Guest WiFi devices can't ping ISP modem/router, only WiFi AP

So I have the same problem as the endless list of posts regarding Guest WiFi which assigns an IP but can't access the internet. But as far as I can tell, my configuration matches the recommended solutions in those posts.

I have an OpenWrt AP set up behind my ISP's main modem/router. The AP is 192.168.1.1, and the ISP router is 192.168.1.254.

My LAN devices are all set up on the 192.168.1.x subnet, and everything works fine for those devices.

I set up a separate interface, subnet (192.168.10.x), and firewall zone for guest (followed this guide). I then also followed this to compare my config to the recommended config. I could not spot any differences that would explain what's happening.

But still any device on the guest network is unable to ping my ISP router (192.168.1.254). Devices are able to get DNS queries through (i.e. ping www.google.com finds the right IP), but if I try to ping the ISP router or 8.8.8.8, I get a response from 192.168.10.1 (AP address for the guest network) that "Destination Port Unreachable". I tried adding a firewall rule to the guest zone to allow ICMP traffic, but that had no effect.

Can someone please help?

root@DLink2640:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Guest DNS'
firewall.@rule[10].dest_port='53'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='guest'
firewall.@rule[11]=rule
firewall.@rule[11].name='Guest DHCP'
firewall.@rule[11].src='guest'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src_port='68'
firewall.@rule[11].dest_port='67'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='guest'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wan'
root@DLink2640:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fd15:acc5:65f2::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.gateway='192.168.1.254'
network.lan.dns='192.168.1.254'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.guest=interface
network.guest.proto='static'
network.guest.device='wlan0-1'
network.guest.ipaddr='192.168.10.1'
network.guest.netmask='255.255.255.0'

Follow this guide.


This is a dumb AP with locally routed guests. The WAN network is unused. So you're locally routing guests from guest to lan. For this to work properly, masquerade must be enabled on lan.

I run a lot of such installations. My recent philosophy has been to connect the upstream network as wan instead, and open ports in the firewall for administration from that side. Then the same general setup of the guest network applies whether the wan side is operated routed (because it is a wifi client) or bridged (a wired connection).


The primary difference between the guide you provided and the ones I followed is that the one I followed told me to forward "guest" to "wan". It seemed to make sense, as the whole point is to keep the guests off of my LAN.

I've now configured "guest" to forward to "lan", and it is operational. I'm a little confused because I thought we wanted to keep guest traffic out of the LAN zone entirely, but that's because I don't really know how all of this works. I added the firewall rule to block guest access to the LAN zone, and it appears to be working.

Thank you for your help.
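The "Destination Port Unreachable" reply from 192.168.10.1 in the original post is what OpenWrt's REJECT target sends back for IPv4: on a dumb AP the ISP router and the internet are both reached through the lan interface (the one carrying the static default gateway), so a guest-to-wan forwarding never matches and guest-to-lan traffic hits the zone's default REJECT. The script below is an added example, not code from the thread or from OpenWrt: it parses `uci show` output and flags the three things the replies above turn on (guest must forward to the zone that holds the upstream interface, that zone must masquerade, and a REJECT/DROP rule with a `dest_ip` must keep guests off the private LAN subnet). The "upstream is the interface with a static gateway" heuristic, the sample configs (the thread's own values plus an assumed corrected version), and the `Block-Guest-to-LAN` rule name are assumptions of this example.

```python
"""Check an OpenWrt dumb-AP guest-network config for the mistakes discussed in the thread:
guest forwarded to an unused 'wan' zone, no masquerading on the zone that actually
carries the upstream gateway, and no rule keeping guests off the private LAN."""
import re

# Constructed sample 1: the thread's original config, trimmed to the lines the check reads.
BROKEN = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].network='guest'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='guest'
firewall.@forwarding[0].dest='wan'
network.lan=interface
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.1.254'
network.guest=interface
network.guest.ipaddr='192.168.10.1'
"""

# Constructed sample 2: an assumed corrected config following the dumb-AP advice
# (forward guest -> lan, masquerade on lan, reject guest traffic aimed at the LAN subnet).
# Line order does not matter to the parser, so the extra options are simply appended.
FIXED = BROKEN.replace("firewall.@forwarding[0].dest='wan'",
                       "firewall.@forwarding[0].dest='lan'") + """\
firewall.@zone[0].masq='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Block-Guest-to-LAN'
firewall.@rule[0].src='guest'
firewall.@rule[0].dest='lan'
firewall.@rule[0].dest_ip='192.168.1.0/24'
firewall.@rule[0].target='REJECT'
"""


def parse_uci(text):
    """Turn `uci show` output into {'config.section': {option: [values]}}.
    The section type (the `config.section=type` line) is kept under the pseudo-option '.type'."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, raw = line.partition('=')
        parts = key.split('.')
        if len(parts) == 2:                                   # config.section=type
            cfg.setdefault(key, {})['.type'] = raw
        elif len(parts) == 3:                                 # config.section.option='a' 'b' ...
            cfg.setdefault('.'.join(parts[:2]), {})[parts[2]] = re.findall(r"'([^']*)'", raw)
    return cfg


def sections(cfg, config, stype):
    """All sections of one type from one config file (e.g. every firewall zone)."""
    return [s for k, s in cfg.items() if k.startswith(config + '.') and s.get('.type') == stype]


def upstream_zone(cfg):
    """Assumption: on a dumb AP the upstream is the interface that carries a static default
    gateway. Return the name of the firewall zone containing that interface, or None."""
    for k, s in cfg.items():
        if k.startswith('network.') and s.get('gateway'):
            iface = k.split('.')[1]
            for z in sections(cfg, 'firewall', 'zone'):
                if iface in z.get('network', []):
                    return z['name'][0]
    return None


def check_guest(cfg, guest='guest'):
    """Return a list of findings; an empty list means the config passes all three checks."""
    findings = []
    up = upstream_zone(cfg)
    if up is None:
        return ['cannot find the zone holding the interface with the default gateway']
    # 1. guest traffic has to be forwarded into the zone that really leads upstream
    dests = [f['dest'][0] for f in sections(cfg, 'firewall', 'forwarding') if f['src'][0] == guest]
    if up not in dests:
        findings.append(f"'{guest}' forwards to {dests or 'nothing'}, but upstream is reached via zone '{up}'")
    # 2. that zone must masquerade, otherwise replies are sent to a subnet the ISP router does not know
    upz = next(z for z in sections(cfg, 'firewall', 'zone') if z['name'][0] == up)
    if upz.get('masq', ['0'])[0] != '1':
        findings.append(f"zone '{up}' has no masq=1; the guest subnet would leave unmasqueraded")
    # 3. a REJECT/DROP rule limited by dest_ip keeps guests off the private LAN without
    #    blocking the internet path that now runs through the same zone
    blocked = any(r.get('src', [''])[0] == guest and r.get('dest', [''])[0] == up
                  and r.get('target', [''])[0] in ('REJECT', 'DROP') and r.get('dest_ip')
                  for r in sections(cfg, 'firewall', 'rule'))
    if not blocked:
        findings.append(f"no REJECT/DROP rule with a dest_ip keeps '{guest}' off the LAN subnet behind '{up}'")
    return findings


if __name__ == '__main__':
    for label, text in (('thread config', BROKEN), ('corrected config', FIXED)):
        print(f"{label}: {check_guest(parse_uci(text)) or 'OK'}")
```

On a live AP the same check can be fed `uci show firewall; uci show network` instead of the embedded samples; the thread's config produces all three findings, the corrected one none.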

So the guide you originally used only works on the router, not on a dumb AP. Maybe a disclaimer/note should be added in https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface to point to the dumb AP guest network guide for dumb APs https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.