Guest network DHCP provides no IP

I strictly followed the official guide, but I cannot connect because no IP address gets provided.
Can you please have a look? It seems only a little piece is missing ...

One further thing I noticed: since I saved these guest network settings I somehow have problems connecting to the router GUI via LAN. Network and internet are there, but I cannot access the GUI; I need to refresh the IP quite often until the GUI suddenly loads. Can this depend on the guest network settings?
What is strange is that when connected via WLAN the GUI is accessible without delay.
LOGS

BusyBox v1.36.1 (2025-04-13 16:38:32 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.1, r28597-0425664679
 -----------------------------------------------------
root@Diele:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "Diele",
        "system": "ARMv8 Processor rev 4",
        "model": "Cudy WR3000S v1",
        "board_name": "cudy,wr3000s-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@Diele:~# cat /etc/config/network

# /etc/config/network as posted: loopback, a LAN bridge over lan1-lan4,
# DHCP/DHCPv6 clients on the wan port, and a separate bridge for the guest network.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd47:86b8:47f8::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# The LAN address 192.168.2.222 uses 192.168.2.1 as gateway and DNS, so this
# device is a host inside 192.168.2.0/24 rather than the router of its own LAN
# subnet. NOTE(review): 192.168.2.1 is presumably the ISP router - confirm.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.222'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Guest bridge with no wired ports listed; bridge_empty '1' lets it exist
# without members. The guest SSID joins it through option network 'guest'
# in /etc/config/wireless.
config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

# Guest subnet 192.168.10.0/24, distinct from the LAN subnet. Separation from
# LAN is enforced by the 'guest' firewall zone, not by this section.
# NOTE(review): gateway 192.168.2.1 lies outside 192.168.10.0/24; a gateway/dns
# entry on an interface the router itself serves looks unneeded - confirm
# against the guide that was followed.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'

root@Diele:~# cat /etc/config/wireless

# /etc/config/wireless as posted: one active 2.4 GHz radio carrying the LAN
# SSID and the guest SSID, and a disabled 5 GHz radio.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option country 'US'
        option cell_density '0'

# LAN SSID, WPA2-PSK, bridged into network 'lan'.
# NOTE(review): key is empty in the post - presumably redacted before pasting;
# confirm a real passphrase is set on the device.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Test'
        option encryption 'psk2'
        option key ''

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '1'

# encryption 'none' with network 'lan': if enabled as-is this would be an open
# SSID bridged into LAN. It is held off by option disabled '1' here and on
# radio1; set encryption and a key before enabling it.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

# Guest SSID on the 2.4 GHz radio, attached to network 'guest' (not 'lan').
# NOTE(review): key is empty in the post - presumably redacted; confirm.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Gast'
        option encryption 'psk2'
        option key ''
        option network 'guest'

root@Diele:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq settings plus DHCP pools for lan and guest.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection is enabled.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        # NOTE(review): an 'interface' list in the dnsmasq section restricts the
        # interfaces dnsmasq listens on; only 'guest' is listed here - confirm
        # that leaving 'lan' out is intended.
        list interface 'guest'

# Five-address pool starting at host offset 223 on the lan interface, with
# DHCPv4, DHCPv6 and router advertisements all in server mode.
# NOTE(review): lan sits inside 192.168.2.0/24 with 192.168.2.1 as gateway
# (see /etc/config/network), so this server runs on a subnet that presumably
# already has one - confirm it is wanted.
config dhcp 'lan'
        option interface 'lan'
        option start '223'
        option limit '5'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool: 150 addresses starting at host offset 100 on the guest interface.
# The guest firewall zone has input 'REJECT', so clients only get a lease if a
# firewall rule admits UDP port 67 from the guest zone to the router.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@Diele:~# cat /etc/config/firewall

# Default policies: traffic addressed to the router and forwarded traffic are
# rejected unless a zone setting, forwarding or rule allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN clients may open connections towards wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# In the rules below, a rule with only 'src' matches traffic addressed to the
# router itself (input); a rule with both 'src' and 'dest' matches traffic
# forwarded between zones.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router from wan, rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The next two rules forward IPsec traffic (ESP, and UDP 500 for ISAKMP) from
# wan to hosts in lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# wan zone: nothing from wan may reach the router or be forwarded unless a rule
# allows it; outgoing traffic is masqueraded (masq '1').
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# lan zone: full access to the router and between networks in the zone.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# guest zone: input 'REJECT' keeps guest clients away from services on the
# router itself, so DNS (53) and DHCP (67) have to be admitted by explicit
# rules with src 'guest'. forward 'REJECT' blocks forwarding inside the zone;
# access to other zones exists only where a forwarding or rule grants it.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# Guest clients may open connections towards wan. There is no guest -> lan
# forwarding, so guest-to-LAN traffic is rejected except where a rule below
# allows it.
config forwarding
        option src 'guest'
        option dest 'wan'

# NOTE(review): with dest 'lan' this is a forward rule: it lets guest clients
# reach port 53 on hosts in the lan zone, and it does not open DNS on the
# router itself (guest input is REJECT). A rule admitting guest DNS to the
# router has src 'guest' and no dest. No proto is set; state it explicitly.
config rule
        option src 'guest'
        option dest 'lan'
        option name 'Allow-DNS-Guest'
        option target 'ACCEPT'
        option dest_port '53'

# NOTE(review): src 'wan' / dest 'lan' makes this a wan -> lan forward rule for
# port 67. It does not admit DHCP requests from the guest zone to the router,
# which is consistent with guest clients getting no lease, and it opens a
# WAN-to-LAN path a guest setup does not need. Expected shape for guest DHCP:
# src 'guest', proto 'udp', dest_port '67', no dest.
config rule
        option src 'wan'
        option dest 'lan'
        option name 'Allow-DHCP-Guest'
        option target 'ACCEPT'
        option dest_port '67'

I do not know what guides you followed but this looks like a BridgedAP, a secondary router on the same subnet:

If that is the case you should disable the DHCP server on the LAN, so that it does not hand out leases on a subnet where the main router is normally the DHCP server.

For setting up a Guest wifi on a BridgedAP see:

I was using a link I have got provided, but it is called Guest Wifi using LUCI, I can now see these two documents in the same Open-WRT document folder.

In the meantime I checked the settings I made and found an error (what else :slight_smile: )
I had set up the source and destination zones wrongly in the firewall traffic rules.
I corrected this, still following this other guide - now a DHCP IP gets provided, but there is no internet.

What is the difference between the two guides, I am not a expert and only see there is difference on LAN or WAN but do not fully get what that means?

Currently I am in a test mode, meaning the device is just connected to the ISP router;
later, when the setup is ready, I would like to change the connection to PPPoE and replace the ISP router.
When changing the connection type, will that require changing the guest network setup as well?

Thanks a lot

OK then you should not follow the setup for a bridged AP and not follow the links I posted.

But it also means your setup is wrong. Your cudy must be setup as a regular router connected with its WAN port to your ISP router.

My advice reset to default.

The only thing you might have to change is the LAN IP address. It should be on a different subnet from your ISP router, i.e. differ in the third octet.
So assuming your ISP router is 192.168.1.1, change the LAN IP address of the Cudy to 192.168.2.1

This should give you normal internet access after a reboot of the router and your PC/laptop

For a Guest wifi follow this:

The IP address for the guest interface must be on a different subnet than both the ISP router and the LAN, e.g. 192.168.3.1

Thanks a lot but wait a second ...

Because I am currently in that dumb AP mode, I just followed that specific guide and "Yes", it is working now. Guest provides IP and internet, and I cannot reach LAN devices from it!
The "tick" that finally enabled internet access for the guest network was the "masquerading" flag for LAN in the interface section.

I don´t want to stress "masquerading :-)" but will that somehow impact

  • Wireguard server and client setup or
  • port forwarding required for NGINX and a seafile server running or
  • DynDNS

Coming back to the WAN connection mode what will be my final setup - in that setup the masquerade flag isn´t required, is that correct?
And there was no third Traffic rule for blocking the guest from LAN, why not?

As you now have setup in DumbAP mode a lot of things are different including WireGuard server and client setup.

As your goal is to replace the ISP router you have to redo everything again in gateway mode so consider to setup in gateway mode to begin with, with the router on its own subnet as that is your final goal.
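Place the router in the DMZ of the ISP router so you can test your nginx and WireGuard etc. In that position the ISP router passes unsolicited inbound traffic on to this router's WAN side, so keep the wan zone input on REJECT and open only the ports you are testing.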

If that works it is easy to replace the ISP router by just adding the setup of PPPoE

If you want to keep it like this in DumbAP mode see for WireGuard setup guides:

:

Thanks a lot just checked the two wireguard documents that´s exactly what I require as well.
OK I am still with Cyberghost when talking about client but that should just be a different config file, right?
I will try that as soon I do have the router in PPPOE mode cause my current router does not provide a DMZ so no chance to play with the settings when not in PPPOE mode.

Coming back to the guest network settings: for the case where the router is in PPPoE mode, I can see in the guide that the firewall forward goes to WAN instead of LAN and there is no masquerading on LAN.
Is the LAN protected because the forward goes only to WAN, even though there is no traffic rule blocking guest from LAN?
Second thing - I would need in a later step another network for IoT sharing separate IP range using DHCP but with access to LAN and vice versa for smart home devices. I assume I can use that guest network setup with some adjustments especially for firewall and traffic rules ...
I would need to understand how to fine tune access settings if possible, e.g. allowing LAN access to the IPs in the IoT but not vice versa or similar, is there a document explaining these kind of settings?

Correct

Not necessary: blocking is the default, and you only allow traffic with the forward rules.

Setup exactly like a guest wifi then make a forward rule from lan to iot, this will allow traffic from lan to iot but not traffic originating from iot to lan.

OK clear, and can I release with a traffic rule maybe one port from the IoT into LAN e.g. port 1883 is standard port for MQTT payloads from IoT devices to the MQTT server what would run in the LAN network? Is that traffic all controlled with traffic rules?
And what about the Zone forwards in the firewall settings, what does Input, Output and Intra zone forward mean is that more generic?
The Guest to LAN is reject Input, accept Output, reject Intra Zone, LAN is accepting all but only towards WAN. Would I need to add one new Zone for LAN to IoT or enough to just add one traffic rule within the LAN zone?

Correct. If you need finer-grained control, you do not use the zone forwarding but traffic rules for specific ports/clients/destinations etc.

Input and Output are for traffic to and from the router itself. Output is usually enabled in all cases; Input is restricted for guest and IoT, where you do not want guests or IoT devices to be able to tamper with your router. Of course you then have to make traffic rules to specifically allow DNS and DHCP.

Forward is for intra-zone forwarding: if you have multiple interfaces in one zone, it controls forwarding between these interfaces. E.g. if you have one firewall zone containing the IoT and Guest interfaces, the intra-zone forward setting is what is allowed between these interfaces (subnets).

Progress :slight_smile:
I do have the router configured getting WAN access, had so much trouble caused by my Draytec modem, newest firmware has a bug, what a sh.. ok running now!
Was setting up the guest network as shown in the guide and it is working, guest is providing DHCP and internet.
OWRT router is configured on default DHCP range 1.x
I configured the guest now for DHCP range 2.x and this is the range I am using today for my main network.
Today lot´s of devices using static IP assignments. The idea is let all connect now to the guest network and afterwards move one by one to the main network 1.x, and leave specific devices in guest.

But I cannot access these devices, neither when connected to main network nor in guest.
Sure I expected this somehow and we discussed a bit already ... but what exactly can I do now to get control over these devices connected to guest? Can I temporarily setup/change a traffic rule to gain control for guest network and can I logon to their GUI in order to adjust SSID and static IP?

Also, will that guest network be automatically available for my other dumb AP routers connected, these are all on Open-WRT already (configured following the guide for dumb AP)?

You can make a forwarding rule from lan to guest e.g.:
/etc/config/firewall

# Zone forwarding: connections initiated from the lan zone may reach the guest
# zone. Nothing here permits connections initiated from guest into lan.
config forwarding
	option src 'lan'
	option dest 'guest'

This way you can connect to guest from lan but not the other way around.

But note that for seamless access/discovery of IoT devices you sometimes have to be on the same network, so you sometimes have to log in to the guest/IoT network to control those devices.

No, but it is possible to extend the guest/IoT network to a DumbAP using VLANs; this way the DumbAP has the same guest/IoT network as the main router.

Ok will try to configure the forwarding rule with Luci, is this there the traffic rule, or is it the step before in Luci?

VLAN that sounds more complex, no other more simple way? But I need the IoT/guest on the APs as well that's clear.
And thinking a bit further, will that all work together with e.g. Wireguard server? When dialing in from outside what network will I use, can I choose, or do I need two server?

I do not use Luci but you edit the zone in luci

Yes it should work with a WireGuard server

I am just re-thinking about my guest network setup for my four devices, one router three dumb AP. Three Cudy WR3000s one TP-LInk EAP225v3 Outdoor all on v24.10.1 / 10.0
Best would be having the main router serving Guest/DHCP to the dumb AP, but ...
I tried to check existing topics but nothing helps me to get a clear understanding how to solve that.
VLAN - sounds complex and I don´t have the necessary understanding to use that.
WDS - not really understood if that could be a solution.

So I am coming to the conclusion that I maybe just setup separate "Guests" on each device and allocate only such devices to these Guests where I don´t need any access to these devices.
E.G. air conditions, Tuya Wifi plugs, Chinese Wireless cams, all usually using their own APPs for remote management.

What is your suggestion?

WDS is to wirelessly connect routers.

I thought you were talking about connecting your DumbAP's with ethernet cable , which is the preferred solution.

In that case yes you can setup a separate guest wifi on all dumbAP's , you can btw connect to the guest wifi on the DumbAP if you set a static route on the main router.

But my advice use the VLANs and let everything be done by the main router.

Start with setting up main router with Guest wifi then setup one DumbAP and ask for help here on the forum extending your guest wifi via vlan to your DumbAP.

There are many vlan experts who are always willing to help you.

OK, will do that.
The devices are more or less ready, just checking that zone forward for LAN to guest we were talking about.
What is the edit command in O-Wrt, or how does the zone forward rule in Luci look like.
Is it like the LAN to WAN, all on "accept"?

Firewall > LAN zone: edit it and, on General settings, add Guest to "Allow forward to destination zones".

Yes I just did that already, works!!


Can I just add a 5 GHz SSID to my Guest, similar to the 2.4 GHz one, or is there anything wrong with that idea?