Guest Wifi on an external dumb AP... Can't reach internet

Let me preface this by saying I followed multiple guides, read the documentation, read hundreds of forum posts and Reddit threads, watched YouTube videos, and did my best for several days. Now I need help!

Here is the deal:
I have an OpenWRT router and I want to have a guest network to connect an access-point for my backyard... The AP will give an internal IP, that is provided by the router, but I can't access Internet with it!

Here is a simplified Topology of my network:

I followed OpenWRT's guide on setting up a Guest Wifi with a dumb AP:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

Devices connected to the AP won't access Internet...
Here are my configs (VLAN 1 works without issue, so I won't detail it here):

The bridge VLAN device:

The guest Interface
(My main network is on 192.168.22.xxx, I want the guest network to be on 192.168.23.xxx):

DHCP is enabled, everything set to default values

Firewall zone is named "guest" and assigned to this interface

main firewall page

The firewall rules as per the guide:

Note: VLAN 2 is tagged between the switch and the router, untagged after that

What did I miss?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Of course...

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:89d8:b521::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan.1'
	option netmask '255.255.255.0'
	option proto 'static'
	option ipaddr '192.168.22.1'
	list dns '192.168.22.1'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'wlan0'
	option ipv6 '0'

config interface 'wan'
	option proto 'pppoe'
	option username 'REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option device 'eth0.35'
	option type 'bridge'

config interface 'WireguardVPN'
REDACTED (I removed the wireguard part because it is in use)

config interface 'guest'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.23.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth1:t'

wireless: There is no wireless on the router directly
DHCP has a shit ton of stuff to redact, what do you need in the file?
Firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WireguardVPN'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name '00-no-Internet-at-all-Laurent'
	option target 'REJECT'
	option src 'lan'
	list src_ip '192.168.22.185'
	option dest 'wan'
	option enabled '0'

config rule
	option name '00-Internet Hours Laurent'
	option src 'lan'
	list src_ip '192.168.22.185'
	option dest 'wan'
	option target 'REJECT'
	option start_time '01:00:00'
	option stop_time '09:00:00'

config rule
	option name 'GUEST_DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'GUEST_DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'GUEST-BLOCK-LAN'
	option src 'guest'
	option dest 'lan'
	option target 'REJECT'
	list proto 'all'
	list dest_ip '192.168.23.0/24'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.22.17'
	option dest_port '180'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip 'REDACTED'
	option dest_port 'REDACTED'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireguardVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport 'REDACTED'
	option dest_ip '192.168.22.1'
	option dest_port 'REDACTED'

REDACTED ENTRIES, not related to guest network
(forwarding to internal services)

config rule
	option enabled '0'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

If you see something I missed and did not redact, please tell me ASAP!

What is the output of:

ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt-NAMO-01",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi Compute Module 4 Rev 1.1",
	"board_name": "raspberrypi,4-compute-module",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}

This rule is wrong... it should have a destination of wan:

this rule is not necessary and can be removed:

Reboot and try again.

Oh my god! It was the WAN thing!... So the official guide is just plain bad!
Thanks a ton!

Here are a few additional questions for you:

Now I can ping devices on the guest network... What rule do I need to add so that devices on the guest network are isolated from one another?

Is there a rule I can add that would make it possible to reach the web UI of the AP on the guest network from a computer on the LAN, without giving access the other way around?

Why is it that the hostnames of the devices on the guest network are not reported to the router? Do I need to open a port for that?

That's not related to the router at this point. Wifi isolation may be available on your guest network's AP (I know for sure it is on anything running OpenWrt; vendor firmware may or may not have this option). But this technique only isolates wifi devices from each other -- it will not isolate from ethernet connected devices or those connected to another AP, should you extend your guest/iot network via ethernet or additional APs.

Yes.

config forwarding
	option src 'lan'
	option dest 'guest'

(or it can be more granular, if you want).

This is a function of the client devices themselves -- not all will inform the router of a hostname. You can do this manually on the router, if you want, though.

Oh... okay... So Wifi Isolation is the job of the AP, got it...
If I install OpenWRT on the AP, where is that function?

Is there a way to isolate from other ethernet connected devices within OpenWRT?

Where is that in the UI??
Sorry, I know that from the terminal, things might be easier to configure in a second, but I am trying to find my way around the UI...

It's called Isolate Clients in the wireless config > advanced settings.

Not in your situation -- there is something called a bridge firewall (which I have never tried to implement), but that only works if the OpenWrt device is literally between the two devices in question. Your device doesn't have a built-in switch, so no, it's not possible.

Network > Firewall > Edit the lan zone and allow forwarding to the guest zone.

Thank you @psherman, your help has been really appreciated!

If ever you feel even more generous of your time, I have another question...

My network is actually set up to advertise my Pi-Hole device as the main DNS server.

The Pi-Hole is on 192.168.22.18
The router is on 192.168.22.1

The lan interface is set like so:

What combination of sorcery do I need to do to have the 192.168.23.xxx use the DNS advertised by the router (and mostly, the PiHole)?

Create a new firewall rule that:

  • accepts
  • TCP + UDP traffic
  • Port 53
  • Source zone guest
  • Destination zone lan
  • Destination IP 192.168.22.1

That will allow devices on your guest network to reach the Pihole.

You also need to set the pihole to Permit all origins (Settings > DNS > Interface Settings).

Thanks again for your time.

When doing that, I lose internet access (technically, name resolution; direct IP access works).

We can review the config. Post the firewall file for starters.

Sorry, I did not answer right away, people came over and spent the rest of the day!
As soon as I have 15 minutes, I will do that!
Thanks again!

There. Sorry for the delay... the network was in use all weekend because we had people over...

When forwarding DNS requests from "Guest" to "device", I have Internet access but no filtering by the Pi-Hole... When applying this rule, the Wifi defaults to 192.168.24.1 for the DNS (the guest network is on the 192.168.24.xxx subnet now... I had to change some stuff) and there is no internet access.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WireguardVPN'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name '00-no-Internet-at-all-Laurent'
	option target 'REJECT'
	option src 'lan'
	list src_ip '192.168.22.185'
	option dest 'wan'
	option enabled '0'

config rule
	option name '00-Internet Hours Laurent'
	option src 'lan'
	list src_ip '192.168.22.185'
	option dest 'wan'
	option target 'REJECT'
	option start_time '01:00:00'
	option stop_time '09:00:00'

config rule
	option name 'GUEST_DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'GUEST_DNS-Pi-HOLE'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53'
	option dest 'lan'
	list dest_ip '192.168.22.1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

<<REDACTED FOR SECURITY REASONS - (outside access to certain services) >>

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

The "Laurent" rules are to restrict my kid from surfing the net at night or when he is grounded! :smile:

Is the pihole actually at the same address as the router itself? The lan address of the router is 192.168.22.1. Where is the pihole?

192.168.22.18... I tried forwarding to both without success

OK... well, first, fix the firewall rule to point to the pihole. Right now it obviously won't work because it's not forwarding to the right address.

Then, on your pihole, go to Settings > DNS > Interface Settings and select Permit All Origins

Test once that is done.
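Added here as a worked check, not code from the thread or from OpenWrt: a small Python linter that parses a UCI firewall file and flags the two guest-zone mistakes fixed in this thread, the missing guest-to-wan forwarding and a port-53 rule whose dest_ip is the router (192.168.22.1) rather than the Pi-hole (192.168.22.18). The SAMPLE is constructed from the configs posted above; the parse_uci and lint_guest names are my own.

```python
# Added example (not from the thread): parse a UCI firewall file and report the two
# guest-zone mistakes discussed above. SAMPLE is constructed from the posted configs.
SAMPLE = """config zone
	option name 'guest'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'GUEST_DNS-Pi-HOLE'
	option src 'guest'
	option dest 'lan'
	option dest_port '53'
	list dest_ip '192.168.22.1'
"""

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'options', 'lists'} sections."""
    sections = []
    for line in text.splitlines():
        tok = line.strip().split(None, 2)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({"type": tok[1], "options": {}, "lists": {}})
        elif tok[0] == "option":
            sections[-1]["options"][tok[1]] = tok[2].strip("'\"")
        elif tok[0] == "list":
            sections[-1]["lists"].setdefault(tok[1], []).append(tok[2].strip("'\""))
    return sections

def lint_guest(sections, guest="guest", wan="wan", dns_ip="192.168.22.18"):
    """Return findings as strings; an empty list means the guest zone looks right."""
    findings = []
    pairs = {(s["options"].get("src"), s["options"].get("dest"))
             for s in sections if s["type"] == "forwarding"}
    if (guest, wan) not in pairs:  # first bug in the thread: the rule forwarded guest to lan
        findings.append(f"no forwarding {guest}->{wan}: clients get a lease but no Internet")
    for s in sections:
        o = s["options"]
        if s["type"] == "rule" and o.get("src") == guest and o.get("dest") and o.get("dest_port") == "53":
            ips = s["lists"].get("dest_ip", [])
            if dns_ip not in ips:  # second bug: dest_ip pointed at the router, not the Pi-hole
                findings.append(f"rule {o.get('name')!r} allows DNS to {ips}, not to {dns_ip}")
    return findings

print(*lint_guest(parse_uci(SAMPLE)), sep="\n")
```

On a real router, feed it `cat /etc/config/firewall` instead of SAMPLE; an empty result means both forwarding and the DNS rule point where the thread's fix says they should.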