Guest Network on AP

d3nt0n · June 24, 2021, 12:34am

Tried configuring an isolated Guest network on AP following this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

I can connect to the network but DHCP is not handing out an address, and if I manually set one it will connect but not have any internet access. I doubled checked all my settings against the guide and everything looks correct. Is there some other firewall rule that will need to be set on my gateway, which acts as a DCHP server for my private LAN and is also running OpenWRT?

Stefan1 · June 24, 2021, 5:54am

The guide has been working for me out of the box.
On your gateway you only need a static route to your guest network in case you want to reach devices in your guest network from within your lan network.
There are no other settings required there.

You probably need to check once more and maybe post your configuration here:
/etc/config/dhcp
/etc/config/network
/etc/config/wireless
/etc/config/firewall

Note: Make sure to obscure the "option key" value(s) in the wireless config results as well as all passwords and mac addresses before posting.

d3nt0n · June 24, 2021, 12:51pm

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcd:118d:9cd8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 5 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key '*********'
	option ssid 'Private LAN'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option hwmode '11g'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Private LAN'
	option encryption 'psk2'
	option key '*********'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key '*************'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key '***********'
	option network 'guest'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'Guest'
	option dest 'lan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'Guest'
	option target 'ACCEPT'
	option dest_port '67-68'

config rule
	option name 'Guest DNS'
	option src 'Guest'
	option src_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block Guest Access to LAN'
	option src 'Guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'DROP'

Stefan1 · June 25, 2021, 6:03pm

The settings do not look incorrect from a comparison with mine. The only thing I am wondering is where the dns settings are for your guest network. But if you cannot even get an ip address in the guest net, try to testwise disable the firewall rule that blocks access from guest to LAN. Does it work then ?
( Or in other words, is it a dhcp problem or a firewall problem ? )
If you assign a static ip, can you ping google ? Can you ping a numeric ip in the internet ( e.g. an opendns server 208.67.222.222 ?
What about ip6 ? Have you enabled that in your lan ? I am not familiar with that and I completely disabled it.

d3nt0n · June 25, 2021, 6:44pm

Disabling the firewall rule did not help. I went back and added the DNS servers, but DHCP isn't working so that didn't help much. I can't ping any public IP address, nor any address on my local network, not even the access point itself.

16F84 · June 26, 2021, 12:58am

Are you using a dumb AP? If so you need to assign the LAN port the dumb AP is on to a separate VLAN and bridge it to the guest IP range.

What routers are you using?

d3nt0n · June 26, 2021, 1:13pm

Yeah it's a dumb AP.

If so you need to assign the LAN port the dumb AP is on to a separate VLAN and bridge it to the guest IP range.

I'm not sure how to do this. Are they any guides or good docs that could help?

What routers are you using?

The AP is a TP-Link EAP245 v3. My gateway is just an x86 server running OpenWrt.

16F84 · June 26, 2021, 2:57pm

The guide @Stefan1 referred to works. Its what I used. I think you need to factory reset your routers and reattempt the guide before going the VLAN route. Make a backup of your configs so you can reload them if it doesn't work. If you have already done this to no avail and are ready to go the VLAN route then read on.

Additional info.....

https://www.reddit.com/r/openwrt/comments/o24xqt/configuring_guest_wifi_on_a_vlan/