Frustrating experience setting up guest wifi - Resolved!

Router: WRT1200AC

All configuration was done through Luci. No other custom network config in the mix, just setting up a guest wifi.

I am trying to create full separation of the wifi radios clients from the routers wired lan clients. To accomplish this, I created a separate interface and firewall zone for each of the 2 radios (matching the default lan zones settings). I then created some traffic rules to restrict traffic in various ways - but before you jump on this, I have tried disabling all rules and just testing the bare interface+zone, which did not work even though the interface and zone are essentially copies of the default lan interface/zone except with a different static IP for each of the new interfaces.

The problem is clients that join the wifi fail to get provisioned by DHCP. They do not receive an IP address. Yes, the new interfaces have a DHCP server setup on each. When I switch the wifi back to the lan interface, everything works fine.

I have read through a bunch of threads and tried various suggestions with no luck, would really appreciate some help as I've been up all night pulling my hair out over this normally trivial router config task.

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option igmp_snooping '1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'WorkGuest'
	option proto 'static'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'

/etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'CA'
	option htmode 'VHT40'
	option channel '44'
	option txpower '18'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option macaddr CENSORED
	option ssid CENSORED
	option isolate '1'
	option disassoc_low_ack '0'
	option key CENSORED
	option wpa_disable_eapol_key_retries '1'
	option ieee80211w '2'
	option network 'Guest'
	option encryption 'psk2+ccmp'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'CA'
	option channel '11'
	option txpower '12'
	option beacon_int '300'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option macaddr CENSORED
	option ssid CENSORED
	option isolate '1'
	option disassoc_low_ack '0'
	option encryption 'psk2+ccmp'
	option key CENSORED
	option network 'WorkGuest'

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option confdir '/opt/usbd/dns'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Guest'

config host
	option mac CENSORED
	option name CENSORED
	option dns '1'
	option ip '192.168.1.194'

config dhcp 'WorkGuest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'WorkGuest'

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option drop_invalid '1'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'

config zone
	option name 'guest'
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'
	list network 'Guest'

config zone
	option input 'DROP'
	option forward 'DROP'
	option name 'workguest'
	option output 'ACCEPT'
	list network 'WorkGuest'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'DROP'
	list network 'wan'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'DROP'
	list dest_ip 'fc00::/6'
	list src_ip 'fc00::/6'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	option target 'DROP'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	option target 'DROP'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'allowdns'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '67'
	option src 'guest'
	option name 'allowdhcp'
	option target 'ACCEPT'
	list dest_ip '192.168.1.1'
	list proto 'udp'

config rule
	option dest_port '68'
	option name 'allowdhcp2'
	option target 'ACCEPT'
	option dest 'guest'
	list src_ip '192.168.1.1'
	list proto 'udp'

config rule
	option dest_port '67'
	option src 'workguest'
	option name 'allowdhcpwork'
	option target 'ACCEPT'
	list dest_ip '192.168.1.1'
	list proto 'udp'

config rule
	option dest_port '68'
	option name 'allowdhcpwork2'
	option target 'ACCEPT'
	option dest 'workguest'
	list src_ip '192.168.1.1'
	list proto 'udp'

config rule
	option dest_port '12023'
	list proto 'udp'
	option name 'logger'
	list src_ip '192.168.1.1'
	option dest 'lan'
	list dest_ip '192.168.1.194'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option dest_port '53'
	option src 'workguest'
	option name 'allowdnswork'
	option target 'ACCEPT'
	list dest_ip '192.168.1.1'
	list proto 'udp'

config rule
	option src 'guest'
	option name 'blocklanguest'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	option enabled '0'

config forwarding
	option dest 'wan'
	option src 'workguest'

config rule
	option src 'workguest'
	option name 'blocklanwork'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	option enabled '0'

config rule
	option src 'workguest'
	option name 'blockworktoguest'
	option dest 'guest'
	option target 'DROP'
	list proto 'all'
	option enabled '0'

config rule
	option src 'guest'
	option name 'blockguesttolan'
	option dest 'workguest'
	option target 'DROP'
	list proto 'all'
	option enabled '0'

Post v20.x OpenWRT has been incredibly unstable on WRT1200AC APs, typically involving radio issues with this older marvell chipset. v19 was stable and mature for this device, so something basic like setting up a guest wifi network should not require latest release.

Can you elaborate further on creating the bridge devices? Can this be done in Luci? Thanks for weighing in

From the guest rules in firewall remove the specific IPs, especially in DHCP this is not how it works.
Remove these rules:

config rule
	option dest_port '68'
	option name 'allowdhcp2'
	option target 'ACCEPT'
	option dest 'guest'
	list src_ip '192.168.1.1'
	list proto 'udp'

config rule
	option dest_port '68'
	option name 'allowdhcpwork2'
	option target 'ACCEPT'
	option dest 'workguest'
	list src_ip '192.168.1.1'
	list proto 'udp'

config rule
	option dest_port '12023'
	list proto 'udp'
	option name 'logger'
	list src_ip '192.168.1.1'
	option dest 'lan'
	list dest_ip '192.168.1.194'
	option target 'ACCEPT'
	option src 'lan'

4 Likes

Thank you both for your help - I think your advice has worked, the problem seems to have been a dumb mistake I made with the src ip for the DHCP traffic rules - it wasn't reflected in the version of the logs I posted, but I'm pretty sure I did also try making the src IP for those rules the IP of each interface running its own DHCP server - so should src_ip always be unset for rules regarding DHCP? I guess I need to brush up on the DHCP protocol.

Oddly enough I didn't need to do the bridge configuration for this to resolve the issue - what impact does setting the type to bridge have in this context? Is it still necessary to avoid other problems with this configuration? I ask because other threads I was digging through actually suggested UNsetting the type from bridge while others were aligned with your advice.

Thanks again

The bridge is not necessary if the interface is purely wireless on one band.
There is no need to complicate your firewall with source and destination IPs. Especially in DHCP it can cause the rule to block legitimate traffic, as it did in your case.

3 Likes

Ok thanks again for the help both of you!!

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.