Guest wifi and adguard-home on 25.12

Hi,
On my MT6000, on 24.10, I managed to have adguard-home working + isolated guest wifi (with no LAN access and custom DNS 9.9.9.9).
On 25.12, I had to start from scratch. I created the guest wifi and then installed adguard-home, following the Adguard-home tutorial and the Guest wifi using LuCI tutorial.

I thought everything was working, but I realised I had no internet access on the guest network. I added the line in DHCP as mentioned in the guest wifi tutorial, with no change.

I read on this topic that guest wifi must be created after adguard-home. That didn't change anything.

I compared my conf files from 25.12 and from 24.10, and couldn't find what's different. So I don't really understand what to do.

Can someone lead me in the right direction?

Thanks!

Is the guest LAN subnet added to the AGH config (or simply use 0.0.0.0)?

Since it's a guest wifi, you could point those untrusted devices to an upstream DNS, like 8.8.8.8, using option 6 from the old thread.

Adguard-home is bound to 0.0.0.0, yes.

Ok. I keep the 3,192.168.2.1 for the DHCP?

I'm gonna bin all the guest wifi conf and go with the tutorial again (3rd time today), because I cannot even connect this time. I'll try with 6,8.8.8.8 in DHCP.

How is the guest network setup (I didn't check the tutorial)? VLAN? Is it allowed to access the DNS? If not, maybe use something along the lines of /etc/config/firewall:

config rule
	option name 'Allow guest DHCP and DNS'
	option src 'guest'
	option dest_port '53 67 68 853'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

To eliminate any doubts, I prefer to specify each IP range in AGH's bind_hosts: explicitly.

And, of course, don't forget to add AGH to option 6, as per the above post.

Edit: perhaps it's easier if you shared all the relevant configs here. Don't forget to anonymize any secrets.

Ok, I just recreated my guest wifi, and I cannot connect; my device doesn't receive an IP.

  • Router is behind ISP box (192.168.1.254)
  • Router IP is 192.168.0.1
  • Lan is 192.168.0.0/24
  • There's a wireguard server with clients on 10.8.0.0/24
  • Guest network is 192.168.3.0/24

Here is my conf:

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	option noresolv '1'
	list interface 'guest'
	list interface 'lan'
	list interface 'wan'
	list interface 'wan6'
	list interface 'wg0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_preference 'medium'
	list dhcp_option '3,192.168.0.1'
	list dhcp_option '6,192.168.0.1'
	list dhcp_option '15,lan'
	list dns 'fdcb:6c6d:bd7b::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Webserver-443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.0.11'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Webserver-80'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.0.11'
	option dest_port '80'

config rule
	option src 'wan'
	option name 'Allow-51820'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'wgserver'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wgserver'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53-54'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'


network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004bf7c66ef14ab4f62869db8e9bdcb5f47'
	option ula_prefix 'fdcb:6c6d:bd7b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.0.1/24'
	option multipath 'off'
	list dns '192.168.0.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'wg0'
	redacted

config wireguard_wg0
	redacted

config wireguard_wg0
	redacted

config device
	option type 'bridge'
	option name 'guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option multipath 'off'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option cell_density '0'
	option country 'FR'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option cell_density '0'
	option country 'FR'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'psk2'
	option key 'redacted'
	option network 'lan'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'psk2'
	option key 'redacted'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'sae'
	option key 'redacted'
	option ocv '0'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'sae'
	option key 'redacted'
	option ocv '0'

extract of adguardhome.yaml

http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.0.1:8083
  session_ttl: 720h
users:
  - name: redacted
    password: redacted
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]9.9.9.9'
    - '[/pool.ntp.org/]149.112.112.112'
    - '[/pool.ntp.org/]2620:fe::fe'
    - '[/pool.ntp.org/]2620:fe::9'
    - tls://unfiltered.joindns4.eu
    - tls://ns0.fdn.fr
    - tls://ns1.fdn.fr
    - https://dns10.quad9.net/dns-query
    - https://unfiltered.joindns4.eu/dns-query
    - https://ns0.fdn.fr/dns-query
    - https://ns1.fdn.fr/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 86.54.11.100
    - 86.54.11.200
    - 2a13:1001::86:54:11:100
    - 2a13:1001::86:54:11:200
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients:
    - 192.168.0.0/24
    - 192.168.1.0/24
    - 192.168.3.0/24
    - 10.8.0.0/24
    - 127.0.0.1
    - redacted
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
    - 192.168.0.11/32
  cache_enabled: true
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  cache_optimistic_answer_ttl: 30s
  cache_optimistic_max_age: 12h
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 127.0.0.1:54
    - 192.168.0.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
  pending_requests:
    enabled: true

:worried:

In the dhcp config, you need a line under the guest section:

list dhcp_option '6,192.168.3.1'

This is missing a network assignment to guest.

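As an added example (not code from the thread or from OpenWrt/AdGuard Home), a small Python lint that parses UCI-style dhcp and wireless dumps like the ones posted above and flags the two mistakes identified in the replies: a DHCPv4 pool that hands out no DNS server (option 6) or one the resolver is not bound to, and an AP wifi-iface with no network assignment. The config excerpt is constructed from the thread's dump; parse_uci and lint_guest are my own names.

```python
import re

def parse_uci(text):
    """Return (type, name, {key: [values]}) tuples for each section of a UCI dump."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections

def lint_guest(dhcp_text, wireless_text, bind_hosts):
    """Return findings for the two mistakes from the thread; [] means consistent."""
    findings = []
    for typ, name, opts in parse_uci(dhcp_text):
        if typ != "dhcp" or opts.get("dhcpv4") != ["server"]:
            continue  # only pools that actually serve DHCPv4 matter
        dns = [v.split(",", 1)[1] for v in opts.get("dhcp_option", []) if v.startswith("6,")]
        if not dns:
            findings.append(f"dhcp.{name}: no DHCP option 6, clients get no DNS server")
        elif "0.0.0.0" not in bind_hosts and not set(dns) <= set(bind_hosts):
            findings.append(f"dhcp.{name}: option 6 {','.join(dns)} not among resolver bind_hosts")
    for typ, name, opts in parse_uci(wireless_text):
        if typ == "wifi-iface" and opts.get("mode") == ["ap"] and "network" not in opts:
            findings.append(f"wireless.{name}: AP '{opts.get('ssid', ['?'])[0]}' has no network assignment")
    return findings

# Constructed excerpt of the dhcp and wireless sections posted in the thread.
DHCP = """config dhcp 'lan'
	option dhcpv4 'server'
	list dhcp_option '3,192.168.0.1'
	list dhcp_option '6,192.168.0.1'
config dhcp 'guest'
	option dhcpv4 'server'
"""
WIRELESS = """config wifi-iface 'wifinet2'
	option mode 'ap'
	option ssid 'guest'
	option network 'guest'
config wifi-iface 'wifinet3'
	option mode 'ap'
	option ssid 'guest'
"""
```

Run it against `uci export dhcp` and `uci export wireless` output, passing AGH's `dns.bind_hosts` list as the third argument; an empty result means the guest pool advertises a resolver that is actually listening and every AP is attached to a network.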

That's on me. Thanks.

Yes. Thanks.

So, it's now working, even if I'm pretty sure that I tested those options before with no luck.

I'll check which DNS the clients are using, as it's not clear to me. But everything is working and it was trivial :expressionless_face:

Thanks for your time and attention :folded_hands:
