hi, successfully configured dumbAP with guestWIFI on different subnet, including isolation of guestWIFI clients (except for the MACs specified in firewall traffic rules). this is all working as intended.
however, can't seem to configure that LAN can actually connect to guestWIFI. tried with firewall zones, also with traffic rules, nothing works for me.
enclosed are my configs. dumbAP is connected to main router, which is mikrotik, i believe its settings have nothing to do with my problem.
thanks for any hints.
firewall
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option network 'wan wan6'
config rule
option dest 'hostia'
option src 'lan'
option name 'allow lan to guest'
option target 'ACCEPT'
list dest_ip '192.168.8.0/24'
option enabled '0'
config rule
option src 'hostia'
option name 'allow JM a Janka to lan LAN from Lucinka'
option dest 'lan'
option target 'ACCEPT'
list src_mac 'xxx'
list src_mac 'xxx'
list src_mac 'xxx'
option enabled '0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option network 'guest'
option name 'hostia'
option output 'ACCEPT'
option input 'ACCEPT'
option dest 'hostia'
option src 'lan'
option forward 'ACCEPT'
config rule
option src 'hostia'
option dest 'lan'
list dest_ip '192.168.9.225'
option target 'ACCEPT'
list src_mac 'xxx'
option name 'allow hikvision to odroid'
config rule
option src 'hostia'
option name 'allow lucka na tvh'
option dest 'lan'
list dest_ip '192.168.9.225'
option target 'ACCEPT'
list src_mac 'xx:xx:xx:xx:xx:xx'
config rule
option dest_port '67-68'
option src 'hostia'
option name 'Hostia DHCP'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'hostia'
option name 'Hostia DNS'
option target 'ACCEPT'
config rule
option src 'hostia'
option dest 'lan'
list dest_ip '192.168.9.0/24'
option target 'DROP'
list proto 'all'
option name 'Block hostia to LAN'
config forwarding
option dest 'lan'
option src 'hostia'
config forwarding
option dest 'hostia'
option src 'lan'
network
root@OpenWrt:/etc/config# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd88:695e:0d4a::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.9.1'
option ipaddr '192.168.9.2'
list dns '192.168.9.1'
option delegate '0'
option force_link '0'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option force_link '0'
option ipaddr '192.168.8.2'
wireless
root@OpenWrt:/etc/config# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option channel '36'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-iface 'wifinet0'
option ssid 'lucinka'
option encryption 'psk2'
option device 'radio1'
option mode 'ap'
option key 'xxx'
option network 'guest'
option wps_pushbutton '1'
config wifi-iface 'wifinet1'
option encryption 'psk2'
option device 'radio0'
option mode 'ap'
option network 'lan'
option key 'xxx'
option ssid 'xxx'
option wps_pushbutton '1'