Hello, folks!
I am trying to set up a guest network that will span multiple APs and use one DHCP server. So far I am at the first step: setting up the first guest network.
I have my ISP router as a Gateway and a DHCP server for the LAN. It is connected LAN-LAN to my managed switch. To the switch I have connected LAN-LAN 2x TP-Link Archer C7 APs with tagged ports for VLAN 1 (LAN) and VLAN 3 (IOT - the "Guest" VLAN).
On AP 1 I want to run the DHCP server for the guest network, and I have set it up according to this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
The issue I am facing is that when I connect a client to the guest Wi-Fi, it does not get an IP address from the DHCP server as it should. I have no such issue with the main network.
I would be thankful for any help or suggestions.
Here is the AP 1 config:
package network
# /etc/config/network of AP 1 (the AP meant to host the guest DHCP server).
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fd3e:f70b:af81::/48'
# Management address of the AP on the main LAN; the ISP router (192.168.1.1) is gateway and DNS.
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.2'
option gateway '192.168.1.1'
list dns '192.168.1.1'
# NOTE(review): the broadcast address is set to the gateway's address; with this /24 netmask
# the broadcast address of 192.168.1.0/24 would be 192.168.1.255 — confirm this is intended.
option broadcast '192.168.1.1'
option delegate '0'
option device 'br-lan'
# swconfig-style (non-DSA) switch: VLAN 1 untagged on ports 2-5, VLAN 3 tagged only on
# ports 0 and 1 (presumably the CPU port and the uplink to the managed switch — confirm).
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1t 2 3 4 5'
option description 'LAN'
# First of three places where VLAN 3 appears (see 'eth1.3' in br-iot and the bridge-vlan section below).
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '3'
option ports '0t 1t'
option description 'IOT'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
option igmp_snooping '1'
# Second appearance of VLAN 3: the tagged sub-interface eth1.3 is bridged into br-iot, which the
# 'iot' interface and the guest SSID use.
config device 'iot_dev'
option type 'bridge'
option name 'br-iot'
list ports 'eth1.3'
# Guest/IoT interface; 10.0.0.1/24 is the address the guest DHCP server (dhcp 'iot') serves from.
config interface 'iot'
option proto 'static'
option device 'br-iot'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
# Third appearance of VLAN 3. A bridge-vlan section makes br-iot VLAN-aware, while the 'iot'
# interface above is attached to 'br-iot' itself rather than a 'br-iot.3' sub-device. The reply in
# this thread names the triple definition as the first thing to clean up; this section is the likely
# one to drop — verify afterwards that guest clients receive leases.
config bridge-vlan
option device 'br-iot'
option vlan '3'
list ports 'eth1.3:t*'
package firewall
# /etc/config/firewall. Default policy: the AP accepts all input; forwarding between zones is
# rejected unless a rule or forwarding section allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# The included script is not shown in the thread; any rules it adds are invisible to this review.
config include
option path '/etc/firewall.user'
# NOTE(review): input 'ACCEPT' lets guest/IoT clients reach every service the AP itself runs
# (ssh on 22 per the dropbear config, the web UI on 80/443 per uhttpd, DNS, DHCP). The guest-wifi
# guide referenced in the thread sets the guest zone to input 'REJECT' and relies on the explicit
# DHCP/DNS rules below; with ACCEPT those two rules have no effect. The thread reply raises the same point.
config zone
option input 'ACCEPT'
option name 'iot'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'iot'
# NOTE(review): src_port '1883' matches only connections whose *source* port is 1883; MQTT clients
# use ephemeral source ports, so this rule presumably never matches real client traffic. Keeping only
# dest_ip/dest_port is the usual form — also raised in the thread reply. This is the only rule
# permitting traffic from 'iot' into 'lan'; everything else falls to forward 'REJECT'.
config rule
option dest 'lan'
option proto 'tcp udp'
option target 'ACCEPT'
option src 'iot'
option name 'MQTT'
option src_port '1883'
option dest_ip '192.168.1.5'
option dest_port '1883'
# DHCP (67-68) and DNS (53) from the guest zone to the AP itself (no 'dest' = input chain).
# Only meaningful once the zone's input policy is REJECT.
config rule
option name 'Allow IOT DHCP'
option src 'iot'
option target 'ACCEPT'
option dest_port '67-68'
config rule
option name 'Allow IOT DNS'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
Thanks a bunch!
You have VLAN 3 defined three times in your configuration, using different syntax methods. The way you define it depends on the version of OpenWrt and on whether your device uses DSA or not. You need to clean that up first. Chances are you don't need to put your IoT VLAN 3 in a bridge (unless you are using the device's wifi, too).
You didn't show us your dhcp file, either. Did you set up the DHCP server for that network?
Hi! Sorry for the late reply. I'm not sure which part you mean is duplicated. I added the VLAN from the LuCI interface. As far as DHCP goes, it is (or should be) enabled for the Guest/IOT network.
Here is the full device config:
package dhcp
# /etc/config/dhcp. dnsmasq provides DNS and IPv4 DHCP; 'localservice' limits DNS service to
# directly attached subnets and 'rebind_protection' drops upstream answers with private addresses.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '1'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# LAN: DHCP deliberately disabled — the ISP router serves 192.168.1.0/24 (dumb-AP role).
config dhcp 'lan'
option interface 'lan'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles IPv6 (RA/DHCPv6) only; maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest/IoT pool on the 'iot' interface: 'start' is an offset from the network address, so with
# start '1' and limit '150' the pool is presumably 10.0.0.1–10.0.0.150, which overlaps the AP's own
# 10.0.0.1 — NOTE(review): a higher start value avoids that; confirm it is not contributing to the
# problem. 'force' serves even if another DHCP server is seen on the segment. Leases can only be
# handed out if the 'iot' interface is up with 10.0.0.1/24 and guest frames actually land in br-iot,
# so the VLAN-3 triple definition in /etc/config/network is the first place to look.
config dhcp 'iot'
option leasetime '12h'
option limit '150'
option interface 'iot'
option start '1'
option force '1'
list ra_flags 'none'
package dropbear
# NOTE(review): ssh on port 22 with root password login enabled, and the firewall's 'iot' zone
# accepts all input — the guest SSID can reach this login prompt. Prefer key-based auth
# (PasswordAuth 'off', RootPasswordAuth 'off') or tighten the iot zone's input policy.
config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
package firewall
# /etc/config/firewall. Default policy: the AP accepts all input; forwarding between zones is
# rejected unless a rule or forwarding section allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# The included script is not shown in the thread; any rules it adds are invisible to this review.
config include
option path '/etc/firewall.user'
# NOTE(review): input 'ACCEPT' lets guest/IoT clients reach every service the AP itself runs
# (ssh on 22 per the dropbear config, the web UI on 80/443 per uhttpd, DNS, DHCP). The guest-wifi
# guide referenced in the thread sets the guest zone to input 'REJECT' and relies on the explicit
# DHCP/DNS rules below; with ACCEPT those two rules have no effect. The thread reply raises the same point.
config zone
option input 'ACCEPT'
option name 'iot'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'iot'
# NOTE(review): src_port '1883' matches only connections whose *source* port is 1883; MQTT clients
# use ephemeral source ports, so this rule presumably never matches real client traffic. Keeping only
# dest_ip/dest_port is the usual form — also raised in the thread reply. This is the only rule
# permitting traffic from 'iot' into 'lan'; everything else falls to forward 'REJECT'.
config rule
option dest 'lan'
option proto 'tcp udp'
option target 'ACCEPT'
option src 'iot'
option name 'MQTT'
option src_port '1883'
option dest_ip '192.168.1.5'
option dest_port '1883'
# DHCP (67-68) and DNS (53) from the guest zone to the AP itself (no 'dest' = input chain).
# Only meaningful once the zone's input policy is REJECT.
config rule
option name 'Allow IOT DHCP'
option src 'iot'
option target 'ACCEPT'
option dest_port '67-68'
config rule
option name 'Allow IOT DNS'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
package luci
# LuCI web UI settings: theme/resource paths, files preserved across sysupgrade ('flash_keep'),
# 1-hour session lifetime, and the apply/rollback timers. Stock values; nothing here affects the DHCP issue.
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/bootstrap'
option resourcebase '/luci-static/resources'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
option Bootstrap '/luci-static/bootstrap'
config internal 'apply'
option rollback '30'
option holdoff '4'
option timeout '5'
option display '1.5'
config internal 'diag'
option dns 'openwrt.org'
option ping 'openwrt.org'
option route 'openwrt.org'
package network
# /etc/config/network of AP 1 (the AP meant to host the guest DHCP server).
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fd3e:f70b:af81::/48'
# Management address of the AP on the main LAN; the ISP router (192.168.1.1) is gateway and DNS.
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.2'
option gateway '192.168.1.1'
list dns '192.168.1.1'
# NOTE(review): the broadcast address is set to the gateway's address; with this /24 netmask
# the broadcast address of 192.168.1.0/24 would be 192.168.1.255 — confirm this is intended.
option broadcast '192.168.1.1'
option delegate '0'
option device 'br-lan'
# swconfig-style (non-DSA) switch: VLAN 1 untagged on ports 2-5, VLAN 3 tagged only on
# ports 0 and 1 (presumably the CPU port and the uplink to the managed switch — confirm).
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1t 2 3 4 5'
option description 'LAN'
# First of three places where VLAN 3 appears (see 'eth1.3' in br-iot and the bridge-vlan section below).
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '3'
option ports '0t 1t'
option description 'IOT'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
option igmp_snooping '1'
# Second appearance of VLAN 3: the tagged sub-interface eth1.3 is bridged into br-iot, which the
# 'iot' interface and the guest SSID use.
config device 'iot_dev'
option type 'bridge'
option name 'br-iot'
list ports 'eth1.3'
# Guest/IoT interface; 10.0.0.1/24 is the address the guest DHCP server (dhcp 'iot') serves from.
config interface 'iot'
option proto 'static'
option device 'br-iot'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
# Third appearance of VLAN 3. A bridge-vlan section makes br-iot VLAN-aware, while the 'iot'
# interface above is attached to 'br-iot' itself rather than a 'br-iot.3' sub-device. The reply in
# this thread names the triple definition as the first thing to clean up; this section is the likely
# one to drop — verify afterwards that guest clients receive leases.
config bridge-vlan
option device 'br-iot'
option vlan '3'
list ports 'eth1.3:t*'
package rpcd
# ubus RPC daemon used by LuCI. The 'login' section grants the 'root' account full read/write over
# ubus; '$p$root' means the password is checked against the system account 'root' rather than stored here.
config rpcd
option timeout '30'
option socket '/var/run/ubus/ubus.sock'
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
package system
config system
option ttylogin '0'
option log_size '64'
option urandom_seed '0'
option zonename 'Europe/Sofia'
option hostname 'SecondFloor'
option log_proto 'udp'
option conloglevel '8'
option cronloglevel '5'
option timezone 'EET-2EEST,M3.5.0/3,M10.5.0/4'
config timeserver 'ntp'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
package ubootenv
package ucitrack
config network
option init 'network'
list affects 'dhcp'
list affects 'radvd'
config wireless
list affects 'network'
config firewall
option init 'firewall'
list affects 'luci-splash'
list affects 'qos'
list affects 'miniupnpd'
config olsr
option init 'olsrd'
config dhcp
option init 'dnsmasq'
list affects 'odhcpd'
config odhcpd
option init 'odhcpd'
config dropbear
option init 'dropbear'
config httpd
option init 'httpd'
config fstab
option exec '/sbin/block mount'
config qos
option init 'qos'
config system
option init 'led'
option exec '/etc/init.d/log reload'
list affects 'luci_statistics'
list affects 'dhcp'
config luci_splash
option init 'luci_splash'
config upnpd
option init 'miniupnpd'
config ntpclient
option init 'ntpclient'
config samba
option init 'samba'
config tinyproxy
option init 'tinyproxy'
package uhttpd
# Web server for LuCI: listens on all addresses on 80 and 443 and redirects HTTP to HTTPS.
# Because the 'iot' firewall zone accepts all input, the guest SSID can reach this UI as well.
# rfc1918_filter '1' is a DNS-rebinding countermeasure (rejects requests that pair a public source
# with a private destination address). max_requests/max_connections bound concurrent CGI/requests.
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
# Parameters for the self-signed certificate generated for the HTTPS listener (RSA 2048, 730-day validity).
config cert 'defaults'
option days '730'
option key_type 'rsa'
option bits '2048'
option ec_curve 'P-256'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
package wireless
# 5 GHz radio (hwmode 11a, VHT80, automatic channel).
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option channel 'auto'
option cell_density '0'
# Main SSID on 5 GHz, bridged into 'lan' (br-lan): WPA2-PSK with 802.11r fast transition.
# NOTE(review): 'wifipass' and 'iotpass' look like placeholders; if they are the real keys they
# have been posted publicly and should be rotated.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key 'wifipass'
option ssid 'WiFi'
option encryption 'psk2'
option ft_over_ds '1'
option ft_psk_generate_local '1'
option ieee80211r '1'
# 2.4 GHz radio (hwmode 11g, HT40, automatic channel).
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option htmode 'HT40'
option channel 'auto'
option path 'platform/ahb/18100000.wmac'
option cell_density '0'
# Main SSID on 2.4 GHz, same settings as the 5 GHz one.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option key 'wifipass'
option ssid 'WiFi'
option encryption 'psk2'
option ft_over_ds '1'
option ft_psk_generate_local '1'
option ieee80211r '1'
# Guest/IoT SSID, 2.4 GHz only, attached to the 'iot' interface (br-iot); this is the SSID whose
# clients are not getting leases. No 'isolate' option is set, so guest clients can talk to each
# other through the AP — option isolate '1' is the usual setting for a guest network.
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi-iot'
option encryption 'psk2'
option key 'iotpass'
option network 'iot'
Thank you for the time!
trendy
November 23, 2021, 4:21pm
A few remarks.
The guide you are using is not applicable in this case. Either you add a guest VLAN to the trunk along with IoT and propagate it to the managed switch and the other AP, or you follow the guide to create a guest SSID on a dumb AP.
This is wrong, delete it.
3. The IOT zone accepts everything on INPUT; are you sure you want it like this?
4. The MQTT rule has both src and dst port set to 1883. Are you sure this is correct?