Guest Network not working as expected

I have a main router and a dumb AP configured with 3 VLANs (and corresponding Wi-Fi SSIDs): the main LAN, with access to the internet and internal resources; an IoT LAN for IoT devices that can communicate among themselves and with LAN devices but not with the internet; and a guest LAN that should only be able to access the internet and only connect to its own Wi-Fi SSID.

I have configured IPv4 DHCP for the guest network and the firewall rules in the main router as advised in the wiki guest configuration.
These are the firewall settings in the main router:

The problem is that with those recommended rules, when I try to connect to the guest Wi-Fi on the main router I cannot, because DHCP does not serve an IP address.

If I change input from reject to accept (in the guest->wan rule) I can connect and everything seems to work OK, but there may be security risks, as the recommended setting is reject.

What am I doing wrong?

Trying to connect to the dumb AP gives me the same results.

These are the firewall settings on it (in case that matters, but I think the problem is in the main router):

It seems that DHCP and/or DNS is not allowed from the guests to the router. Let's verify the configuration:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

# Diagnostic dump: board/firmware info, then the network, dhcp and firewall UCI packages.
# The exported network package prints secrets in clear text (PPPoE 'password', WireGuard
# 'private_key' options) - redact those as well before posting the output.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall

Thanks a lot for your answer; here is the output from the main router:

{
        "kernel": "5.10.146",
        "hostname": "router",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd84:XXXX:0c21::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.100.100.1'
        option netmask '255.255.252.0'
        option device 'br-lan.1'
        list dns '208.67.222.222'
        list dns '208.67.220.220'
        option delegate '0'
        list ip6class 'local'
        option ip6assign '48'
        option ip6ifaceid '::1'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'adslppp@xxxxxxx'
        option password 'adslpppp'
        option ipv6 'auto'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option igmp_snooping '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'lan4:t'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '10.200.200.1'
        option netmask '255.255.252.0'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.11'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        list dns '208.67.220.220'
        list dns '208.67.222.222'

config interface 'wgVPN'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key 'xxxxxxxxxxxxxxxxx'
        list addresses '192.168.21.1/24'
        option peerdns '0'
        list dns '10.100.100.1'

config wireguard_wgVPN 'wgclient'
        option description 'movilFernando'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxx'
        option private_key 'yyyyyyyyyyyyyyyyyy'
        list allowed_ips '192.168.21.3/32'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option local '/casa/'
        option domain 'casa'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option start '768'
        option limit '127'
        option ra 'server'
        option dhcpv6 'server'
        option ra_default '2'
        option force '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list ra_flags 'home-agent'
        option ra_slaac '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iot'
        option interface 'iot'
        option leasetime '12h'
        option start '768'
        option limit '127'
        list ra_flags 'none'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option mac 'xx:xx:xx:xx1xx:xx'
        option name 'Hoek'
        option dns '1'
        option ip '10.100.103.1'
        option hostid '::be2'

config domain
        option name 'fernando.casa'
        option ip '10.100.101.1'

config domain
        option name 'servidor.casa'
        option ip '10.100.101.1'


config domain
        option name 'biblioteca.casa'
        option ip '10.100.101.1'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wgVPN'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option input 'REJECT'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'iot'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'iot'

config redirect
        option target 'DNAT'
        option name 'https al servidor'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option dest_port '4443'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'QBelt al servidor'
        list proto 'udp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option dest_port '443'

config redirect
        option target 'DNAT'
        option name 'WireGuard hacia servidor QNAP'
        list proto 'udp'
        option src 'wan'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option src_dport '51821'
        option dest_port '51820'
        option enabled '0'

config wan 'src'

config 51280 'dest_port'

config udp 'proto'

config ACCEPT 'target'

config rule 'wg'
        option name 'Allow-WireGuard'
        option proto 'udp'
        option target 'ACCEPT'
        option dest_port '51820'
        option src 'wan'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'


You can remove these (the `list dns` entries) from the lan and guest interfaces; they should be used on the wan interface only, from where the servers are reachable.

Clean these up.

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Allow DNS guest'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option family 'ipv4'
        option name 'Allow-guest-DHCP'

Add these for DHCP and DNS.


Thanks a lot, it seems to work now.
I have removed the DNS settings from the lan and guest interfaces.
These are now my firewall settings:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wgVPN'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option input 'REJECT'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Allow DNS guest'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option name 'Allow-guest-DHCP'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'iot'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'iot'

config redirect
        option target 'DNAT'
        option name 'https al servidor'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option dest_port '4443'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'QBelt al servidor'
        list proto 'udp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option dest_port '443'

config redirect
        option target 'DNAT'
        option name 'WireGuard hacia servidor QNAP'
        list proto 'udp'
        option src 'wan'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option src_dport '51821'
        option dest_port '51820'
        option enabled '0'

config rule 'wg'
        option name 'Allow-WireGuard'
        option proto 'udp'
        option target 'ACCEPT'
        option dest_port '51820'
        option src 'wan'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

They are still missing, but you got the point.

What do you mean by "they are still missing"?

I have removed the config options you mentioned and added the rules allowing the DNS and DHCP ports to be accessed from the guest network...

What am I missing?

Okay, they are not missing, but they are located somewhere in the middle of the file. And the second rule was mixed with an existing rule for IPv6, so it will not work for IPv4.

Thanks a lot for pointing that out.
I don't know what happened; I had deleted what you said and added the rules at the end of the firewall file.
But I had not rebooted, and I used the LuCI interface (refreshed) to see the results. I think I used Save & Apply in LuCI.
Maybe that is what messed things up.

I have restored the previous configuration and re-edited the firewall file. This time I rebooted the router, and it seems to be correct now.

It seems to work and be correct now.

This is the output of the `uci export firewall` command:

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wgVPN'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option input 'REJECT'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'iot'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'iot'

config redirect
        option target 'DNAT'
        option name 'https al servidor'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option dest_port '443'

config redirect
        option target 'DNAT'
        option name 'QBelt al servidor'
        list proto 'udp'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option dest_port '443'

config redirect
        option target 'DNAT'
        option name 'WireGuard hacia servidor QNAP'
        list proto 'udp'
        option src 'wan'
        option dest 'lan'
        option dest_ip '10.100.101.1'
        option src_dport '51821'
        option dest_port '51820'

config rule 'wg'
        option name 'Allow-WireGuard'
        option proto 'udp'
        option target 'ACCEPT'
        option dest_port '51820'
        option src 'wan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Allow DNS guest'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option family 'ipv4'
        option name 'Allow DHCP guest'
