Hi anyone, I am sorry to bother with my noob issue. Grateful if someone can help me to address it.
Got a Cudy WR2100 WiFi router with openwrt-23.05.
1 wan port currently disconnected
4 lan ports bridged (br-lan), working fine:
one to the FTTH modem acting as gateway and DHCP on IP 192.168.1.254
one to the ethernet switch where all lan devices are connected
one to a Linux web server
one currently disconnected
2 WiFi SSIDs (5 GHz and 2.4 GHz) are linked to the br-lan with DHCP serving 192.168.1.0 network IPs, working fine.
1 guest WiFi SSID 2.4 GHz linked to a bridge guest network with DHCP serving 192.168.2.0 IPs not working (hosts do connect but do not get any IP).
Here are the config files:
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '____:____:____::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.254'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option delegate '0'
	option gateway '192.168.1.254'
	option broadcast '192.168.2.255'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'phy1-ap0'
	option ipv6 '0'
You'll probably want to add DNS to the lan interface (192.168.1.254), although this is not absolutely required if this device won't be providing DHCP services to the guest network.
Remove the bridge line from the wan interface:
Delete the last 3 lines of the guest network interface stanza:
And delete these:
Remove the wan from this wifi config... leave guest -- there must only be one network there.
Is the DHCP server on your main router disabled? If not, you must disable this one by setting it to ignore:
If you do intend to use this device for the main lan DHCP server, you need to remove 192.168.1.1 from option 3.
Enable masquerading on the lan firewall zone by adding option masq '1' to the lan zone stanza:
Delete all of these:
That should get it working. You may wish to tighten the firewall, but we can talk about that after all of the basics are working.
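As an added example (not psherman's post or the poster's own files), these are the /etc/config/dhcp and /etc/config/firewall stanzas the steps above lead to on this dumb AP. It assumes the firewall zones are named 'lan' and 'guest', that the Fastgate at 192.168.1.254 keeps serving DHCP for 192.168.1.0/24, and it includes the "tighten the firewall" step as a rule keeping guests away from the wired LAN hosts.

```uci
# /etc/config/dhcp (added example, not the poster's own file)
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'        # the Fastgate at 192.168.1.254 keeps serving 192.168.1.0/24

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'

# /etc/config/firewall (added example; assumes zones named 'lan' and 'guest')
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'          # guest traffic leaves as 192.168.1.1, so the Fastgate needs no return route

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'    # guests may only talk to the AP itself via the two rules below
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'lan'        # guest -> lan zone (and on through the Fastgate to the internet); no lan -> guest

config rule
	option name 'Guest DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest no LAN access'   # keeps the guest subnet isolated from the wired hosts
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'
```

Rules are evaluated before zone forwardings, so the last rule blocks guest clients from 192.168.1.0/24 (including the Fastgate's admin page) while internet-bound traffic, which carries a public destination address, still passes the guest -> lan forwarding.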
@psherman THANK YOU very much for your time and precious help!!
I've implemented all config amendments mentioned in your post.
Now the 2 wifi on 192.168.1.0 network rely on main DHCP server responding at 192.168.1.254 (the FTTH Fastgate modem) and the guest wifi network 192.168.2.0 is served by OpenWRT (dnsmasq) DHCP server at 192.168.2.1 -- which wasn't working before your suggested config amendments.
This is the ipconfig of a windows host on the guest wifi network:
However, even though the host connected to the wifi guest network is configured in DHCP by 192.168.2.1, it cannot connect to Internet.
When I ping google, the 192.168.2.1 gateway responds that destination port is unreachable:
The same host can connect to the FTTH Fastgate modem at 192.168.1.254 (the other lan subnet) through the OpenWRT gateway at 192.168.2.1:
Maybe I should set 192.168.1.254 as the default gateway to the guest-lan (192.168.2.1) interface? Or shall I add 192.168.1.254 as its DNS (how)?
As this is a dumb AP, you need to either allow masquerading on the LAN interface or set a return route on the main router to route 192.168.2.0/24 back to 192.168.1.1.
@egc thank you for your feedback. I can (though have no solid knowledge to) fully operate the OpenWRT behind the FTTH modem, but as far as the latter one (a Technicolor MediaAccess FGA2130FWB operated by the ISP Fastweb, pictured here below) I have limited access and configuration ability (though I can forward all traffic to an internal DMZ, or map specific external-internal port forwarding).
Client host on guest wifi gets 192.168.2.1 as DHCP server, DNS server and gateway, but does not connect to Internet.
Tracert on external IP as follows (DNS seems ok, but OpenWRT reports: destination protocol unreachable):
If you bridge the wi-fi and ports and remove Wan and firewall it just becomes a switch with WiFi. Put on a vlan port from the working router and it becomes isolated.
I'm sure I did that once as proof of concept.
Well, pretty sure.
If the main router isn't handling the guest network from a routing perspective, then one of the two options that @egc stated is required.
NAT masquerading on the lan interface of a dumb AP makes all traffic to/from the guest network just appear to be to/from the AP itself... the guest network is masqueraded as the dumb AP's lan IP.
If masq is turned off, the main router will not know how to return traffic to the guest network... that's where the static route comes in -- it tells the main router what gateway address is used for the guest network, and thus the traffic gets sent to the right place.
Although we were talking about two ways, for completeness, there are 3 ways of handling a guest network (where guest could really be any additional subnet for any purpose).
1. Main router handles all routing. This is preferred when the main router has the capabilities (such as OpenWrt or other more advanced routing OS's). From there, the APs and downstream devices are configured as VLAN aware dumb (no routing) devices.
2. A dumb AP handles the guest network routing, NAT masquerading disabled and a static route on the main router. This is good when the main router cannot handle VLANs, but does have static route support. It avoids the double-NAT situation on the guest network (not that it really matters, but still preferable).
3. Dumb AP handles guest network with NAT masquerading enabled. This is probably the most common situation when a consumer/ISP router with stock firmware is the main network router since many of those don't support (or expose user controls for) static routes and VLANs. The guest network will be double-NAT'd, but generally not an issue for most use cases.
Sorry for late reply. I want to thank you all for the support and solution(s) provided which solved the issue. Everything is working as expected now on the isolated guest subnet.
Let me also apologize for missing the available guide to set up a Guest Wi-Fi on a dumb wireless AP using LuCI.
BTW, I've realized how much I have to go deeper into studying the protocols and software just to start figuring out what is happening and where to intervene.
Also, I would like to have a setup (Wireshark?) in order to be able to study how single packets travel back and forth through the single parts of the system between my office and my home.
I attach the updated config files, and I'll be more than glad to take any further suggestions you may have to improve the settings, also in order to strengthen the security.
network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '*******'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.254'
	option dns '192.168.1.254'

#config interface 'wan'
#	option device 'wan'
#	option proto 'dhcp'

#config interface 'wan6'
#	option device 'wan'
#	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option device 'br-guest'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'