Guest Wifi on Dumb AP

Although reading this guide:

[OpenWrt Wiki] Guest Wi-Fi on a dumb wireless AP using LuCI

and reading the forum and trying for hours, I can’t get another guest wifi running. What is working now on the bridged AP is the STD wifi and a VPN wifi via WireGuard.

Anyone seeing the obvious error?

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd67:907c:fea8::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.8'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config device
        option type 'bridge'
        option name 'br-vpn'
        option bridge_empty '1'

config interface 'vpn_int'
        option proto 'static'
        option device 'br-vpn'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest_int'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config interface 'wg_int'
        option proto 'wireguard'
        option private_key 'key'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'
        option defaultroute '1'

config wireguard_wg_int
        option description 'Surfshark_FRA'
        option public_key 'key'
        option endpoint_host 'de-fra.prod.surfshark.com'
        option endpoint_port '51820'
        option persistent_keepalive '30'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '2g'
        option channel '1'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'STD'
        option encryption 'psk2'
        option key 'key'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'STD'
        option encryption 'psk2'
        option key 'key'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'VPN'
        option encryption 'psk2'
        option key 'key'
        option network 'vpn_int'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'VPN'
        option encryption 'psk2'
        option key 'key'
        option network 'vpn_int'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'GUEST'
        option encryption 'psk2'
        option key 'key'
        option network 'guest_int'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUEST'
        option encryption 'psk2'
        option key 'key'
        option network 'guest_int'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vpn_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn_int'

config rule
        option src 'vpn_zone'
        option name 'VPN_DHCP'
        list proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'vpn_zone'
        option name 'VPN_DNS'
        option dest_port '53'
        option target 'ACCEPT'

config zone
        option name 'wg_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg_int'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'vpn_zone'
        option dest 'wg_zone'

config redirect
        option name 'DNS-VPN'
        option target 'DNAT'
        option src 'vpn_zone'
        option src_dport '53'
        option dest_ip '162.252.172.57'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_int'
        option family 'ipv4'

config forwarding
        option src 'guest_zone'
        option dest 'lan'

You need to add policy based routing to set the appropriate rules for routing the guest network out the normal upstream (lan) instead of via the vpn (which it isn’t allowed to do by the firewall).

I’ll give it a try. Thought configuring the firewall with forwarding from the guest_zone to lan_zone would be enough. LAN is working fine.

Although the firewall allows it, there is no route via the lan.
So take the advice of psherman.

I am not experienced at all concerning OpenWrt and PBR. Would it be in “Firewall - NAT Rules” that I have to set the appropriate rule? And why would my configuration not work without it, when it followed the steps here: [OpenWrt Wiki] Guest Wi-Fi on a dumb wireless AP using LuCI?

The guest wifi is unbridged, which means its traffic is routed by the AP itself, in contrast to the lan wifi, which is bridged and simply bypasses the AP's routing.
Meaning the guest wifi follows the AP's default route, which (because the WireGuard peer has route_allowed_ips set for 0.0.0.0/0) goes via the vpn.

So you have to take care of the routing by means of policy based routing as already pointed out.

Thanks for all the advice.

You need to add policy based routing to set the appropriate rules for routing the guest network out the normal upstream (lan) instead of via the vpn (which it isn’t allowed to do by the firewall).

Just to be sure, PBR would apply to the upstream router?

No. PBR will be installed on the router that you have been describing (the "dumb AP with guest wifi"). You will create a policy that says that the guest network should route through to the upstream (i.e. the lan in this case), and another for the VPN'd network that routes through the VPN tunnel.

If your upstream router is VLAN aware (especially if it is running OpenWrt), all of this could be done there, instead. But I'm assuming that the main/upstream router is not VLAN capable.


The upstream router is VLAN capable, but I would prefer a solution without VLANs, just to avoid starting with one more area I am not used to.

I am unable to start PBR on the dumb AP. There is an error message: ERROR: Uplink/WAN interface is still down, increase value of 'procd_boot_trigger_delay' option!

Of course I tried changing the delay option, but this is probably not the real problem.

Tried to configure the lan interface as uplink device:

	option uplink_interfaces 'lan'

or

	option uplink_interfaces 'br-lan'

without success.

The uplink interface is lan.

What are the errors you're seeing? And what does the PBR config show?

PBR config

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option procd_boot_trigger_delay '5000'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option uplink_interfaces 'lan'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

/etc/init.d/pbr restart

Using uplink interface (on_start): wan [✓]
Processing environment (on_start) ERROR: Uplink/WAN interface is still down, increase value of 'procd_boot_trigger_delay' option!
Setting interface trigger for wan [✓]
Setting interface trigger for wan6 [✓]
pbr 1.2.0-r2 FAILED TO START in fw4 nft file mode!!!Check the output of nft -c -f /var/run/pbr.nftERROR: The pbr 1.2.0-r2 service failed to discover WAN gateway!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!

After deleting the not needed wan/wan6 devices:


Using uplink interface (on_start): wan [✓]
Processing environment (on_start) ERROR: Uplink/WAN interface is still down, increase value of 'procd_boot_trigger_delay' option!
pbr 1.2.0-r2 FAILED TO START in fw4 nft file mode!!!Check the output of nft -c -f /var/run/pbr.nftERROR: The wan interface not found, you need to set the 'pbr.config.uplink_interface' option!
ERROR: Refer to https://docs.openwrt.melmac.ca/pbr/1.2.0/#uplink_interface!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!

one ‘s’ too many !!!

	option uplink_interface 'lan'

what's left:

restart
Using uplink interface (on_start): lan [✓]
Found uplink gateway (on_start): 192.168.1.1 [✓]
Processing environment (on_start) [✓]
Installing fw4 nft file [✓]
pbr 1.2.0-r2 monitoring interfaces:
ERROR: Failed to set up any gateway!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!

But that may be due to that I do not have a configured wireguard interface right now?

No. The uplink and gateway is clearly on the lan interface. The WG interface is not the issue.

I'd recommend you ask the questions about PBR in the support thread for that package:

It seems to work now, though. After going back to my earlier configuration and adding

	option uplink_interface 'lan'

PBR starts:


Resetting chains and sets [✓]
Removing routing for 'wg_int/10.14.0.2' [✓]
pbr 1.2.0-r2 (fw4 nft file mode) stopped [✓]
Using uplink interface (on_start): lan [✓]
Found uplink gateway (on_start): 192.168.1.1 [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wg_int/10.14.0.2' [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wg_int [✓]
pbr 1.2.0-r2 monitoring interfaces: wg_int
pbr 1.2.0-r2 (fw4 nft file mode) started with gateways:
wg_int/10.14.0.2 [✓]

Would the following be the appropriate rule to route the guest wifi?

config policy
	option name 'Guest WiFi main router'
	option src_addr '192.168.11.0/24'
	option interface 'lan'
	option gateway '192.168.1.1'

Obviously not:

ERROR: Policy 'Guest WiFi main router' has an unknown interface!

But the interface most probably would be “wg_int”!

The interface is guest_int

tried that one, but was not considered “unknown interface”.

wg_int is the only interface listed as a Service Gateway in PBR (LuCI). Using it as the policy's interface gives a rule without error, but (of course) it does not route the guest traffic to the primary router.

Any other way to define guest_int as known interface?

Confusing: this shows guest_int as an “interface”:

root@OpenWrt:~# uci show network | grep "=interface"
network.loopback=interface
network.lan=interface
network.vpn_int=interface
network.guest_int=interface
network.wg_int=interface

still

config policy
	option name 'Guest WiFi main router'
	option enabled '1'
	option src_addr '192.168.11.0/24'
	option interface 'guest_int'
	option gateway '192.168.1.1'

gives:

Resetting chains and sets [✓]
Removing routing for 'wg_int/10.14.0.2' [✓]
pbr 1.2.0-r2 (fw4 nft file mode) stopped [✓]
Using uplink interface (on_start): lan [✓]
Found uplink gateway (on_start): 192.168.1.1 [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wg_int/10.14.0.2' [✓]

Routing 'Guest WiFi main router' via guest_int [✗]
Installing fw4 nft file [✓]
Setting interface trigger for wg_int [✓]
pbr 1.2.0-r2 monitoring interfaces: wg_int
pbr 1.2.0-r2 (fw4 nft file mode) started with gateways:
wg_int/10.14.0.2 [✓]
ERROR: Policy 'Guest WiFi main router' has an unknown interface!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!

I have never tried to set up PBR on a bridged AP, but as far as I know you have to set the lan interface as uplink instead of the wan; it looks like you did that.

Without PBR you have a default route via the VPN, so what you want in this case is to route your guest interface via the lan:

config policy
	option name 'guest wifi'
	option src_addr '@br-guest'
	option interface 'lan'

To complicate matters, there is also a PBR option lan_device; you might need to set this to br-guest:
option lan_device 'br-guest'

If that does not work, remove the default route via the VPN by disabling route_allowed_ips on the WG peer.
Reboot and check that everything goes via the lan.

The only PBR policy necessary should then be:

config policy
	option name 'vpn wifi'
	option src_addr '@br-vpn'
	option interface 'wg_int'

I wrote this from my phone, so check it carefully, but I hope you got the meaning.
