icek
March 11, 2022, 11:59am
1
I have set up my guest access following the instructions at https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
Basically I have a Virgin router connected to a BT Home Hub 5 on its WAN port, running OpenWrt 19.07.8 r11364-ef56c85848.
A second access point, also running OpenWrt 19.07.8 r11364-ef56c85848, is connected via LAN to the BT Home Hub, which is the DHCP server.
ALL running well with Fast roaming.
I am trying to set up the guest Wi-Fi on the access point and everything works except internet access: devices get an IP from the guest Wi-Fi and show as connected but without internet. The only thing I have done beyond the instructions above is to configure a default gateway on the guest interface.
It's really unclear which device is the OpenWrt one.
But if you created a new interface on the OpenWrt device, you also have to make sure you placed it in a firewall zone and allowed that zone to forward to WAN.
icek
March 11, 2022, 12:48pm
3
The guest interface has a firewall zone with destination LAN, as described in the instructions.
Note that WAN is not used on the access point, as all internet traffic goes through the main DHCP router at 192.168.1.1.
The access point's static address is 192.168.1.2; LAN and the normal Wi-Fi connect to the internet fine.
The guest Wi-Fi has the static address 192.168.2.1 with default gateway 192.168.1.1.
icek
March 11, 2022, 12:48pm
4
What is the best log file to check for errors?
trendy
March 11, 2022, 12:56pm
5
This doesn't sound right. What is the output of uci export network; uci export dhcp; uci export firewall from the access point?
icek
March 11, 2022, 1:59pm
6
network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7b:72fc:0a42::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'c8:91:f9:2d:9e:66'
config interface 'wan'
option ifname 'dsl0'
option proto 'pppoe'
option username 'username'
option password 'password'
option ipv6 '1'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr 'c8:91:f9:2d:9e:67'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6t'
# Guest interface as first posted.  The 'gateway' below (192.168.1.1) is not
# inside this interface's subnet (192.168.2.0/24), so it is not an on-link
# next hop for this interface and cannot provide the guest clients' route to
# the internet.  On a dumb AP the default route belongs on 'lan'
# (192.168.1.2/24), which is where the later fix moves it.
config interface 'Guest'
option proto 'static'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '1.1.1.1'
option ipaddr '192.168.2.1'
option gateway '192.168.1.1'
DHCP
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Guest'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'Guest'
Firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'Guest'
option forward 'REJECT'
list network 'Guest'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
config forwarding
option dest 'lan'
option src 'Guest'
config rule
option dest_port '67-68'
option src 'Guest'
option name 'Guest DHCP'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'Guest'
option name 'Guest DNS'
option target 'ACCEPT'
For an access point, change:
# NOTE(review): on this AP the 'wan' zone only contains the unused pppoe/dsl0
# 'wan' and 'wan6' interfaces, and all internet traffic leaves via the main
# router on 'lan' (192.168.1.1), so a Guest -> wan forwarding has nothing to
# carry.  The OP confirms below that it makes no difference.
config forwarding
option dest 'wan'
option src 'Guest'
change:
# Guest interface without the off-subnet 'gateway' option: 192.168.1.1 is not
# within 192.168.2.0/24, so it cannot be the next hop on this interface.
config interface 'Guest'
option proto 'static'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '1.1.1.1'
option ipaddr '192.168.2.1'
icek
March 11, 2022, 2:49pm
10
It is already the same as you requested. Also, changing the config forwarding to WAN makes NO difference.
Then I leave you in the hands of lleachii, who is much more competent than myself...
trendy
March 11, 2022, 4:05pm
12
Try this:
# Move NAT and the upstream route from the Guest interface/zone to 'lan',
# which is the AP's real egress towards the main router at 192.168.1.1.
# Masquerading is applied on a zone's outgoing interfaces, so on the Guest
# zone it only rewrites traffic heading towards the guest clients; it has to
# live on the egress zone (lan) to rewrite guest traffic going out.
uci delete firewall.Guest.masq
uci set firewall.lan.masq='1'
# 192.168.1.1 is not on the Guest subnet (192.168.2.0/24), so a gateway on
# Guest is not a usable next hop; the default route belongs on lan.
uci delete network.Guest.gateway
# dnsmasq answers guest clients on 192.168.2.1 and forwards upstream using
# /tmp/resolv.conf.auto, which is fed from the lan interface's dns list, so a
# per-interface dns list on Guest is not needed.
uci delete network.Guest.dns
uci add_list network.lan.dns='1.1.1.1'
uci add_list network.lan.dns='8.8.8.8'
uci set network.lan.gateway='192.168.1.1'
uci commit firewall
uci commit network
# Restarting network may briefly drop Wi-Fi; run this from a wired session if
# possible.
service firewall restart
service network restart
icek
March 11, 2022, 4:37pm
13
Still the same: an IP is served but NO internet.
Any other thoughts?
Please post your latest config files -- it's best to see exactly where things are now.
icek
March 11, 2022, 5:23pm
15
trendy:
uci export network; uci export dhcp; uci export firewall
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7b:72fc:0a42::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '1.1.1.1'
list dns '8.8.8.8'
option gateway '192.168.1.1'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'c8:91:f9:2d:9e:66'
config interface 'wan'
option ifname 'dsl0'
option proto 'pppoe'
option username 'username'
option password 'password'
option ipv6 '1'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr 'c8:91:f9:2d:9e:67'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6t'
# Guest interface after the fix: no gateway or dns list here.  By default
# dnsmasq hands guest clients 192.168.2.1 as their resolver and forwards
# upstream via /tmp/resolv.conf.auto, which is populated from the 'lan'
# interface's dns list above.
config interface 'Guest'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.2.1'
root@BTHH5A-Con:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Guest'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'Guest'
root@BTHH5A-Con:~# uci export firewall
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Guest zone.  input REJECT keeps guest clients off the AP's own services
# (only the DHCP and DNS rules below punch through); output ACCEPT lets the AP
# answer them.
config zone
option name 'Guest'
option forward 'REJECT'
list network 'Guest'
option output 'ACCEPT'
option input 'REJECT'
# 'masq' rewrites traffic LEAVING through this zone's interface, i.e. packets
# heading towards the guest clients, not guest traffic going out.  On a dumb
# AP the egress zone is 'lan', so masquerading belongs there (the accepted fix
# below moves it).  Without it the main router at 192.168.1.1 has no route
# back to 192.168.2.0/24 and replies never return.
option masq '1'
# Guest -> lan forwarding is what gives guests internet access via 192.168.1.1,
# but it equally lets them reach every host on 192.168.1.0/24, including the
# main router's admin interface.  For internet-only access add a REJECT rule
# from 'Guest' to dest 'lan' with dest_ip '192.168.1.0/24' (fw3 evaluates
# rules before zone forwardings), e.g.:
#   config rule
#   option name 'Guest-block-LAN'
#   option src 'Guest'
#   option dest 'lan'
#   option dest_ip '192.168.1.0/24'
#   option target 'REJECT'
# Wireless client isolation on the SSID does not do this: it only separates
# wireless clients from each other at layer 2.
config forwarding
option dest 'lan'
option src 'Guest'
# Let guests obtain leases from the AP (dnsmasq on 192.168.2.1).
config rule
option src 'Guest'
option name 'Guest DHCP'
option target 'ACCEPT'
list proto 'udp'
option dest_port '67-68'
# No 'proto' given, so this matches both TCP and UDP port 53 towards the AP.
config rule
option dest_port '53'
option src 'Guest'
option name 'Guest DNS'
option target 'ACCEPT'
Remove masquerading from the guest firewall zone and add it to the lan zone. Masquerading is applied to traffic leaving through a zone's own interfaces, so on the Guest zone it never touches the guest traffic that exits via lan; on the lan zone it rewrites guest sources to the AP's 192.168.1.2, which is what lets the main router (which has no route back to 192.168.2.0/24) return the replies. The trade-off is that the main router then sees all guest traffic as coming from 192.168.1.2, so anything logged or filtered there cannot tell guests apart from the AP itself; a static route for 192.168.2.0/24 via 192.168.1.2 on the main router would avoid that, if it supports one.
If you look at the configuration files posted earlier, you will see that the critical firewall rules are already there. The OP has not yet blocked traffic between the subnets — the Guest → lan forwarding currently lets guests reach every host on 192.168.1.0/24 — but that does not impact general connectivity.
icek
March 11, 2022, 6:07pm
20
Resolved by moving masquerading from the Guest zone to the LAN zone.
Thanks to everyone for help, especially Psherman
icek
March 13, 2022, 3:32pm
22
Now that the guest Wi-Fi works, how do I stop its clients from accessing the local LAN on the 192.168.1.0/24 subnet?
I have enabled the client-isolation (no client-to-client communication) option on the guest SSID, but that is not stopping access to the local 192.168.1.0/24 subnet — that option only isolates wireless clients from each other and does not filter traffic routed from the guest subnet into the LAN.