Guest Wifi has no internet when the WAN port is turned into a LAN port

I'm trying to get a guest wireless network over the LAN port to work, using this guide and others: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

I thoroughly followed this thread (which is already closed) for troubleshooting, but with no success:

It does work over the WAN port, though; I need to make it work over the LAN port.
I'd appreciate creative ideas on how to troubleshoot this and make it work.

Let’s see your configs.

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks. I'm resetting and will send it again.

I started fresh; the entire configuration is enclosed below.
Devices can get an IP address, yet can't access the internet.
I'd appreciate ideas, since I've tried various things without success.


/etc/config$ cat /etc/config/network

# /etc/config/network as posted: dumb-AP layout with eth0.1 bridged as lan and
# eth0.2 as wan (switch VLAN 1 = ports 0 1, VLAN 2 = port 4, CPU port 6 tagged).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4b:f62a:1999::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.5'
	# NOTE(review): no 'gateway' option here. With the uplink plugged into a lan
	# port, traffic forwarded from the guest network has no default route off
	# this box; the fix given later in the thread is to add the upstream
	# router's address (likely 192.168.1.1) as the gateway of this interface.

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

# Guest network: no 'device' option; the AP with "option network 'Guest'" in
# /etc/config/wireless is what attaches to this interface.
config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '1.1.1.1'

/etc/config$ cat /etc/config/wireless

# /etc/config/wireless as posted.
# NOTE(review): both APs use encryption 'none', i.e. open networks. radio0 is
# disabled below, but the 'Guest' SSID on radio1 is live and open, and the
# Guest_FW -> lan forwarding in /etc/config/firewall lets its clients reach the
# 192.168.1.0/24 LAN until the guide's block rule for that destination is in
# place (discussed later in the thread). Set a WPA2/WPA3 key (e.g. encryption
# 'psk2' or 'sae') before leaving this configuration running.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

# Bridged to the lan network; disabled together with radio0 above.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/10180000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# Guest AP: attaches to the 'Guest' interface in /etc/config/network.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'Guest'
	option network 'Guest'

/etc/config$ cat /etc/config/dhcp

# /etc/config/dhcp as posted (dnsmasq + odhcpd).
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# lan pool: 'ignore 1' turns the DHCPv4 server off on lan, consistent with the
# upstream router serving that subnet. NOTE(review): whether the dhcpv6/ra
# 'server' entries below still take effect alongside 'ignore' on this build is
# worth confirming — TODO.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest pool: 15 addresses starting at host offset 10 (192.168.2.10-.24 on this
# /24), 12h leases. This is the pool the poster says clients do get leases from.
config dhcp 'Guest'
	option interface 'Guest'
	option leasetime '12h'
	option start '10'
	option limit '15'

/etc/config$ cat /etc/config/firewall

# /etc/config/firewall as posted.
# Global policy; the wan and Guest_FW zones below override input to REJECT.
config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option input 'ACCEPT'

# NOTE(review): no 'option masq' on this zone. Because the uplink sits on a lan
# port, the thread's fix enables masquerading here so guest traffic leaves as
# 192.168.1.5 towards the upstream router.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: input REJECT with DHCP and DNS opened by the two rules below.
# NOTE(review): 'masq' on a zone applies to traffic leaving through that zone's
# interfaces (towards guest clients); it does not NAT guest -> lan traffic,
# which is why masquerading is needed on the lan zone instead.
config zone
	option name 'Guest_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'Guest'

# NOTE(review): this forwarding gives open-wifi guests full access to the
# 192.168.1.0/24 LAN, not just the internet. The guide's block rule (src
# 'Guest_FW', dest 'lan', dest_ip '192.168.1.0/24', target 'REJECT') is what
# isolates guests from LAN hosts; it is discussed later in the thread.
config forwarding
	option src 'Guest_FW'
	option dest 'lan'

# NOTE(review): this matches on the client's *source* port (67-68) and leaves
# the destination port open, so it admits more UDP to the router than DHCP.
# Prefer matching the DHCP server port instead: "option dest_port '67'".
config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'Guest_FW'
	option src_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

# DNS to the router from guests; no 'proto' given, which presumably falls back
# to the firewall default (tcp and udp).
config rule
	option name 'Guest DNS'
	option src 'Guest_FW'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

Am I right to assume that the uplink is on one of the lan ports and that there is a router upstream?

If so, there are two things you need to add:

  • add a gateway to the lan interface. It will be the upstream router's address... likely 192.168.1.1
  • turn on masquerading on the lan firewall zone.

Solved.

Your assumption about another router upstream is correct.

I’m not certain what is the procedure in the forum to send a nice cold beer, you indeed deserve a big one.

Few things:

This guide, which is the prevailing reference, is simply misleading: it leaves out those two rules, which made me and so many others spend hours until you came up with the solution, saving plenty of additional hours.

If any moderator is listening, that is the time to step in and revise it.

On another issue: from the guest 192.168.2.0 network I cannot reach the 192.168.1.0 subnet with my Windows client; however, I am able to access it with my Android phone.
If I block all the traffic from the Guest network to the LAN as suggested in the last step of the guide, then I lose the internet connection as well.

Any solution to that?

The wiki article can be fixed, but let's figure out what specifically is misleading.

  • I do see masquerading being enabled on the lan zone at the end of step 3.
  • I don't see any reference to ensuring that the lan has a gateway defined <---- this seems like a needed update.

Anything else that caused issues for you?

I happen to be a moderator, but actually, the wiki can be edited by anyone once access is granted (see this page for more info).

But you are the second person to say that there are some issues, so I'll see if I can take some time to fix the errors in that article.

This suggests that Windows Firewall may be the reason for this.

If you look more carefully at the guide, you'll see that it isn't blocking all guest > lan traffic, but rather blocking traffic going from guest > lan with destination address 192.168.1.0/24. Make sure you have that address in there and it should fix that part.

But note that once you do that, your comment earlier about the windows client not being able to see the 192.168.1.0/24 network (but your android client can) all becomes moot because this will block that by a specific firewall rule.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


Thanks again for the profound support, I’m fairly new here and indeed not used to such prompt and effective solutions.

[psherman]: I do see masquerading being enabled on the lan zone at the [end of step 3]

You are right; it is easy to miss, and I did, probably because those are the interfaces that we did not add and were not aiming to configure. I suggest highlighting all the key elements in the graphic with red circles.

[psherman]: if you look more carefully at the guide, you'll see that it isn't blocking all guest > lan, but rather blocking traffic that is going from guest > lan with destination address 192.168.1.0/24. Make sure you have the address in there and it should fix that part.

It is there and solves the problem. It is also easy to miss, so I suggest highlighting it with a red circle as well.

Reasonable suggestions. I'll keep this in mind as I collect other comments about what needs to be improved in the guide.

Glad your network is working as expected now.

