Guest as second SSID not completing connections

Linksys EA3500 running 21.02.3 and operating as dumb AP.

After following the VanTech tutorial on YouTube I still cannot establish a connection on Guest. Both SSIDs are visible, but devices can successfully connect only to the existing (non-Guest) one.

Firewall zone has Guest => WAN, reject, accept, reject.
Firewall Traffic rule: Guest DHCP: Incoming IPv4 and IPv6 from Guestzone to this device on UDP port 67. {DNS was configured during the Guest interface setup.}

Symptoms and Indications:
Guest SSID is visible to WiFi devices.
Interface has DHCP enabled with its own subnet, 192.168.2.1/24 (mask 255.255.255.0).
While attempting to connect WiFi device(s) to Guest the WiFi device appears in the "Associated Stations" list under Luci's Network->Wireless page.
Devices can connect to the other/non-Guest interface on radio0 whether Guest is enabled or not.
Thought this was initially related to issue 9343 but I really don't know as it is beyond my depth.
Disabling the other/non-Guest interface yields no change in symptoms.
Reboot yields no change in symptoms.

Is this an EA3500 limitation?
Is there some conflict between this dumb AP that usually directs DHCP requests to the main router and the DHCP server that should be enabled under this Guest interface? Not sure how to check for that.
Suggested troubleshooting steps...?

TIA

It's best if we can see your complete config...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Network

# Loopback; stock OpenWrt.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

# LAN bridge over the four switch ports; IPv6 disabled on the bridge device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'
	option bridge_empty '1'
	option ipv6 '0'

# Dumb-AP management address on the main LAN (192.168.1.2/24). gateway and dns
# both point at the main router; the gateway is what lets this AP forward guest
# traffic upstream once a guest -> lan forwarding exists (there is no wan
# interface on this box).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'eth0'
	option ipv6 '0'

# Guest network: this AP is the gateway (192.168.2.1/24) of a separate subnet.
# NOTE: 'list dns' on a static interface only affects which upstream resolvers
# this AP itself uses; it does NOT change the DNS server handed to guest DHCP
# clients (that needs dhcp_option 6 in /etc/config/dhcp).
# The {...} text on the ipaddr line is a forum annotation, not valid UCI -- it
# must not be present in the real file.
config interface 'HYGUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1' {the main router serves IP addresses in the range 192.168.1.1/26}
	list dns '8.8.8.8'
	list dns '8.8.4.4'

Wireless

# 2.4 GHz radio (channel 11, US regulatory domain).
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'US'
	option txpower '24'
	option cell_density '2'
	option channel '11'

# Private 2.4 GHz SSID, bridged into lan: WPA2-PSK.
# wpa_disable_eapol_key_retries '1' is the KRACK-related hardening knob.
# macfilter/maclist is a convenience filter only -- client MACs are sent in the
# clear and are trivially spoofed, so do not rely on it as an access control.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'HY-BG'
	option encryption 'psk2'
	option key 'redacted'
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	list maclist 'list redacted'

# 5 GHz radio (channel 165, HT20).
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option txpower '27'
	option country 'US'
	option cell_density '2'
	option channel '165'

# Private 5 GHz SSID, bridged into lan; same security settings as the 2.4 GHz one.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'HY-N'
	option encryption 'psk2'
	option key 'redacted'
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	list maclist 'list redacted'

# Guest SSID on radio0, attached to the HYGUEST interface (not bridged to lan).
# SECURITY: encryption 'none' makes this an OPEN network -- the 'key' below is
# ignored and guest traffic is unencrypted over the air. isolate '1' only stops
# guest clients from talking to each other through the AP; it is not
# encryption. Use encryption 'psk2' with a separate guest passphrase unless an
# open hotspot is really intended.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HYGuest'
	option key 'redacted'
	option network 'HYGUEST'
	option isolate '1'
	option encryption 'none'
	option disabled '0'

DHCP

# dnsmasq: forwards all DNS to the main router (list server). rebind_protection
# drops upstream answers that point at private addresses (DNS-rebinding
# defence); localservice restricts answering to directly attached subnets.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.1.1'

# ignore '1': no DHCP served on lan -- correct for a dumb AP, the main router
# serves the 192.168.1.0/24 clients.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option ignore '1'
	option start '3'
	option limit '0'
	option dynamicdhcp '0'
	option leasetime '24h'
	list ra_flags 'none'
	option dhcpv6 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	list redacted

# Guest pool: 192.168.2.2 - 192.168.2.11, 12h leases, bound to the HYGUEST
# interface. No dhcp_option 6 here, so clients are told to use this AP
# (192.168.2.1) for DNS -- but the GuestZone firewall only accepts UDP 67 into
# the AP, so those queries are rejected. Either add
#   list dhcp_option '6,8.8.8.8'
# or allow TCP+UDP 53 from GuestZone into the AP.
config dhcp 'HYGUEST'
	option interface 'HYGUEST'
	option leasetime '12h'
	option start '2'
	option limit '10'
	list ra_flags 'none'

Firewall

# Global policy: traffic to the AP is accepted unless a zone says otherwise;
# forwarding between zones is rejected unless a forwarding stanza or rule
# allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone is fully open (input ACCEPT): every host on the main LAN can reach
# LuCI/SSH on this AP. Usual for a trusted LAN, but worth knowing.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone has no 'list network': on this dumb AP no interface belongs to it
# (LuCI shows it as empty). Every src 'wan' rule below, and every forwarding
# whose dest is 'wan', therefore matches nothing.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# IPsec, traceroute); all inert while the wan zone is empty.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Named 'Allow-Ping' but the target is DROP, so echo-requests from the wan zone
# are silently dropped, not allowed. Harmless here, but the name is misleading.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Legacy iptables hook script; honoured by fw3 on 21.02 (the release in use).
config include
	option path '/etc/firewall.user'

# Guest zone: guests may not talk to the AP (input REJECT) and are not forwarded
# anywhere (forward REJECT) unless a forwarding stanza or rule allows it.
config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'HYGUEST'

# Meant to give guests internet access, but the wan zone is empty on a dumb AP,
# so this forwarding matches nothing. The upstream path is the lan network: the
# working shape is GuestZone -> lan forwarding, masq on the lan zone, and a
# REJECT rule for dest_ip 192.168.1.0/24 so guests cannot reach the private LAN.
config forwarding
	option src 'GuestZone'
	option dest 'wan'

# No 'dest' => input rule: lets guest clients reach this AP's DHCP server.
# DNS is still blocked: nothing accepts TCP/UDP 53 from GuestZone, and clients
# are handed 192.168.2.1 as resolver unless dhcp_option 6 overrides it.
config rule
	option src 'GuestZone'
	option target 'ACCEPT'
	option name 'Guest DHCP'
	list proto 'udp'
	option dest_port '67'

TY for checking into this for me.

This should forward to the lan zone since the upstream connection is via the lan network.

You also need to enable masquerading on the lan zone.

Why is

option ipaddr '192.168.1.2'

for lan interface? This is wrong.

psherman, my novice understanding is that any packet whose destination address is outside the local network range would automatically reach the WAN. Please advise...

I think this is actually the correct ip address. The op is running this device as a dumb ap. The main router is 192.168.1.1, so it stands to reason that this dumb ap would be 192.168.1.2.


For a dumb ap, your upstream connection is via the lan. It will not work via the wan (there is no upstream connection there).

Enable masquerading on the lan and allow guest > lan forwarding and it will work.

The dumb AP is fed via lan connection from the main router and is assigned a static IP address of 192.168.1.2.

Does this help clarify? If not, I'll need a little more clarity on the meaning of "wrong". Thx

You have the correct configuration for your lan ip.


Incorporated changes and rebooted the dumb AP but to no avail. Devices still time out while trying to connect.
Given that the main router is set to only provide addresses in the range 192.168.1.2/24 could that be the source of the problem?
Otherwise, how to troubleshoot from here?

Post your latest config files.

Network

# Loopback; stock OpenWrt.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

# LAN bridge over the four switch ports; IPv6 disabled on the bridge device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'
	option bridge_empty '1'
	option ipv6 '0'

# Dumb-AP management address on the main LAN (192.168.1.2/24). gateway and dns
# both point at the main router; the gateway is what lets this AP forward guest
# traffic upstream via the GuestZone -> lan forwarding.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'eth0'
	option ipv6 '0'

# Guest network: this AP is the gateway (192.168.2.1/24) of a separate subnet.
# The interface name 'HYGUEST' is what /etc/config/dhcp and the firewall zone
# must reference. 'list dns' here only affects this AP's own resolvers; it does
# not set the DNS server given to guest DHCP clients (use dhcp_option 6).
config interface 'HYGUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

Wireless

# 2.4 GHz radio (channel 11, US regulatory domain).
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'US'
	option txpower '24'
	option cell_density '2'
	option channel '11'

# Private 2.4 GHz SSID, bridged into lan: WPA2-PSK.
# wpa_disable_eapol_key_retries '1' is the KRACK-related hardening knob.
# macfilter/maclist is a convenience filter only -- client MACs are sent in the
# clear and are trivially spoofed, so do not rely on it as an access control.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'HY-BG'
	option encryption 'psk2'
	option key 'redacted'
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	list maclist redacted

# 5 GHz radio (channel 165, HT20).
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option txpower '27'
	option country 'US'
	option cell_density '2'
	option channel '165'

# Private 5 GHz SSID, bridged into lan; same security settings as the 2.4 GHz one.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'HY-N'
	option encryption 'psk2'
	option key redacted
	option wpa_disable_eapol_key_retries '1'
	option macfilter 'allow'
	list maclist redacted

# Guest SSID on radio0, attached to the HYGUEST interface (not bridged to lan).
# SECURITY: encryption 'none' makes this an OPEN network -- the 'key' below is
# ignored and guest traffic is unencrypted over the air. isolate '1' only stops
# guest clients from talking to each other through the AP. Use encryption
# 'psk2' with a separate guest passphrase unless an open hotspot is intended.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HYGuest'
	option key redacted
	option network 'HYGUEST'
	option isolate '1'
	option encryption 'none'

DHCP

# dnsmasq: forwards all DNS to the main router (list server). rebind_protection
# drops upstream answers that point at private addresses (DNS-rebinding
# defence); localservice restricts answering to directly attached subnets.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.1.1'

# ignore '1': no DHCP served on lan -- correct for a dumb AP, the main router
# serves the 192.168.1.0/24 clients.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option ignore '1'
	option start '3'
	option limit '0'
	option dynamicdhcp '0'
	option leasetime '24h'
	list ra_flags 'none'
	option dhcpv6 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host [list redacted]

# BUG: 'option interface' must name the network interface to serve, which is
# 'HYGUEST' in /etc/config/network -- the posted config has no interface called
# 'guest', so this pool is never bound and guest clients get no lease. That is
# a likely reason devices still time out after the firewall changes (the
# section name 'HYGUEST' alone does not bind the pool).
# Also: start '1' puts the AP's own address (192.168.2.1) inside the pool --
# use start '2' or higher. And with no dhcp_option 6, clients are told to use
# 192.168.2.1 for DNS, which the GuestZone input REJECT blocks; add
#   list dhcp_option '6,8.8.8.8'
# or allow TCP+UDP 53 from GuestZone into the AP.
config dhcp 'HYGUEST'
	option interface 'guest'
	option start '1'
	option limit '5'
	option leasetime '3h'
	list ra_flags 'none'

Firewall

# Global policy: traffic to the AP is accepted unless a zone says otherwise;
# forwarding between zones is rejected unless a forwarding stanza or rule
# allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: fully open (input ACCEPT), and now masq '1' so guest traffic leaving
# towards the main router is source-NATed to 192.168.1.2 (the main router needs
# no route back to 192.168.2.0/24). Side effect: the main router and its logs
# see all guest traffic as coming from this AP, so it cannot police guests by
# source address -- any guest restriction has to live in this firewall.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

# wan zone has no 'list network': on this dumb AP no interface belongs to it
# (LuCI shows it as empty). Every src 'wan' rule below and the lan -> wan
# forwarding therefore match nothing.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan rules follow; all inert while the wan zone is empty.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Named 'Allow-Ping' but the target is DROP, so echo-requests from the wan zone
# are silently dropped, not allowed. Harmless here, but the name is misleading.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Legacy iptables hook script; honoured by fw3 on 21.02 (the release in use).
config include
	option path '/etc/firewall.user'

# Guest zone: guests may not talk to the AP (input REJECT) and are not forwarded
# anywhere (forward REJECT) unless a forwarding stanza or rule allows it.
config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'HYGUEST'

# No 'dest' => input rule: lets guest clients reach this AP's DHCP server.
# DNS is still blocked: nothing accepts TCP/UDP 53 from GuestZone, and clients
# are handed 192.168.2.1 as resolver unless dhcp_option 6 overrides it.
config rule
	option src 'GuestZone'
	option target 'ACCEPT'
	option name 'Guest DHCP'
	list proto 'udp'
	option dest_port '67'

# Redundant: with no 'dest', this is an input rule and only affects traffic
# addressed to the AP itself, which the zone's input REJECT already refuses.
# It does NOT restrict forwarded guest traffic; for that a rule needs 'dest'.
config rule
	option src 'GuestZone'
	option target 'DROP'
	option name 'Guest-Block-All'

# Guest -> lan forwarding is the upstream path on a dumb AP, BUT the lan zone
# covers the whole 192.168.1.0/24, so as written guests can reach every host
# on the private LAN, not just the internet. Restrict it with a rule such as
#   config rule
#       option name 'Guest-Block-LAN'
#       option src 'GuestZone'
#       option dest 'lan'
#       option dest_ip '192.168.1.0/24'
#       option target 'REJECT'
# (fw3 evaluates rules before zone forwardings, so file order does not matter).
config forwarding
	option src 'GuestZone'
	option dest 'lan'

remove this (the Guest-Block-All rule):

You also will want to either allow DNS (TCP + UDP port 53) into the router, or specify option 6 in the DHCP config for the advertised DNS to the guest network to be something other than the router itself (the Google DNS entries you have in the interface definition won't do anything there -- you need to set that in the DHCP config).

Hello psherman,

Please check my understanding: because the Guest-Block-All rule appears last it has lower precedence, so a DHCP request is matched by the earlier Guest DHCP rule before it ever reaches the block rule. FWIW, omitting the block rule had no impact on the symptoms.

"specify option 6 in the DHCP config" - I don't understand to what this refers. Can you provide mark-up of the file?

This is true, but the block rule is not necessary, or not properly specified.

  • It is not necessary if the desire is to block the guest network from accessing this router -- there is already input = reject in the zone's settings.
  • If it is intended to prevent the guest network from accessing the main LAN, the rule is improperly constructed. Instead, you want to explicitly include the destination of 192.168.1.0/24 (or is it /26 -- you mentioned that earlier) and that will prevent access.

The way the rule is currently written it drops connections from the guest zone regardless of their destination (i.e. this router, the upstream network, and the internet -- all blocked). (Caveat: in OpenWrt's firewall a rule with a `src` zone but no `dest` is applied to traffic addressed to the router itself -- the input chain; to act on forwarded traffic the rule also needs a `dest` zone, so as posted it mostly duplicates the zone's input REJECT.)

This is the beginning of your DHCP server definition for your guest network...

You would add the following line to that stanza to advertise 8.8.8.8 (Google DNS) as the DNS server in the DHCP response.

	list dhcp_option '6,8.8.8.8'

More reading here...
https://openwrt.org/docs/guide-user/base-system/dhcp


Performed a router restore to the previous stable config to essentially start over. Next, I simply followed the OpenWrt Guest Wi-Fi basics guide. With that I was able to establish connections with hosts, but the devices then have no internet connection.
The firewall config and rules for the new guest interface looked correct, though I did change from Guest=>wan to Guest=>lan as you suggested, because the wan zone showed as "empty".
One small step forward today...

post your latest config files if you'd like us to review.

Took a different tack (a step backwards) to verify integrity of the OpenWRT's Guest Wi-Fi Basics routine {on my hardware}. Instead of applying the routine to the dumb AP I instead applied it to the main router and was pleasantly surprised to find that it worked immediately. So, I learned that there is a communication issue peculiar to either the Guest setup when on the dumb AP or between the dumb AP and the main router.
To test the latter, I turned off the radios on the main router leaving only the dumb APs radios active. Ahh, I discovered that devices can connect to the private network thru the dumb AP but then cannot reach the internet.
So, I was unaware that the real problem lay in the basic network, i.e., not a solid foundation upon which to setup the Guest network. Working on that first...