Dumb AP Guest Wifi - No internet

As the title says, my guest wifi has no internet. I need some help in configuring it.

Network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.254.11'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.113.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'

Wireless

config wifi-iface 'wifinet0'
        option network 'guest'
        option ssid 'GUESTWIFI'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option key '[secret]'

config wifi-iface 'wifinet1'
        option ssid 'MAINSSID'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option key '[secret]'

DHCP

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'

Firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'guest'

config forwarding 'guest_lan'
        option dest 'lan'
        option src 'guest'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67-68'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

My LAN and MAINWIFI have internet.
GUESTWIFI is able to obtain an IP address but cannot access the internet. Masquerade is already enabled on the LAN firewall zone.

What did I miss? Please help.

I think your problem is here:

Instead, try this:

config device 'br-lan'
        option type 'bridge'
        option device 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.254.11'

SSH Connection to dumb AP after applying the settings.

These settings broke my connection to and from my ISP (192.168.254.254) via the LAN of my dumb AP, since my ISP is my DHCP and DNS server. Luckily, I have my guest wifi to revert the changes.

Note: I am using OpenWrt 19.07.10

You must set an option gateway for the lan interface.
Move the DNS server(s) to the lan interface section.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.254.11'
        option gateway '192.168.254.254'
        list dns '192.168.254.254'
        list dns '8.8.8.8'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.113.1'
        option netmask '255.255.255.0'

The firewall rule blocking guest access to the private network is missing.

uci add firewall rule
uci set firewall.@rule[-1]=rule
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].name='Block-guest-to-lan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='192.168.254.0/24'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'
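A small audit script, added here and not part of the thread or of OpenWrt, that parses a UCI firewall config and reports whether a guest->lan forwarding is covered by a REJECT/DROP rule for the whole LAN subnet with proto 'all' (as in the uci commands above), and also flags a guest zone whose input policy is not REJECT/DROP, which would expose the AP's own ssh/LuCI to guests. It assumes quoted UCI values and a non-negated dest_ip; the sample config is constructed from the thread.

```python
import re
import ipaddress

# Constructed sample: guest zone and guest->lan forwarding from the thread, plus the block rule added above with uci.
SAMPLE = """
config zone
        option name 'guest'
        option input 'REJECT'
config forwarding 'guest_lan'
        option src 'guest'
        option dest 'lan'
config rule
        option src 'guest'
        option dest 'lan'
        option dest_ip '192.168.254.0/24'
        option target 'REJECT'
        option proto 'all'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value or [values]})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def audit_guest_zone(text, guest="guest", lan="lan", lan_net="192.168.254.0/24"):
    """Return findings on guest isolation; an empty list means the checks pass."""
    secs = parse_uci(text)
    findings = []
    for t, o in secs:  # input other than REJECT/DROP exposes the AP's own services to guests
        if t == "zone" and o.get("name") == guest and o.get("input") not in ("REJECT", "DROP"):
            findings.append("guest zone input policy is %s" % o.get("input"))
    if any(t == "forwarding" and o.get("src") == guest and o.get("dest") == lan for t, o in secs):
        # the block rule must cover the whole lan subnet for all protocols (fw3 defaults proto to tcpudp)
        blocked = any(
            o.get("src") == guest and o.get("dest") == lan and o.get("target") in ("REJECT", "DROP")
            and o.get("proto") == "all" and ipaddress.ip_network(o["dest_ip"]).supernet_of(ipaddress.ip_network(lan_net))
            for t, o in secs if t == "rule" and isinstance(o.get("dest_ip"), str))
        if not blocked:
            findings.append("forwarding %s->%s has no REJECT/DROP rule covering %s" % (guest, lan, lan_net))
    return findings
```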

Still no luck @pavelgl. Here is my config.

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.254.11'
        option gateway '192.168.254.254'
        list dns '192.168.254.254'
        list dns '8.8.8.8'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '28:87:ba:03:bf:f5'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '28:87:ba:03:bf:f6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1 2 3 4'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.113.1'
        option netmask '255.255.255.0'

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'nodogsplash'
        option type 'script'
        option path '/usr/lib/nodogsplash/restart.sh'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'guest'

config forwarding 'guest_lan'
        option dest 'lan'
        option src 'guest'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        list proto 'udp'
        list proto 'tcp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67-68'
        list proto 'udp'
        list proto 'tcp'
        option family 'ipv4'
        option target 'ACCEPT'

Note: I intentionally allowed all packets to pass through on all filters for the guest zone.

Wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/10300000.wmac'
        option htmode 'HT20'
        option country 'PH'

config wifi-iface 'wifinet0'
        option network 'guest'
        option ssid 'GUEST'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option key '[secret]'
        option isolate '1'

config wifi-iface 'wifinet1'
        option ssid 'MAIN'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option key '[secret]'

DHCP

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'

firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

ip route

default via 192.168.254.254 dev br-lan
192.168.113.0/24 dev wlan0 scope link  src 192.168.113.1
192.168.254.0/24 dev br-lan scope link  src 192.168.254.11

Check that the AP itself has access to the Internet (you could run opkg update).

From a guest network client try to ping:
192.168.113.1
192.168.254.11
192.168.254.254
8.8.8.8

Check the domain name resolution using nslookup.

LAPTOP connected to my GUEST wifi.

Able to ping 113.1 (guest interface) and 254.11 (lan interface), but not 254.254 (main router) and 8.8.8.8.

Additionally, here is the traceroute to 254.254 from the guest client.

It seems the trace can't get past 113.1. LAN masquerade is already enabled. Firewall forwarding is also defined, guest->lan.

It seems that the firewall service is not active and therefore masquerading is not working.
What is the output of:

iptables -t nat -nvL zone_lan_postrouting; /etc/init.d/firewall restart; iptables -t nat -nvL zone_lan_postrouting

I think I've found the culprit, though I'm not sure how it drops my connection.
It is the nodogsplash package. Once I stop the process, my guest wifi has its internet connection back.

Same laptop connected to guest wifi with nodogsplash process stopped.

Thanks @pavelgl and @psherman for bearing with me as I am a total noob to this OpenWrt thing. The next thing to figure out is how to make this captive portal work on my guest wifi.

Thanks guys.
