Guest WiFi often fails to let clients connect

Dear all,
I installed OpenWRT weeks ago and I still can't solve one problem: sometimes devices fail to connect to my guest network. 90% of the time a router reboot solves the issue, but it comes back in less than a day.

I have enabled guest WiFi with firewall rules, and I also have AdGuardHome installed on the router as my DNS resolver.

Which config file should I post in order to help troubleshoot the issue?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

This post provides a template for setting up a WiFi gateway router with guest and IoT networks. The post preceding the linked one, and the posts it links to, provide some more examples for more complicated arrangements. One of these examples may help you get your setup working.


Thank you, here are the configs. I have to mention that I installed AdGuardHome using opkg and it successfully moved dnsmasq to port 54 so that it could use port 53 itself. My main network uses 192.168.93.x and my guest network uses 192.168.92.x, because I am behind an ISP modem/router which provides internet to the neighbourhood. This is the reason for not using the default 192.168.1.1.

My main network works perfectly with AdGuard and there are no connection issues whatsoever. The Guest network also works with AdGuard (when it works, other times it struggles to make clients connect).

/etc/config/network

# /etc/config/network as posted: loopback, a LAN bridge over three switch
# ports, IPv4/IPv6 uplinks on 'wan', and a separate 'guest' subnet.

# Loopback interface (127.0.0.1/8).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6b:44c5:b7ac::/48'

# Bridge device joining the three Ethernet LAN ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# Main network: router is 192.168.93.1/24 on br-lan.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.93.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# IPv4 uplink via DHCP from the upstream ISP modem/router.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	# peerdns '0': DNS servers offered by the upstream DHCP server are not used.
	option peerdns '0'

# IPv6 uplink; upstream-advertised DNS is ignored and two fixed resolvers are set.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option dns '2620:fe::fe 2620:fe::9'
	option peerdns '0'

# Guest network: router is 192.168.92.1/24.
# NOTE(review): there is no 'option device' in this section, although two
# wifi-ifaces (wifinet4 on radio1, wifinet5 on radio2) attach to 'guest'.
# The reply further down the thread identifies the missing bridge device as
# the cause of the intermittent connection failures.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.92.1'
	option netmask '255.255.255.0'

/etc/config/wireless

# /etc/config/wireless as posted: three radios; 'Main' SSID on radio1/radio2
# bound to 'lan', guest SSIDs bound to 'guest'. Keys were redacted by the poster.

# radio0 (2.4 GHz) is switched off via 'option disabled'.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '3'
	option band '2g'
	option txpower '18'
	option cell_density '0'
	option disabled '1'

# radio1: 5 GHz, automatic channel, HE160.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option channel 'auto'
	option band '5g'
	option htmode 'HE160'
	option cell_density '0'
	option country 'IT'
	option txpower '17'

# Main SSID on 5 GHz, attached to the trusted 'lan' network.
# 'sae-mixed' is WPA2-PSK/WPA3-SAE transition mode: clients that negotiate
# WPA2 get WPA2-level protection only.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Main'
	option encryption 'sae-mixed'
	option key '****************'

# radio2: 2.4 GHz, channel 9, HE40.
config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option channel '9'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'
	option country 'IT'
	option txpower '18'

# Main SSID on 2.4 GHz, attached to 'lan'.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'Main'
	option encryption 'sae-mixed'
	option key '*********'

# Guest SSID on 2.4 GHz (radio2), attached to 'guest'.
# isolate '1' stops clients of this AP interface from talking to each other.
config wifi-iface 'wifinet5'
	option device 'radio2'
	option mode 'ap'
	option ssid 'SSID2'
	option encryption 'sae-mixed'
	option isolate '1'
	option key '************'
	option network 'guest'

# Guest SSID on 5 GHz (radio1), attached to 'guest'.
# NOTE(review): unlike wifinet5 there is no 'option isolate' here, so client
# isolation is not requested for guests on this radio. If guests should not
# reach each other, set it on both guest interfaces. Per-AP isolation
# presumably does not cover traffic crossing between the two radios once they
# share a bridge - verify.
config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'SSID2'
	option encryption 'sae-mixed'
	option key '************'
	option network 'guest'

# Disabled guest SSID on radio0 (the radio itself is disabled as well).
# NOTE(review): 'psk-mixed' permits legacy WPA alongside WPA2; if this
# interface is ever re-enabled, a WPA2-or-newer mode is the safer choice.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SSID'
	option encryption 'psk-mixed'
	option key '************'
	option network 'guest'
	option disabled '1'

/etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq moved off port 53 (the poster runs
# AdGuardHome there), DHCP pools for 'lan' and 'guest'.

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# rebind_protection '0' turns off dnsmasq's DNS-rebinding filter (dropping
	# upstream answers that point into private address ranges).
	# NOTE(review): confirm this is intended and whether the resolver that
	# clients actually query provides an equivalent protection.
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	# dnsmasq answers DNS on port 54; per the poster, AdGuardHome owns port 53.
	option port '54'
	# noresolv '1' + the single 'server' entry: dnsmasq ignores resolv files and
	# forwards only to 192.168.93.1 (presumably AdGuardHome on port 53 - confirm).
	option noresolv '1'
	option dnsforwardmax '1024'
	list server '192.168.93.1'

# DHCP pool for the main network: .100 upward, 150 addresses, 24h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '24h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'
	# DHCP option 6 = DNS server, option 3 = default gateway; both are set
	# explicitly to the router's LAN address.
	list dhcp_option '6,192.168.93.1'
	list dhcp_option '3,192.168.93.1'
	# NOTE(review): '::1' is the IPv6 loopback address. If this list is what gets
	# announced to clients as their IPv6 DNS server, each client would be pointed
	# at itself - verify it was not meant to be the router's LAN IPv6 address.
	list dns '::1'

# No DHCP service on the wan interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# DHCP pool for the guest network: .5 upward, 240 addresses, 24h leases.
# No dhcpv6/ra options are set here, which matches the poster's later
# observation that the guest network has no IPv6.
config dhcp 'guest'
	option interface 'guest'
	option start '5'
	option limit '240'
	option leasetime '24h'
	# Guests are handed the router's LAN-side address (192.168.93.1) as DNS
	# server. That address belongs to the router itself, so the queries are
	# router input from the 'guest' zone and depend on the firewall rule that
	# opens port 53 for guests.
	list dhcp_option '6,192.168.93.1'
	option force '1'

/etc/config/firewall

# /etc/config/firewall as posted: default-deny input/forward, trusted 'lan'
# zone, masqueraded 'wan' zone, and a restricted 'guest' zone.

# Global policy: reject inbound and forwarded traffic unless a zone or rule allows it.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone: everything from 'lan' to the router and between lan hosts is accepted.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Uplink zone: inbound and forwarded traffic rejected, outbound masqueraded.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# lan hosts may reach the uplink.
config forwarding
	option src 'lan'
	option dest 'wan'

# Lets DHCP replies from the upstream server reach the router's DHCP client.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 echo requests arriving from the wan side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types accepted on the router itself from wan, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types forwarded from wan to any zone (dest '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwards IPsec ESP from wan to lan hosts.
# NOTE(review): if no lan host terminates IPsec, this rule and 'Allow-ISAKMP'
# below open inbound paths that are not needed - confirm and consider removing.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forwards IKE (UDP 500) from wan to lan hosts.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: input REJECT means guests reach no router service except what a
# rule with src 'guest' opens; forward REJECT plus the single forwarding to
# 'wan' below means there is no guest -> lan path through the router.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

# Opens router ports 53, 54, 67 and 68 to guests (no 'dest', so this is an
# input rule; no 'option proto', so the firewall's default protocol match
# applies - tcp and udp on stock OpenWrt, confirm).
# NOTE(review): port 54 is where dnsmasq listens in this setup, so guests can
# query it directly and bypass the filtering resolver on 53; 68 is the DHCP
# client port, while the server side is 67. Likely only 53 and 67 (udp for
# DHCP) need to be open - verify before tightening.
config rule
	option name 'Guest DNS DHCP'
	option src 'guest'
	option dest_port '53 54 67 68'
	option target 'ACCEPT'

# Guests may reach the uplink only.
config forwarding
	option src 'guest'
	option dest 'wan'

You are using both radios for your guest network, but your guest network isn't attached to a bridge. I suspect that this is the main problem.

add this:

# Bridge device for the guest network. It has no 'list ports' entries, so no
# Ethernet port joins it; the guest wifi-ifaces are expected to attach through
# their 'option network' setting once the guest interface uses this device.
config device
	option name 'br-guest'
	option type 'bridge'

And then adjust your guest network to use the bridge device

# Guest interface as in the original post, with 'option device' added so the
# network sits on the br-guest bridge; addressing is unchanged.
config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.92.1'
	option netmask '255.255.255.0'

There are other things you might want to re-evaluate, but this should fix the core issue.


I gave myself a few days to test various guest devices and indeed that was the issue! Thank you!
For a newbie like me it wasn't clear what a bridge is and that I have to create a new "device". I followed a few guides for guest networks but haven't come across this concept. Can you confirm that the bridge is needed only because of the two radios? I enabled two radios and gave them the same name so Wi-Fi 6 can be used.

And regarding the other things I might want to re-evaluate, can you give some examples? One thing I have not fully understood is these DHCP settings; are they correct? I know DHCP is responsible for IP address assignment.

config for lan interface

list dhcp_option '6,192.168.93.1'
list dhcp_option '3,192.168.93.1'

config for guest interface, there's only this

list dhcp_option '6,192.168.93.1'

Are these the things I should re-evaluate? Also, I noticed that the guest network does not have IPv6 enabled; is that important?

Yes. If you were only using a single physical interface (one radio or Ethernet), a bridge would not be required. When you use two or more physical interfaces, a bridge is necessary.

I’d recommend removing these. They are not necessary (the router’s address will be provided automatically when you omit these options). And for the guest network, the DNS server it issues will be the guest interface address (192.168.92.1).


I added them after reading some answers here on the forum about guest clients not being able to obtain IP addresses. Also, I need the DNS to be provided by AdGuardHome, which I suppose operates on 192.168.93.1; that's why the option is there for the guest network.

Ah, I see.

Option 3 is the gateway/router address that is advertised via DHCP to the clients. This will always be the local address of your router on that network unless you override it... here you're overriding it with the same local router address, so it shouldn't be required. Option 6 does the same thing for DNS, and again, it shouldn't be required for the lan since it would (by default) send the same address anyway.

On the guest network... you could configure AGH to also listen on 192.168.92.1 and then it wouldn't be necessary to set the option 6 for the guest network. But either way is fine.


I tried removing those two DHCP options from lan; clients connected to WiFi but had no internet, so I put them back :slight_smile:
