Device doesn't get assigned an IP address when connecting to guest network

Hello.

I followed the tutorial on setting up a guest network on a dumb access point: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

Unfortunately, a device doesn't get assigned an IP address when connecting to the guest network via the dumb AP. Any help is much appreciated.

Here are the configs.

# Network configuration of the access point (UCI export format).
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf9:bde4:3471::/48'

# LAN bridge: the AP has the static address 192.168.1.13/24 and uses
# 192.168.1.1 as both gateway and DNS server.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option ipaddr '192.168.1.13'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# Guest interface: its own subnet 192.168.3.0/24 with the AP at 192.168.3.1.
# No ifname or bridge is set; the guest SSID attaches through
# `option network 'guest'` in the wireless config, so guest clients are not
# bridged onto eth0.1 and reach other networks only by being routed.
# NOTE(review): the separation from the LAN therefore depends on the firewall
# service being enabled and running on this device - confirm with
# `iptables-save` that the guest zone chains are actually loaded.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
# Wireless configuration: SSID 'MAIN' on both radios (bridged to lan) and an
# open guest SSID on radio1 (attached to the guest interface).
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option country 'GB'
	option channel 'auto'

# Main SSID on radio0, WPA2-PSK ('psk2'), attached to the lan network.
# The MAC allow-list is not a strong access control: client MAC addresses are
# visible on the air and can be changed by the client, so the passphrase is
# what actually protects this SSID.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'MAIN'
	option encryption 'psk2'
	option macfilter 'allow'
	list maclist 'XX:XX:XX:XX:XX:XX'
	option key 'XXXXXXXX'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option country 'GB'
	option channel 'auto'

# Main SSID on radio1, same settings as on radio0 (WPA2-PSK plus MAC allow-list).
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'XXXXXXXX'
	option macfilter 'allow'
	option ssid 'MAIN'
	option encryption 'psk2'
	list maclist 'XX:XX:XX:XX:XX:XX'

# Guest SSID on radio1, attached to the guest network.
# encryption 'none' makes this an open network: anyone in range can join and
# frames are sent unencrypted over the air. The guest firewall zone is then the
# only barrier between these clients and the LAN.
# NOTE(review): no `option isolate` is set, so guest clients can presumably
# reach each other; consider `option isolate '1'`, and a passphrase (or 'owe'
# where driver and clients support it) if the SSID is kept beyond testing.
config wifi-iface 'wifinet2'
	option ssid 'GUEST_TEST'
	option encryption 'none'
	option device 'radio1'
	option mode 'ap'
	option network 'guest'
# Firewall configuration: default policies, the lan and wan zones, and the
# rules that match traffic from the wan zone.
package firewall

# Default policies for input, output and forward.
# NOTE(review): with input 'ACCEPT' here, traffic arriving on an interface that
# is not assigned to any zone is presumably accepted - confirm that every
# interface (including 'guest') is covered by a zone.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone with masquerading enabled: traffic leaving through the lan interface,
# including guest traffic forwarded to it, is source-NATed to the AP's own LAN
# address, so the upstream router sees it as coming from the AP.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Every rule from here to the include section matches src 'wan' only; none of
# them opens anything for the guest or lan zones.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Pulls in /etc/firewall.user; its contents are not shown in this export.
config include
	option path '/etc/firewall.user'

# Guest zone. input 'REJECT' keeps guests away from services on the AP itself
# (only the DHCP and DNS rules below open ports); forward 'REJECT' denies
# forwarding unless a forwarding section or rule allows it.
config zone
	option network 'guest'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'

# Lets guest traffic leave through the lan zone, which is this AP's uplink.
# On its own this would also let guests reach LAN hosts; the DROP rule at the
# end of this section is what prevents that.
config forwarding
	option dest 'lan'
	option src 'guest'

# DHCP clients send their requests to UDP destination port 67, so matching
# dest_port '67' is correct; the client's source port (68) need not be matched.
config rule
	option dest_port '67'
	option src 'guest'
	option name 'GUEST DHCP'
	option target 'ACCEPT'
	list proto 'udp'

# Allows guests to query the DNS service on the AP.
# NOTE(review): no proto is given; the firewall is expected to default to both
# tcp and udp here - confirm in `iptables-save`.
config rule
	option dest_port '53'
	option src 'guest'
	option name 'GUEST DNS'
	option target 'ACCEPT'

# Drops forwarded guest traffic addressed to the LAN subnet, for all protocols.
# '192.168.1.1/24' denotes the network 192.168.1.0/24.
# NOTE(review): only this one IPv4 prefix is blocked. Other private ranges
# reachable through the uplink (for example a modem's management subnet) and
# IPv6 are not covered - check against the actual topology. Also confirm in
# `iptables-save` that this DROP is evaluated before the guest-to-lan
# forwarding ACCEPT.
config rule
	option src 'guest'
	option name 'Block Guest Access to Private Network'
	option dest 'lan'
	list dest_ip '192.168.1.1/24'
	option target 'DROP'
	list proto 'all'
# DHCP/DNS configuration: dnsmasq settings, per-interface DHCP sections and
# odhcpd settings.
package dhcp

# rebind_protection '1' makes dnsmasq discard upstream answers that point to
# private addresses; localservice '1' limits DNS service to local subnets.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

# DHCP is not served on lan (ignore '1'); presumably the main router hands out
# the LAN leases.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest pool: 150 addresses starting at host offset 100 of the guest interface's
# subnet, with 12-hour leases. This section only has an effect while dnsmasq is
# enabled and running on the AP.
config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'

Why would a dumb AP give out an IP???

You didn't provide logs, but the configs are somewhat helpful....

???

???

This is wrong. Client DHCP requests comes from udp/68 (the reply is what comes from udp/67). You have DHCP requests blocked.


It acts as an AP for the LAN network, but as a router with firewall and DHCP server for the guest network.

This line was added by uci export, it is not part of the config file. No reason to worry.

This configuration looks fine to me. The rule says dest_port '67' and this is where DHCP requests go. The source port of the DHCP request is not relevant here.


Thanks for the reply.

I corrected mistakes in the post. What I meant is that device doesn't get assigned an IP address when connecting to the guest network via dumb AP.

Should I provide syslogs?

I've applied the following commands. When running /etc/init.d/dnsmasq restart, it says command not found.

So far the problem still persists.

# OpenWrt
# Register dnsmasq to start at boot, then start it now; the guest network
# relies on it for DHCP and DNS.
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq start

Well. I applied all commands above and disabled MAC filter for non-guest wifi. This time device can connect to the guest network, but the response is that internet may not be accessible (meaning device cannot connect to the internet).

# Client
# Raw IP reachability to the internet; no DNS involved.
ping 8.8.8.8
# Reachability plus name resolution through the client's configured resolver.
ping example.org
# DNS query sent directly to 8.8.8.8, bypassing the configured resolver.
nslookup example.org 8.8.8.8
# DNS query through the client's configured resolver.
nslookup example.org
ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
100 packets transmitted, 0 received, 100% packet loss, time 101379ms

It hung at ping, so I cancelled it after a minute.

nslookup openwrt.org 8.8.8.8

;; connection timed out; no servers could be reached
nslookup openwrt.org

Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

Check the same commands from OpenWrt.


Collect the output from OpenWrt and post it to pastebin.com redacting the private parts:

# Dumps the network, wireless, DHCP and firewall configuration plus the live
# addresses, routes, policy rules and iptables rules with counters.
# The output includes Wi-Fi passphrases (wireless `key` options), MAC addresses
# and possibly public IP addresses; redact them before posting to a public
# paste site.
uci show network; uci show wireless; uci show dhcp; uci show firewall; \
ip address show; ip route show table all; ip rule show; iptables-save -c
# OpenWrt
# Register the firewall to start at boot, then start it now. The guest zone's
# filtering, forwarding and masquerading only take effect while it is running.
/etc/init.d/firewall enable
/etc/init.d/firewall start

Thanks a lot. Problem solved.

I'd like to ask just one last question. The guide for turning a router into a dumb AP said that the firewall and dnsmasq have to be disabled. Why do the firewall and dnsmasq have to be enabled when creating a guest network?


...and it should say 68...but if you insist it's correct...keep searching.

I hope the best.

The dumb AP guide configures an AP which is a bit too dumb. :slightly_smiling_face:
Since the guest network is isolated, you need to provide the necessary network services.
Firewall is required for filtering/masquerading and Dnsmasq for DHCP/DNS.


Thank you very much for the explanation.

