Guest DHCP malfunction upon restart

When my router restarts, my guest account will no longer function properly. Devices will not be assigned IP addresses and thus have no connectivity.

WORKAROUND:
If I go into LUCI and Network>Interfaces>[Guest Acct]>Edit>DHCP Server>Advanced Setting and check the “Force” box it resolves the issue until the next restart.

When the next restart occurs the problem returns, and following the above “WORKAROUND” fixes it again, this time by unchecking “Force”.

Any help would be greatly appreciated.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
netstat -lnp | grep dnsmasq; logread -e dnsmasq

Run these after a reboot, when the problem exists.


ubus call system board;


{
        "kernel": "4.14.180",
        "hostname": "AP7",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,shelby",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}


uci export network;


package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd32:***:***::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.***.***'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'AS_Guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.***.***.***'


uci export wireless;


package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '**:**:**:**:**:**'
        option ssid 'Main5g'
        option macfilter 'allow'
        option encryption 'psk2+ccmp'
        option key '********'
        list maclist '**:**:**:**:**:**'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'US'
        option channel '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '**:**:**:**:**:**'
        option ssid 'Main2g'
        option macfilter 'allow'
        option encryption 'psk2+ccmp'
        option key '*********'
        list maclist '**:**:**:**:**:**'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2+ccmp'
        option isolate '1'
        option key '*********'
        option network 'Guest'


uci export dhcp;


package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '127.0.0.1#****'
        list server '127.0.0.1#****'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '127.0.0.1#****'
        list doh_backup_server '127.0.0.1#****'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,185.228.168.168,185.228.169.168'


uci export firewall;


package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'Guest'
        option network 'Guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option name 'Guest_DNS'
        option src 'Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'Guest'
        option dest_port '67-68'
        option target 'ACCEPT'


head -n -0 /etc/firewall.user;


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.


netstat -lnp | grep dnsmasq;


tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5265/dnsmasq
tcp        0      0 192.168.***.***:53        0.0.0.0:*               LISTEN      5265/dnsmasq
tcp        0      0 ***.***.***.***:53        0.0.0.0:*               LISTEN      5265/dnsmasq
tcp        0      0 10.***.***.***:53           0.0.0.0:*               LISTEN      5265/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           5265/dnsmasq
udp        0      0 192.168.***.***:53        0.0.0.0:*                           5265/dnsmasq
udp        0      0 ***.***.***.***:53        0.0.0.0:*                           5265/dnsmasq
udp        0      0 10.***.***.***:53           0.0.0.0:*                           5265/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5265/dnsmasq

(I removed the ipv6 entries from above)


logread -e dnsmasq

I will run the above if it is still needed, but I’d like to avoid it if I can, because the output is large and will take a lot of work to redact. I have no problem doing so if it is still necessary. Also, if you see anything sensitive I missed, I’d appreciate a heads up. Thank you in advance.

Seeing the same issue after setting up 19.07.3 from scratch.

After restarting the guest interface, it works. Previously (at least in 19.07.2), this manual action after reboot wasn't required.

Cheers.


Add a delay to the start of the guest DHCP: wait for wan, then the dhcp client.

You first define an interface called "AS_Guest", but then all other config options are related to a "Guest" network... did I miss something?


That was just a paste error sorry. They are in fact all the same in the actual config. I would edit the post but I don’t see a way.

This seems like it may be the solution however I don’t know how to do this. Can it be done in luci?

I do not see anything wrong here... my next step would be to look at the logs.


Fri Jul 24 23:15:09 2020 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Fri Jul 24 23:15:09 2020 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: started, version 2.80 cachesize 150
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: DNS service limited to local subnets
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain test
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain onion
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain localhost
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain local
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain invalid
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain bind
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using nameserver 127.0.0.1#****
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using nameserver 127.0.0.1#***
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: using local addresses only for domain lan
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: read /etc/hosts - 4 addresses
Fri Jul 24 23:15:09 2020 daemon.info dnsmasq[1656]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
Fri Jul 24 23:15:12 2020 daemon.info dnsmasq[1656]: exiting on receipt of SIGTERM
Fri Jul 24 23:15:12 2020 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Fri Jul 24 23:15:12 2020 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: started, version 2.80 cachesize 150
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: DNS service limited to local subnets
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq-dhcp[6035]: DHCP, IP range 192.168.***.*** -- 192.168.***.***, lease time 12h
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain test
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain onion
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain localhost
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain local
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain invalid
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain bind
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using nameserver 127.0.0.1#5053
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using nameserver 127.0.0.1#****
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: using local addresses only for domain lan
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: read /etc/hosts - 4 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: read /tmp/hosts/odhcpd - 0 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq-dhcp[6035]: read /etc/ethers - 0 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: read /etc/hosts - 4 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: read /tmp/hosts/odhcpd - 0 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq[6035]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Fri Jul 24 23:15:15 2020 daemon.info dnsmasq-dhcp[6035]: read /etc/ethers - 0 addresses
Mon Jul 27 23:50:01 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:01 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:05 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:05 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.**.*** **:**:**:**:**:**
Mon Jul 27 23:50:07 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:07 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:08 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:08 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:08 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:08 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:10 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:10 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:15 2020 daemon.info dnsmasq-dhcp[6035]: DHCPDISCOVER(br-lan) **:**:**:**:**:**
Mon Jul 27 23:50:15 2020 daemon.info dnsmasq-dhcp[6035]: DHCPOFFER(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:16 2020 daemon.info dnsmasq-dhcp[6035]: DHCPDISCOVER(br-lan) **:**:**:**:**:**
Mon Jul 27 23:50:16 2020 daemon.info dnsmasq-dhcp[6035]: DHCPOFFER(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:19 2020 daemon.info dnsmasq-dhcp[6035]: DHCPDISCOVER(br-lan) **:**:**:**:**:**
Mon Jul 27 23:50:19 2020 daemon.info dnsmasq-dhcp[6035]: DHCPOFFER(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:20 2020 daemon.warn dnsmasq-dhcp[6035]: no address range available for DHCP request via wlan1-1
Mon Jul 27 23:50:22 2020 daemon.warn dnsmasq-dhcp[6035]: no address range available for DHCP request via wlan1-1
Mon Jul 27 23:50:24 2020 daemon.info dnsmasq-dhcp[6035]: DHCPDISCOVER(br-lan) **:**:**:**:**:**
Mon Jul 27 23:50:24 2020 daemon.info dnsmasq-dhcp[6035]: DHCPOFFER(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:25 2020 daemon.info dnsmasq-dhcp[6035]: DHCPREQUEST(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:25 2020 daemon.info dnsmasq-dhcp[6035]: DHCPACK(br-lan) 192.168.***.*** **:**:**:**:**:**
Mon Jul 27 23:50:27 2020 daemon.warn dnsmasq-dhcp[6035]: no address range available for DHCP request via wlan1-1
Mon Jul 27 23:50:34 2020 daemon.warn dnsmasq-dhcp[6035]: no address range available for DHCP request via wlan1-1

ip a s dev wlan1-1; grep -e ^dhcp-range= /var/etc/dnsmasq.conf.*; \
uci show network.Guest; uci show dhcp.Guest; uci show wireless.wifinet2

33: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether **:**:**:**:**:** brd **:**:**:**:**:**
    inet 10.**.**.1/24 brd 10.**.**.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
    inet6 fe80::***:****:****:***/64 scope link 
       valid_lft forever preferred_lft forever
dhcp-range=set:lan,192.168.***.100,192.168.***.249,255.255.255.0,12h
dhcp-range=set:Guest,10.***.**.100,10.***.***.249,255.255.255.0,12h
uci: Entry not found
uci: Entry not found
wireless.wifinet2=wifi-iface
wireless.wifinet2.device='radio1'
wireless.wifinet2.mode='ap'
wireless.wifinet2.ssid='Guest'
wireless.wifinet2.encryption='psk2+ccmp'
wireless.wifinet2.isolate='1'
wireless.wifinet2.key='*********'
wireless.wifinet2.network='Guest'

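This network does not match your current network name (the quoted line is missing from this page; presumably `option network 'Guest'` on the guest wifi-iface, which does not match the interface 'AS_Guest' shown in the first network paste):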

My apologies but this is above my skill level. How do I remedy? As mentioned above the “Guest” “AS_Guest” thing was a paste error. They are all in fact the same in the actual config. The uci error, though, I do not understand.

Could you paste your config files again, please?


Don't swap the interface names. And no need to redact the private IP addresses. You are making troubleshooting more difficult.


My apologies. I hope this is better.


package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '****:****:****::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.78.80'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'Guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.14.17.1'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '*****************'
        option ssid 'Main_5'
        option macfilter 'allow'
        option encryption 'psk2+ccmp'
        option key '*********'
        list maclist '*****************'
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'US'
        option channel '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr ''*****************''
        option ssid 'Main'
        option macfilter 'allow'
        option encryption 'psk2+ccmp'
        option key '*********'
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''
        list maclist ''*****************''

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2+ccmp'
        option isolate '1'
        option key '*********'
        option network 'Guest'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5053'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,185.228.168.168,185.228.169.168'
        option force '1'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'Guest'
        option network 'Guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option name 'Guest_DNS'
        option src 'Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'Guest'
        option dest_port '67-68'
        option target 'ACCEPT'


I did so above. Thank you for your continued assistance.


In my opinion, it looks much better now.
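Just make sure this line is not mangled (the quoted line is missing from this page; presumably it is the firewall line where `list icmp_type 'router-advertisement'` and `list icmp_type 'neighbour-advertisement'` run together on one line):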

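Also, since you have dhcp_option 6, this rule is redundant (the quoted rule is missing from this page; presumably the 'Guest_DNS' rule — guests are handed external DNS servers, so the rule exposes the router's port 53 to the Guest zone without being needed):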

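And 67/udp is enough for DHCP server, it does not need 68/udp (the quoted rule is missing from this page; presumably the 'Guest_DHCP' rule with dest_port '67-68'):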

Check if the problem still persists.


Both https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan and https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface need to be updated as they suggest opening UDP ports 67-68 for DHCP.

Cheers.
