I have a TP-Link Deco S4 that has openwrt installed and using it as an AP.
The 5ghz is on 192.168.0.x in the main network. I want to set the 2.4ghz as a guest network separate from the main network (192.168.3.x).
If this is a dumb AP and your main router doesn't support VLANs, you want to be looking at the guest wifi on a dumb AP tutorial.
But that is an assumption... so I'll ask these questions:
Is this operating as a dumb AP (i.e. you have another device that is the actual router)?
If so, does that router run OpenWrt or another firmware that allows you to configure VLANs?
And in that case, have you setup a VLAN for the guest network on the main router?
Once we understand how you are using your device, we can then advise what changes you might need to make, based on what we see in your configuration:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
This is operating as a dumb AP (so yes, I have another device which is doing the routing - RT-AC88u).
Yes, that router is also running OpenWRT.
No, I have not set up that router with VLANs for the guest network.
This is 1 of 3 APs I have and the only AP I want my guest network on (all the IoTs I have are in this room) so I figured I didn't need to touch the rest of my network setup (main router, other 2 APs).
I followed the how-to in your link this time and it's still not connecting. TestWRT is the guest SSID I'm configuring the guest network for.
Thanks in advance for helping.
root@Deco_Tr0LL:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'Redacted'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config device
option name 'eth0.1'
option macaddr 'Redacted'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.40'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.0.38'
list dns '192.168.0.38'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '3 5 0t'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
root@Deco_Tr0LL:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Redacted'
option encryption 'psk2'
option key 'Redacted'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Redacted'
option encryption 'psk2'
option key 'Redacted'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'TestWRT'
option encryption 'psk2'
option network 'guest'
option key 'Redacted'
root@Deco_Tr0LL:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
list server '8.8.8.8'
list server '8.8.4.4'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@Deco_Tr0LL:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config rule
option name 'Guest DNS'
option src 'guest'
option target 'ACCEPT'
option dest_port '53'
config rule
option name 'Guest DHCP'
list proto 'udp'
option src 'guest'
option target 'ACCEPT'
option dest_port '67-68'
config forwarding
option src 'guest'
option dest 'lan'
config rule
option name 'Block Guest Access to Private Network'
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.0.0/24'
option target 'DROP'
Try adding this line to the dhcp server section for the guest network.
option dhcpv4 'server'
Restart the device and test again.
Everything else looks good from what I can see. If that doesn’t work, try connecting to the network and manually setting the ip address in the same subnet (don’t forget to include the subnet mask, dns, and router addresses).
I added that line and it still doesn't work. It doesn't get a DHCP ip from the router. If I set it manually to 192.168.3.x, then it connects and I can ping the 192.168.3.1 but I get no internet.
At this point, I just flashed the stock firmware back to 1 of my 3 meshes and use the guest on that. I still have some weird issue with openwrt capping my wifi speeds to 260mbps anyway (I believe it's an issue with the S4 routers as it happens with stock firmware too if it's on router mode, but works at full speed in AP mode).
Had you disabled dnsmasq and the firewall? If so, that would explain what you were seeing -- no DHCP server and no access to the internet -- both dnsmasq and firewall are required for those to work.
OHHH, you're right, I did disable them as the guide I followed said to disable them when using it as a dumb ap. I enabled them and now it's working. Thanks for your help!!
