Guest wifi and Vlans have no internet access

Hello Forum, I’m a novice with LEDE, so I’m hoping maybe one of the more skilled members could lend their expertise here.
I have set up a single Linksys 1900acs with each port on its own vlan. So I have the primary lan (which I'll call lan1) and 3 other vlans (lan2, lan3, lan4) for the remaining ports. I'm trying to keep each vlan from being able to access the others. I also have 2 guest wireless networks that I want to keep from accessing any of the vlans, or each other.
The vlans and the guest wireless networks “almost work”.
Each vlan and guest wireless are unable to access the other, and each hands out addresses from its own DHCP scope.
NOTE: Actually, lan1 can access all the others. I use this port only for router configuration.
The guest wireless networks can be seen and connected to via a laptop... So far, so good.
The problem I have is that the vlans (except for the lan1 port) and the wireless cannot access the internet.
I can get them to work, if I change the firewalls for each vlan network to “In>ACCEPT Out>ACCEPT Forward>REJECT.”
I currently have them set as follows:
LAN1= In>ACCEPT Out>ACCEPT Forward>REJECT
LAN2= In>REJECT Out>ACCEPT Forward>REJECT
LAN3= In>REJECT Out>ACCEPT Forward>REJECT
LAN4= In>REJECT Out>ACCEPT Forward>REJECT
GUEST WIFI 1 = In>REJECT Out>ACCEPT Forward>REJECT
GUEST WIFI 2 = In> REJECT Out>ACCEPT Forward>REJECT
DNS is currently coming from the ISP, and rules are set to allow DHCP and DNS traffic on each interface.
Is there a way to keep the vlans and wireless from accessing one another, and still get internet access?
Everything I've searched on guest wireless networks recommends that the firewall be set as above, but as I mentioned, this seems to result in no internet access.
Again, this is also how I have set up the lan2, lan3, lan4 firewalls. Please forgive the long, convoluted post. If this makes any sense at all, your suggestions would be greatly appreciated.

Thank you very much.

Yes, it seems you have it set correctly.

Did you allow those firewall zones to Forward to zone WAN???

Wow, that was quick. Thanks for the reply. Yes, I have each of these zones forwarding to the wan zone.

If you redid the WAN, did you re-enable masquerade?

Thanks @lleachii again for taking time here... I haven't done anything with the WAN. I have only created the vlans and guest wifi and tried to configure them the best I could. Obviously I'm missing something or doing something wrong...

If you created a VLAN2, you did mess with the WAN. WAN is VLAN 2 on your OpenWrt device by default. Also, something seems quite odd regarding your ability to access the other LANs.

Please paste your /etc/config/network and /etc/config/firewall (please use the code bracket "</>" above).

You must create configs in the following locations:

  • Interfaces to make new physical VLANs
  • Switch to add them to the physical LAN ports
  • Firewall to config INPUT, OUTPUT and FORWARD rules
  • Wireless to add SSIDs to the new Interfaces

You will have to forgive my ignorance, but how do I use the code bracket "</>" to paste the config files? I'm sorry, I don't know the correct procedure for pasting files to the post. I'm just a dummy.

There is a WYSIWYG editor when you reply:

  • paste the requested codes (/etc/config/network and /etc/config/firewall)
  • highlight them with your mouse or pointer
  • then hit the button that looks like: </>

Simply paste the code so we can see it and help you, that's all...

NETWORK

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8a:f2eb:ebb6::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.1'
	option ipaddr '10.0.10.10'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '2 5t'

config interface 'lan2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'
	option ipaddr '10.0.20.20'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '1 5t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '5'
	option ports '0 5t'

config interface 'lan3'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.4'
	option ipaddr '10.0.30.30'

config interface 'lan4'
	option proto 'static'
	option ifname 'eth0.5'
	option netmask '255.255.255.0'
	option ipaddr '10.0.40.40'

config interface 'wlan2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.5'

config interface 'wlan5'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.50.50'

FIREWALL

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option src_port '68'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'lan2'
	option proto 'udp'
	option name 'lan2 DHCP'
	option src_port '67-68'
	option dest_port '67-68'

config rule
	option target 'ACCEPT'
	option name 'lan2 DNS'
	option src 'lan2'
	option src_port '53'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option src 'lan3'
	option name 'lan3 DHCP'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'

config rule
	option target 'ACCEPT'
	option src 'lan3'
	option name 'lan3 DNS'
	option src_port '53'
	option dest_port '53'
config rule
	option target 'ACCEPT'
	option src 'lan4'
	option name 'lan4 DHCP'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'

config rule
	option target 'ACCEPT'
	option src 'lan4'
	option name 'lan4 DNS'
	option src_port '53'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option src 'wlan2'
	option name 'wlan2 DHCP'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'

config rule
	option target 'ACCEPT'
	option src 'wlan2'
	option name 'wlan2 DNS'
	option src_port '53'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option src 'wlan5'
	option name 'wlan5 DHCP'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'

config rule
	option target 'ACCEPT'
	option src 'wlan5'
	option src_port '53'
	option dest_port '53'
	option name 'wlan5 DNS'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'lan2'
	option output 'ACCEPT'
	option network 'lan2'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan2'

config zone
	option name 'lan3'
	option output 'ACCEPT'
	option network 'lan3'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan3'

config zone
	option name 'lan4'
	option output 'ACCEPT'
	option network 'lan4'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan4'

config zone
	option name 'wlan2'
	option output 'ACCEPT'
	option network 'wlan2'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'wlan2'

config zone
	option name 'wlan5'
	option output 'ACCEPT'
	option network 'wlan5'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'wlan5'

WIRELESS

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'US'
	option legacy_rates '1'
	option htmode 'VHT80'
	option channel '36'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'LEE'
	option macaddr '########'
	option encryption 'psk2+ccmp'
	option key '########'
	option network 'lan'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option country 'US'
	option legacy_rates '1'
	option htmode 'HT20'
	option channel '6'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'LE'
	option macaddr '########'
	option encryption 'psk2+ccmp'
	option key '########'
	option disabled '1'
	option isolate '1'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key '########'
	option network 'wlan2'
	option ssid 'OP'
	option isolate '1'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'LII'
	option encryption 'psk2+ccmp'
	option key '########'
	option network 'wlan5'
	option isolate '1'

@ddphibes,

PLEASE USE THE CODE BOXES AS REQUESTED NEXT TIME!!!

Do you have 2 interfaces in your device?

If not, this is wrong. eth1 refers to a second network card.

Yeah, I'm sorry, I'm working from a different router, so I pasted the config files I had saved to my computer.

Again, my apologies. I am new to this, including the forum. I don't want to go against normal procedures or irritate anyone. Thanks for the tip.
As far as eth1.2, that is the WAN interface. eth0.1, eth0.3, eth0.4 and eth0.5 are the vlan interfaces.

OK, you've edited your posts to include them in code boxes.

A portion of the Network config is gone that shows the Switch.

These Interfaces do not specify a phy (option ifname). Are you using the web GUI or are you entering configs on the command line?

Have you tried the web GUI?

Usually people add WiFi to a bridge, and connect the bridge to a VLAN.

I mostly use the Web GUI, but will occasionally make a manual modification. I was able to access the internet from wlan2, but I did have to change the firewall to accept incoming traffic. By the way, credit where credit is due: it appears someone named @tmomas fixed my messed-up paste job.


I'll be honest, I'm confused at your naming conventions. In addition, you didn't answer my question.

Can you access Internet from WLAN5 (as they appear to be configured the same)?

Provide a list of which LANs/WiFis have and don't have Internet access at this time.

Setting input to reject is the correct thing to do, but it will also block DHCP and DNS requests to the router. Make sure you whitelist those. A GUI explanation can be found here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface
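A small audit script for the whitelist point in the reply above, added here as an example and not taken from the thread or from OpenWrt itself: it parses UCI firewall text and reports, for every zone with input REJECT, whether a usable DHCP and DNS accept rule exists. One trap it catches is the src_port '53' on the DNS rules in the posted config: a client's DNS query comes from an ephemeral source port, so a rule that also requires source port 53 never matches and DNS to the router stays blocked. The sample config below is constructed for the example; it mirrors the thread's rule style but is not the thread's file.

```python
import re
# Constructed sample, not the thread's file: wlan2 pins DNS to src_port 53 (client queries never have it); wlan5 is correct.
SAMPLE = """
config zone
    option name 'wlan2'
    option input 'REJECT'
config rule
    option target 'ACCEPT'
    option src 'wlan2'
    option src_port '53'
    option dest_port '53'
config zone
    option name 'wlan5'
    option input 'REJECT'
config rule
    option target 'ACCEPT'
    option src 'wlan5'
    option dest_port '53'
config rule
    option target 'ACCEPT'
    option src 'wlan5'
    option proto 'udp'
    option src_port '67-68'
    option dest_port '67-68'
"""

def parse_uci(text):
    sections = []  # list of (section_type, {option: value}) in file order
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def audit(text):
    """Per input-REJECT zone, list which of dns/dhcp still lacks a usable INPUT accept
    rule. A rule without 'dest' lands in the zone's INPUT chain (traffic to the router)."""
    secs = parse_uci(text)
    inputs = [s for t, s in secs if t == "rule" and s.get("target") == "ACCEPT" and "dest" not in s]
    report = {}
    for z in (s["name"] for t, s in secs if t == "zone" and s.get("input") == "REJECT"):
        served = set()
        for r in (r for r in inputs if r.get("src") == z):
            if r.get("dest_port") == "53" and "src_port" not in r:
                served.add("dns")   # proto unset means tcp+udp in fw3, fine for DNS
            if r.get("proto") == "udp" and r.get("dest_port") in ("67", "67-68"):
                served.add("dhcp")  # client sends 68 -> 67, so src_port 67-68 still matches
        report[z] = sorted({"dns", "dhcp"} - served)
    return report
```

Run `audit(open('/etc/config/firewall').read())` on the router (or on a saved copy) and any zone that reports "dns" or "dhcp" is one whose clients will get an address or a resolver but not both.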