Guest wifi no internet

I just started using OpenWRT and have been tinkering with it all day yesterday. First I got a wireguard tunnel for all traffic working, but don't seem to be able to get guest wifi working. I followed the guide provided (although zones are a bit 'more accepting' for testing atm). After many hours I read a wireguard connection can't be shared between zones, so decided to delete the wg for now. I was expecting to get guest wifi working now, but no go. I deleted wireguard and guest wifi for a fresh start, but same same. I did read other topics with this problem, but this did not fix my problem. I spent too many hours chasing this already :wink:

Situation:
I got an existing network (192.168.178.0/24) to which OpenWRT (10.0.0.0/24) is connected until I get everything working and stable to replace my main router.

Problem:
Normal wifi is working, but guest wifi is not. I can ping 10.0.0.1 from guest wifi, but not 192.168.178.251 (pi-hole) (I can from normal wifi). I believe I got both zones and traffic rules set up the same way for both radios, but I guess not...

Really appreciate any help.

        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 ubootmod",
        "board_name": "zyxel,ex5601-t0-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3a:8df8:660c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.90.0'
        option netmask '255.255.255.0'
        option gateway '192.168.178.251'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option name 'Allow_DNS_IN'
        option family 'ipv4'
        option target 'ACCEPT'
        option src_port '53'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option enabled '0'

config rule
        option name 'Allow_DNS_OUT'
        option family 'ipv4'
        option target 'ACCEPT'
        option src_port '53'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option dest 'wg_proton'
        option enabled '0'

config rule
        option dest 'lan'
        option name 'Allow_SSH_OUT'
        list proto 'tcp'
        option src_port '22'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option dest 'wg_proton'
        option name 'Allow_HTTP(S)_OUT'
        list proto 'tcp'
        option dest_port '80 443'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg_proton'
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option name 'Guest-DNS'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Guest-DHCP'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.90.0'
        option netmask '255.255.255.0'
-        option gateway '192.168.178.251'
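Review bot: the unchanged `option ipaddr '10.0.90.0'` context line in this hunk is the point to raise: with netmask 255.255.255.0 that value is the subnet's network address rather than a host address, so removing the gateway line alone still leaves the guest interface without a usable address. Suggest changing it in the same edit to a host address in that subnet, for example 10.0.90.1.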

Remove this line
And please post

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

cat /etc/config/wireless

Was https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface the guide you were following?

To be clear, no interface can be shared [safely] between [firewall] zones, as you could create conflicting rules in those individual zones.

Same result without gateway, when removed the same ip is visible in light grey with (wan). Added because it was a solution in another topic. Removed now.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae'
        option key 'xxx'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae'
        option key 'xxx'
        option ocv '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Moto'
        option encryption 'psk2'
        option key 'xxx'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'sae-mixed'
        option key 'xxx'
        option ocv '0'
        option network 'guest'

@frollic yes
@lleachii tnx, so 'sharing' should be managed through traffic rules I guess?

That is not an IP address, use 10.0.90.1

3 Likes

Please define "sharing" - it's not clear what you're seeking or attempting to accomplish with the Wireguard interface (nor anything you plan to "share").

You have to select network for each guest wifi

1 Like

@egc Damn... I was fully confident it must be something stupid, but still. Thanks a bunch. Guest wifi now works.

@lleachii About the sharing... probably not the correct name. But I got it working now. I added a wireguard interface again. And forwarded both guest and lan to it, like so ('sharing' the wireguard interface between them):

Still learning all this stuff, but I don't get it, if I change wg_proton to wan at the guest zone, it doesn't work anymore. Maybe because the wireguard has Allowed IP's 0.0.0.0/0 and route allowed ip's checked?

I mean it's ok if guests use wireguard as well, but I just want to understand it.

Next up is a wifi network just for internal use for very outdated devices :grimacing:

1 Like

The problem is with the basic router setup, not even touching wireguard - the guest LAN interface is not valid, it is a broadcast address and will not communicate with anything (change last bit to 1).
And the guest wifis are not connected to any network.
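Both problems raised in this thread (an interface `ipaddr` that is not a host address, and a `wifi-iface` with no `option network`) can be checked mechanically before a config is applied. The script below is an added example, not code from any poster or from OpenWrt: `parse_uci`, `audit` and the sample config are constructed for illustration, and the gateway-outside-subnet check goes slightly beyond what was said in the thread.

```python
import ipaddress
import re

# Constructed sample in UCI syntax, modelled on the guest setup in this thread.
SAMPLE = """
config interface 'lan'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'

config interface 'guest'
    option ipaddr '10.0.90.0'
    option netmask '255.255.255.0'
    option gateway '192.168.178.251'

config wifi-iface 'wifinet2'
    option ssid 'Moto'

config wifi-iface 'wifinet3'
    option ssid 'Guest'
    option network 'guest'
"""

def parse_uci(text):
    """Return [(section_type, section_name, {option: value})]; 'list' lines are ignored."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), m.group(3) or "", {}))
        elif m and sections:
            sections[-1][2][m.group(2)] = m.group(3) or ""
    return sections

def audit(text):
    """Return (section_name, problem) pairs for the misconfigurations described above."""
    findings = []
    for stype, name, opt in parse_uci(text):
        if stype == "interface" and "ipaddr" in opt and "netmask" in opt:
            iface = ipaddress.ip_interface(f"{opt['ipaddr']}/{opt['netmask']}")
            net = iface.network
            # Network and broadcast addresses cannot be assigned to a host.
            if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
                findings.append((name, "ipaddr is not a usable host address"))
            gw = opt.get("gateway")
            if gw and ipaddress.ip_address(gw) not in net:
                findings.append((name, "gateway is outside the interface subnet"))
        elif stype == "wifi-iface" and opt.get("disabled") != "1" and "network" not in opt:
            findings.append((name, "wifi-iface has no network attached"))
    return findings
```

To audit a real router, pass the concatenated text of `/etc/config/network` and `/etc/config/wireless` to `audit()`.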

Not valid because I used a .0 address (network address)? Or because there is no wired port connected to the bridge?

Not sure why the guest interface is able to route to wg_proton but not to wan.

Because altering the firewall doesn't change the routing configuration. :wink:

You also need to change/revert the route from the Wireguard interface back to WAN.

Thanks for confirming the obvious :slight_smile:

Well, do you need help with the obvious or were you merely commenting about the firewall?

Your response is unclear.

Earlier I was wondering: Maybe because the wireguard has Allowed IP's 0.0.0.0/0 and route allowed ip's checked?

So I assumed you confirmed this for me. Now it's obvious that indeed just altering the Firewall isn't enough. I need to change the routing as well.

Help is always welcome, not sure what the best way is. Limiting the allowed IP's in wg_proton, or making another route just for the subnet of the guest network, or both, or something completely different...
