the wired wan and the wireless uplink (wwan); NAT on.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
config zone
option name 'wf_free'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wf_free'
# Guest-style zone for the Goddard AP: router input rejected except the DNS/DHCP
# rules below, so LuCI is not reachable from it (matches the report above).
config zone
option name 'wf_home'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wf_home'
# Zone for the Jimmy Neutron AP.  Its only forwarding (below) is to wg_jp; there
# is no path to the wan zone, so clients have no clear-text fallback if the tunnel is down.
config zone
option name 'wf_wg'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wf_wireguard'
# Tunnel zone: NAT client traffic to the tunnel address before it leaves.
config zone
option name 'wg_jp'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wireguard_jp'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here to Allow-ISAKMP look like OpenWrt's stock defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# These two open wan->lan for IPsec.  Nothing in this config uses IPsec (the VPN
# is WireGuard), so they could be dropped if no IPsec endpoint exists on the LAN.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# wf_home: allow the router's DNS (no proto given, so tcp and udp) and DHCP, then
# forward everything else to the internet via the wan zone.
config rule
option name 'WF_Home DNS'
option src 'wf_home'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'WF_Home DHCP'
list proto 'udp'
option src 'wf_home'
option dest_port '67'
option target 'ACCEPT'
config forwarding
option src 'wf_home'
option dest 'wan'
# wf_wg: same DNS/DHCP allowance, but forwarding goes only to the tunnel zone.
config rule
option name 'WF_WireGuard DNS'
option src 'wf_wg'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'WF_WireGuard DHCP'
list proto 'udp'
option src 'wf_wg'
option dest_port '67'
option target 'ACCEPT'
config forwarding
option src 'wf_wg'
option dest 'wg_jp'
# wf_free has DNS/DHCP rules but no forwarding at all; the poster later removed it.
config rule
option name 'WF_FREE DNS'
option src 'wf_free'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'WF_FREE DHCP'
list proto 'udp'
option src 'wf_free'
option dest_port '67'
option target 'ACCEPT'
brada4
October 28, 2024, 6:41am
The forwarding rules do look to be in the right places.
Try first without firewall flow offloads, then add them and check speed vs latency.
Also, it will not hurt to update to 23.05.5.
brada4:
firewall flow offloads
I'm a total newbie to firewalls here;
it would be good for me if you could post the config.
Thanks in advance.
brada4
October 28, 2024, 7:15am
Find the two boxes you ticked in LuCI under Network / Firewall.
First of all, you don't have to name the APs as I did there. WF stands for Wireless Freedom.
I can see you have some issues.
This should be /24.
Remove this.
nitinjs
October 28, 2024, 8:46am
Thanks a ton @Linux-DADDY , @brada4
I applied the settings as mentioned, and both APs have internet now.
After things stabilised I removed the wf_free and wf_home interfaces and the firewall rules related to them, as they were not used anywhere.
cheers
nitin
nitinjs
October 28, 2024, 10:19am
@Linux-DADDY , @brada4
The only remaining issue is that the LAN is not working.
brada4
October 28, 2024, 10:23am
How is it not working? Wifi attached to br-lan allegedly works, so the physical ports should too.
Yes, you should. You don't need to copy everything as I did there. If I get time I will probably update that old config file of mine and make a tutorial on it.