Guest Network with no Internet access on DSA 21.02

Hello All!

I am attempting to migrate my setup from OpenWRT 19.07 to 21.02 using the latest build from Divested-WRT on my WRT1900ACSv2 (Divested-WRT SNAPSHOT r16837+14-e002179a6d / LuCI Master git-21.148.48881-79947af). I have basic level hobby skills without formal training.

On 19.07, I successfully used a VLAN configuration to create a separate network for my Amazon Firesticks and Recast devices, shared remotely to other devices over a OpenVPN Tap connection. Functionally it would loose internet access intermittently, but mostly work without flaws.

I want to create a similar network configuration on 21.02, but I couldn't figure out how to create a working VLAN with the new DSA implementation.

Instead, building from scratch (mostly in luci), I have set up a "Guest" WiFi network called "Fire" following similar [Guest Network Guides] (https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface). My intent is not to use this as a guest network, but it will function the same.

This "Fire" network should use the IP 192.168.73.0/24 whereas the main LAN network should use the IP 192.168.70.0/24. Later, a bridge will be set up connecting the wlan0-1 wireless network and the Tap0 OpenVPN connection.

At present, I am unable to get Internet Access to my new "Fire" Network. It does not appear that my computer connected to this network is being assigned an ipv4 address. Instead it has an ipv6 address. The Fire network interface is not configured to assign ipv6. I'm not sure if the DHCP is working correctly.

I need some help from the community to review my configuration. If it's not a configuration issue, it may be a bug in the build(?).

Bellow are my configuration files:

  • Of note my config interface fire is not assigned to a device in luci (unspecified).

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'Redacted:/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.70.1'

config device
        option name 'wan'
        option macaddr 'Redacted'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Fire'
        option proto 'static'
        option ipaddr '192.168.73.1'
        option netmask '255.255.255.0'

Firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone 'fire'
        option name 'fire'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'fire'
        list network 'Fire'

config forwarding 'fire_wan'
        option src 'fire'
        option dest 'wan'

config rule
        option name 'DNS Fire'
        option src 'fire'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'DHCP Fire'
        list proto 'udp'
        option src 'fire'
        option dest_port '67-68'
        option target 'ACCEPT'

DHCP

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Fire'
        option interface 'Fire'
        option start '100'
        option limit '150'
        option leasetime '12h

Please let me know if you need any additional files. Thank you!

tutorial, probably a few syntax changes since

Edit: pretty sure that community build is based on master not 21.x

Thank you for your reply.

I'm not sure what the differences between the master and 21.xx build are yet.

I attempted to set up the Multiple networks (using bridges) configuration and assigned lan3 and lan4 to br-lan2. I wanted to take the wlan0-1 out of the equation. I wire connected to lan4 and was unable to get an IP assignment to connect to the br-lan2.

Another clue that there may be a bug in the DHCP.

This description is not borne out by the above network config dump.

There's your problem.
Create bridge device & assign your Fire interface to it. Without that OpenWrt:

  1. has no L2 interface to assign 192.168.73.1 to
  2. has no L2 bridge to attach wlan0-1 to

You can easily create bridge device in LuCI. It should give you something like

config device
        option name 'guest'
        option type 'bridge'

then you need option device guest in your Fire interface.

For those interested, I was able to fix my issue:

First I created a new network bridge br-lan2 with lan4, removing lan4 from br-lan. I had to assign the mac address to the same mac as used by the other (lan1 lan2 lan3) devices. Then I assigned this bridge as the base device on the "Guest" network interface. I used similar firewall rules as my original post (Input Reject, Output Accept, Forwarding Reject, with no lan forwarding). Next I had to fix/undo a "network hardening" customization specifically in the Divested build configuration by commenting the interface=br-lan line in /etc/dnsmasq.conf (aka add a # before the line of code). Then I rebooted my network (MUST reboot to take effect). I did force DHCP on both br-lan and br-lan2 connected interfaces, but I don't think that was necessary. I now have internet on my guest/fire interface!

I appreciate everyone's input! It was valuable!

4 Likes

There was an issue. I enabled the radios on a mamba to test a couple of days back after reading many posts of issue, while the WLAN got an IP, it never got out the door, no matter how I configured things. Same config today with netifd commits works just fine.

1 Like

Thanks! That worked perfectly!

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.