d3nt0n
June 24, 2021, 12:34am
1
Tried configuring an isolated Guest network on AP following this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
I can connect to the network, but DHCP is not handing out an address, and if I set one manually it connects but has no Internet access. I double-checked all my settings against the guide and everything looks correct. Is there some other firewall rule that needs to be set on my gateway, which acts as the DHCP server for my private LAN and is also running OpenWrt?
The guide has been working for me out of the box.
On your gateway you only need a static route to the guest subnet (next hop = the AP's LAN address) if you want to reach guest devices from your LAN — and in that case the AP's firewall must also allow forwarding from lan to the guest zone, which weakens the isolation.
There are no other settings required there.
You probably need to check once more and maybe post your configuration here:
/etc/config/dhcp
/etc/config/network
/etc/config/wireless
/etc/config/firewall
Note: Make sure to obscure the "option key" value(s) in the wireless config results as well as all passwords and mac addresses before posting.
d3nt0n
June 24, 2021, 12:51pm
3
/etc/config/dhcp
# /etc/config/dhcp on the dumb AP. The 'guest' pool below is served by dnsmasq
# running on the AP itself, not by the gateway. A plain dumb-AP setup often has
# dnsmasq disabled entirely — NOTE(review): the thread does not show whether it
# is running; confirm with `/etc/init.d/dnsmasq enabled` / `pgrep dnsmasq`.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Upstream resolvers come from the lan interface's 'list dns' in /etc/config/network.
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# Only answer DNS for directly attached subnets (guest 192.168.2.0/24 qualifies).
option localservice '1'
option ednspacket_max '1232'
# LAN pool: 'ignore 1' takes precedence over 'dhcpv4 server', so the AP hands out
# no leases on br-lan — correct for a dumb AP, the gateway serves that subnet.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest pool: 192.168.2.100-249, served locally. No dhcp_option '6,...' is set,
# so clients receive the AP (192.168.2.1) as their DNS server and dnsmasq
# forwards upstream; the AP's firewall must therefore accept guest DNS on input.
# ra_flags 'none' plus no ip6assign on the interface keeps guest IPv4-only.
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
/etc/config/network
# /etc/config/network on the dumb AP (new-style 'config device' syntax).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdcd:118d:9cd8::/48'
# br-lan carries only the tagged switch port; the private SSIDs are attached to
# it by 'option network lan' in /etc/config/wireless.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
# Static LAN address; the gateway (192.168.1.1) is both default route and
# upstream resolver for dnsmasq. Guest traffic leaves the AP via this interface.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 5 0t'
# Guest interface is deliberately not bridged to any wired port: it has no
# 'device' and is brought up only by the guest wifi-ifaces that reference
# 'option network guest'. It is a separate routed subnet, so guest traffic must
# pass the AP's firewall to reach the LAN or the Internet. No ip6assign -> IPv4 only.
config interface 'guest'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
/etc/config/wireless
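# /etc/config/wireless on the dumb AP. PSKs are masked, as they must be when posting.
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
# Private SSID (5 GHz), bridged into br-lan: clients sit on the same L2 as the gateway.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option encryption 'psk2'
option key '*********'
option ssid 'Private LAN'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option hwmode '11g'
option cell_density '0'
# Private SSID (2.4 GHz), same network as above.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Private LAN'
option encryption 'psk2'
option key '*********'
# Guest SSID (5 GHz). 'option network guest' attaches it to the routed 'guest'
# interface instead of br-lan, so guest traffic is subject to the AP's firewall.
# 'isolate 1' was missing from the posted config: without it, guest clients can
# talk to each other through the AP. The referenced guest-wifi guide sets it on
# the guest SSID (worth re-checking against the guide); added here.
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'Guest'
option encryption 'psk2'
option key '*************'
option network 'guest'
option isolate '1'
# Guest SSID (2.4 GHz), same network and the same client-isolation setting.
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Guest'
option encryption 'psk2'
option key '***********'
option network 'guest'
option isolate '1'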
/etc/config/firewall
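# /etc/config/firewall on the dumb AP. The firewall is what keeps the guest
# subnet away from the LAN, so it must stay enabled here (unlike a plain dumb AP).
# Fix applied below: the 'Guest DNS' rule matched src_port instead of dest_port.
# That fix does not by itself explain the missing DHCP leases — DHCP is served
# locally by dnsmasq and the 'Guest DHCP' input rule looks right — so also
# confirm dnsmasq is enabled and running on the AP (NOTE(review): not shown in the thread).
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# lan zone: fully open, and 'masq 1' NATs everything leaving via lan. Forwarded
# guest traffic is therefore seen by the gateway as coming from the AP's own
# address (192.168.1.2); the gateway cannot apply per-guest-client rules.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
# As posted, /etc/config/network defines no 'wan'/'wan6' interface on this AP,
# so this zone and the default Allow-* rules with src 'wan' below are inert
# leftovers from the stock config. Harmless, but they protect nothing here.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
# Guest zone: no traffic to the AP itself except what the two input rules below
# allow, and no forwarding except the explicit Guest->lan forwarding.
config zone
option name 'Guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
# Gives guests Internet access via the AP's LAN uplink (NATed by the lan zone);
# the DROP rule at the end carves the LAN subnet itself back out.
config forwarding
option src 'Guest'
option dest 'lan'
# Let guest clients obtain leases from dnsmasq on the AP (input rule: no 'dest').
config rule
option name 'Guest DHCP'
list proto 'udp'
option src 'Guest'
option target 'ACCEPT'
option dest_port '67-68'
# Let guest clients query dnsmasq on the AP (192.168.2.1).
# Was 'option src_port 53': that matched only packets *sent from* port 53, so
# ordinary DNS queries (destination port 53, random source port) fell through to
# the zone's 'input REJECT'. The referenced guide matches the destination port.
config rule
option name 'Guest DNS'
option src 'Guest'
list proto 'tcp'
list proto 'udp'
option dest_port '53'
option target 'ACCEPT'
# Isolation rule: guest may not reach the private LAN subnet. Only 192.168.1.0/24
# is listed; if the gateway routes any other private subnets (or exposes a
# management network), add them to dest_ip as well — anything not listed is
# reachable through the Guest->lan forwarding above.
config rule
option name 'Block Guest Access to LAN'
option src 'Guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'DROP'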
The settings do not look incorrect compared with mine. The only thing I am wondering about is where the DNS settings for your guest network are. But if you cannot even get an IP address on the guest network, try temporarily disabling the firewall rule that blocks access from guest to LAN. Does it work then?
( Or in other words, is it a dhcp problem or a firewall problem ? )
If you assign a static IP, can you ping google.com? Can you ping a numeric IP on the Internet (e.g. an OpenDNS server, 208.67.222.222)?
What about IPv6? Have you enabled that on your LAN? I am not familiar with it and I completely disabled it.
d3nt0n
June 25, 2021, 6:44pm
5
Disabling the firewall rule did not help. I went back and added the DNS servers, but DHCP isn't working so that didn't help much. I can't ping any public IP address, nor any address on my local network, not even the access point itself.
16F84
June 26, 2021, 12:58am
6
Are you using a dumb AP? If so you need to assign the LAN port the dumb AP is on to a separate VLAN and bridge it to the guest IP range.
What routers are you using?
d3nt0n
June 26, 2021, 1:13pm
7
Yeah it's a dumb AP.
If so you need to assign the LAN port the dumb AP is on to a separate VLAN and bridge it to the guest IP range.
I'm not sure how to do this. Are there any guides or good docs that could help?
What routers are you using?
The AP is a TP-Link EAP245 v3. My gateway is just an x86 server running OpenWrt.
16F84
June 26, 2021, 2:57pm
8
The guide @Stefan1 referred to works; it's what I used. I think you need to factory-reset your routers and reattempt the guide before going the VLAN route. Make a backup of your configs so you can reload them if it doesn't work. If you have already done this to no avail and are ready to go the VLAN route, then read on.
Additional info.....
I think I have isolated this issue.
Due to the many changes and testing my /etc/config/network has changed at the 'lan' interface. After correcting the settings as below I have regained internet access at the AP.
The only function I cannot get to work for the guest Wi-Fi is 802.11r (fast roaming), because the guest network shares the SSID but no longer the DHCP server.
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
…
https://www.reddit.com/r/openwrt/comments/o24xqt/configuring_guest_wifi_on_a_vlan/
VLAN VLAN is the acronym for Virtual Local Area Network, it is a virtual partitioning of physical network switches on OSI layer 2. It is a way to keep network clients separated from each other even if they use the same shared physical network,...