config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone
	option name 'guest'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'

config forwarding 'guest_lan'
	option dest 'lan'
	option src 'guest'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67-68'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
My LAN and MAINWIFI have internet.
GUESTWIFI is able to obtain an IP address but cannot access the internet. Masquerade is already enabled on the LAN firewall zone.
SSH connection to the dumb AP after applying the settings.
These settings broke my connection to and from my ISP (192.168.254.254) via the LAN of my dumb AP, since my ISP is my DHCP and DNS server. Luckily, I have my guest wifi to revert the changes.
You must set an option gateway for the lan interface.
Move the DNS server(s) to the lan interface section.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.254.11'
	option gateway '192.168.254.254'
	list dns '192.168.254.254'
	list dns '8.8.8.8'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.113.1'
	option netmask '255.255.255.0'
The firewall rule blocking guest access to the private network is missing.
# Add a rule that rejects everything from the guest zone towards the LAN subnet.
# It is matched before the guest->lan forwarding, so internet traffic via the
# ISP gateway still passes while the private network stays unreachable.
uci add firewall rule
uci set firewall.@rule[-1].name='Block-guest-to-lan'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='192.168.254.0/24'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
# Write the change to /etc/config/firewall and reload the rules
uci commit firewall
/etc/init.d/firewall restart
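An added audit script (not from this thread or from OpenWrt) that parses a copy of /etc/config/firewall and reports whether a guest->lan forwarding is actually fenced off by a REJECT/DROP rule covering the whole LAN subnet; it also flags a block rule that omits proto 'all', since fw3 rules default to tcp/udp only. The zone names and the 192.168.254.0/24 subnet are taken from the posts above, and the config strings are constructed to mirror the thread's setup.

```python
"""Audit a copy of /etc/config/firewall for guest-to-LAN isolation (added example)."""
import ipaddress
import re

SECTION_RE = re.compile(r"^\s*config\s+(\w+)")
KV_RE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'?([^']*)'?\s*$")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options); 'list' keys become lists."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = KV_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def audit_guest_isolation(cfg_text, guest="guest", lan="lan", lan_subnet="192.168.254.0/24"):
    """Return findings (empty list means isolated). A guest->lan forwarding is only safe
    when a REJECT/DROP rule with src=guest, dest=lan, proto all covers the LAN subnet."""
    sections = parse_uci(cfg_text)
    if not any(t == "forwarding" and o.get("src") == guest and o.get("dest") == lan
               for t, o in sections):
        return []  # nothing is forwarded from guest to lan, so nothing to block
    net = ipaddress.ip_network(lan_subnet)
    findings = []
    for t, o in sections:
        if t != "rule" or o.get("src") != guest or o.get("dest") != lan:
            continue
        if o.get("target", "").upper() not in ("REJECT", "DROP"):
            continue
        name = o.get("name", "<unnamed>")
        targets = o.get("dest_ip", [])
        if isinstance(targets, str):
            targets = [targets]
        covers = not targets or any(net.subnet_of(ipaddress.ip_network(ip, strict=False))
                                    for ip in targets if not ip.startswith("!"))
        if not covers:
            findings.append(f"rule {name}: dest_ip {targets} does not cover {lan_subnet}")
            continue
        # fw3 rules default to proto 'tcp udp', so ICMP and other protocols still get forwarded
        if o.get("proto", "tcp udp") not in ("all", "any"):
            findings.append(f"rule {name}: proto {o.get('proto', 'tcp udp')!r} leaves non-TCP/UDP traffic forwarded")
        return findings
    findings.append(f"forwarding {guest}->{lan} exists but no REJECT/DROP rule covers {lan_subnet}")
    return findings

# Constructed sample mirroring the thread: guest->lan forwarding with no block rule yet
OP_CONFIG = """
config forwarding 'guest_lan'
	option dest 'lan'
	option src 'guest'
config rule 'guest_dns'
	option src 'guest'
	option dest_port '53'
	option proto 'udp'
	option target 'ACCEPT'
"""
# Constructed sample of the rule suggested above, appended to fix the gap
BLOCK_RULE = """
config rule
	option name 'Block-guest-to-lan'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.254.0/24'
	option target 'REJECT'
	option proto 'all'
"""
```

Run it off-box against a copied config (`python3 audit.py < firewall`) by reading stdin into `audit_guest_isolation`; an empty result means guest clients cannot reach the LAN through the forwarding.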
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
ip route
default via 192.168.254.254 dev br-lan
192.168.113.0/24 dev wlan0 scope link src 192.168.113.1
192.168.254.0/24 dev br-lan scope link src 192.168.254.11
I think I've found the culprit, though I'm not sure how it drops my connection.
It is the nodogsplash package. Once I stop the process, my guest wifi has its internet connection back.
Same laptop connected to the guest wifi with the nodogsplash process stopped.
Thanks @pavelgl and @psherman for bearing with me, as I am a total noob to this OpenWrt thing. The next thing to figure out is how to make this captive portal work on my guest wifi.