Guest network does not receive internet

Good afternoon,

I have been trying this for about 4 months on and off and stuff cannot seem to work out why my guest network cannot access the internet.

I have done a fresh install and followed the steps in the wiki so we have a fresh system to analyze, I have added just the addition of a VLAN and bridge to the guest network as I wish to use wired and wireless on this isolated network.

My aim is purely to isolate this network from the rest of the devices on the network.

Modem gateway 192.168.10.1

cat /etc/config/firewall

        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'guest'
        option forward 'REJECT'
        option name 'guest'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option dest 'lan'
        option src 'guest'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'

config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option src 'guest'
        option name 'Block Guest from Private'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'DROP'

cat /etc/config/dhcp

        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'guest'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'my-password-private'
        option ssid 'Private'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

config wifi-iface 'wifinet2'
        option ssid 'guest'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option key 'my-password-guest'

cat /etc/config/network

        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd49:7eea:c704::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.11'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.22'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.22'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4'
        option vid '11'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '22'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth0.33'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5'
        option vid '33'

Please can you see if there is anything wrong here and I will be eternally in your debt for the fix!!

I am not sure if this is relevant but my goal is to then route all traffic through openvpn

From a first glance it looks correct. Can you do a traceroute from a guest host to verify where the packets stop?
tracert 8.8.8.8 from windows or tracert 8.8.8.8 from linux/mac.

That's a good idea, I will check and post when home. Thanks for your rapid attention!

There is no firewale rule to forward guest to wan with a quick glance you do for lan but not for guest.

config forwarding
        option src 'guest'
        option dest 'wan'

In dumbAP the wan is not used.

Then the OP is missing the gateway option:

Otherwise, this is not a dumb AP and the OP has followed the wrong guide.

1 Like

I'm sorry guys I actually bricked my archer c6 after this, waiting on a switch so I can try to debrick.

The aim is, one router acting as backup which is running default, so as to not piss off my girlfriend.

One network isolated from the rest of the network for iot devices, with wireless and wired and both this and the private network running through ideally nordvpn wireguard but happy to use with openwrt as they do not release wireguard config files and would have to run through a rpi running raspian. Is this advisable? I guess I could also have a pihole running on this pi?

My equipment, once the order arrives is one basic tp link router that cannot run dd wrt or openwrt.

One unmanaged switch, with option possibly to manage with a raspberry pi 3b or 4.

An archer c6, which may be 2 if I can debrick.

Is there anything else I could use to make this easier or do I not need anything more that the archer to achieve my goals?

Could I go from the wan directly into a switch and split into two routers? Or do I need a router before the switch?

That can depend on your ISP. If the ISP will only assign one IP per modem/service line then likely no. Overall this may over-complicate the solution you are looking for, and is likely difficult for a novice to configure.

There seems to be some confusion, did you have a single OpenWRT device which was connected directly to the modem, and you wanted that single device to serve both LAN and Guest traffic through wireless and wired connections? If so it really does look like you were only missing a forward from guest to wan.

1 Like

Hi! Did you ever resolve this? Seems I have a very similar problem Stuck creating "guest"-style internal network