Hi, I'm new to networking, just recently bought a router and flasked OpenWrt on it. I have come to find a very vibrant community and OpenWrt is awesome. Kudos to the developers!
I am facing issues trying to use this guide to setup a Guest Wifi: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
My LAN Subnet is: 192.168.0.1/24
The first thing I check is if DHCP was enabled on the guest interface and it is:
Some configs:
# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dns_service '0'
list dhcp_option '6,192.168.0.4'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'pihole'
list mac '****************'
option ip '192.168.0.4'
option leasetime 'infinite'
config host
option name 'homeserver'
list mac '****************'
option ip '192.168.0.14'
option leasetime 'infinite'
config host
option name 'm4-mini'
list mac '****************'
option ip '192.168.0.19'
option leasetime 'infinite'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5f:962d:b60e::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
list dns '192.168.0.4'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'Hotspotshield'
option proto 'none'
option device 'tun0'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
list dns '1.1.1.1'
list dns '2.2.2.2'
option type 'bridge'
list ipaddr '192.168.10.1/24'
# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'homeserver https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.0.14'
option dest_port '443'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wireguard'
option family 'ipv4'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.0.4'
option dest_port '51820'
config forwarding
option src 'lan'
option dest 'wan'
config nat
list proto 'tcp'
list proto 'udp'
option src 'lan'
option dest_ip '192.168.0.4'
option dest_port '53'
option target 'MASQUERADE'
option name 'pihole_primary'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'lan'
option src_ip '!192.168.0.4'
option src_dport '53'
option dest_ip '192.168.0.4'
option dest_port '53'
option name 'pihole_primary'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-DNS-guest'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-guest'
list proto 'udp'
option src 'guest'
option dest_port '67 68'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'guest'
What am I doing wrong here?
Remove the bridge line below:
Reboot and test again.
config interface 'guest'
option proto 'static'
option device 'br-guest'
list dns '1.1.1.1'
list dns '2.2.2.2'
list ipaddr '192.168.10.1/24'
Just did that. Still no luck.
If it helps, under Networking > Wiireless > Associated Stations, I do see the phone I am using to connect to the guest wifi but no IP Address, it just says ?.
One other thing I noticed was that my default lan interface option ipaddr '192.168.0.1' and my guest interface's is list ipaddr '192.168.10.1/24'. I remembered that I gave 192.168.10.1/24 instead of 192.168.10.1 while debugging. Reverted that now, restarted. Still no luck.
I did that before because when I gave 192.168.10.1 in LuCI 192.168.10.1/32 showed up instead of /24. So I tried to hardcode 192.168.10.1/24 in LuCI instead. After the above revert I see /32 once again. Could this have something to do with it?
config interface 'guest'
option proto 'static'
option device 'br-guest'
list dns '1.1.1.1'
list dns '2.2.2.2'
list ipaddr '192.168.10.1'
Also my lan's value is option ipaddr and guest's is list ipaddr. Is that weird?
If you feel comfortable diving a bit more into the technical side, you good look at a tcpdump for the DHCP messages.
Either on the client or the router.
This would show you the network communication happening between them. And it would help debug the error.
I don't mind doing that at all. But seems like my opkg is broken as well?
# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.5/targets/ramips/mt7621/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/targets/ramips/mt7621/packages/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/base/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/luci/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/packages/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/routing/Packages.gz
Downloading https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/telephony/Packages.gz
Collected errors:
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.5/targets/ramips/mt7621/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/base/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/luci/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/routing/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download https://downloads.openwrt.org/releases/23.05.5/packages/mipsel_24kc/telephony/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
I am unable to install tcpdump.
I do have internet:
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=8.758 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=8.801 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 8.758/8.779/8.801 ms
Seems like I have a separate(?) DNS issue. My router is not able to get to my DNS. I have my pihole running in 192.168.0.4. Works for the interfaces but not the router.
# ping google.com
ping: bad address 'google.com'
No, there are technical difficulties with the projects servers. This one is not your router.
1 Like
Where is it trying to get that DNS name from?
My lan interface is configured with dhcp_option pointing to my pihole:
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dns_service '0'
list dhcp_option '6,192.168.0.4'
I also have port forwarding and NAT rules setup to push all DNS queries to the piHole:
config nat
list proto 'tcp'
list proto 'udp'
option src 'lan'
option dest_ip '192.168.0.4'
option dest_port '53'
option target 'MASQUERADE'
option name 'pihole_primary'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'lan'
option src_ip '!192.168.0.4'
option src_dport '53'
option dest_ip '192.168.0.4'
option dest_port '53'
option name 'pihole_primary'
Let’s take a fresh look at the complete config again:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Sure. Here it is:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Netgear R6260",
"board_name": "netgear,r6260",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5f:962d:b60e::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
list dns '192.168.0.4'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
list dns '1.1.1.1'
list dns '2.2.2.2'
list ipaddr '192.168.10.1'
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid '****************'
option encryption 'sae'
option key '****************'
option network 'lan'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option ssid '****************'
option encryption 'psk2'
option key '****************'
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dns_service '0'
list dhcp_option '6,192.168.0.4'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'pihole'
list mac '****************'
option ip '192.168.0.4'
option leasetime 'infinite'
config host
option name 'homeserver'
list mac '****************'
option ip '192.168.0.14'
option leasetime 'infinite'
config host
option name 'sriyan-m4-mini'
list mac '****************'
option ip '192.168.0.19'
option leasetime 'infinite'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'homeserver https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.0.14'
option dest_port '443'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wireguard'
option family 'ipv4'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.0.4'
option dest_port '51820'
config forwarding
option src 'lan'
option dest 'wan'
config nat
list proto 'tcp'
list proto 'udp'
option src 'lan'
option dest_ip '192.168.0.4'
option dest_port '53'
option target 'MASQUERADE'
option name 'pihole_primary'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'lan'
option src_ip '!192.168.0.4'
option src_dport '53'
option dest_ip '192.168.0.4'
option dest_port '53'
option name 'pihole_primary'
option enabled '0'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-DNS-guest'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-guest'
list proto 'udp'
option src 'guest'
option dest_port '67 68'
option target 'ACCEPT'
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~#
root@OpenWrt:~# ping google.com
ping: bad address 'google.com'
root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=58 time=9.064 ms
64 bytes from 8.8.8.8: seq=1 ttl=58 time=8.844 ms
64 bytes from 8.8.8.8: seq=2 ttl=58 time=16.620 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 8.844/11.509/16.620 ms
root@OpenWrt:~#
You earlier commented that you removed the /24 from the IP address. A subnet mask or a subnet size must be defined. That is missing here now:
I'll show you two equivalent ways to specify this:
Option 1 - use IP address and netmask:
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
Option 2 - use IP address and subnet size in CIDR notation:
option ipaddr '192.168.10.1/24'
You also don't need the DNS addresses. So, edit your guest interface to look like this:
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
You have an SSID defined that doesn't have a network associated:
If the above SSID was intended to be the guest network, you need to add the following:
option network 'guest'
Once those changes have been implemented, restart your device and test again.
2 Likes
That worked! Thank you! I guess I "debugged" my way into a pit.
system
January 28, 2025, 6:26pm
15
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
