dumbAP LAN can't connect to guestWIFI on different subnet

Hi, I successfully configured dumbAP with guestWIFI on a different subnet, including isolation of guestWIFI clients (except for the MACs specified in firewall traffic rules). This is all working as intended.

However, I can't seem to configure it so that LAN can actually connect to guestWIFI. I tried firewall zones and also traffic rules; nothing works for me.

Enclosed are my configs. dumbAP is connected to the main router, which is a MikroTik; I believe its settings have nothing to do with my problem.

Thanks for any hints.

firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option dest 'hostia'
        option src 'lan'
        option name 'allow lan to guest'
        option target 'ACCEPT'
        list dest_ip '192.168.8.0/24'
        option enabled '0'

config rule
        option src 'hostia'
        option name 'allow JM a Janka to lan LAN from Lucinka'
        option dest 'lan'
        option target 'ACCEPT'
        list src_mac 'xxx'
        list src_mac 'xxx'
        list src_mac 'xxx'
        option enabled '0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option network 'guest'
        option name 'hostia'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option dest 'hostia'
        option src 'lan'
        option forward 'ACCEPT'

config rule
        option src 'hostia'
        option dest 'lan'
        list dest_ip '192.168.9.225'
        option target 'ACCEPT'
        list src_mac 'xxx'
        option name 'allow hikvision to odroid'

config rule
        option src 'hostia'
        option name 'allow lucka na tvh'
        option dest 'lan'
        list dest_ip '192.168.9.225'
        option target 'ACCEPT'
        list src_mac 'xx:xx:xx:xx:xx:xx'

config rule
        option dest_port '67-68'
        option src 'hostia'
        option name 'Hostia DHCP'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option dest_port '53'
        option src 'hostia'
        option name 'Hostia DNS'
        option target 'ACCEPT'

config rule
        option src 'hostia'
        option dest 'lan'
        list dest_ip '192.168.9.0/24'
        option target 'DROP'
        list proto 'all'
        option name 'Block hostia to LAN'

config forwarding
        option dest 'lan'
        option src 'hostia'

config forwarding
        option dest 'hostia'
        option src 'lan'

network

root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd88:695e:0d4a::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.9.1'
        option ipaddr '192.168.9.2'
        list dns '192.168.9.1'
        option delegate '0'
        option force_link '0'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option force_link '0'
        option ipaddr '192.168.8.2'

wireless

root@OpenWrt:/etc/config# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option channel '36'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

# section header was missing in the paste; the options below belong to a wifi-iface,
# and this one is an open (unencrypted) SSID attached to the lan network
config wifi-iface
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet0'
        option ssid 'lucinka'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option key 'xxx'
        option network 'guest'
        option wps_pushbutton '1'

config wifi-iface 'wifinet1'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option key 'xxx'
        option ssid 'xxx'
        option wps_pushbutton '1'

That is not weird; the guide for guest is made this way to isolate guest from lan.
I'd rather suggest creating a new zone and a new SSID for those friends.

As a matter of fact, it does. If the MikroTik doesn't have a route for 192.168.8.0/24 it won't be able to route the packets which come from lan to the guest.

Guest isolation from LAN is intended; that is fine and working for me. It does not work the other way around, LAN to guest. I will check your hint for the MikroTik settings.

These two are the same, unless you mean lan isolation from guest.

But even so, you have enabled forwarding guest->lan. This can cause confusion, and you have another rule above it to block everything.

And the guest zone has these unknown options:

        option dest 'hostia'
        option src 'lan'

My bad, I mean isolate lan from guest. Disabled forwarding guest->lan.

If I do not enable this, internet for guest does not work.

Then you have messed up something else, as this is not documented in the guide, nor in the zone configurations.

Start with a clean installation, follow the guide to have a guest network with access only to the internet.
Then create rules for the flows you want to allow from guest to lan and also exclude them from masquerade in the lan zone. Also add the static route in the MikroTik.

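As an added example (not OpenWrt code and not from anyone in this thread), a small Python script that parses the UCI format posted above and flags the three points raised in the replies: stray src/dest options inside a zone, a DROP rule that contradicts a forwarding for the same zone pair, and a forwarding into a zone that masquerades without a masq_src/masq_dest exemption. SAMPLE is a constructed, trimmed copy of the posted firewall config.

```python
# Added example, not OpenWrt code: minimal UCI parser plus checks for the three problems
# the replies raise. SAMPLE is a constructed, trimmed copy of the posted firewall config.
import re
ZONE_OPTS = {"name", "input", "output", "forward", "network", "masq", "masq_src", "masq_dest", "mtu_fix"}

SAMPLE = """\
config zone
 option name 'lan'
 option masq '1'
config zone
 option name 'hostia'
 option dest 'hostia'
 option src 'lan'
config rule
 option name 'Block hostia to LAN'
 option src 'hostia'
 option dest 'lan'
 option target 'DROP'
config forwarding
 option dest 'lan'
 option src 'hostia'
"""

def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] in file order; prompts and comments are skipped."""
    sections = []
    for kind, key, val in re.findall(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            sections.append((key, {}))
        elif kind == "list":
            sections[-1][1].setdefault(key, []).append(val)
        else:
            sections[-1][1][key] = val
    return sections

def lint_firewall(sections):
    """Findings: zone with rule/forwarding keys, DROP rule vs. forwarding, forwarding into a masq zone."""
    out = []
    fwd = {(s.get("src"), s.get("dest")) for t, s in sections if t == "forwarding"}
    zones = {s.get("name"): s for t, s in sections if t == "zone"}
    for t, s in sections:
        if t == "zone" and set(s) - ZONE_OPTS:
            out.append(f"zone {s.get('name')}: unknown options {sorted(set(s) - ZONE_OPTS)}")
        if t == "rule" and s.get("target") == "DROP" and (s.get("src"), s.get("dest")) in fwd:
            out.append(f"rule {s.get('name')}: DROP, but forwarding {s['src']}->{s['dest']} is also set")
    for src, dest in fwd:
        z = zones.get(dest, {})
        if z.get("masq") == "1" and not (z.get("masq_src") or z.get("masq_dest")):
            out.append(f"forwarding {src}->{dest}: {dest} masquerades, {src} hosts hidden behind the AP")
    return out
```

On the AP itself the same checks run over the real file with `lint_firewall(parse_uci(open('/etc/config/firewall').read()))`.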

Would the setting be like this on MikroTik? If so, it is still not working to connect.

Restarted both routers; it seems to work now. Thanks for the hints.

Glad you got it working!
