Hello there,
I just installed the latest openwrt firmware on my older TP Link router and it's working without any problems.
I'm very new to openwrt and I have problems setting up a second wireless network.
Let me explain: I'm using a fritzbox as main modem router. Lately I have some problems with the wireless functionality. So to test it further I decided to confgure a different router as Access Point - where I just installed openWrt on.
What I want: One wireless network for internal use, where all laptops and mobile phones are connected, in the same subnet like my fritzbox.
A second wireless network for the "internet of things" or guest network, with a different subnet of course. The gateway needs to be the fritzbox though, of course. And the IoT network is not allowed in my internal network, but the internal network might want to access hosts in the IoT net.
Then I tried this one: https://openwrt.org/docs/guide-user/network/wifi/dumbap
But I don't think that's the right one either, because there is no possibilty to add a second network with appropiate firewall settings and stuff.
I think the problem is that I don't have a real "WAN" or it's not set up correctly. I have no idea what I'm doing wrong. Can someone help me?
Hello,
thanks for your replies. @Pilot6 how may I post the configs? Upload the tar-backup? WAN is not set up in any way, though. @jeff No, not that I know of.
Is the whole set up wrong from the beginning? Do I have to plug in the WAN of the openwrt router for any of this to work and then set up a dhcp relay for my LAN or something like that?
Thank you!
Start with a dumb AP, then add an IoT network to it with its own DHCP server. The IoTs will NAT route to the Internet via LAN. Firewall rules can block them from reaching any LAN IP addresses though.
This is all on your OpenWrt box. To the Fritzbox it is a LAN device.
Fritz!OS is targeted to be easy for endusers, while it does offer setting up a guest network (over LAN4 and WLAN), it doesn't offer any way to configure this or to set up VLANs (all ports, aside from WAN needs, are always untagged). This means either the OpenWrt device needs to create the guest zone - or -using the Fritz!Box for this- one would need to use two uplinks (LAN4 for the guest zone, one of LAN1-3 for the normal lan) between Fritz!Box and OpenWrt. The OEM firmware doesn't offer any more advanced configuration options, it's meant to be an all-in-one device just slightly beyond the limits of basic ISP routers - and that hits the limits rather quickly when it comes to configuration options.
So I reset my router and followed the guide and set up my wireless networks. The internal wirreless connection is working.
Then I went to wireless -> add wireless network, named it and created in the same windows the network "guestlan".
Then I went into the interface config and set up the network, 10.10.10.254 /24, Gateway .254 as well, DNS will be 1.1.1.1. In the same window I added the dhcp server and created the "guestlanzone"-zone.
How am I actually able to set the NAT target for my new guestlanzone? I set under Firewall -> Zones: guestlanzone => lan accept, accept, accept....is that how I'm supposed to do it? It still doesn't work, though..sadly.
Guys, please...I'm new to openwrt and asking something to get from the shell is hard enough for me. I don't even know what the best way is to get you your wanted information...
don't know how I get out of vim or vi, so I re-ssh'd and got the firewall config.don't know how to scrolll properly so maybe something is missing, I don't know:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option network 'guestlan'
option forward 'ACCEPT'
option masq '1'
option name 'guestlanz'
option family 'ipv4'
config forwarding
option dest 'lan'
option src 'guestlanz'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'guestlanz'
config rule
option enabled '1'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'Guest DHCP'
option src 'guestlanz'
Apparently "guestlanzone" is too long or something, I don't know. I renamed it to guestlanz, that seemed to work.
Here is a screenshot...is that correct now or not?
If you don't want the guest LAN to access things, change forwarding to:
LAN to guestlanz - you currently have the opposite.
It also seems that you don't need masquerade
You shortened the zone name; but you misspelled the Interface name, hence it's grey. Perhaps you didn't hit Save/Apply; because it appears renamed in the file?
You have different DNS servers for LAN and guestlan - you may want to change that
Why do I suddenyl not need masquerade?
I just reset the router...again. I think I have to ditch this whole idea, it seems I'm too stupid for this. Why "may" I change that? The guest lan shouldn't use my fritzbox dns, it should use cloudfare's DNS.
Again: the guest wifi or iot wlan or what ever you wanna call it, it just needs it's own SSID and it's own network and internet.
I don't know. You asked about NAT, I simply told you how. You were asked for your configs first anyways. Please follow the thread. We'll do our best to assist. Masquerade merely uses the router IP when talking between another network.
Then you assign that to the clients using DHCP Option No. 6. That DNS settings you added is for the Guest IP of the router to use for its lookups.
I know, and you just deleted it.
Just:
create the interface
add it to its own firewall zone
edit zone to permit forwarding from LAN to guest
Go to Wireless and create the SSID and security configs
That's a subject for further study. Get it to work at all first. Note that you can't force clients to use a particular DNS you can only suggest it through DHCP and/or firewall them out of all others (which will break Android which tries to use Google at all times). By default the guests will use the router's DNS server, assuming port 53 is open, and that would recurse to the regular ISP.
I would make guest a bridge so it can have more than one interface in it (e.g. wired and wireless).
Forward from guest to lan. Turn masquerade on on lan. Think of it that the packets get masqueraded by the destination zone.
Ok, after I reset the router and reconfigured it so that that will work: dhcp is deactivated for lan, wireless is activated for lan and the SSID is set up, so that my smartphone can connect and surf. Now I'm going for a backup first.
The next step: @lleachii
the first step: create interface. Is this an actual interface under the "interface" tab? Or do you mean the interface which gets created when I add the second wireless interface? I will try it again, thank you very much for your reply.
@mk24 "Get it to work at all first" -that's the whole reason I opened this thread in the first place
I will try to plan the next steps correctly, I will be back shortly.
Thank you so far as well!
(it's just activating the checkbox, right?)
