Hi,
my current network setup is as follows:
Internet -> FRITZ!Box 6591 Cable -> (Pi-Hole) -> TP-Link Archer C7 v2 -> TP-Link TL-WR841N v7 -> Internet-Consuming-Device
The FritzBox is untouched (original OS), and the DHCP server in this box is deactivated, so it acts only as the Internet gateway. (The IP of this device is 192.168.0.1.)
The Pi-Hole (a Raspberry Pi 3) is my DNS and DHCP server. (Its IP address is 192.168.0.71.)
The TP-Link Archer C7 v2 is my "production" device. It currently runs the original firmware, but I plan to use OpenWrt on it. The DHCP server on this device is also deactivated, and its IP is 192.168.0.28.
The TP-Link TL-WR841N v7 is my "test device". I want to make sure everything works on this old device with OpenWrt 18.06.8 before I flash my Archer C7. The IP of this device is 192.168.0.30, and the DHCP server for its lan interface is also deactivated.
I want to create a guest network which has access to the internet, but not to the internal 192.168.0.x network.
So, first I thought: "Nice, there is a GUI-way to configure this", so I followed these steps:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
But I had no success: I was able to connect to the Wifi and got an IP and everything, but I wasn't able to connect to any server on the internet. (I also tried to access a server via its IP, to make sure DNS is not the problem, but again: no connection.)
So the next thing I did was to hard-reset the TL-WR841N and reconfigure it as described here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
But again with no success: I get an IP (192.168.3.x), but no internet.
For connections via LAN (and the normal Wifi) everything works fine: I get an IP from my Pi-Hole and everything works.
I guess there is something wrong with using the Pi-Hole as DNS and DHCP server, but I'm not sure what exactly it could be. Does somebody have a hint for me?
Here are my configs:
cat /etc/config/network
# /etc/config/network as posted (section indentation was lost in the paste).
# Loopback interface.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfc:41e4:38c3::/48'
# LAN bridge: static 192.168.0.30/24 on eth0.1.
# NOTE(review): no 'gateway' or 'dns' option is set in this section. If the
# uplink to the 192.168.0.x network is on the LAN ports rather than on the WAN
# port (eth1), the router itself has no default route via lan -- confirm how
# the device is cabled.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.30'
# WAN and WAN6: DHCP / DHCPv6 clients on eth1.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
# switch0 with VLANs enabled; VLAN 1 carries ports 1-4 untagged and port 0
# tagged (presumably the CPU port -- verify for this board).
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
# Guest subnet: static 192.168.3.1/24. No 'ifname' or bridge is declared here;
# the only attachment visible in the post is the wifi-iface with
# option network 'guest'.
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
# NOTE(review): presumably 'dns' on a static interface only sets resolvers for
# the router itself; what guest clients are handed is decided in
# /etc/config/dhcp, which is not shown -- verify.
option dns '1.1.1.1 8.8.8.8'
cat /etc/config/wireless
# /etc/config/wireless as posted (section indentation was lost in the paste).
# Single 2.4 GHz radio: channel 11, 11g / HT20, legacy rates enabled.
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:00.0'
option htmode 'HT20'
option country 'US'
option legacy_rates '1'
# Default AP bridged to 'lan' with encryption 'none'. It is only inactive
# because of disabled '1'; enabling it as-is would expose the lan network over
# an open SSID, so set encryption and a key before removing that option.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option disabled '1'
# Guest AP attached to the 'guest' interface, WPA2-PSK.
# NOTE(review): no 'isolate' option is set, so stations on this SSID are not
# separated from each other at the AP; consider option isolate '1' for a guest
# network.
config wifi-iface 'guest'
option device 'radio0'
option mode 'ap'
option network 'guest'
option ssid 'guest'
option encryption 'psk2'
# Short, guessable test passphrase that is now public in this post; replace it
# with a long random one before the SSID is used for real guests.
option key 'test123456'
cat /etc/config/firewall
# /etc/config/firewall as posted (section indentation was lost in the paste).
# Global defaults: accept input and output, reject forwarding, SYN-flood
# protection on. Input for a zone is governed by that zone's own 'input' value.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: everything accepted.
# masq '1' means traffic leaving through the lan zone is source-NATed to the
# router's lan address (192.168.0.30 per the network config). Hosts on
# 192.168.0.x therefore cannot tell NATed clients apart by source address.
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
# wan zone: input and forward rejected, masquerading and MSS clamping enabled.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# The only zone-to-zone forwarding in this dump: lan -> wan.
# NOTE(review): there is no 'config forwarding' section with src 'guest'
# anywhere in the posted file.
config forwarding
option src 'lan'
option dest 'wan'
# Rules for traffic arriving from the wan zone. Rules without 'dest' apply to
# traffic addressed to the router itself; rules with 'dest' apply to forwarded
# traffic. NOTE(review): these look like the stock OpenWrt rule set -- confirm
# nothing was edited.
# DHCP replies to the router's wan DHCP client (UDP 68, IPv4).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# ICMP echo-request from wan to the router (IPv4).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# IGMP from wan (IPv4).
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies (UDP 546) restricted to fc00::/6 source and destination.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery messages from link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 control messages to the router, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 error and echo messages forwarded from wan to any zone (dest '*'),
# rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ESP and ISAKMP (UDP 500) forwarded from wan into the lan zone, with no
# dest_ip restriction. If no IPsec endpoint sits behind this router, these two
# rules can be removed to shrink what wan may forward.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom rule script pulled in by the firewall; its contents are not shown in
# the post, so any rules it adds are outside this review.
config include
option path '/etc/firewall.user'
# Guest zone: input to the router rejected, output accepted, forward rejected.
# Guests reach the router only through the explicit rules below.
config zone 'guest'
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# DNS (TCP and UDP 53) from guests to the router itself (no 'dest' is set).
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
# DHCP requests (UDP 67, IPv4) from guests to the router itself.
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option family 'ipv4'
option proto 'udp'
option target 'ACCEPT'
# Named as a forward rule, but no 'dest' zone is set; the OpenWrt firewall
# documentation treats a rule without 'dest' as an input rule, so this section
# does not forward guest traffic anywhere -- verify against the generated
# ruleset.
# Together with the missing guest forwarding section, nothing visible in this
# dump lets guest traffic leave toward lan or wan.
# The isolation goal in the post (internet yes, 192.168.0.x no) rests on an
# explicit exclusion of that subnet. If guest traffic ends up forwarded into
# the lan zone, the upstream gateway and the Pi-hole sit inside that same
# subnet, so the exclusion needs to be checked carefully.
config rule 'guest_fwd'
option name 'Allow-Guest-Forward'
option src 'guest'
# NOTE(review): '!.0/' is not a valid negated subnet. The address digits
# appear to have been stripped when the post was rendered, so the value
# actually on the device cannot be read from here -- re-check it on the router.
option dest_ip '!.0/'
option proto 'all'
option target 'ACCEPT'