I’m looking for some help concerning the Wi-Fi for guest configuration.
Overview:
I have a FritzBox 7490 (192.168.178.1) which is connected to my new Netgear R7800 router (192.168.178.38) running OpenWRT 19.07.03. My idea based on OpenWRT is to improve the Wi-Fi connection, since the FritzBox has no external antenna and also does not support WPA3 yet. The gateway and DHCP are 192.168.178.1.
Network Configuration Goal:
The OpenWRT is in the same network (192.168.178.xxx) as FritzBox using the DHCP of the FritzBox. Only the network zone for the guest (Wi-Fi) should be different and isolated from 192.168.178.xxx except the internet connection.
Situation:
On the internet I have found two different types of realization
• Based on DHCP and DNS rules for port forwarding
• Based on Source NAT (https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/, sorry it's only in German).
I have tried both, but unfortunately neither is working for me. I have especially tried different configurations based on source NAT, but without success. I have no idea why. Help is very appreciated.
My configuration based on source NAT :
/etc/config/network

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '192.168.178.1'

You did not provide any links, so I cannot comment on these solutions.
Please edit your post and mark the config file contents as preformatted text using the </> button.
The result should look like the section quoted below.
Both snat_ip and '192.168.3.1' look wrong to me. Follow the wiki article which recommends enabling masquerading for lan.
Thanks for the reply and the link concerning the AP configuration. There is one step which I have not applied in the past in this approach (DNS and DHCP Port forwarding). I will try it tomorrow and provide you feedback.
Please note that these are input rules, not forwarding rules. They are needed because the access point is serving DHCP and DNS for the guest network.
For the LAN network, DHCP and DNS is still served by the Fritz!Box. LAN clients on the R7800 are bridged and the firewall rules do not apply to them.
I have followed your suggestion and have configured my AP according to your link. I had the first success – wow! The first connection to the AP worked, internet and the isolation to the 192.168.178.xx is given! I checked the DHCP values on my client for the guest network and they are okay: ipv4 for dns / ip are set.
But, and this is weird for me, the second connection (manual re-connection to the AP on the client) is not working anymore. It looks like I do not get ipv4 values from the guest DHCP anymore:
Please note that I have removed all traffic rules for wan, since I do not use the wan port. Therefore I think this shall not be the issue.
Any ideas?
/etc/config/network

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.178.38'
	option gateway '192.168.178.1'
	option ifname 'eth0.2 eth1.1'
	list dns '192.168.178.1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

/etc/config/firewall

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option output 'ACCEPT'
	option masq '1'

config forwarding
	option dest 'lan'
	option src 'guest'

config rule
	option dest_port '67-68'
	option src 'guest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'

config rule
	option name 'Diable Guest LAN Access'
	option dest 'lan'
	option dest_ip '192.168.178.0/24'
	option target 'DROP'
	option proto 'all'
	option src 'guest'

I have figured out one important aspect. It’s not the re-connection of the wi-fi, that is an issue.
I have two Wi-Fi APs, one for 5GHz and one for 2,4GHz, with the same ESSID, so the client must decide which AP to use. The 5GHz takes much more time to boot up, therefore the first connection for 2,4GHz works correctly. If I try to reconnect, the 5GHz AP is available, since it had sufficient time to boot up. So, the client decides to connect the second time to 5GHz. So the 5GHz AP seems to be the issue.
Since I have disabled the 5GHz AP Wi-Fi for guest, the guest Wi-Fi works perfectly. Now I have to figure out why the 5GHz AP is not working in this combination. It’s definitely assigned to the same “guest” network as the 2,4GHz AP.
In order to have guest APs on both radios, or wired and wireless guests, the guest network needs to be a bridge. Add option type bridge like in the lan. A non-bridge network can only have one physical interface.
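
The bridge requirement from the last reply can be checked against a config backup before reloading the network. This is an added example, not part of the thread: the wireless sections and the section names guest_2g and guest_5g are constructed, and the parser only handles the simple option/list syntax shown in the configs above.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the thread: two guest APs (one per radio)
# attached to a 'guest' interface that has no 'option type bridge'.
NETWORK = """
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.2 eth1.1'
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
"""
WIRELESS = """
config wifi-iface 'guest_2g'
	option device 'radio1'
	option network 'guest'
config wifi-iface 'guest_5g'
	option device 'radio0'
	option network 'guest'
"""

def parse_uci(text):
    """Return a list of (section_type, section_name, options) tuples."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+['\"]?([^'\"]*)['\"]?)?", line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\S+)\s+['\"]?([^'\"]*)['\"]?", line)
        if m and sections:
            opts = sections[-1][2]  # repeated 'list' entries are space-joined
            opts[m.group(1)] = (opts.get(m.group(1), "") + " " + m.group(2)).strip()
    return sections

def unbridged_multi_attach(network, wireless):
    """Interfaces with more than one attached device but no 'type bridge'."""
    count, bridged = defaultdict(int), set()
    for stype, name, opts in parse_uci(network):
        if stype == "interface":
            count[name] += len(opts.get("ifname", "").split())
            if opts.get("type") == "bridge":
                bridged.add(name)
    for stype, _, opts in parse_uci(wireless):
        if stype == "wifi-iface":
            for net in opts.get("network", "").split():
                count[net] += 1
    return sorted(n for n, c in count.items() if c > 1 and n not in bridged)
```

On the sample it reports `guest`; after adding `option type 'bridge'` to that interface, the list is empty.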