Problem:
Following the guide does not lead to working Guest WiFi (= no internet access). I think the problem is these instructions in the firewall section of the guide:
Allow forward to destination zone: wan. These screenshots are not accurate! Setting to lan might have worked on OpenWrt 18.06 but it has to be wan on OpenWrt 23.05. It should look as follows, except that guest ⇒ lan should be guest ⇒ wan:
Solution (working for me):
On my R7800, forwarding traffic from "guest" to "wan" leads to nowhere.
Following the guide and / but
Forwarding to "lan" instead of "wan"
is working
Could one of the people with real knowledge please review the guide
and maybe explain what's going on, and why?
EXTRA - Maybe please also explain why one must set "masquerading" in the firewall at "lan" to "wan"
For me it seems clear that WAN is not used in this scenario, and that the upstream traffic flows in LAN upstream only. Traffic sent to WAN .. lost.
thx 4 clarifying for a beginner like me.
I can offer to upgrade the guide with actual screenshots and proper instructions if I am sure what to write / explain / instruct.
Thank you
I will investigate further, but, following the detail guide to create a 'dumb AP' in the openwrt guide section has an option to delete WAN completely.
I think that guest wlan on a dumbAP is based on creating a new wlan and a new interface (with own dhcp, ip range, fw zone) that forwards its traffic to LAN and uses the default gateway in LAN. I even think that nat/masquerading is used, similar to the LAN to WAN scenario
WAN Port / Zone seems to be unused in dumbAP scenario generally.
No, there is no WAN in a dumb AP, but forwarding an interface to LAN makes it a "non-guest wifi". To have a guest wifi in a dumb AP, I would trunk two networks to the main router.
I see your point.
Let's assume trunk is not an achievable solution.
So the idea can be to tunnel the guest-traffic through the LAN. Tunnel achieved via firewall rules. As far as I can interpret the current guide, it is done / is the goal this way. But I might be wrong.
Then you can't have a fully isolated guest wifi on a remote 'dumb' AP.
That's not how it works. You'll be able to prevent devices on the guest wifi accessing the dumb ap, but by forwarding to the LAN they'll have access to any devices on the LAN (as well as the main router unless access to that is blocked by local firewall rules).
The guest wifi on a dumb ap guide is accurate, as far as I remember - I will try to review later.
There is no wan connection for a dumb ap, so the zone forwarding is from guest > lan. LAN masquerading must be enabled.
If the desire is to isolate the guest network, a firewall rule must be added to drop/reject connections from the guest zone to the entire subnet of the upstream (lan) network. For example 192.168.1.0/24.
@mopsza - please post your configs. We can help fix the problem, but more importantly trace where there was one or more missing/missed or incorrect/incorrectly implemented step in the process.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Hello psherman,
I will / would gladly post the config information,
but you already answered the question in your post,
and it IS already working for me if I ignore the (wrong) text info in the guide
The current guide clearly advises users to forward their "guest traffic" to WAN. See screenshot.
Fully agree.
Forwarding traffic from guest to lan undermines isolation.
If you review the guide, isolation of guest traffic in lan is done via firewall-rules and looks good to me
Hi, @mopsza, I'm always interested in how to handle the wwan connection to the ISP router on the dumb-AP.
Both instructions of guestwifi_dumbAP and dumbAP do not specify.
Hi,
I needed some time to get through.
I can confirm that all WAN related settings are irrelevant and can be deleted in the "dumb AP" scenario. In "dumb AP" scenario (with or without guest WiFi) all (LAN) traffic is sent to the Standard Gateway (which resides on another router that has WAN access).
Your topic describes that one can reclaim physical router ports to LAN. That's right, as WAN is not needed in dumbAP scenario.
You state that the instructions in the guides do not cover wwan topic. That's true for the time 3 days ago. Please revisit the dumbAP + Guest guide. I added some more info to explain HOW things are done and also mention that one can delete all WAN traces without losing any functionality.
Not sure if there was a question or if I answered one.
Just let me know
Regards!
What do you think the masquerading config should be?
From my review, it looks correct (although you need to look at the last firewall screenshot from step 3 where we see masquerading is enabled on the lan).
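
A firewall configuration matching what the replies above describe for a dumb AP (guest forwarded to lan, masquerading on lan, guest rejected from the upstream subnet), as an added example that is not taken from the thread or from the OpenWrt guide. The zone and rule names are assumptions, the guest interface is assumed to be called `guest` with DHCP and DNS served by the AP itself, and 192.168.1.0/24 is the example upstream subnet mentioned above.

```conf
# /etc/config/firewall on the dumb AP (added example; names and subnet are assumptions)

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# Guest traffic leaves with the AP's LAN address, so the main router needs no route back
	option masq '1'

config zone
	option name 'guest'
	list network 'guest'
	# Guests cannot reach services on the AP except what the rules below allow
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# There is no wan on a dumb AP: upstream is reached through lan
config forwarding
	option src 'guest'
	option dest 'lan'

# Isolation: reject anything from guest addressed to the upstream LAN subnet.
# Internet-bound packets only use the LAN gateway as next hop and are unaffected.
config rule
	option name 'Guest-Block-LAN'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'

# DNS and DHCP are answered by the AP (input traffic, no dest zone)
config rule
	option name 'Guest-DNS'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'
```

Without the `Guest-Block-LAN` rule, the guest to lan forwarding gives guest clients access to every device on the upstream LAN, which is the isolation concern raised earlier in the thread.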