My router (Mi4a Giga, which I'm running as a dumb AP switch) has 2 LAN and 1 WAN port. So I have no choice but to turn the WAN port into a LAN port, and when I do that the guest WiFi doesn't have an internet connection.
How I do the WAN to LAN: I modify the lan interface with DHCP turned off, and put the wan into the lan bridge, as per the photo below.
Network topology.
router ---- wired ----> router (run as dumb WiFi access point switch)
Both routers are the same model, Mi4a Giga, 1 wan 2 lan.
Btw, the Switch menu is missing in the Network options.
Delete wan, and wan6 interfaces.
Add dns on lan interface.
I suppose p is the guest interface, right? Then remove eth0 and wan from ifname under p.
Enable masquerade on lan firewall zone.
Thank you for your advice. I have deleted wan and wan6 and added DNS to the lan interface, removed eth0 and wan from the P interface, and enabled masquerade on the lan firewall zone.
Below are my current firewall settings for lan and P.
Make sure the interface name is p (lower case) and not mixed P (upper case) and p (lower case).
Can guest users get an IP from DHCP? Does ping or LuCI to the OpenWrt work?
Post once again the following: uci export network; uci export wireless; iptables-save -c
You can't have a wan network without some connection to outside for it. Since all the Ethernet ports are lan, you only have a lan network. Guests should forward to lan. The lan needs to be configured with gateway and DNS so it knows of your main router as the way to get to the Internet. Masquerade must be enabled on lan.
This is all just restating what @trendy said. In the end you only need two networks, lan and guest.
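The advice above, collected into one uci batch, as an added example that is not part of this thread and not OpenWrt's own configuration. It assumes a stock layout: the guest interface is called guest (lowercase), the guest SSID lives in the wifi-iface section wifinet2, the lan zone is firewall.@zone[0] (check with "uci show firewall"), and all addresses are constructed placeholders in the 192.168.1.0/24 and 192.168.2.0/24 subnets.

```shell
#!/bin/sh
# Added example, not from the thread: the uci batch that applies the advice
# above on a dumb AP that also serves its own guest network. Addresses, the
# guest interface name, the wifi-iface section and the lan zone section are
# constructed placeholders; adjust them to the box before applying.

AP_IP="${AP_IP:-192.168.1.203}"             # this AP's address on the main LAN
MAIN_ROUTER="${MAIN_ROUTER:-192.168.1.254}" # gateway and DNS for the AP itself
GUEST_IP="${GUEST_IP:-192.168.2.1}"         # guest subnet must not overlap lan
GUEST_WIFI="${GUEST_WIFI:-wifinet2}"        # wifi-iface section of the guest SSID
LAN_ZONE="${LAN_ZONE:-firewall.@zone[0]}"   # section of the zone named 'lan'

# Print the batch so it can be reviewed before it is applied.
guest_ap_uci_batch() {
    cat <<EOF
# no upstream port of its own: every Ethernet port is a lan port
delete network.wan
delete network.wan6
# lan: static address in the main router's subnet; gateway and DNS point at it
set network.lan.proto='static'
set network.lan.ipaddr='$AP_IP'
set network.lan.netmask='255.255.255.0'
set network.lan.gateway='$MAIN_ROUTER'
delete network.lan.dns
add_list network.lan.dns='$MAIN_ROUTER'
# guest: its own subnet, no Ethernet ports, this AP is its router
set network.guest=interface
set network.guest.proto='static'
set network.guest.ipaddr='$GUEST_IP'
set network.guest.netmask='255.255.255.0'
set wireless.$GUEST_WIFI.network='guest'
# DHCP: none on lan (the main router serves it), a server on guest
set dhcp.lan.ignore='1'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='100'
set dhcp.guest.leasetime='1h'
# firewall: guests may reach the AP only for DHCP and DNS, and forward to lan
set firewall.guest=zone
set firewall.guest.name='guest'
add_list firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='guest-DHCP'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67-68'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='guest-DNS'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set firewall.guest_lan=forwarding
set firewall.guest_lan.src='guest'
set firewall.guest_lan.dest='lan'
# lan zone masquerades, so the main router only ever sees the AP's own address
set $LAN_ZONE.masq='1'
commit network
commit wireless
commit dhcp
commit firewall
EOF
}

# True when the generated batch contains the given literal line fragment.
guest_ap_batch_has() {
    guest_ap_uci_batch | grep -qF -- "$1"
}

# On the AP: feed the batch (minus comments) to uci and reload; elsewhere just print it.
guest_ap_apply() {
    if command -v uci >/dev/null 2>&1; then
        guest_ap_uci_batch | grep -v '^#' | uci batch && reload_config
    else
        guest_ap_uci_batch
    fi
}

guest_ap_apply
```

Run it once with the variables overridden for your addresses and read the batch; only then run it on the AP. Note that there is deliberately no forwarding to a wan zone anywhere: with every port in lan, the lan zone is the only way out.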
DHCP is only possible when p's interface has DHCP, whereas lan's interface is actually getting DHCP from the primary router. p can't get DHCP from the primary router when its DHCP is turned off.
Below is the latest config. TQ
zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Fri Jun 11 21:46:25 2021
The guest network has a static IP and a DHCP server. Guests are issued an IP in the guest subnet by that server when they connect. The lan network can be either static IP (in the main router's subnet) or DHCP client of the main router.
The IP subnets of the two interfaces must not overlap.
Here's the latest setting. Guest WiFi still has no internet. DHCP is from the P interface and not from the primary router, which the lan interface is set to.
Thanks.
root@OpenWrt:~# uci export network; uci export wireless; iptables-save -c
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd22:7a2a:8782::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'lan1 lan2 wan'
option gateway '192.168.1.254'
list dns '8.8.8.8'
list dns '1.1.1.1'
option ipaddr '192.168.1.203'
config interface 'P'
option proto 'static'
option type 'bridge'
option ifname 'wan'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option gateway '192.168.1.254'
list dns '8.8.8.8'
list dns '1.1.1.1'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option htmode 'HT20'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'IsItHot?5G'
option encryption 'psk2'
option key 't81p1ng888'
option ieee80211r '1'
option mobility_domain '1127'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'P'
option encryption 'psk2'
option key 't81p1ng888'
option ieee80211r '1'
option mobility_domain '1127'
option ft_over_ds '1'
option ft_psk_generate_local '1'
option network 'P'
# Generated by iptables-save v1.8.7 on Sat Jun 12 04:07:27 2021
*nat
:PREROUTING ACCEPT [270:72411]
:INPUT ACCEPT [7:458]
:OUTPUT ACCEPT [33:3681]
:POSTROUTING ACCEPT [46:3922]
:postrouting_P_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_P_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_P_postrouting - [0:0]
:zone_P_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[270:72411] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[231:69485] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[39:2926] -A PREROUTING -i br-P -m comment --comment "!fw3" -j zone_P_prerouting
[55:4561] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[9:639] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[23:1208] -A POSTROUTING -o br-P -m comment --comment "!fw3" -j zone_P_postrouting
[23:1208] -A zone_P_postrouting -m comment --comment "!fw3: Custom P postrouting rule chain" -j postrouting_P_rule
[39:2926] -A zone_P_prerouting -m comment --comment "!fw3: Custom P prerouting rule chain" -j prerouting_P_rule
[9:639] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[9:639] -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[231:69485] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Jun 12 04:07:27 2021
# Generated by iptables-save v1.8.7 on Sat Jun 12 04:07:27 2021
*mangle
:PREROUTING ACCEPT [18797:2636810]
:INPUT ACCEPT [15578:1610448]
:FORWARD ACCEPT [1310:445004]
:OUTPUT ACCEPT [15177:4277954]
:POSTROUTING ACCEPT [16297:4710033]
COMMIT
# Completed on Sat Jun 12 04:07:27 2021
# Generated by iptables-save v1.8.7 on Sat Jun 12 04:07:27 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_P_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_P_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_P_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_P_dest_ACCEPT - [0:0]
:zone_P_dest_REJECT - [0:0]
:zone_P_forward - [0:0]
:zone_P_input - [0:0]
:zone_P_output - [0:0]
:zone_P_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[440:40760] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1203:143411] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1180:138701] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:244] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[11:1814] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[12:2896] -A INPUT -i br-P -m comment --comment "!fw3" -j zone_P_input
[24:1482] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[3:222] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[21:1260] -A FORWARD -i br-P -m comment --comment "!fw3" -j zone_P_forward
[21:1260] -A FORWARD -m comment --comment "!fw3" -j reject
[440:40760] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1148:501676] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1134:500439] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:909] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1:328] -A OUTPUT -o br-P -m comment --comment "!fw3" -j zone_P_output
[22:1324] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:244] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:328] -A zone_P_dest_ACCEPT -o br-P -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_P_dest_REJECT -o br-P -m comment --comment "!fw3" -j reject
[21:1260] -A zone_P_forward -m comment --comment "!fw3: Custom P forwarding rule chain" -j forwarding_P_rule
[21:1260] -A zone_P_forward -m comment --comment "!fw3: Zone P to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_P_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[21:1260] -A zone_P_forward -m comment --comment "!fw3" -j zone_P_dest_REJECT
[12:2896] -A zone_P_input -m comment --comment "!fw3: Custom P input rule chain" -j input_P_rule
[8:2632] -A zone_P_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: P-DHCP" -j ACCEPT
[0:0] -A zone_P_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: P-DNS" -j ACCEPT
[3:200] -A zone_P_input -p udp -m udp --dport 53 -m comment --comment "!fw3: P-DNS" -j ACCEPT
[0:0] -A zone_P_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:64] -A zone_P_input -m comment --comment "!fw3" -j zone_P_src_REJECT
[1:328] -A zone_P_output -m comment --comment "!fw3: Custom P output rule chain" -j output_P_rule
[1:328] -A zone_P_output -m comment --comment "!fw3" -j zone_P_dest_ACCEPT
[1:64] -A zone_P_src_REJECT -i br-P -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[13:909] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11:1814] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[11:1814] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[13:909] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:909] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11:1814] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Sat Jun 12 04:07:27 2021
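A way to read a dump like the one above and see where a zone's forwarded traffic actually goes, as an added example that is not part of this thread and not an fw3 tool. It relies only on the chain names and rule comments fw3 writes (zone_<name>_forward, zone_<name>_dest_ACCEPT, "Zone A to B forwarding policy"); the sample dump inside is constructed from a few lines in the same format, and the "fixed" variant is the same sample with the guest zone's policy pointed at lan instead of wan.

```shell
#!/bin/sh
# Added example, not from the thread: trace a zone's forwarding path through
# an "iptables-save -c" dump from an fw3-based OpenWrt box. Every function
# takes the zone name as $1 and the dump text as $2.

# Zone that $1's forwarding policy sends traffic to (empty if there is none).
fw3_forward_target() {
    printf '%s\n' "$2" | grep -- "-A zone_${1}_forward " |
        sed -n 's/.*Zone [^ ]* to \([^ ]*\) forwarding policy.*/\1/p'
}

# fw3 emits one "-o <device>" rule in zone_<z>_dest_ACCEPT per device in the
# zone. A zone with no devices (a deleted wan) has an empty chain, so the
# policy jump accepts nothing and the packet falls through to FORWARD's reject.
fw3_zone_has_device() {
    printf '%s\n' "$2" | grep -q -- "-A zone_${1}_dest_ACCEPT -o "
}

# True when the zone masquerades (needed when guest exits through lan on an AP
# whose lan address is the only one the main router knows how to route to).
fw3_zone_masquerades() {
    printf '%s\n' "$2" | grep -q -- "-A zone_${1}_postrouting .* -j MASQUERADE"
}

# Packets counted on the final FORWARD reject rule ($1 is the dump text).
fw3_forward_rejected() {
    printf '%s\n' "$1" |
        sed -n 's/^\[\([0-9]*\):[0-9]*\] -A FORWARD -m comment --comment "!fw3" -j reject$/\1/p'
}

# 0 when $1's traffic has an egress zone that has devices and masquerades.
fw3_forward_path_ok() {
    t=$(fw3_forward_target "$1" "$2")
    [ -n "$t" ] && fw3_zone_has_device "$t" "$2" && fw3_zone_masquerades "$t" "$2"
}

fw3_diagnose() {
    t=$(fw3_forward_target "$1" "$2")
    if [ -z "$t" ]; then
        echo "zone $1: no forwarding policy to any zone"
    elif ! fw3_zone_has_device "$t" "$2"; then
        echo "zone $1: forwards to '$t', but that zone has no device; packets" \
             "fall through to FORWARD reject ($(fw3_forward_rejected "$2") so far)"
    elif ! fw3_zone_masquerades "$t" "$2"; then
        echo "zone $1: forwards to '$t', which does not masquerade"
    else
        echo "zone $1: forwards to '$t' (devices present, masquerade on)"
    fi
}

# Constructed sample, abridged to the lines that matter, in the dump's format.
SAMPLE_DUMP=$(cat <<'EOF'
*nat
[9:639] -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
*filter
[21:1260] -A FORWARD -m comment --comment "!fw3" -j reject
[21:1260] -A zone_P_forward -m comment --comment "!fw3: Zone P to wan forwarding policy" -j zone_wan_dest_ACCEPT
[13:909] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
COMMIT
EOF
)

# Same sample after the guest zone's forwarding is pointed at lan instead of wan.
FIXED_DUMP=$(printf '%s\n' "$SAMPLE_DUMP" |
    sed 's/Zone P to wan forwarding policy" -j zone_wan_dest_ACCEPT/Zone P to lan forwarding policy" -j zone_lan_dest_ACCEPT/')

fw3_diagnose P "$SAMPLE_DUMP"
fw3_diagnose P "$FIXED_DUMP"
```

On a real box, pass "$(iptables-save -c)" as the second argument. The counters are what make the -c dump useful here: a non-zero count on the FORWARD reject rule while zone_<guest>_dest_REJECT stays at zero is the signature of a policy jump into a zone that has no devices.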
I managed to get internet for the guest WiFi by setting the firewall to forward to the lan instead of the wan, as per the screenshot.
The only issue left is the DHCP. I want the guests to be able to do fast transition roaming over 2 routers, the primary and the secondary. If the guests get different IPs from 2 different routers, can they do something like control a Chromecast from a router located in another section of the house?
Fast transition requires that the two or more APs be on the same network. They need to be bridged together with Ethernet or wireless. In this case one of them would be issuing IP addresses on the P network and forwarding to the Internet, and the other would be "dumb." You can't fast transition between two separate networks.