I could not get an IP address on guest devices. Shouldn't it use eth1.10? The cable is connected from eth1 to the RT-AC68U.
I'm sorry... I missed the eth1 in the config. I gave you a config with a minor error.
Change the guest network to use device eth1.10 like this:
config interface 'guest'
    option device 'eth1.10'
    option proto 'static'
    option ipaddr '192.168.100.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
Wonderful! The guest device obtains an IP address on 192.168.100.x and is able to access the internet. However, I am still able to access the LAN on 192.168.10.x from the guest wifi.
That shouldn't happen... let's check the firewall and network config files -- please post the latest.
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'

config device
    option name 'br-lan'
    option type 'bridge'
    option ipv6 '0'
    list ports 'eth1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'guest'
    option device 'eth1.10'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option proto 'dhcp'
    option device 'eth0'

config device
    option name 'eth1'
    option ipv6 '0'

config device
    option name 'eth0'
    option ipv6 '0'

config device
    option name 'erspan0'
    option ipv6 '0'

config device
    option name 'tun0'
    option ipv6 '0'

config device
    option name 'eth1.10'
    option type '8021q'
    option ifname 'eth1'
    option vid '10'
    option ipv6 '0'
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option src 'guest'
    option dest_port '53 67-68'
    option target 'ACCEPT'
    option name 'Allow-Guest'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule 'ovpn'
    option name 'Allow-OpenVPN'
    option src 'wan'
    option dest_port '1194'
    option proto 'udp'
    option target 'ACCEPT'
And below is the script I run on the RT-AC68U: 0 = WAN port, 5 = CPU, t = tagged; eth1 and eth2 are the 2.4GHz/5GHz WLAN, wl0.1 is the guest AP.
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Run only once: skip the whole block if the switch already has VLAN 10
robocfg show | grep -i vlan10 > /dev/null 2>&1 || \
(
    # Create VLAN 10 on the switch, tagged on the WAN port (0) and the CPU port (5)
    robocfg vlan 10 ports "0t 5t"
    vconfig add eth0 10
    ifconfig vlan10 up

    # Move the guest AP (wl0.1) out of the main bridge br0 into its own bridge br1 together with vlan10
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl addif br1 vlan10
    brctl addif br1 wl0.1
    ifconfig br1 up

    # Record the bridge membership in NVRAM
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    nvram set lan1_ifnames="vlan10 wl0.1"
    nvram set lan1_ifname="br1"
    nvram commit

    # Restart eapd so it picks up the new bridge layout
    killall eapd
    eapd
)
I don't see any reason why your guest network would be able to reach your main network... how did you test this?
Is the firewall running? Maybe try restarting the router to make sure the firewall is loaded with the latest config.
I rebooted both the RPI4 and the RT-AC68U. I then connected my phone to the guest wifi; I can see the phone's IP address is 192.168.20.74 (I changed the guest network to 192.168.20.x). Then I used the browser to open 192.168.10.1 and 192.168.10.4, and I can open both web pages.
This is obviously your main router's address on the LAN. We have set the input rule to REJECT, so it should not accept any connections except for DNS and DHCP.
Is this the address of the AP?
What is the IP address info (complete: IP, subnet mask, router/gateway, DNS) from your phone?
Is it possible that the reason you're getting a response is actually due to a cached page on your device? Can you try a different device (such as a computer) connected to the guest network?
192.168.10.4 is the Netgear wifi extender. I am able to access the smb share on LAN as well. I also tried on another laptop.
The gateway and DNS shown on the phone are 192.168.20.1.
I only see firewall rules for wan, not lan?
What do you mean by this? I see zones for wan, lan, and guest. And they are set up as I would expect (forwarding to wan allowed from lan and guest, no other forwarding allowed; zone input/output/forward rules set appropriately). This matches what we see in the text config.
What is this device?
I mean, shouldn't there be an entry GUEST=>LAN INPUT reject, OUTPUT reject, FORWARD reject? I am just guessing.
erspan0 is always there after the first boot; not sure what it is.
"input" corresponds to a zone's ability to reach the router itself.
"forward" is the ability for traffic to be forwarded between 2 or more networks within the same zone (only applies if you have multiple networks assigned to a given zone).
"output" refers to the ability for traffic that has gone through the firewall to egress to the network(s) in the zone.
Everything is set correctly, AFAICT.
That's strange.
What is the output of the following:
ubus call system board
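As an added example (not code from the thread), the zone logic described above can be checked mechanically: this minimal parser for OpenWrt's UCI firewall syntax reports whether one zone may forward into another. The sample config it runs on is a constructed excerpt of the Pi's firewall config posted above.

```python
# Added example, not code from the thread: a minimal parser for OpenWrt's UCI
# firewall syntax that answers "may zone A forward into zone B?". The sample
# is a constructed excerpt of the zone/forwarding/rule sections posted above.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    option forward 'ACCEPT'
config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option src 'guest'
    option dest_port '53 67-68'
    option target 'ACCEPT'
    option name 'Allow-Guest'
"""

def parse_uci(text):
    # Returns [(section_type, {name: value or [values]}), ...]
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # keyword, name, quoted value
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) == 3 and parts[0] in ("option", "list"):
            value = parts[2].strip().strip("'\"")
            if parts[0] == "list":
                sections[-1][1].setdefault(parts[1], []).append(value)
            else:
                sections[-1][1][parts[1]] = value
    return sections

def forwarding_allowed(text, src, dest):
    """True if fw4 would forward src-zone traffic into dest: a forwarding section
    src->dest exists, or an ACCEPT rule names dest (or '*') as its destination.
    A rule with no 'dest' (like Allow-Guest) only opens input to the router
    itself and never opens inter-zone forwarding."""
    for kind, opts in parse_uci(text):
        if kind == "forwarding" and opts.get("src") == src and opts.get("dest") == dest:
            return True
        if (kind == "rule" and opts.get("src") == src and opts.get("target") == "ACCEPT"
                and opts.get("dest") in (dest, "*")):
            return True
    return False
```

Run against the posted config, guest to wan is allowed and guest to lan is not, which is the isolation the zones are meant to give.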
root@pi4:~# ubus call system board
{
    "kernel": "5.10.146",
    "hostname": "pi4",
    "system": "ARMv8 Processor rev 3",
    "model": "Raspberry Pi 4 Model B Rev 1.5",
    "board_name": "raspberrypi,4-model-b",
    "rootfs_type": "ext4",
    "release": {
        "distribution": "OpenWrt",
        "version": "22.03.2",
        "revision": "r19803-9a599fee93",
        "target": "bcm27xx/bcm2711",
        "description": "OpenWrt 22.03.2 r19803-9a599fee93"
    }
}
I'm not seeing anything unusual here.
Unplug the Netgear device and then see if you still have the problem? Since it is not VLAN aware, I wonder if it is doing something bad.
Do you have any unmanaged switches in your network?
I have several unmanaged switches, but the RT-AC68U is directly connected to the RPI4.
I think I will try the following:
- disable guest wifi on the RT-AC68U
- enable wifi on the RPI4 and link it to guest
- connect the guest device directly to the RPI4 wifi
If that works, the issue may be on the RT-AC68U side.
That sounds like a good test.
You'll need to remove eth1.10 from the guest network config, then you can link the wifi SSID with the guest network.
Hi, psherman:
Using the RPI4's own wireless seems OK, but I haven't figured out why it does not work with the RT-AC68U. So I decided to use the EA3500, which has OpenWrt installed, to try it out. The EA3500 is configured as a wireless/wired AP only. I added a guest wifi on it and linked it to internet.10, which is the internet port connected to the main router.
I have the following configuration. Please note that firewall/dnsmasq/odhcpd are disabled in Startup:
Network:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'ethernet1'
    list ports 'ethernet2'
    list ports 'ethernet3'
    list ports 'ethernet4'
    list ports 'internet'
    option ipv6 '0'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.10.5'
    option gateway '192.168.10.1'
    list dns '192.168.10.1'

config device
    option type '8021q'
    option ifname 'internet'
    option vid '10'
    option name 'internet.10'
    option ipv6 '0'

config interface 'guest'
    option proto 'static'
    option device 'internet.10'
    option ipaddr '192.168.20.2'
    option netmask '255.255.255.0'
    option gateway '192.168.20.1'
    list dns '192.168.20.1'
DHCP:
config dnsmasq
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option ignore '1'
    option dynamicdhcp '0'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
Firewall:
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'guest'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'guest'
The guest device could not get an IP address. Anything wrong in the EA3500 configuration?
This won't work...
Instead, you'll want to make it look like this:
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'ethernet1'
    list ports 'ethernet2'
    list ports 'ethernet3'
    list ports 'ethernet4'
    list ports 'internet'
    option ipv6 '0'

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'ethernet1:u*'
    list ports 'ethernet2:u*'
    list ports 'ethernet3:u*'
    list ports 'ethernet4:u*'
    list ports 'internet:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'internet:t'
Then, change the lan as follows:
config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.10.5'
    option gateway '192.168.10.1'
    list dns '192.168.10.1'
and finally the guest network should be unmanaged (no address) and on the br-lan.10 device:
config interface 'guest'
    option proto 'none'
    option device 'br-lan.10'
So this confirms that the Pi's configuration is correct and that the networks are properly isolated.
I don't know, either, but I wonder if it is related to the rest of your network that includes things that are not designed for use with VLANs. Specifically, unmanaged switches and/or the Netgear extender.
Can you draw a diagram of your complete network topology?
See below:
E3200: Tomato firmware, wifi disabled, acting as a wired network extender
EA3500: OpenWrt firmware, private wifi + guest wifi, wired and wireless network extender
Netgear EAX20: private wifi, wired and wireless network extender.
All other switches are unmanaged.
When I tested the EA3500, I connected it to the RPI4 directly. I haven't applied your config yet since they are using the network.