Guest Wi-Fi on a dumb AP couldn’t reach the internet

A few topics (one, two) on this forum point to almost the same issue: the wiki and user-guide step-by-step instructions on how to configure a Guest Wi-Fi access point lead to a functional Wi-Fi without an actual internet connection.

The reason for the dysfunction is beyond my comprehension, as is why all the given information and efforts from the persons involved are not serving the intended purpose.
I followed the pictorial guide, the CLI guide and an extra guide, to no avail in getting a functional Guest Wi-Fi.

Interesting fact: the TP-Link APs I have (EAP 110, EAP225, EAP245), with original firmware, are perfectly able to provide Guest Wi-Fi with just a few ticks.
No VLANs, no extra managed switches etc.

For me, the only intent of a Guest Wi-Fi is to prevent reaching any local IP subnet.

Someone please step in and find/offer a working solution. Many thanks !!!

1 Like

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

Very true. That is the most common issue with folks setting up a guest network - and claiming they're following the guide. It would be good to identify the documentation bug (if one exists).

Thank you for your fast reply.

LE, added the firewall section, not so comfortable with putty.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd37:b182:8773::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.100'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.10.250'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.15.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key 'xxx'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'DeGu'
	option encryption 'psk2'
	option key 'xxx'
	option network 'guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '2'
	option limit '20'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest_DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest_DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block_Guest_from_LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.10.0/24'
	option target 'REJECT'

So far, most things look fine.

Is this the correct gateway address? Just verifying that this is the address of the main router.

I do see that you are missing dns in the lan network stanza. You’ll want to add that.

And the firewall file did not get posted.

Yes, main router is 192.168.10.250

The other "OpenWrt" Wi-Fi is perfectly functional, I suppose the DNS is obtained through DHCP from main router.

Added firewall section, sorry :slight_smile:

Try adding dns as I mentioned above. That is the only thing I see at the moment.

For the dumb AP clients, yes. But the AP itself doesn’t have dns because you have it set to a static ip and you haven’t specified a dns server.

1 Like

Fill up "Use custom DNS" section in Interfaces -> lan -> Advanced settings ?

Yes. Exactly. You can use your main router or a public dns server.

Thank you very much! That did solve the problem.

Might be a good idea to add a note to the picture tutorial.

This tutorial uses dhcp client on the lan interface, which means the information is obtained automatically from the upstream dhcp server. The difference in your case was that you were using static ip where you must specify everything (ip, subnet mask, gateway, and dns).

2 Likes

Hi,
as I put some rework in the dumb AP + GuestWiFi Guide, I would like to comment to make it easier for people who find this posting to understand what exactly happened:

edit:
-> wrong conclusion / needs rework <-

thx Peter Sherman for solving this sooooo quick!
hope this makes it easier to get it done :slight_smile:
keep on rockin' with openWrt !

1 Like

Sorry to be contradictory, but the 3rd point is not correct. The "dumb Wi-Fi AP", the Wi-Fi attached to the lan interface, was perfectly functional before, as well as after the guest interface Wi-Fi addition.

Main difference was that Wi-Fi attached to lan interface had internet access while Wi-Fi attached to guest interface did not.

Even at this moment, the lan interface having a static IP, does not have DNS configured.
It is only the guest interface that has been configured with a DNS server.

Different trials to add Guest Wi-Fi had always been done on a factory reset AP, all default settings, DNS remained unset for all interfaces.
All my APs are configured with static IPs from the first setup.

Please let me know if I can be of help providing log files.

LE. This was definitely the fastest forum reply and working solution I have ever experienced. Hats off to such skill and commitment.

Thank you for this feedback.
I understand and I need to examine that.

1 Like

Hello radunre,
I took a look @ my config, it's more or less the same as yours.

Neither LAN nor GUEST on my dumb AP + Guest WiFi have a custom DNS configured (similar to the screenshots you provided). Both of them seem to use the standard DNS on the router that is configured here

Could you check your config in the section the screenshot is showing ?
LAN and GUEST will use this .. at least in my case.

Nevertheless - the dumb AP guide advises to put a DNS server into the custom DNS section. I did not do so either, but at least I configured a "global" DNS forwarding which seems to be used by "AP seen as a System" & GUEST (not LAN .. LAN is served by your master router / master DHCP with DNS info stored in the master router).

I am pretty sure that your "standard" DNS forwarder is empty (see screenshot, nothing at the place where it shows 192.168.0.171). That means that the "AP as a System" in your case has no idea where to forward DNS requests. The interesting thing is - as you described - that the AP clients in LAN are served from the DHCP from your main router, and get their DNS server from it - in most cases the IP of the main router that acts as global DNS server.

When you add Guest WiFi, there is no friendly main router DHCP service for clients anymore. A new DHCP serves your guests, and this new DHCP needs to know where the DNS server is. It can take this info from a "custom" DNS - as Peter Sherman advised you to add - or it can take the globally defined DNS server / forwarding (screenshot: 192.168.0.171) in the DNS settings of the router. If the forwardings in the standard DNS config are empty AND the custom DNS as well - no DNS service for your GUEST clients.

If my conclusions are right - I will doublecheck with Peter if possible - I will update the Guest WiFi Guide to make sure that the situation you came in is avoided upfront. You are not the first one who got into this situation for sure, but the first one to make this problem visible, thx.
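The condition described in the post above can be checked offline from posted copies of `/etc/config/network` and `/etc/config/dhcp`. This is an added example, not code from any poster or from the OpenWrt project; the function names are made up here, and it assumes dnsmasq on the AP learns upstream resolvers only from a `dns` entry on an interface, a DHCP-client interface, or `server` forwardings.

```python
import re

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, options), ...]."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        item = re.match(r"(option|list)\s+(\S+)\s+'?(.*?)'?$", line)
        if head:
            sections.append((head.group(1), head.group(2) or "", {}))
        elif item and sections:
            # store every value as a list so 'option dns' and 'list dns' look alike
            sections[-1][2].setdefault(item.group(2), []).append(item.group(3))
    return sections

def pools_without_dns(network, dhcp):
    """Names of DHCP pools served by this AP whose clients cannot resolve names."""
    ifaces = {n: o for t, n, o in parse_uci(network) if t == "interface"}
    dhcp_secs = parse_uci(dhcp)
    # Assumed resolver sources: interface 'dns', DHCP-client proto, dnsmasq 'server'
    upstream = any(o.get("dns") or o.get("proto") == ["dhcp"] for o in ifaces.values())
    upstream = upstream or any(o.get("server") for t, _, o in dhcp_secs if t == "dnsmasq")
    broken = []
    for t, name, o in dhcp_secs:
        if t != "dhcp" or o.get("ignore") == ["1"]:
            continue  # not a pool, or DHCP left to the main router
        # dhcp_option 6 hands clients an external resolver, bypassing the AP
        own_dns = any(v.startswith("6,") for v in o.get("dhcp_option", []))
        if not upstream and not own_dns:
            broken.append(name)
    return broken

# Constructed sample: the thread's configs reduced to the relevant options.
NETWORK = """
config interface 'lan'
	option proto 'static'
	option gateway '192.168.10.250'
config interface 'guest'
	option proto 'static'
"""
DHCP = """
config dnsmasq
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
config dhcp 'guest'
	option interface 'guest'
"""

if __name__ == "__main__":
    print("pools without working DNS:", pools_without_dns(NETWORK, DHCP))
```

The `lan` pool is never flagged because it has `ignore '1'`: its clients get address and DNS from the main router, which is why the plain dumb AP worked before the guest network was added.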

Hello mopsza,

The DHCP and DNS screenshot show no populated fields on my config.
Yet, somehow, the plain dumb AP configuration without Guest, has provided internet access.

If it could be of help, I can factory default the test unit, create a dumb AP and post the configuration.

LE. Just seen your edited post and my thoughts are identical.
The lan interface, being in the same subnet with main router, will place all clients (through DHCP) in same subnet and benefit from DHCP DNS service.

Thank you for taking your time to further analyze this situation.

Yeah :slight_smile: Riddle solved. All explained, no mysteries left.
Thank you for bringing this issue to sunlight.

I have already edited the dumb AP WiFi Guide,
adding a section where one shall check if a DNS forwarding on the AP System does exist.

Peter analyzed the problem blazing fast & found a solution with the custom DNS.
Having a standard DNS defined solves the problem as well and maybe also avoids other / future problems.

radunre, thx again for your contribution! mopsza

I've been meaning to get back to this... sorry for the delay.

Thanks @mopsza for your edits to the wiki.
Some thoughts about your updates...

  1. The guide overall has some inconsistencies for the upstream network -- 192.168.1.0/24 vs 192.168.0.0/24 -- in both the text descriptions and the screenshots. This might lead to some confusion.
  2. The DNS forwardings method is fine and valid, but I personally prefer to put the DNS into the lan interface definition... it's possibly splitting hairs here, but the dns forwardings in the dnsmasq service are 'automatically' determined when the upstream network has DNS defined; including it in the lan interface is useful for that reason and for readability.
  3. DNS forwardings (and/or inclusion in the lan interface definition) is only generally necessary when the lan address is set via static IP. In the screenshots, the lan interface uses DHCP which normally means that the upstream DHCP server will provide DNS server information.
  4. A bit more explanation about the address used in the DNS forwardings (or DNS in the lan interface definition) could be useful to ensure that people understand that they may need to adapt to their own network (it does hint, but could be more explicit) and that they can alternatively use a public DNS server.

So, yes... clearly the missing DNS situation was an oversight in the previous iteration of the wiki page... but it would be useful to make sure that the text and screenshots are consistent and to make the options (and potentially required adaptations) more clear.

Other than those comments (maybe 'nit-picks' :wink: ), honestly a very good and useful update. Thank you!!

2 Likes

Hi Peter,
Very useful insights, thank you.
I think I understand all inputs and will put them into the guide.

A little bit incredible that we all have not seen the DNS issue. In my case .. I came from a static lan main router config and had the standard dns value already put in the standard dns config.

Thx
Regards
J

1 Like

Hi,
I updated the LuCI screenshot guide regarding dumb AP + GUEST.

  • All dumb AP screenshots with LAN configuration visible now show a static setting, with dumb AP LAN IP 192.168.1.2
  • All IP addresses in screenshots and text are now OpenWrt standard.
  • DNS server setting added, using "custom dns" in the interface configuration
  • Added a little more info in the DNS section, making clear that OpenWrt normally uses main router 192.168.1.1 as DNS server, but e.g. 1.1.1.1 can be used as well.

In some far away future .. this dumb AP + Guest Network guide will be very good :wink:

thx again to everybody who contributes :slight_smile: