Guest WiFi on Dumb AP Problems

Hello everyone.
I'm stuck trying to achieve something that should be as simple as a Guest WiFi Network on a "Dumb AP".
I tried following a guide without success.

Here is my network config:

INTERNET -> TP Link MR600 (As main router) -> Switch (unmanaged) ->|-> OpenWrt "Dumb AP"
                                                                   |-> OpenWrt "Dumb AP"

Below you can find the configuration of one Dumb AP.
/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd9:298c:6849::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '94:83:c4:07:22:16'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option type 'bridge'

/etc/config/firewall


config include
        option path '/etc/firewall.user'

config zone
        option network 'GUEST'
        option name 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'guest'

config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'

The problem is that on the Guest WiFi I can get an IP in the right range (192.168.2.x) but with an "Internet no access" error.

Any hint?

You do not have a LAN zone configured on your firewall; the forwarding option references two zones, not two networks. And you probably need to add masquerading on that zone, as the main router will not expect packets from the 192.168.2.x on its internal interface.


Yes, the destination zone of the forward (lan) needs masq and mtu_fix turned on, as is typically done for the wan zone.

Also take the dns option settings out of the GUEST network. If desired you can push those to clients with DHCP option 6. But using the global default DNS obtained by DHCP from the upstream network is usually satisfactory.


The /etc/config/firewall was not complete but included only configurations for the GUEST zone.
This is the actual situation on LuCI:

I just tried masquerading but it did not work.
Always "No Internet Access" :(

Check masquerading on the top line, which is the LAN. You do not need to check masquerading on the bottom line, which is guest. And you're probably not using wan at all, so you could delete that zone.

In other words, the forwarded packet needs to be masqueraded (NAT) as it enters lan, not as it leaves guest. This is a common rookie misconception.


Well... that check did the trick. Thank you.
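
The firewall configuration the replies above converge on, written out as an added example that nobody in the thread posted: a `lan` zone with `masq` and `mtu_fix`, plus the guest-to-lan forwarding. The `lan` zone's ACCEPT policies are the OpenWrt defaults and are assumed here, as is the 192.168.1.0/24 upstream subnet in the optional rule, which stops guest clients from reaching hosts on the main router's LAN while still letting them out to the internet.

```uci
# /etc/config/firewall on the dumb AP (added example, not from the thread)

# Zone for the uplink towards the main router. masq makes forwarded guest
# packets leave with the AP's own LAN address, so the main router sees a
# source it knows how to answer.
config zone
        option name 'lan'
        option network 'lan'
        # ACCEPT policies assumed (OpenWrt defaults for the lan zone)
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

# Guest zone as posted: clients may not reach the AP itself or other zones
# unless a rule or forwarding below allows it.
config zone
        option name 'guest'
        option network 'GUEST'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Optional: block guest access to the upstream LAN. Rules are evaluated
# before zone forwardings. 192.168.1.0/24 is an assumed value; replace it
# with the main router's actual LAN subnet.
config rule
        option name 'Guest no LAN'
        option src 'guest'
        option dest 'lan'
        option dest_ip '192.168.1.0/24'
        option target 'REJECT'

# src and dest are zone names, not network names.
config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Guest DHCP'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
```

Reload with `/etc/init.d/firewall restart`. Without the optional rule, the masqueraded guest traffic arrives at the main router with the AP's LAN address, so the main router cannot tell guest clients from the AP itself.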
