I installed 19.07.1 and configured per a document I have been using and updating with each release.
After I finished configuration, the guest wireless connection I created could not get to the Internet. The lan network worked fine. I use the guest network for any and all IoT devices.
Doing a tracert to www.google.com resulted in a "Destination Protocol Unreachable" message on the second hop from Windows 10. I had no issue pinging the router's IP, so the guest Wi-Fi was working fine.
I double checked the network setup, and the firewall setup, and just couldn't find where the config for the guest network and guest firewall rules differed from the lan rules.
I ended up punting and going to 18.06.7, which configured up just fine.
I did back up the 19.07.1 config before going back, in case that might be helpful to anyone. I can also extract specific files from that config archive.
trendy
February 29, 2020, 10:09pm
2
You could post here the network, dhcp, wireless and firewall, but it's hard to troubleshoot if there is no possibility for testing and run-time information.
We can test; I can upgrade and reload the packages and restore the configuration to test. I've gotten pretty good at that.
Note I configured the firewall zone with LuCI, and this looks bogus as there is no network listed, even though I selected one:
config zone
	option input 'ACCEPT'
	option name 'guest'
	option output 'ACCEPT'
	option forward 'ACCEPT'
Thank you for the help.
DHCP:
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	list server '127.0.0.1#5453'
	option noresolv '1'
	option domain 'brossard.local'
	option local '/brossard.local/'
	list rebind_domain 'plex.direct'
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
config host
	option mac '6C:2B:59:D7:18:F7'
	option dns '1'
	option name 'DellServer'
	option hostid '64'
	option duid '0001000125DE33396C2B59D718F7'
	option ip '192.168.1.100'
config host
	option mac '64:51:06:69:BA:09'
	option ip '192.168.1.101'
	option name 'HPEnvy5535'
	option dns '1'
config host
	option mac 'BC:AE:C5:0F:F2:B3'
	option name 'Brossard5'
	option dns '1'
	option ip '192.168.1.102'
config host
	option mac 'C0:C1:C0:4B:CA:B9'
	option name 'TiVo'
	option dns '1'
	option ip '192.168.1.103'
config host
	option mac '00:18:39:43:3B:49'
	option name 'Vonage'
	option dns '1'
	option ip '192.168.1.104'
config host
	option mac 'C0:3F:0E:58:E1:78'
	option name 'nas-58-E1-78'
	option dns '1'
	option ip '192.168.1.105'
config host
	option mac 'B8:27:EB:E6:08:9B'
	option name 'rasberrypi'
	option dns '1'
	option ip '192.168.1.106'
config host
	option mac '8C:3B:AD:E3:3C:F8'
	option name 'WAC104'
	option dns '1'
	option ip '192.168.1.107'
config host
	option mac '00:26:2D:00:84:5B'
	option name 'HPServer2'
	option dns '1'
	option ip '192.168.1.108'
Firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
config forwarding
	option src 'lan'
	option dest 'wan'
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
config include
	option path '/etc/firewall.user'
config zone
	option input 'ACCEPT'
	option name 'guest'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config forwarding
	option dest 'wan'
	option src 'guest'
config redirect
	option dest_port '32400'
	option src 'wan'
	option name 'Plex'
	option src_dport '32400'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'
	list proto 'tcp'
Network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
config globals 'globals'
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option igmp_snooping '1'
config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '127.0.0.1'
config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '0::1'
	option reqprefix '60'
	option reqaddress 'try'
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option ip6assign '64'
	option type 'bridge'
Wireless:
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr '16:91:82:b5:de:56'
	option key
	option ssid 'Buzzard'
	option encryption 'psk2+ccmp'
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'
	option channel '1'
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '16:91:82:b5:de:55'
	option key
	option ssid 'Buzzard'
	option encryption 'psk2+ccmp'
config wifi-iface 'wifinet2'
	option ssid 'Brossard_Guest'
	option encryption 'psk2+ccmp'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option key ''
config wifi-iface 'wifinet3'
	option ssid 'Brossard_Guest'
	option encryption 'psk2+ccmp'
	option device 'radio1'
	option mode 'ap'
	option network 'guest'
	option key ''
Comparing the configs resulting from setting up each version from scratch I see this as a difference:
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'guest'
	option network 'guest' #This is missing from the 19.07.1 firewall config above
	option forward 'ACCEPT'
I'll work on this tomorrow. There are grand-kids to babysit tonight.
J
trendy
March 1, 2020, 1:00am
6
It's not just the interface that needs to be created.
You need to create a new VLAN:
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5t'
Then assign the guest interface to it:
config interface 'guest'
	option ifname 'eth0.3'
Finally you might want to treat the guest firewall zone a bit more like wan and a little less like lan. This means you might also have to allow certain things like DHCP, DNS, NTP.
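The two points raised in this thread (a zone stanza with no `network`, so the guest interface belongs to no zone and its traffic falls through to the global `forward REJECT`, and a guest zone that should look more like wan than lan) can both be checked mechanically. The script below is an added example, not OpenWrt's own tooling or anything posted in the thread: it parses UCI config text with a small parser, reports interfaces that no zone claims, and audits a guest zone for open default policies, forwarding into lan, and missing ACCEPT rules for DHCP, DNS and NTP. The sample `NETWORK`, `COMMON_FW`, `GUEST_BROKEN` and `GUEST_FIXED` strings are constructed to mirror the configs above, trimmed to the options the checks read; the rule names and the 'unset policy is not ACCEPT' treatment are assumptions.

```python
import shlex

# Constructed samples that mirror the thread; not the poster's full files.
NETWORK = """
config interface 'lan'
	option ifname 'eth0.1'
config interface 'wan'
	option ifname 'eth1.2'
config interface 'wan6'
	option ifname 'eth1.2'
config interface 'guest'
	option ipaddr '192.168.3.1'
"""
COMMON_FW = """
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
config forwarding
	option src 'guest'
	option dest 'wan'
"""
# The 19.07.1 zone as posted: no 'network', so the guest interface belongs to
# no zone and its traffic falls through to the global defaults (forward REJECT).
GUEST_BROKEN = """
config zone
	option input 'ACCEPT'
	option name 'guest'
	option forward 'ACCEPT'
"""
# Zone bound to its interface and treated more like wan: input and forward are
# rejected by default; DHCP, DNS and NTP to the router are allowed explicitly.
GUEST_FIXED = """
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option forward 'REJECT'
config rule
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
config rule
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 123'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into section dicts: '_type'/'_name' from the header,
    'option' stored as a string, 'list' accumulated into a list."""
    sections = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if tokens[0] == 'config':
            sections.append({'_type': tokens[1], '_name': tokens[2] if len(tokens) > 2 else None})
        elif tokens[0] == 'option' and len(tokens) == 3:
            sections[-1][tokens[1]] = tokens[2]
        elif tokens[0] == 'list' and len(tokens) == 3:
            sections[-1].setdefault(tokens[1], []).append(tokens[2])
    return sections

def zone_networks(zone):
    """Both 'list network x' and 'option network "x y"' are valid UCI."""
    value = zone.get('network', [])
    return value.split() if isinstance(value, str) else list(value)

def unzoned_interfaces(net, fw):
    """Interfaces no zone claims (loopback aside), as 'guest' was in 19.07.1."""
    zoned = {n for s in fw if s['_type'] == 'zone' for n in zone_networks(s)}
    return sorted(s['_name'] for s in net if s['_type'] == 'interface'
                  and s['_name'] != 'loopback' and s['_name'] not in zoned)

def _port_allowed(spec, port):
    """dest_port may read '53', '53 123' or '67-68'."""
    for item in spec.split():
        lo, _, hi = item.partition('-')
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def guest_zone_findings(fw, zone_name='guest'):
    """Findings for a zone meant to be more like wan than lan: default input
    and forward closed, no forwarding into lan, and explicit ACCEPT rules for
    the DHCP, DNS and NTP ports guests still need to reach on the router."""
    zones = [s for s in fw if s['_type'] == 'zone' and s.get('name') == zone_name]
    if not zones:
        return ['zone %s not defined' % zone_name]
    # Assumption: an unset policy is treated as not-ACCEPT.
    findings = [f'{zone_name} {p} is ACCEPT' for p in ('input', 'forward')
                if zones[0].get(p, 'DROP') == 'ACCEPT']
    if any(s['_type'] == 'forwarding' and s.get('src') == zone_name
           and s.get('dest') == 'lan' for s in fw):
        findings.append(f'{zone_name} may forward into lan')
    # Rules without 'dest' govern traffic to the router itself (input chain).
    accepts = [s for s in fw if s['_type'] == 'rule' and s.get('src') == zone_name
               and s.get('target') == 'ACCEPT' and 'dest' not in s]
    for service, port in (('DHCP', 67), ('DNS', 53), ('NTP', 123)):
        if not any('udp' in r.get('proto', 'tcpudp').replace('tcpudp', 'tcp udp').split()
                   and _port_allowed(r.get('dest_port', ''), port) for r in accepts):
            findings.append(f'no rule lets {zone_name} reach the router for {service}')
    return findings

if __name__ == '__main__':
    for label, guest in (('19.07.1 as posted', GUEST_BROKEN), ('fixed', GUEST_FIXED)):
        fw = parse_uci(COMMON_FW + guest)
        print(label, unzoned_interfaces(parse_uci(NETWORK), fw), guest_zone_findings(fw))
```

Run against the posted stanza it reports `guest` as unzoned and the zone's ACCEPT defaults plus the three missing service rules; against the fixed stanza it reports nothing. On a real router the same functions can be fed the output of `cat /etc/config/network` and `cat /etc/config/firewall`, which is exactly the comparison that found the missing `network` line in this thread.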
trendy:
config switch_vlan
The OP only needs to do the switch config if they want an Ethernet port. Otherwise, enumerating the VLAN should be enough. I do this all the time, e.g. when turning off all LAN ports for security.
1 Like
The "option network 'guest'" that was missing from the 19.07.1 firewall config was the issue.
Thank you @trendy for pointing me to the config files I should have compared between the working and non-working configs.
1 Like
system
Closed
March 11, 2020, 4:39pm
9
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.