Creating separate WLAN network

Hello,
thanks for your replies.
@Pilot6 how may I post the configs? Upload the tar-backup? WAN is not set up in any way, though.
@jeff No, not that I know of.

Is the whole setup wrong from the beginning? Do I have to plug in the WAN of the openwrt router for any of this to work and then set up a dhcp relay for my LAN or something like that?
Thank you!

Start with a dumb AP, then add an IoT network to it with its own DHCP server. The IoTs will NAT route to the Internet via LAN. Firewall rules can block them from reaching any LAN IP addresses though.

This is all on your OpenWrt box. To the Fritzbox it is a LAN device.

Should I follow the dumb AP guide I linked, then? Am I not deactivating the firewall and dhcp and nat services while doing so?

Yes you will do that. Get the dumb AP working first.

Then you will add the IoT network:

  • New DHCP server on IoT, not on LAN
  • LAN will be the target of NAT from IoT, so it works like a WAN to your IoTs.

Fritz!OS is targeted at end users; while it does offer setting up a guest network (over LAN4 and WLAN), it doesn't offer any way to configure this or to set up VLANs (all ports, aside from WAN needs, are always untagged). This means either the OpenWrt device needs to create the guest zone - or -using the Fritz!Box for this- one would need to use two uplinks (LAN4 for the guest zone, one of LAN1-3 for the normal lan) between Fritz!Box and OpenWrt. The OEM firmware doesn't offer any more advanced configuration options, it's meant to be an all-in-one device just slightly beyond the limits of basic ISP routers - and that hits the limits rather quickly when it comes to configuration options.

2 Likes

So I reset my router and followed the guide and set up my wireless networks. The internal wireless connection is working.
Then I went to wireless -> add wireless network, named it and created in the same window the network "guestlan".
Then I went into the interface config and set up the network, 10.10.10.254 /24, Gateway .254 as well, DNS will be 1.1.1.1. In the same window I added the dhcp server and created the "guestlanzone"-zone.
How am I actually able to set the NAT target for my new guestlanzone? I set under Firewall -> Zones: guestlanzone => lan accept, accept, accept... is that how I'm supposed to do it? It still doesn't work, though... sadly.

By enabling masquerade.

And BTW, @asbestinuS, welcome to the community!

@lleachii thanks for the welcome :slight_smile:
I enabled masquerading, but my guest wifi still doesn't work :confused: (it's just activating the checkbox, right?)

What am I doing wrong :frowning:

OK, let's see your /etc/config/network and /etc/config/firewall

Because, honestly, from reading I don't yet know why you think your issue was NAT.

Check the masquerade box for the lan zone, not guest. Check both masquerade and MSS Clamp.

Guys, please...I'm new to openwrt and asking something to get from the shell is hard enough for me. I don't even know what the best way is to get you your wanted information...

root@OpenWrt:/etc/config# vim network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc4:0762:e6ec::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.253'
        option gateway '192.168.10.254'
        option dns '192.168.10.254'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config interface 'guestlan'
        option proto 'static'
        option ipaddr '10.10.10.254'
        option netmask '255.255.255.0'
        option dns '1.1.1.1'



don't know how I get out of vim or vi, so I re-ssh'd and got the firewall config. Don't know how to scroll properly so maybe something is missing, I don't know:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'guestlan'
        option forward 'ACCEPT'
        option masq '1'
        option name 'guestlanz'
        option family 'ipv4'

config forwarding
        option dest 'lan'
        option src 'guestlanz'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guestlanz'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Guest DHCP'
        option src 'guestlanz'

Apparently "guestlanzone" is too long or something, I don't know. I renamed it to guestlanz, that seemed to work.
Here is a screenshot...is that correct now or not?

The cat command woulda worked too.

If you don't want the guest LAN to access things, change forwarding to:

LAN to guestlanz - you currently have the opposite.

  • It also seems that you don't need masquerade
  • You shortened the zone name; but you misspelled the Interface name, hence it's grey. Perhaps you didn't hit Save/Apply; because it appears renamed in the file?
  • You have different DNS servers for LAN and guestlan - you may want to change that
1 Like

Why do I suddenly not need masquerade?
I just reset the router... again. I think I have to ditch this whole idea, it seems I'm too stupid for this. Why "may" I change that? The guest lan shouldn't use my fritzbox dns, it should use Cloudflare's DNS.

Again: the guest wifi or iot wlan or whatever you wanna call it, it just needs its own SSID and its own network and internet.

Thank you!

I don't know. You asked about NAT, I simply told you how. You were asked for your configs first anyways. Please follow the thread. We'll do our best to assist. Masquerade merely uses the router IP when talking between another network.

Then you assign that to the clients using DHCP Option No. 6. That DNS setting you added is for the Guest IP of the router to use for its lookups.

I know, and you just deleted it. :slightly_frowning_face:

Just:

  • create the interface
  • add it to its own firewall zone
  • edit zone to permit forwarding from LAN to guest
  • Go to Wireless and create the SSID and security configs
  • Assign this SSID to the guest network
  • Done!
1 Like

That's a subject for further study. Get it to work at all first. Note that you can't force clients to use a particular DNS; you can only suggest it through DHCP and/or firewall them out of all others (which will break Android, which tries to use Google at all times). By default the guests will use the router's DNS server, assuming port 53 is open, and that would recurse to the regular ISP.

I would make guest a bridge so it can have more than one interface in it (e.g. wired and wireless).

Forward from guest to lan. Turn masquerade on on lan. Think of it as the packets getting masqueraded by the destination zone.

2 Likes

Ok, after I reset the router and reconfigured it so that it works: dhcp is deactivated for lan, wireless is activated for lan and the SSID is set up, so that my smartphone can connect and surf. Now I'm going for a backup first.

The next step: @lleachii
the first step: create interface. Is this an actual interface under the "interface" tab? Or do you mean the interface which gets created when I add the second wireless interface? I will try it again, thank you very much for your reply.

@mk24 "Get it to work at all first" -that's the whole reason I opened this thread in the first place :smiley:
I will try to plan the next steps correctly, I will be back shortly.
Thank you so far as well!

This is done under Network > Interfaces > Add new interface.

This can be done on the Firewall Settings tab when creating the Interfaces under Network > Interfaces.

Under Network > Firewall - the zone should exist once you've navigated there, simply edit and allow forwarding from LAN.

Hope this helps.

1 Like

Hm, yes. I followed your instruction exactly and it did indeed work.

The sad part is I don't understand why, but that's my problem.

Just FYI: I also did it the way where I did not create a new interface under network -> interfaces but while configuring the new wireless network (checkbox at "create" and then typing in the new network name). Following the rest of your steps worked as well, then.

Thank you guys, again, for helping me, it works now.

greetings
Max

1 Like

Flippin' heck.
I just redid the whole configuration (trying to understand it better), I'm pretty sure I did it exactly like before. But now if I'm trying to join my wireless IOT net, I get stuck at getting an ip address. Like DHCP isn't running. Even if I restore the backup I made while it was actually working, it doesn't work.

I'm sorry...but I gotta ask again :confused:

  • I reset the device
  • typed in the new password twice
  • set the ip address of LAN (192.168.10.253 /24, Gateway and DNS 192.168.10.254 (my isp modem router), deactivated dhcp and ipv6 functions (save and apply)
  • logged in with the new ip address, created my internal wireless network, set up all the settings (save and apply) and tested it successfully
  • deactivated firewall, dnsmasq and odhcpd, rebooted the device via gui
  • went into network - interfaces and created a new interface, named "G_LAN", physical connection eth0 (I changed nothing, Submit)
  • set up the ip address (10.10.10.254 /24, GW and DNS still 192.168.10.254) (hit save)
  • activated dhcp on this network, start at 100, max 150 leases
  • went in the next tab to firewall settings, created a new zone called "glanzone" (save and apply)
  • went to the network > firewall section, edited the "glanzone"-zone, changed "forward" to accept, allowed LAN as forwarded destination zone (save and apply)
  • checked both boxes "masquerade" and "MSS clamp" at the "LAN"- interface, removed it from the "WAN" zone (save and apply)
  • went into my wireless settings, created a new wireless network + SSID and assigned "G_LAN" as its network (save) then I went into advanced settings and activated Client Isolation (save and apply)

Then I was trying to test it and oh look, it doesn't work. What have I done wrong? Tried rebooting the device with no success. The internal wireless network is still working fine. Please, I'm going crazy over this :frowning:

/etc/config/firewall:

root@OpenWrt:/etc/config# cat firewall

config defaults
       option syn_flood '1'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'REJECT'

config zone
       option name 'lan'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'
       option network 'lan'
       option masq '1'
       option mtu_fix '1'

config zone
       option name 'wan'
       option input 'REJECT'
       option output 'ACCEPT'
       option forward 'REJECT'
       option network 'wan wan6'

config forwarding
       option src 'lan'
       option dest 'wan'

config rule
       option name 'Allow-DHCP-Renew'
       option src 'wan'
       option proto 'udp'
       option dest_port '68'
       option target 'ACCEPT'
       option family 'ipv4'

config rule
       option name 'Allow-Ping'
       option src 'wan'
       option proto 'icmp'
       option icmp_type 'echo-request'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-IGMP'
       option src 'wan'
       option proto 'igmp'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-DHCPv6'
       option src 'wan'
       option proto 'udp'
       option src_ip 'fc00::/6'
       option dest_ip 'fc00::/6'
       option dest_port '546'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-MLD'
       option src 'wan'
       option proto 'icmp'
       option src_ip 'fe80::/10'
       list icmp_type '130/0'
       list icmp_type '131/0'
       list icmp_type '132/0'
       list icmp_type '143/0'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Input'
       option src 'wan'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       list icmp_type 'router-solicitation'
       list icmp_type 'neighbour-solicitation'
       list icmp_type 'router-advertisement'
       list icmp_type 'neighbour-advertisement'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Forward'
       option src 'wan'
       option dest '*'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-IPSec-ESP'
       option src 'wan'
       option dest 'lan'
       option proto 'esp'
       option target 'ACCEPT'

config rule
       option name 'Allow-ISAKMP'
       option src 'wan'
       option dest 'lan'
       option dest_port '500'
       option proto 'udp'
       option target 'ACCEPT'

config include
       option path '/etc/firewall.user'

config zone
       option name 'glanzone'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option network 'G_LAN'
       option forward 'ACCEPT'

config forwarding
       option dest 'lan'
       option src 'glanzone'

/etc/config/network:

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddf:f528:f198::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.253'
        option gateway '192.168.10.254'
        option dns '192.168.10.254'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config interface 'G_LAN'
        option proto 'static'
        option ifname 'eth0'
        option ipaddr '10.10.10.254'
        option netmask '255.255.255.0'
        option gateway '192.168.10.254'
        option dns '192.168.10.254'
        option type 'bridge'

/etc/config/wireless:

root@OpenWrt:/etc/config# cat wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0'
        option channel 'auto'
        option htmode 'HT40'
        option legacy_rates '1'
        option country 'DE'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LummTest'
        option encryption 'psk2'
        option key '<secret>'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'GastTest'
        option network 'G_LAN'
        option encryption 'psk2'
        option key '<secret>'
        option isolate '1'

and finally /etc/config/dhcp:

root@OpenWrt:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'G_LAN'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'G_LAN'

config dhcp 'test'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'test'

This "test" interface was only created to be able to replicate the steps I actually did...I deleted it already.

Thanks in advance, I hope you can help me again :expressionless:

Don't do that. You need those processes running for the IoT. dnsmasq serves DHCP addresses, and firewall will forward the packets. You do change the configuration so they are not active on LAN.

2 Likes
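As an added example (not code from this thread, from its participants, or from the OpenWrt project), here is a small Python checker that parses the /etc/config/network, firewall and dhcp text in the format posted above and flags the mistakes the replies keep pointing out: a zone naming an interface that doesn't exist (the greyed-out zone), no forwarding from the guest zone into lan, masquerade missing on the lan zone (the destination zone does the NAT), no DHCP pool for the guest interface, and, since forwarding into lan is what gives guests internet, no REJECT rule keeping them off the LAN subnet. The sample configs are constructed and trimmed from the second set posted; the zone and interface names (glanzone, G_LAN) follow the thread, while the LAN-blocking rule and the subnet in it are this example's own assumption of how such a rule would look, not something anyone in the thread wrote.

```python
import ipaddress
import shlex


def parse_uci(text):
    """Parse the /etc/config/* text format into section dicts ('.type'/'.name' hold the header)."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {".type": parts[1], ".name": parts[2] if len(parts) > 2 else None}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur.setdefault(parts[1], []).append(parts[2])
    return sections


def check_guest_setup(network, firewall, dhcp, guest, lan="lan"):
    """Return a list of findings for the guest interface; an empty list means OK."""
    net, fw, dh = parse_uci(network), parse_uci(firewall), parse_uci(dhcp)
    ifaces = {s[".name"] for s in net if s[".type"] == "interface"}
    zones = [s for s in fw if s[".type"] == "zone"]
    findings = []
    # 1. A zone pointing at a misspelled interface is silently empty (greyed out in LuCI).
    for z in zones:
        for n in z.get("network", "").split():
            if n not in ifaces:
                findings.append(f"zone '{z.get('name')}' references unknown interface '{n}'")
    gz = next((z for z in zones if guest in z.get("network", "").split()), None)
    if gz is None:
        findings.append(f"interface '{guest}' is not a member of any firewall zone")
        return findings
    # 2. Guests get out by being forwarded into the LAN zone (LAN is their "WAN") ...
    fwd = {(s.get("src"), s.get("dest")) for s in fw if s[".type"] == "forwarding"}
    if (gz["name"], lan) not in fwd:
        findings.append(f"no forwarding from '{gz['name']}' to '{lan}': guests have no route out")
    # 3. ... and NAT is applied by the destination zone, so masquerade belongs on lan.
    lz = next((z for z in zones if z.get("name") == lan), None)
    if lz is None or lz.get("masq") != "1":
        findings.append(f"masquerade is not enabled on zone '{lan}'")
    # 4. Forwarding into lan also exposes LAN hosts unless a REJECT rule for the LAN subnet exists.
    li = next((s for s in net if s[".type"] == "interface" and s[".name"] == lan), None)
    subnet = ipaddress.ip_interface(f"{li['ipaddr']}/{li['netmask']}").network if li else "?"
    blocked = any(s[".type"] == "rule" and s.get("src") == gz["name"] and s.get("dest") == lan
                  and s.get("target") in ("REJECT", "DROP") for s in fw)
    if not blocked:
        findings.append(f"no REJECT rule from '{gz['name']}' to '{lan}' ({subnet}): guests can reach LAN hosts")
    # 5. Guests need their own DHCP pool (and dnsmasq must be left running to serve it).
    pool = next((s for s in dh if s[".type"] == "dhcp" and s.get("interface") == guest), None)
    if pool is None or pool.get("ignore") == "1":
        findings.append(f"no active DHCP pool for '{guest}' in /etc/config/dhcp")
    return findings


# Constructed sample configs, trimmed from the second set posted in the thread.
NETWORK = """
config interface 'lan'
        option ipaddr '192.168.10.253'
        option netmask '255.255.255.0'
config interface 'G_LAN'
        option ipaddr '10.10.10.254'
        option netmask '255.255.255.0'
"""
FIREWALL = """
config zone
        option name 'lan'
        option network 'lan'
        option masq '1'
config zone
        option name 'glanzone'
        option network 'G_LAN'
config forwarding
        option src 'glanzone'
        option dest 'lan'
"""
# Assumed rule (not from the thread): keep guests off the LAN subnet while still forwarding out.
BLOCK_LAN_RULE = """
config rule
        option src 'glanzone'
        option dest 'lan'
        option dest_ip '192.168.10.0/24'
        option target 'REJECT'
"""
DHCP = """
config dhcp 'G_LAN'
        option interface 'G_LAN'
"""

if __name__ == "__main__":
    for label, fw in (("as posted", FIREWALL), ("with block rule", FIREWALL + BLOCK_LAN_RULE)):
        print(label, check_guest_setup(NETWORK, fw, DHCP, "G_LAN") or ["OK"])
```

Run it against your own files with `check_guest_setup(open('/etc/config/network').read(), open('/etc/config/firewall').read(), open('/etc/config/dhcp').read(), 'G_LAN')`; a finding is a hint to look at, not proof of a problem, and a disabled dnsmasq service (the last reply's point) is not visible in these files at all, so check that separately.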