Guest network - input question

I followed this guide to set up a guest wifi network:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
However it did not work at the end. Reading my previous doubts when I did it manually on another router, I tried changing input on the firewall from reject to accept and soon after the guest wifi worked.
My question is if it's dangerous to leave it like that: what does it actually change in terms of security on input from accept to reject? And what could I do in order for it to work having set the input to reject?

You might not have added the necessary rules to make it work with input = reject.

"Dangerous" depends on who is using your guest network.

  • Family/friends, probably not an issue
    • although also consider if their devices might have malware that would attack your router.
    • That is to say it's a question of how much you trust them personally, and also how much you trust their ability to maintain proper security hygiene on their computer -- for example, do they keep their systems up-to-date and do they use firewalls/anti-virus software appropriately, or do they visit questionable sites, download and install random software, especially from p2p services, etc.
  • General population (say in a cafe), certainly not good to allow input.

The input rule on the zone is what controls the ability for hosts on the covered networks to reach the router itself. That means any services, including ssh and http/https (LuCI) for administration would be exposed and available if input = accept.

On an untrusted network (such as the guest network) typically you'll set input = reject and then add 2 rules:

  • accept DHCP (udp port 67)
  • accept DNS (tcp + udp port 53)

Thanks for the explanation, I would like to have input set to reject then, but here's my current settings when I set reject and it won't connect to guest wifi:

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	list proto 'tcp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

The issue is here:

Change the proto to udp

	list proto 'udp'

Then restart and test again.

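Added example, not code from the thread or from OpenWrt: a small Python lint that parses the UCI firewall text the poster shared and reports the two things the answers above cover, namely whether the zone's input is ACCEPT (every router service reachable from the guest network) and whether ACCEPT rules exist for DNS (tcp+udp 53) and DHCP (udp 67) from that zone. The sample config is constructed from the poster's snippet, including the 'tcp' DHCP rule that caused the failure.

```python
import re
# Constructed sample: the poster's config, including the 'tcp' DHCP rule.
SAMPLE = """
config zone
	option name 'guest'
	option input 'REJECT'
	list network 'guest'
config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option name 'Allow-DHCP-Guest'
	list proto 'tcp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value}) pairs."""
    sections, cur = [], None
    for m in re.finditer(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        kind, key, val = m.groups()
        if kind == "config":
            cur = {}
            sections.append((key, cur))
        elif kind == "option":
            cur[key] = val
        else:                      # 'list' entries repeat, so collect them
            cur.setdefault(key, []).append(val)
    return sections

def protos(rule):
    """Protocols a rule matches; an unset proto means tcp and udp in OpenWrt."""
    p = rule.get("proto", ["tcp", "udp"])
    return set(p if isinstance(p, list) else p.replace("tcpudp", "tcp udp").split())

def lint_guest_zone(text, zone="guest"):
    """Return problems found for `zone`; an empty list means REJECT plus both rules."""
    secs = parse_uci(text)
    problems = []
    for t, z in secs:
        if t == "zone" and z.get("name") == zone and z.get("input", "").upper() == "ACCEPT":
            problems.append(f"zone '{zone}' input is ACCEPT: all router services reachable")
    rules = [r for t, r in secs if t == "rule" and r.get("src") == zone and r.get("target") == "ACCEPT"]
    for name, port, needed in (("DNS", "53", {"tcp", "udp"}), ("DHCP", "67", {"udp"})):
        have = set().union(*(protos(r) for r in rules if r.get("dest_port") == port))
        missing = sorted(needed - have)
        if missing:
            problems.append(f"{name} (port {port}) not accepted for {missing}")
    return problems
```

Run `lint_guest_zone(open('/etc/config/firewall').read())` on a router to get the same report for a live config.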

Oh a small detail...thank you so much for your time and attention!!! It's working as expected now
