Guest Wifi - no internet access - Main-Lan with pi-hole as DHCP and DNS-Server

Hi,

my current network setup is as follows:

Internet -> FRITZ!Box 6591 Cable -> (Pi-Hole) -> TP-Link Archer C7 v2 -> TP-Link TL-WR841N v7 -> Internet-Consuming-Device

The FritzBox is untouched (original OS), and the DHCP server in this box is deactivated, so it acts only as the Internet gateway. (The IP of this thing is 192.168.0.1)

The Pi-Hole (a Raspberry Pi 3) is my DNS- and DHCP-Server. (Its IP-address: 192.168.0.71)

The TP-Link Archer C7 v2 is my "production" device. Currently I'm running the original firmware on it, but I plan to use OpenWRT. The DHCP server is also deactivated on this device, and its IP is 192.168.0.28.

The TP-Link TL-WR841N v7 is my "test-device". So I want to make sure everything works on this old device with OpenWRT 18.06.8, before I'm going to flash my Archer C7. The IP of this device is the 192.168.0.30 and also the DHCP-Server for the lan-interface is deactivated.

I want to create a guest network which has access to the internet, but not to the internal 192.168.0.x network.

So, first I thought: "Nice, there is a GUI-way to configure this", so I followed these steps:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

But I had no success: I was able to connect to the Wifi and got an IP and everything, but I wasn't able to connect to any server on the internet. (I also tried to access a server via its IP, to make sure DNS is not the problem, but again: no connection.)

So the next step I took was to hard-reset the TL-WR841N and reconfigure it as described here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

But again with no success: I get an IP (192.168.3.x), but no internet.

For the connection via LAN (and normal Wifi) everything works fine: I get an IP from my Pi-Hole and everything works.
I guess there is something wrong with using the Pi-Hole as DNS and DHCP server, but I'm not sure what exactly it could be. Does somebody have a hint for me?

Here are my configs:

cat /etc/config/network

# /etc/config/network of the TL-WR841N test device: loopback, the main LAN
# bridge, the (DHCP-client) wan port, the switch VLAN, and the guest subnet.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfc:41e4:38c3::/48'

# Main LAN: static 192.168.0.30/24 on the eth0.1 bridge.
# NOTE(review): this section sets neither a gateway nor a DNS server. If the
# wan port below is not the uplink (the post describes the device as sitting
# inside 192.168.0.x), the router itself has no default route, so forwarded
# guest traffic has nowhere to go. The reply in the thread adds both values.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.30'

# wan/wan6 are DHCP clients on eth1.
# NOTE(review): whether eth1 is cabled at all is not visible here; confirm
# which port actually carries the uplink before reasoning about the zones.
config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

# Guest subnet 192.168.3.1/24. No ifname is given; the wifi-iface 'guest'
# in /etc/config/wireless attaches to it through 'option network'.
# NOTE(review): 'option dns' here presumably configures resolvers for the
# router, not what DHCP hands to guest clients - confirm against
# /etc/config/dhcp, which is not shown in the post.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option dns '1.1.1.1 8.8.8.8'

cat /etc/config/wireless

# /etc/config/wireless: one 2.4 GHz radio carrying a disabled default AP
# (bound to 'lan') and the guest AP (bound to 'guest').

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'

# Unencrypted AP attached to the main LAN, currently disabled.
# If it is ever enabled, set an encryption mode first: as written it would
# bridge an open SSID straight into 192.168.0.x.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

# Guest AP, WPA2-PSK, attached to the 'guest' interface.
# NOTE(review): the key below is short, guessable and now public in this
# thread; replace it before the config is copied to the production device.
# NOTE(review): no 'option isolate' is set, so guest clients can presumably
# reach each other on the AP; consider 'option isolate' if that is unwanted.
config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'test123456'

cat /etc/config/firewall

# /etc/config/firewall, part 1: global defaults, the lan and wan zones and
# the only zone-to-zone forwarding (lan -> wan).

# Default forward policy is REJECT: traffic between zones is refused unless
# a 'forwarding' section or an explicit rule allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# masq '1' on lan: traffic leaving through the lan zone is source-NATed to
# this device's LAN address (192.168.0.30 per /etc/config/network).
# Guest traffic routed out via lan therefore appears to LAN hosts and to the
# upstream gateway as coming from this AP, which matters when reading logs.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The only forwarding section in this dump; none names the 'guest' zone, so
# guest traffic depends entirely on the guest rules further down.
config forwarding
	option src 'lan'
	option dest 'wan'

# /etc/config/firewall, part 2: rules that all match traffic arriving from
# the 'wan' zone, followed by the include of /etc/firewall.user.
# NOTE(review): these look like the stock OpenWrt rule set; they only take
# effect for traffic entering through the wan interface (eth1).

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules forward ESP and UDP/500 from wan to any host in lan.
# NOTE(review): if no IPsec endpoint sits behind this device they can be
# removed to shrink what the wan side may reach.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules file; its contents are not shown in the post, so anything
# loaded from it is outside what this dump lets a reader verify.
config include
	option path '/etc/firewall.user'

# /etc/config/firewall, part 3: the guest zone and its three rules.

# input REJECT: guests cannot reach services on the router itself except
# where a rule below allows it. forward REJECT applies inside the zone.
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DNS (53) and DHCP (67) from guests to this router. Both rules have a src
# but no dest zone, i.e. they address the router, not forwarded traffic.
config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

# Intended to let guests out while keeping them off the internal network.
# NOTE(review): dest_ip '!.0/' is not a valid address or prefix; it looks
# like a template whose variables expanded to nothing. As written the
# exclusion of 192.168.0.x that the post asks for is not expressed.
# NOTE(review): there is no 'option dest', so, like the two rules above,
# fw3 presumably treats this as an input rule rather than a forward rule -
# confirm against the firewall docs. A forward rule would name the zone the
# uplink lives in and negate the internal subnet (192.168.0.0/24 here).
# After fixing, verify from a guest client that 192.168.0.1 and
# 192.168.0.71 are unreachable while internet hosts are reachable.
config rule 'guest_fwd'
	option name 'Allow-Guest-Forward'
	option src 'guest'
	option dest_ip '!.0/'
	option proto 'all'
	option target 'ACCEPT'
# Reply: commands to run on the TL-WR841N.
# Start dnsmasq at boot and restart it now.
# NOTE(review): presumably so this device serves DHCP/DNS on the guest
# subnet. /etc/config/dhcp is not shown; confirm DHCP stays off for 'lan',
# since the post names the Pi-hole (192.168.0.71) as the LAN DHCP server and
# a second DHCP server on that segment would compete with it.
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq restart
# Drop any existing DNS entry on 'lan' (-q: stay quiet if there is none),
# then point the router's own resolver at the Pi-hole.
uci -q delete network.lan.dns
uci add_list network.lan.dns="192.168.0.71"
# Give the device a default gateway on the LAN side (the FRITZ!Box), which
# the posted 'lan' section lacked.
uci set network.lan.gateway="192.168.0.1"
# Persist the changes and apply them.
uci commit network
/etc/init.d/network restart

Then repeat this step:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/extra#wireless_ap


Dear vgaetera, thank you very much for your time, reading into my problem and providing a useful answer. I followed your steps and it is working now without a problem! Thank you!

