oscar
November 4, 2021, 8:29am
1
Hello,
My guest wifi was set up a while ago and worked without problems until today. The trouble is that although the internal guest wifi works, i.e. DHCP etc., there is no access from any connected computers to the internet (just for guest wifi, normal wifi works).
Looking into this further I found that there is a discrepancy in the devices associated with guest wifi in the various config files. The 'wireless' config points to radio0, the 'network' config to wlan0-1. It is not possible to change this in LuCI ("interfaces"), as I am given only the option wlan0-1 there.
Here are the excerpts from the configs:
/etc/config/wireless

config wifi-iface 'wifinet0'
    option device 'radio0'
    option network 'guest'
    option mode 'ap'
    option isolate '1'
    option encryption 'psk2'
    option ssid 'Guest_Network'
    option key 'XXXXXXXXX'
    option macfilter 'deny'

/etc/config/network

config interface 'guest'
    option proto 'static'
    option delegate '0'
    option force_link '0'
    option ipaddr '192.168.22.1'
    option netmask '255.255.255.0'
    option device 'wlan0-1'

/etc/config/firewall

config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'
    option family 'ipv4'
    option network 'guest'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option family 'ipv4'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option family 'ipv4'
    option src 'guest'

config forwarding
    option dest 'wan'
    option src 'guest'

Any advice is appreciated.
Cheers
Oscar
trendy
November 4, 2021, 8:59am
2
Remove from wireless:
oscar:
option macfilter 'deny'
Remove from network:
oscar:
option device 'wlan0-1'
Fix the initial post and include the console output into preformatted text (the </> button)
Also post the whole uci export firewall
oscar
November 4, 2021, 9:35am
3
trendy:
Remove from network:
option device 'wlan0-1'
This leaves the device setting as 'unspecified'.
uci export firewall
package firewall

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option flow_offloading '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list device 'br-lan'
    option family 'ipv4'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
    option family 'ipv4'

config include
    option path '/etc/firewall.user'

config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'
    option family 'ipv4'
    option network 'guest'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option family 'ipv4'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option family 'ipv4'
    option src 'guest'

config forwarding
    option dest 'wan'
    option src 'guest'

config zone
    option name 'Fon'
    option forward 'REJECT'
    option network 'Fon'
    option output 'ACCEPT'
    option family 'ipv4'
    option input 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'Fon'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67'
    option name 'Fon DHCP'
    option family 'ipv4'
    option src 'Fon'

config forwarding
    option dest 'Fon'
    option src 'lan'

Apologies for the formatting previously, somehow I missed it.
trendy
November 4, 2021, 9:38am
4
It should not be there from the beginning. You have specified in the wireless section of the guest SSID that network is guest, and that is enough to bind the SSID to an interface.
Remove the br-lan, there is already the lan network defined.
Other than that, it is fine.
oscar
November 4, 2021, 10:25am
5
Not really
Last lines from the log:
Thu Nov 4 11:13:00 2021 daemon.info hostapd: wlan0-1: STA dc:56:60:36:30:d5 IEEE 802.11: authenticated
Thu Nov 4 11:13:00 2021 daemon.info hostapd: wlan0-1: STA dc:56:60:36:30:d5 IEEE 802.11: associated (aid 2)
Thu Nov 4 11:13:00 2021 daemon.notice hostapd: wlan0-1: AP-STA-CONNECTED dc:56:60:36:30:d5
Thu Nov 4 11:13:00 2021 daemon.info hostapd: wlan0-1: STA dc:56:60:36:30:d5 WPA: pairwise key handshake completed (RSN)
Thu Nov 4 11:13:00 2021 daemon.info dnsmasq-dhcp[11245]: DHCPREQUEST(wlan0-1) 192.168.22.21 dc:56:60:36:30:d5
Thu Nov 4 11:13:00 2021 daemon.info dnsmasq-dhcp[11245]: DHCPACK(wlan0-1) 192.168.22.21 dc:56:60:36:30:d5 MYLAPTOP
Thu Nov 4 11:13:15 2021 daemon.err odhcpd[1158]: Failed to send to ff02::1%lan@br-lan (Permission denied)
The log is flooded with odhcpd error messages. Looks to me like an attempt to connect via IPv6, which I switched off.
oscar
November 4, 2021, 10:53am
6
Initial post reformatted as per request of @trendy
Interim statement: wireless as part of br-lan works, wifi-guest does not, i.e. no connection to wan/internet.
trendy
November 4, 2021, 12:49pm
7
service odhcpd stop; service odhcpd disable
oscar
November 4, 2021, 1:02pm
8
This is what puzzles me. In 'wireless', the interface is called wifinet0 and the corresponding device is named radio0. In 'network', interface is guest and the device is called wlan0-1. In 'wireless', guest corresponds to a network, while in 'network' it corresponds to a device.
Nevertheless, up to today it has worked and stopped working today without any interference from my side.
trendy
November 4, 2021, 1:22pm
9
Just a name.
This is the physical radio interface.
This is wrong, you should not use the wifi device in the interface section, because this wlan0-1 might change after a reboot and I recall helping someone else in here who had the same issue.
guest is the interface name. In wireless you associate the SSID to an interface, which handles the IPs etc.
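
An added example, not part of any post in this thread and not OpenWrt project code: a shell check for the misconfiguration discussed above, where an interface in /etc/config/network pins a wifi netdev name (wlan0-1) although a wifi-iface in /etc/config/wireless already binds to it through option network. The function name find_pinned_wifi, the wlanN[-M] name pattern and the sample files are assumptions constructed from the excerpts in the first post.

```shell
#!/bin/sh
# find_pinned_wifi WIRELESS_FILE NETWORK_FILE
# Prints "<interface> <device>" for each network interface that is bound by a
# wifi-iface ('option network') and also hard-codes a wlanN[-M] netdev name.
find_pinned_wifi() {
    awk -v q="'" '
    # Strip single and double quotes from a UCI value.
    function val(s) { gsub("[\"" q "]", "", s); return s }
    FNR == NR {                                   # first file: wireless
        if ($1 == "config") in_iface = ($2 == "wifi-iface")
        else if (in_iface && ($1 == "option" || $1 == "list") && $2 == "network")
            for (i = 3; i <= NF; i++) bound[val($i)] = 1
        next
    }
    # second file: network
    $1 == "config" { name = ($2 == "interface") ? val($3) : ""; next }
    name != "" && $1 == "option" && $2 == "device" {
        dev = val($3)
        # wlanN-M names are assigned at runtime and may change after a reboot
        if ((name in bound) && dev ~ /^wlan[0-9]+(-[0-9]+)?$/) print name, dev
    }' "$1" "$2"
}

# Constructed sample files, modelled on the excerpts in the first post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/wireless" <<'EOF'
config wifi-iface 'wifinet0'
    option device 'radio0'
    option network 'guest'
    option mode 'ap'
EOF
cat > "$tmp/network" <<'EOF'
config interface 'lan'
    option device 'br-lan'
    option proto 'static'

config interface 'guest'
    option proto 'static'
    option ipaddr '192.168.22.1'
    option netmask '255.255.255.0'
    option device 'wlan0-1'
EOF

find_pinned_wifi "$tmp/wireless" "$tmp/network"
# On the router, the removal advised in the thread corresponds to:
#   uci delete network.guest.device && uci commit network
```

On a router the two arguments would be /etc/config/wireless and /etc/config/network; an empty result means no interface pins a wifi netdev name.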
oscar
November 4, 2021, 4:07pm
10
I deleted it immediately following your 1st advice. However, it came back in somehow.
I could not do a reboot of the router until now. So, everything is alright after the reboot! Hope it remains stable.
Thank you, Trendy