DHCP not working for Guest WiFi

Sometimes it works and sometimes it doesn't :face_with_head_bandage:
I don't know what I did wrong :pleading_face:
On my mobile, WiFi is stuck at "Obtaining IP address".
My local desktop got an IP from LAN but has no internet.

/etc/config/dhcp

        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dnsforwardmax '2300'
        option min_cache_ttl '270'
        option cachesize '5000'
        list ipset '/igamecj.com/gcloudcs.com/qos.gcloud.qq.com/latsens,latsens6'
        list ipset '/zoom.us/streaming,streaming6'
        list ipset '/googlevideo.com/*.googlevideo.com/streaming,streaming6'
        list ipset '/vevo.com/streaming,streaming6'
        list ipset '/nflxvideo.net/streaming,streaming6'
        list ipset '/netflix.com/streaming,streaming6'
        list ipset '/nflxso.net/streaming,streaming6'
        list ipset '/nflximg.com/streaming,streaming6'
        list ipset '/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/streaming,streaming6'
        list ipset '/fbcdn.net/streaming,streaming6'
        list ipset '/ttvnw.net/streaming,streaming6'
        list ipset '/audio-fa.scdn.cot/streaming,streaming6'
        list ipset '/deezer.com/streaming,streaming6'
        list ipset '/sndcdn.com/streaming,streaming6'
        list ipset '/last.fm/streaming,streaming6'
        list ipset '/v.redd.it/streaming,streaming6'
        list ipset '/iview.abc.net.au/streaming,streaming6'
        list ipset '/play.stan.com.au/streaming,streaming6'
        list ipset '/disneyplus.com/streaming,streaming6'
        list ipset '/cloudfront.net/streaming,streaming6'
        list ipset '/aiv-cdn.net/r.cloudfront.net/aiv-delivery.net/streaming,streaming6'
        list ipset '/vs-dash-uk-live.akamaized.net/streaming,streaming6'
        list ipset '/cdn.bllon.isp.sky.com/live.bidi.net.uk/streaming,streaming6'
        list ipset '/ssl-bbcdotcom.2cnt.net/streaming,streaming6'
        list ipset '/millicast.com/streaming,streaming6'
        list ipset '/xirsys.com/streaming,streaming6'
        list ipset '/googletagmanager.com/googleusercontent.com/*.googleusercontent.com/google.com/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn,usrcdn6'
        list ipset '/akamai.net/usrcdn,usrcdn6'
        list ipset '/download.qq.com/bulk,bulk6'
        list ipset '/steamcontent.com/bulk,bulk6'
        list ipset '/gs2.ww.prod.dl.playstation.net/bulk,bulk6'
        list ipset '/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/bulk,bulk6'
        list ipset '/drive.google.com/drive-thirdparty.googleusercontent.com/bulk,bulk6'
        list ipset '/1drv.ms/bulk,bulk6'
        list ipset '/1drv.com/bulk,bulk6'
        list ipset '/docs.google.com/docs.googleusercontent.com/bulk,bulk6'
        list ipset '/gvt1.com/bulk,bulk6'
        list ipset '/mmg-fna.whatsapp.net/bulk,bulk6'
        list ipset '/upload.youtube.com/upload.video.google.com/bulk,bulk6'
        list ipset '/windowsupdate.com/update.microsoft.com/bulk,bulk6'
        list ipset '/ms-acdc.office.com/bulk,bulk6'
        list ipset '/graph.microsoft.com/bulk,bulk6'
        list ipset '/web.whatsapp.com/bulk,bulk6'
        list ipset '/*.fastly.net/bulk,bulk6'
        list ipset '/downloads.openwrt.org/bulk,bulk6'
        list ipset '/*.cdn.openwrt.org/bulk,bulk6'
        list ipset '/gvt1.com/gvt2.com/android.clients.google.com/clients1.google.com/clients2.google.com/clients3.google.com/clients4.google.com/clients5.google.com/clients6.google.com/play.googleapis.com/bulk,bulk6'
        list ipset '/assetcdn.101.arenanetworks.com/gamecache4,gamecache6'
        list ipset '/assetcdn.102.arenanetworks.com/gamecache4,gamecache6'
        list ipset '/assetcdn.103.arenanetworks.com/gamecache4,gamecache6'
        list ipset '/live.patcher.bladeandsoul.com/gamecache4,gamecache6'
        list ipset '/dist.blizzard.com/gamecache4,gamecache6'
        list ipset '/dist.blizzard.com.edgesuite.net/gamecache4,gamecache6'
        list ipset '/llnw.blizzard.com/gamecache4,gamecache6'
        list ipset '/edgecast.blizzard.com/gamecache4,gamecache6'
        list ipset '/blizzard.vo.llnwd.net/gamecache4,gamecache6'
        list ipset '/blzddist1-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/blzddist2-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/blzddist3-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/blzddist4-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/level3.blizzard.com/gamecache4,gamecache6'
        list ipset '/nydus.battle.net/gamecache4,gamecache6'
        list ipset '/edge.blizzard.top.comcast.net/gamecache4,gamecache6'
        list ipset '/cdn.blizzard.com/gamecache4,gamecache6'
        list ipset '/cdn-11.eft-store.com/gamecache4,gamecache6'
        list ipset '/cl-453343cd.gcdn.co/gamecache4,gamecache6'
        list ipset '/cdn.homecomingservers.com/gamecache4,gamecache6'
        list ipset '/nsa.tools/gamecache4,gamecache6'
        list ipset '/pls.patch.daybreakgames.com/gamecache4,gamecache6'
        list ipset '/cdn1.epicgames.com/gamecache4,gamecache6'
        list ipset '/cdn.unrealengine.com/gamecache4,gamecache6'
        list ipset '/cdn1.unrealengine.com/gamecache4,gamecache6'
        list ipset '/cdn2.unrealengine.com/gamecache4,gamecache6'
        list ipset '/cdn3.unrealengine.com/gamecache4,gamecache6'
        list ipset '/download.epicgames.com/gamecache4,gamecache6'
        list ipset '/download2.epicgames.com/gamecache4,gamecache6'
        list ipset '/download3.epicgames.com/gamecache4,gamecache6'
        list ipset '/download4.epicgames.com/gamecache4,gamecache6'
        list ipset '/epicgames-download1.akamaized.net/gamecache4,gamecache6'
        list ipset '/cdn.zaonce.net/gamecache4,gamecache6'
        list ipset '/hirez.http.internapcdn.net/gamecache4,gamecache6'
        list ipset '/level3.nwhttppatch.crypticstudios.com/gamecache4,gamecache6'
        list ipset '/filedelivery.nexusmods.com/gamecache4,gamecache6'
        list ipset '/ccs.cdn.wup.shop.nintendo.com/gamecache4,gamecache6'
        list ipset '/ccs.cdn.wup.shop.nintendo.net/gamecache4,gamecache6'
        list ipset '/ccs.cdn.wup.shop.nintendo.net.edgesuite.net/gamecache4,gamecache6'
        list ipset '/geisha-wup.cdn.nintendo.net/gamecache4,gamecache6'
        list ipset '/geisha-wup.cdn.nintendo.net.edgekey.net/gamecache4,gamecache6'
        list ipset '/idbe-wup.cdn.nintendo.net/gamecache4,gamecache6'
        list ipset '/idbe-wup.cdn.nintendo.net.edgekey.net/gamecache4,gamecache6'
        list ipset '/ecs-lp1.hac.shop.nintendo.net/gamecache4,gamecache6'
        list ipset '/receive-lp1.dg.srv.nintendo.net/gamecache4,gamecache6'
        list ipset '/*.wup.eshop.nintendo.net/gamecache4,gamecache6'
        list ipset '/*.hac.lp1.d4c.nintendo.net/gamecache4,gamecache6'
        list ipset '/*.hac.lp1.eshop.nintendo.net/gamecache4,gamecache6'
        list ipset '/origin-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/lvlt.cdn.ea.com/gamecache4,gamecache6'
        list ipset '/rxp-lv.cncirc.net/gamecache4,gamecache6'
        list ipset '/cronub.fairplayinc.uk/gamecache4,gamecache6'
        list ipset '/amirror.tyrant.gg/gamecache4,gamecache6'
        list ipset '/mirror.usa.tyrant.gg/gamecache4,gamecache6'
        list ipset '/renx.b-cdn.net/gamecache4,gamecache6'
        list ipset '/l3cdn.riotgames.com/gamecache4,gamecache6'
        list ipset '/worldwide.l3cdn.riotgames.com/gamecache4,gamecache6'
        list ipset '/riotgamespatcher-a.akamaihd.net/gamecache4,gamecache6'
        list ipset '/riotgamespatcher-a.akamaihd.net.edgesuite.net/gamecache4,gamecache6'
        list ipset '/*.dyn.riotcdn.net/gamecache4,gamecache6'
        list ipset '/patches.rockstargames.com/gamecache4,gamecache6'
        list ipset '/gs2.ww.prod.dl.playstation.net/gamecache4,gamecache6'
        list ipset '/gs2.sonycoment.loris-e.llnwd.net/gamecache4,gamecache6'
        list ipset '/patch-dl.ffxiv.com/gamecache4,gamecache6'
        list ipset '/lancache.steamcontent.com/gamecache4,gamecache6'
        list ipset '/*.content.steampowered.com/gamecache4,gamecache6'
        list ipset '/content1.steampowered.com/gamecache4,gamecache6'
        list ipset '/content2.steampowered.com/gamecache4,gamecache6'
        list ipset '/content3.steampowered.com/gamecache4,gamecache6'
        list ipset '/content4.steampowered.com/gamecache4,gamecache6'
        list ipset '/content5.steampowered.com/gamecache4,gamecache6'
        list ipset '/content6.steampowered.com/gamecache4,gamecache6'
        list ipset '/content7.steampowered.com/gamecache4,gamecache6'
        list ipset '/content8.steampowered.com/gamecache4,gamecache6'
        list ipset '/cs.steampowered.com/gamecache4,gamecache6'
        list ipset '/steamcontent.com/gamecache4,gamecache6'
        list ipset '/client-download.steampowered.com/gamecache4,gamecache6'
        list ipset '/*.hsar.steampowered.com.edgesuite.net/gamecache4,gamecache6'
        list ipset '/*.akamai.steamstatic.com/gamecache4,gamecache6'
        list ipset '/content-origin.steampowered.com/gamecache4,gamecache6'
        list ipset '/clientconfig.akamai.steamtransparent.com/gamecache4,gamecache6'
        list ipset '/steampipe.akamaized.net/gamecache4,gamecache6'
        list ipset '/edgecast.steamstatic.com/gamecache4,gamecache6'
        list ipset '/steam.apac.qtlglb.com.mwcloudcdn.com/gamecache4,gamecache6'
        list ipset '/*.cm.steampowered.com/gamecache4,gamecache6'
        list ipset '/cdn1-sea1.valve.net/gamecache4,gamecache6'
        list ipset '/cdn2-sea1.valve.net/gamecache4,gamecache6'
        list ipset '/*.steam-content-dnld-1.apac-1-cdn.cqloud.com/gamecache4,gamecache6'
        list ipset '/*.steam-content-dnld-1.eu-c1-cdn.cqloud.com/gamecache4,gamecache6'
        list ipset '/steam.apac.qtlglb.com/gamecache4,gamecache6'
        list ipset '/edge.steam-dns.top.comcast.net/gamecache4,gamecache6'
        list ipset '/edge.steam-dns-2.top.comcast.net/gamecache4,gamecache6'
        list ipset '/steam.naeu.qtlglb.com/gamecache4,gamecache6'
        list ipset '/steampipe-kr.akamaized.net/gamecache4,gamecache6'
        list ipset '/steam.ix.asn.au/gamecache4,gamecache6'
        list ipset '/steam.eca.qtlglb.com/gamecache4,gamecache6'
        list ipset '/steam.cdn.on.net/gamecache4,gamecache6'
        list ipset '/update5.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update2.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update6.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update3.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update1.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update4.dota2.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update5.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update2.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update4.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update3.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update6.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/update1.csgo.wmsj.cn/gamecache4,gamecache6'
        list ipset '/st.dl.bscstorage.net/gamecache4,gamecache6'
        list ipset '/cdn.mileweb.cs.steampowered.com.8686c.com/gamecache4,gamecache6'
        list ipset '/live.patcher.elderscrollsonline.com/gamecache4,gamecache6'
        list ipset '/d3rmjivj4k4f0t.cloudfront.net/gamecache4,gamecache6'
        list ipset '/addons.forgesvc.net/gamecache4,gamecache6'
        list ipset '/media.forgecdn.net/gamecache4,gamecache6'
        list ipset '/files.forgecdn.net/gamecache4,gamecache6'
        list ipset '/*.cdn.ubi.com/gamecache4,gamecache6'
        list ipset '/content.warframe.com/gamecache4,gamecache6'
        list ipset '/dl1.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl2.wargaming.net/gamecache4,gamecache6'
        list ipset '/wg.gcdn.co/gamecache4,gamecache6'
        list ipset '/wgusst-na.wargaming.net/gamecache4,gamecache6'
        list ipset '/wgusst-eu.wargaming.net/gamecache4,gamecache6'
        list ipset '/update-v4r4h10x.worldofwarships.com/gamecache4,gamecache6'
        list ipset '/wgus-wotasia.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-ak.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-gc.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-se.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wot-cdx.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-ak.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-gc.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-se.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wows-cdx.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-ak.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-gc.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-se.wargaming.net/gamecache4,gamecache6'
        list ipset '/dl-wowp-cdx.wargaming.net/gamecache4,gamecache6'
        list ipset '/*.windowsupdate.com/gamecache4,gamecache6'
        list ipset '/windowsupdate.com/gamecache4,gamecache6'
        list ipset '/*.dl.delivery.mp.microsoft.com/gamecache4,gamecache6'
        list ipset '/dl.delivery.mp.microsoft.com/gamecache4,gamecache6'
        list ipset '/*.update.microsoft.com/gamecache4,gamecache6'
        list ipset '/*.do.dsp.mp.microsoft.com/gamecache4,gamecache6'
        list ipset '/*.microsoft.com.edgesuite.net/gamecache4,gamecache6'
        list ipset '/amupdatedl.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl2.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl3.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl4.microsoft.com/gamecache4,gamecache6'
        list ipset '/amupdatedl5.microsoft.com/gamecache4,gamecache6'
        list ipset '/assets1.xboxlive.com/gamecache4,gamecache6'
        list ipset '/assets2.xboxlive.com/gamecache4,gamecache6'
        list ipset '/dlassets.xboxlive.com/gamecache4,gamecache6'
        list ipset '/xboxone.loris.llnwd.net/gamecache4,gamecache6'
        list ipset '/xboxone.vo.llnwd.net/gamecache4,gamecache6'
        list ipset '/xbox-mbr.xboxlive.com/gamecache4,gamecache6'
        list ipset '/assets1.xboxlive.com.nsatc.net/gamecache4,gamecache6'
        list ipset '/xvcf1.xboxlive.com/gamecache4,gamecache6'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server ''
        list server '127.0.0.1#5053'
        option serversfile '/var/run/simple-adblock.servers'
        list address '/router/192.168.1.2'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCPv4 pool for the 'guest' interface (192.168.3.1/24 in /etc/config/network).
config dhcp 'guest'
        option interface 'guest'
        # start = offset from the network address, limit = pool size, so this should
        # hand out 192.168.3.100-192.168.3.249 -- confirm against /tmp/dhcp.leases.
        option start '100'
        option limit '150'
        option leasetime '12h'
        # Keep serving DHCP here even if another DHCP server is seen on the segment.
        option force '1'
        # No dhcpv6/ra options are set in this section; only IPv4 leases are configured here.
        list ra_flags 'none'

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd0:bdd0:06e2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        list dns '127.0.0.1'
        option igmp_snooping '1'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth1'
        option username '*********************'
        option password '*************'
        option ipv6 'auto'
        option peerdns '0'
        list dns '127.0.0.1'

# Second static address on eth1, the same device the PPPoE 'wan' interface uses;
# presumably there to reach the modem's own management subnet (192.168.10.0/24).
# NOTE(review): /etc/config/firewall lists 'accessmodem' in the 'wan' zone, so every
# zone that is allowed to forward to wan (lan and Guest) can reach this subnet too.
config interface 'accessmodem'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.10.7'
        option netmask '255.255.255.0'

config interface 'IPTV'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.10.10.1'
        option device 'eth1'

# Guest network; the router's address on it is 192.168.3.1/24.
# There is no 'option device' here: the interface only gets a device when the
# wifi-iface with "option network 'guest'" in /etc/config/wireless comes up (the
# ifstatus output at the end of the thread shows "device": "wlan0").
# NOTE(review): until then there is presumably nothing to bind the address to, so
# DHCP on this network depends on the radio being up -- check `ifstatus guest`
# while a client is stuck at "obtaining IP address".
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option cell_density '0'
        option hwmode '11g'
        option channel '1'
        option txpower '20'

# The only wifi-iface in this paste. "option network 'guest'" attaches it to the
# 'guest' interface, so its wireless clients land in the guest subnet and zone.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        # WPA2-PSK with CCMP (AES) only.
        option encryption 'psk2+ccmp'
        # SSID and key were masked by the poster.
        option ssid '************'
        option key '***********'
        option network 'guest'
        # NOTE(review): no "option isolate '1'" is set, so guest clients can presumably
        # talk to each other directly on the AP -- decide whether that is intended.

cat /etc/config/firewall

cat /etc/config/firewall

# Global fallback policies for traffic that is not handled by any zone.
config defaults
        # NOTE(review): input ACCEPT becomes the chain policy (":INPUT ACCEPT" in the
        # iptables-save output below), so packets arriving on an interface that no
        # zone covers are accepted by the router itself. The zone chains in that dump
        # are selected per interface name ("-i wlan0", "-i br-lan", ...), so this
        # matters whenever an interface is missing from the zones.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # Produces the syn_flood chain seen in the dump (limit 25/sec, burst 50).
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream zone: input to the router is rejected, masquerading is on, and nothing
# is forwarded out of this zone unless a rule says so.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        # 'wan6' has no matching interface in the /etc/config/network paste above.
        list network 'wan6'
        # NOTE(review): 'accessmodem' (192.168.10.7/24) and 'IPTV' (10.10.10.1/24) both
        # sit on eth1 and are treated as part of wan. Any "forwarding ... dest 'wan'"
        # therefore also opens these two subnets -- the iptables dump has
        # "zone_wan_dest_ACCEPT -o eth1 ... -j ACCEPT" -- which would explain why
        # guest clients can reach the modem.
        list network 'accessmodem'
        list network 'IPTV'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

# Guest zone: clients may not reach services on the router (input REJECT) except
# what explicit rules allow, and are forwarded nowhere unless a forwarding says so.
config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # The generated rules in the dump below match on "-i wlan0" / "-o wlan0", i.e.
        # on the device the 'guest' interface currently has; presumably they are only
        # created once the interface actually has that device.
        list network 'guest'

# Lets guest clients out through the wan zone (internet access).
# NOTE(review): the wan zone also contains 'accessmodem' and 'IPTV', so this one
# forwarding also lets guests reach 192.168.10.0/24 and 10.10.10.0/24. To keep
# guests off the modem, add a "config rule" with src 'Guest', dest 'wan', the
# subnet as dest_ip and target 'REJECT', or move 'accessmodem' into its own zone
# that only lan may forward to -- verify from a guest client afterwards.
config forwarding
        option src 'Guest'
        option dest 'wan'

# Opens DNS and DHCP on the router to guest clients; needed because the Guest
# zone's input policy is REJECT.
config rule
        option name 'Guest DHCP and DNS'
        option src 'Guest'
        # No 'option proto' is given, and the dump below contains a tcp and a udp rule
        # for each port (six in total); only "udp --dport 67" has a non-zero counter.
        option dest_port '53 67 68'
        option target 'ACCEPT'

iptables-save -c -t filter

iptables-save -c -t filter
# Generated by iptables-save v1.8.7 on Sat Jul  3 21:41:40 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_Guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_Guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_Guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_Guest_dest_ACCEPT - [0:0]
:zone_Guest_dest_REJECT - [0:0]
:zone_Guest_forward - [0:0]
:zone_Guest_input - [0:0]
:zone_Guest_output - [0:0]
:zone_Guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[100413:10626166] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[938547:109580813] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[92036:51208365] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[450568:23688936] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[58443:3930516] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[785956:54191866] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[1:32] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[505:166150] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_Guest_input
[25983314:12433379986] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[24849564:12309927045] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1133750:123452941] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_Guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[100413:10626166] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[937075:100526196] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[919630:99844444] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[14073:526140] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3338:154252] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[34:1360] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_Guest_output
[433569:22731153] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[352347:31459155] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[448962:23605052] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[1606:83884] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_Guest_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Guest_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_Guest_forward -m comment --comment "!fw3: Custom Guest forwarding rule chain" -j forwarding_Guest_rule
[0:0] -A zone_Guest_forward -m comment --comment "!fw3: Zone Guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Guest_forward -m comment --comment "!fw3" -j zone_Guest_dest_REJECT
[505:166150] -A zone_Guest_input -m comment --comment "!fw3: Custom Guest input rule chain" -j input_Guest_rule
[0:0] -A zone_Guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DHCP and DNS" -j ACCEPT
[0:0] -A zone_Guest_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Guest DHCP and DNS" -j ACCEPT
[0:0] -A zone_Guest_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Guest DHCP and DNS" -j ACCEPT
[0:0] -A zone_Guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DHCP and DNS" -j ACCEPT
[505:166150] -A zone_Guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Guest DHCP and DNS" -j ACCEPT
[0:0] -A zone_Guest_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Guest DHCP and DNS" -j ACCEPT
[0:0] -A zone_Guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Guest_input -m comment --comment "!fw3" -j zone_Guest_src_REJECT
[0:0] -A zone_Guest_output -m comment --comment "!fw3: Custom Guest output rule chain" -j output_Guest_rule
[0:0] -A zone_Guest_output -m comment --comment "!fw3" -j zone_Guest_dest_ACCEPT
[0:0] -A zone_Guest_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
[14073:526140] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[1133750:123452941] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1133750:123452941] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[58443:3930516] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[13311:426136] -A zone_lan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 3" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[45132:3504380] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[14073:526140] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[14073:526140] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[45132:3504380] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3083:132270] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1134005:123474923] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[34:1360] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -d 239.255.255.250/32 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 1" -j zone_lan_dest_DROP
[0:0] -A zone_wan_forward -d 224.0.0.0/4 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 2" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[785957:54191898] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[1:32] -A zone_wan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 0" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[40:1558] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[785916:54190308] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[3372:155612] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[3372:155612] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[785916:54190308] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Jul  3 21:41:40 2021

The necessary ports are udp 67 and udp 53. All tcp and 68 are not necessary.
Other than that, there is nothing wrong here. Make sure that the wifi connection is robust and not marginal.


I changed it to ports 67 and 53, UDP only,
and tried connecting again. The phone was again stuck at obtaining IP address.
I restarted the WiFi radio0 and now it's working.

Something to do with services not starting properly?

One more thing, I can access my modem from the guest WIFI. Is it possible to stop it?

Poor wifi signal, or wifi radio stuck.

Services start fine, you may need to check closer if wifi is producing any errors and needs to be restarted.


I am sitting next to it.

It's best to enable bridging for the guest network to avoid race conditions.


bridging with Lan?

This interface has no device assigned... not sure what the guidance here is, but you are relying on implicit setup (bound to what device, exactly?)

[root@dca632 /usbstick 42°]# ifstatus guest
{
	"up": false,
	"pending": false,
	"available": false,
	"autostart": true,
	"dynamic": false,
	"proto": "static",
	"data": {
		
	},
	"errors": [
		{
			"subsystem": "interface",
			"code": "NO_DEVICE"
		}
	]
}

you should probably use dummy0 or something here... ( or a br-guest with a dummy0 port )

# Suggested variant: give 'guest' an explicit device instead of relying on the
# wifi-iface to supply one.
config interface 'guest'
        option proto 'static'
	    option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

# Bridge with a dummy port, so that br-guest can exist while no wireless interface
# is attached -- assumes a dummy0 device is available on the router (TODO confirm).
# NOTE(review): with this the guest device name changes from wlan0 to br-guest;
# reload the firewall afterwards and check that the Guest zone rules match br-guest.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'dummy0'

ifstatus guest
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 53305,
        "l3_device": "wlan0",
        "proto": "static",
        "device": "wlan0",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "192.168.3.1",
                        "mask": 24
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}