Guest wifi has no internet access

Hi,

I'm using 4 routers to setup my network, all are running 21.02.1. One main router and three APs.
.

IMG_39151622×1134 387 KB

The main router provides DHCP, Firewall and DNS services, and DHCP are disabled for all APs LAN interfaces, and gateway points to main router (192.168.0.1)

All APs have been enabled 802.11r and run same SSID as WirelessA, as you can see from the diagram, all APs connect to main router via LAN, the WANs of APs aren't in use, and all APs work well.

Now, I wish to setup a separated guest network using a subnet (192.168.10.1/24) for all my IoT devices on the 2nd AP (AP2) to prevent the local resources access like NAS etc. (which are connected to the main router). I created a new interface in AP2 which enabled DHCP and firewall.

I followed this link to set the Guest Wi-Fi, the major commands are as followings, but I did a little modifiction, changed uci set firewall.guest_wan.dest="wan" to uci set firewall.guest_wan.dest="lan"

# Configure network
uci -q delete network.guest_dev
uci set network.guest_dev="device"
uci set network.guest_dev.type="bridge"
uci set network.guest_dev.name="br-guest"
uci -q delete network.guest
uci set network.guest="interface"
uci set network.guest.proto="static"
uci set network.guest.device="br-guest"
uci set network.guest.ipaddr="192.168.3.1"
uci set network.guest.netmask="255.255.255.0"
uci commit network
/etc/init.d/network restart

# Configure wireless
WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
uci -q delete wireless.guest
uci set wireless.guest="wifi-iface"
uci set wireless.guest.device="${WIFI_DEV}"
uci set wireless.guest.mode="ap"
uci set wireless.guest.network="guest"
uci set wireless.guest.ssid="guest"
uci set wireless.guest.encryption="none"
uci commit wireless
wifi reload

# Configure DHCP
uci -q delete dhcp.guest
uci set dhcp.guest="dhcp"
uci set dhcp.guest.interface="guest"
uci set dhcp.guest.start="100"
uci set dhcp.guest.limit="150"
uci set dhcp.guest.leasetime="1h"
uci commit dhcp
/etc/init.d/dnsmasq restart

# Configure firewall
uci -q delete firewall.guest
uci set firewall.guest="zone"
uci set firewall.guest.name="guest"
uci set firewall.guest.network="guest"
uci set firewall.guest.input="REJECT"
uci set firewall.guest.output="ACCEPT"
uci set firewall.guest.forward="REJECT"
uci -q delete firewall.guest_wan
uci set firewall.guest_wan="forwarding"
uci set firewall.guest_wan.src="guest"

# A little change here, since no wan is in use, change wan to lan
# uci set firewall.guest_wan.dest="wan"
uci set firewall.guest_wan.dest="lan"


uci -q delete firewall.guest_dns
uci set firewall.guest_dns="rule"
uci set firewall.guest_dns.name="Allow-DNS-Guest"
uci set firewall.guest_dns.src="guest"
uci set firewall.guest_dns.dest_port="53"
uci set firewall.guest_dns.proto="tcp udp"
uci set firewall.guest_dns.target="ACCEPT"
uci -q delete firewall.guest_dhcp
uci set firewall.guest_dhcp="rule"
uci set firewall.guest_dhcp.name="Allow-DHCP-Guest"
uci set firewall.guest_dhcp.src="guest"
uci set firewall.guest_dhcp.dest_port="67"
uci set firewall.guest_dhcp.proto="udp"
uci set firewall.guest_dhcp.family="ipv4"
uci set firewall.guest_dhcp.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

The problem is that the connection to guest wifi has no issue, but no internet access. Did I miss anything? Don't very understand this part, any help would be appreciated. Thanks.

Hi. Sorry but i don't have much time to explain in detail now, bellow are some links explain about masquerade (more simple to do, but you will have a double nat situation), or you need to adjust the route table of your network inside "main router" (a more hard to do, but avoid the double nat).

Simple, inside AP2 into firewall you need to tell it to masquerade the output to lan network, open luci, firewall and mark the masquerade option in lan, after allow forward from your guest network to lan.

Any problems let me know and in sunday i try post one step by step.

You should have followed the guide for guest wifi on dumbAP.The basic difference is that you don't have wan on the access points, everything is using the lan interface. Apart from the masquerade that @Tecnolobo mentioned, you'd also want to apply a rule to prohibit guest zone from accessing lan zone, which is mentioned in the guide.

Hi @Tecnolobo @trendy You saved my day! thank you so so much, I finally manage to isolate the guest network from the local access, as you both mentioned, I missed two items,

1. masquerade
2. block guest access to private network

Learnt a lot thank you both again, cheers!

@Tecnolobo Sorry I can't mark both as solution, thank you a lot!

Is ok. @trendy solution are better.

Just to you know, after think a little, another solution are vtag the output of quest network and vtag the input of main router. These way the quest network will be isolated and the main router can send them direct to wan.

This are just another possible solution, this will work with Ipv6 too.

If not wrong, vtag requires the vlan configuration in switch part? Strangely, my AP2 does not have that menu, the main router which is a Netgear R7500 has the switch menu.

image2010×900 47.1 KB

Just check if the missing menu don't have change like this other post.

Yes, you are right, it's there, I just googled that too!

image1874×770 63.2 KB

I'm now struggling with another problem, one of my AP3 always downgrades to 100Mbit/s after a while, I have to switch off and on to get 1000Mbit/s back again, and then after a while it drops to 100Mbit/s again... as a comparison, AP1 which has the exact hardware specs has no such a problem,

This from the main router, LAN2 is for the AP3

Screenshot 2021-11-20 at 11.42.43 AM2106×938 99.5 KB

And the overall internet speed drops a lot, I might need to post the problem in another thread.

First, for one test just switch one for another, and check if the speed drop, if so, maybe your problem are related to bad wire. If don't drop maybe one hardware or connector problems.

I made few round tests and found that the cables might have no issue, but I have to use the first port (lan 1) of the AP to connect to main router, for other ports it drops to 100mbps after a while, AP1 was connected to the first port so there was no problem with it, I have switched all to port 1 and have tested for about half an hour, as far the speed for all routers are back, will keep an eye on if it will drop again.

So the conclusion at this moment is, for Linksys EA7500 V2, wire to port 1 if you use it as an AP.

So for vtag stuff, sounds a little simpler, I need to read some more docs about VLAN, just wonder with the vtag is that I just need to filter out those unwanted data traffic with certain tags in firewall? is there any step-by-step tutorial for similar scenarios? is it more efficient?

With vlan you can create guests network in the 3 ap and connect them together into the same network in the main router, will be like a separate network, they only share the same cable with lan, without merge with it.

You can let the main router delivery the dhcp and do the firewall rules simplify your network management.

Just one example

163741960582869081807362641134261135×1080 120 KB

After that create the guest interface into accesspoint, bridge with the tagged network, disable the dhcp and create the firewall rule to dont allow forward.

inside the main router, create the guest interface connected to tagged network, and create firewall rule to forward only to wan.

In a vlan based dumbAP there is no firewall running and would have no effect anyway, since the dumbAP is not routing between the vlans anyway.

Thanks for the advice.

But the use of vtag to create the "guest network" separately.
If these solution are used, the accesspoints and the main router will have reference and access to more than one network.

If the firewall on AP will be used or not in my point of view, noting bad will happen if are set and the guest network be put in another firewall zone.

Like my father say, better be sure, than be sorry.

No, the dumbAPs will not have reference nor access to more than one network. The protocol used for the non-management interface is unmanaged, therefore it doesn't have an IP.
Furthermore, packets traversing the dumbAP from the guest SSID to the vlan tagged port technically cannot hit the firewall, as it is a bridge.

Now I understand, thanks.

My bad.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.