Guest Wifi has no internet when WAN port is turn into LAN port

Hi,

My routers ( Mi4a Giga which i'm running as a dump AP switch ) 2 lan and 1 wan port. So I have no choice but to turn the wan port into Lan port. and when I do that the guest wifi doesn't have internet connection.

How I do the wan to lan. Is that I modify the lan interface with DHCP turn off. And to into wan with the lan bridging. As per the photo below.

image

Network topgraphy.
router ---- wired ----> router ( run as dump wifi access point switch )

both routers are the same model. Mi4a Giga 1 wan 2 lan.

Btw the Switch menu is missing in the Network options.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
2 Likes

[quote="trendy, post:2, topic:98847"]
Hi, the Result is per below


BusyBox v1.33.0 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.0-rc1, r16046-59980f7aaf
 -----------------------------------------------------
root@RouterNo1:~# ubus call system board;
{
        "kernel": "5.4.111",
        "hostname": "RouterNo1",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0-rc1",
                "revision": "r16046-59980f7aaf",
                "target": "ramips/mt7621",
                "description": "OpenWrt 21.02.0-rc1 r16046-59980f7aaf"
        }
}
root@RouterNo1:~# uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdf1:c000:4c5e::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.254'
        option ifname 'lan1 lan2 wan'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'wan'
        option proto 'dhcpv6'

config interface 'P'
        option proto 'static'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth0 wan'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option ra_maxinterval '600'
        option ra_mininterval '200'
        option ra_lifetime '1800'
        option ra_mtu '0'
        option ra_hoplimit '0'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Perception'
        option interface 'Perception'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'P'
        option interface 'P'
        option start '100'
        option limit '150'
        option leasetime '12h'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'P'
        option output 'ACCEPT'
        list network 'P'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'P'
        option dest 'lan'

config rule
        option name 'P'
        list proto 'udp'
        option src 'P'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'P-DNS'
        option src 'P'
        option dest_port '53'
        option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: br-P: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.254/24 brd 192.168.2.255 scope global br-P
       valid_lft forever preferred_lft forever
default via 192.168.1.254 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.3
192.168.2.0/24 dev br-P scope link  src 192.168.2.254
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.3
local 192.168.1.3 dev br-lan table local scope host  src 192.168.1.3
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.3
broadcast 192.168.2.0 dev br-P table local scope link  src 192.168.2.254
local 192.168.2.254 dev br-P table local scope host  src 192.168.2.254
broadcast 192.168.2.255 dev br-P table local scope link  src 192.168.2.254
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Apr 18 18:06 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Jun 10 21:49 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Jun 10 21:40 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Jun 10 21:40 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
root@RouterNo1:~#


Delete wan, and wan6 interfaces.
Add dns on lan interface.
I suppose p is the guest interface, right? Then remove eth0 and wan from ifname under p.
Enable masquerade on lan firewall zone.

2 Likes

Hi,

Thank you for your advice. I have deleted wan and wan6 and added dns to lan interface. Removed eth0 and wan from P interface. And enable masquerade on the lan firewall zone.

Bellow are my current firewall setting for Lan and P

However Guest wifi still have no internet connection. Thank you.

Make sure the interface name is p (lower case) and not mixed P (upper case) and p (lower case).
Guest users can get an IP from DHCP? Does ping or Luci to the OpenWrt work?
Post once again the following:
uci export network; uci export wireless; iptables-save -c

You can't have a wan network without some connection to outside for it. Since all the Ethernet ports are lan, you only have a lan network. Guests should forward to lan. The lan needs to be configured with gateway and DNS so it knows of your main router as the way to get to the Internet. Masquerade must be enabled on lan.

This is all just restating what @trendy said. In the end you only need two networks, lan and guest.

DHCP is only possible when that when p's interface has DHCP. Where else lan's interface is getting DHCP from the Primary Router actually. ' p can't get DHCP from the Primary Router when it's DHCP is turn off.

Bellow is the latest confi. TQ

 zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Fri Jun 11 21:46:25 2021

The guest network has a static IP and a DHCP server. Guests are issued an IP in the guest subnet by that server when they connect. The lan network can be either static IP (in the main router's subnet) or DHCP client of the main router.

The IP subnets of the two interfaces must not overlap.

1 Like

Edit your post, only a part of the configuration is uploaded.

Here's the latest setting. guest wifi still has no internet. DHCP is from the P interface. And not from the Primary router. which the lan interface is set to.

Thanks.

root@OpenWrt:~# uci export network; uci export wireless; iptables-save -c
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd22:7a2a:8782::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'lan1 lan2 wan'
        option gateway '192.168.1.254'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option ipaddr '192.168.1.203'

config interface 'P'
        option proto 'static'
        option type 'bridge'
        option ifname 'wan'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'IsItHot?5G'
        option encryption 'psk2'
        option key 't81p1ng888'
        option ieee80211r '1'
        option mobility_domain '1127'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'P'
        option encryption 'psk2'
        option key 't81p1ng888'
        option ieee80211r '1'
        option mobility_domain '1127'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option network 'P'

# Generated by iptables-save v1.8.7 on Sat Jun 12 04:07:27 2021
*nat
:PREROUTING ACCEPT [270:72411]
:INPUT ACCEPT [7:458]
:OUTPUT ACCEPT [33:3681]
:POSTROUTING ACCEPT [46:3922]
:postrouting_P_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_P_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_P_postrouting - [0:0]
:zone_P_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[270:72411] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[231:69485] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[39:2926] -A PREROUTING -i br-P -m comment --comment "!fw3" -j zone_P_prerouting
[55:4561] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[9:639] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[23:1208] -A POSTROUTING -o br-P -m comment --comment "!fw3" -j zone_P_postrouting
[23:1208] -A zone_P_postrouting -m comment --comment "!fw3: Custom P postrouting rule chain" -j postrouting_P_rule
[39:2926] -A zone_P_prerouting -m comment --comment "!fw3: Custom P prerouting rule chain" -j prerouting_P_rule
[9:639] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[9:639] -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[231:69485] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Jun 12 04:07:27 2021
# Generated by iptables-save v1.8.7 on Sat Jun 12 04:07:27 2021
*mangle
:PREROUTING ACCEPT [18797:2636810]
:INPUT ACCEPT [15578:1610448]
:FORWARD ACCEPT [1310:445004]
:OUTPUT ACCEPT [15177:4277954]
:POSTROUTING ACCEPT [16297:4710033]
COMMIT
# Completed on Sat Jun 12 04:07:27 2021
# Generated by iptables-save v1.8.7 on Sat Jun 12 04:07:27 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_P_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_P_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_P_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_P_dest_ACCEPT - [0:0]
:zone_P_dest_REJECT - [0:0]
:zone_P_forward - [0:0]
:zone_P_input - [0:0]
:zone_P_output - [0:0]
:zone_P_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[440:40760] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1203:143411] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1180:138701] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:244] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[11:1814] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[12:2896] -A INPUT -i br-P -m comment --comment "!fw3" -j zone_P_input
[24:1482] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[3:222] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[21:1260] -A FORWARD -i br-P -m comment --comment "!fw3" -j zone_P_forward
[21:1260] -A FORWARD -m comment --comment "!fw3" -j reject
[440:40760] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1148:501676] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1134:500439] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:909] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1:328] -A OUTPUT -o br-P -m comment --comment "!fw3" -j zone_P_output
[22:1324] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:244] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:328] -A zone_P_dest_ACCEPT -o br-P -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_P_dest_REJECT -o br-P -m comment --comment "!fw3" -j reject
[21:1260] -A zone_P_forward -m comment --comment "!fw3: Custom P forwarding rule chain" -j forwarding_P_rule
[21:1260] -A zone_P_forward -m comment --comment "!fw3: Zone P to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_P_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[21:1260] -A zone_P_forward -m comment --comment "!fw3" -j zone_P_dest_REJECT
[12:2896] -A zone_P_input -m comment --comment "!fw3: Custom P input rule chain" -j input_P_rule
[8:2632] -A zone_P_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: P-DHCP" -j ACCEPT
[0:0] -A zone_P_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: P-DNS" -j ACCEPT
[3:200] -A zone_P_input -p udp -m udp --dport 53 -m comment --comment "!fw3: P-DNS" -j ACCEPT
[0:0] -A zone_P_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:64] -A zone_P_input -m comment --comment "!fw3" -j zone_P_src_REJECT
[1:328] -A zone_P_output -m comment --comment "!fw3: Custom P output rule chain" -j output_P_rule
[1:328] -A zone_P_output -m comment --comment "!fw3" -j zone_P_dest_ACCEPT
[1:64] -A zone_P_src_REJECT -i br-P -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[13:909] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11:1814] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[11:1814] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[13:909] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:909] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11:1814] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Sat Jun 12 04:07:27 2021

Hi,

I manage to get internet for the Guest wifi. Via setting the firewall to forward to the lan instead of the wan. as per the screenshot.
image

Only issue left is the DHCP. i want the guest to be able to do fast trasistion roaming over 2 routers. The primary and the secondary routers. If the guest gets the different IPs from 2 different routers. Can they do something like control chromecast from a router located in another section of the house ?

There is no forward to lan zone, as it should.
Run fw3 restart and post here the output.

Fast transition requires the two or more APs be on the same network. They need to be bridged together with Ethernet or wireless. In this case one of them would be issuing IP addresses on the P network and forwarding to the Internet, and the other would be "dumb." You can't fast transition between two separate networks.

Noted. Tq.

I got it working already. Thank you.