Dumb AP & Guest Wi-Fi - Wrong instructions / review necessary?

Hi,
just to make it clear, I am a beginner / noob.
Just tried to make "Dumb AP + Guest WiFi" work on a R7800, openWRT 23.05 , following this guide:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

Problem:
Following the guide does not lead to workig Guest WiFi (= no internet access) . I think the problem are this instructions in the firewall section of he guide:

Allow forward to destination zone: wan. These screenshots are not accurate! Setting to lan might have worked on OpenWrt 18.06 but it has to be wan on OpenWrt 23.05.
It should look as follows, except that guest ⇒ lan should be guest ⇒ wan:

Solution (working for me):
On my R7800, forwarding traffic from "guest" to "wan" leads to nowhere.
Following the guide and / but
Forwarding to "lan" instead of "wan"
is working

Could please one of the people with real knowledge review the guide
and maybe explain whats going on, and why?
EXTRA - Maybe please also explain why one must set "masquarading" in the firewall at "lan" to "wan"

For me it seems clear that WAN is not used in this szenario, and that the upstream traffic flows in LAN upstream only. Traffic send to WAN .. lost.

thx 4 clarifying for a beginner like me.
I can offer to upgrade the guide with actuall screenshots and proper instructions if I am sure what to write / explain / instruct.
Thank you

I also think that these instructions are wrong and over-complicated.
Can you check if a guest setup without a WAN interface like illustrated in https://giuliomagnifico.blog/networking/2022/08/14/home-network_v3.html works for you?

I have not reviewed the guide, but this does not make sense, conceptually. You want to give access to WAN not LAN.

It is a dumb AP, so I would expect there is no WAN, or am I mistaken?

I will investigate further, but, following the detail guide to create a 'dumb AP' in the openwrt guide section has an option to delete WAN completly.

I think that guest wlan on an dumbAP is based on creating an new wlan and a new interface (with own dhcp, ip range, fw zone) that forwards its traffic to LAN und uses the default gateway in LAN. I even think that nat/masquarading is used, similar to the LAN to WAN szenario

WAN Port / Zone seems to be unused in dumbAP szenario generally.

I will test / check further.

No, there is no WAN in a dumb AP, but forwarding an interface to LAN makes it a "non-guest wifi". To have a guest wifi in a dumb AP, I would trunk two networks yo the main router.

I see your point.
Lets assume trunk is not an achivable solution.

So the idee can be to tunnel the guest-traffic through the LAN. Tunnel achived via firewall rules. As far as i can interpret the current guide, it is done / is the goal this way. But i might be wrong.

Then you can't have a fully isolated guest wifi on a remote 'dumb' AP.

That's not how it works. You'll be able to prevent devices on the guest wifi accessing the dumb ap, but by forwarding to the LAN they'll have access to any devices on the LAN (as well as the main router unless access to that is blocked by local firewall rules).

The guest wifi on a dumb ap guide is accurate, as far as I remember - I will try to review later.

There is no wan connection for a dumb ap, so the zone forwarding from guest > lan. LAN masquerading must be enabled.

If the desire is to isolate the guest network, a firewall rule must be added to drop/reject connections from the guest zone to there entire subnet of the upstream (lan) network. For example 192.168.1.0/24.

@mopsza - please post your configs. We can help fix the problem, but more importantly trace where there was one or more missing/missed or incorrect/incorrectly implemented step in the process.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hello psherman,
i will / would gladly post the config information,
but you already answered the question in your post,
and it IS already working for me if I ignore the (wrong) text info in the guide

The current guide clearly advises useres to forward their "guest traffic" to WAN. See screenshot.

Unbenannt1560×1164 128 KB

All I say -
the current TEXT info (yellow marked ) in this guide (link / screenshot) is wrong.

and should be corrected.
.
.

As you stated,
In dumbAP + GustWiFi szenario, it should be (and is working fine for me):

• Guest forwards to LAN
• enable LAN Masquarading
• set coressponding Firwall Rules to isolate traffic in LAN on its journey to "Standard Gatway" in LAN.

I will change the text in the guide tomorrow if you agree, maybe also replacing existing screenshots with some current from openWRT 23.05

Fully agree.
Forwarding traffic from guest to lan undermines isolation.
If you review the guide, isolation of guest traffic in lan is done via firewall-rules and looks good to me

Ah. So it appears someone recently edited the wiki and it wasn’t vetted. Fair enough. Thanks for catching that!!

If you have the time to update the screenshots, that would be awesome. Feel free to pm me if you’d like a second set of eyes on your changes.

Hello ed8,
beautifull clean documention including screenshot & UCI code, congrats.

Yes, I tested it.
One can delete all traces of WAN and the scenario still works.
This also does correspond with what psherman stated.

I think the question is answerd and solved.
Its clear HOW this szenario is set up and working,
AND that the current text in the guide is wrong.

thx 4 helping out,
regards

Great!
I'll do my best .. and yes please review, very appreciated.
regards!

All done.

I updated the guide with new screenshots and lots of new text / additional info.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

Thx 2 you all who contributed.

Hi, @mopsza, I'm always interesting in How to handle the wwan connection to the ISP router on the dumb-AP.
Both instructions of guestwifi_dumbAP and dumbAP do not specified.

refer to my topic:

Hi,
i needed some time to get through.
I can confirm that all WAN related settings are irrelevant and can be deleted in the "dumb AP" szenario. In "dumb AP" szenario (with or without guest WiFi) all (LAN) traffic is send to the Standard Gateway (which resides on another router that has WAN access).

Your topic describes that one can reclaim physical router ports to LAN. Thats right, as WAN is not needed in dumbAP szenario.

You state that the instructions in the guides do not cover wwan topic. Thats true for the time 3 days ago. Please revisit the dumbAP + Guest guide. I added some more Info to explain HOW things are done and also mention that one can delete all WAN traces without loosing any functionality.

Not sure if there was a question or if I answered one.
Just let me know
Regards!

IMHO the masquerading is not correct. Please review.

What do you think the masquerading config should be?

From my review, it looks correct (although you need to look at the last firewall screenshot from step 3 where we see masquerading is enabled on the lan).