Guest wifi with different gateway

Hi friends,

I am looking for a simple how-to/solution to use a different gateway on my guest wifi.
My private wifi uses the standard gateway, defined on br-lan.
On the br-guest interface I set these IPs:

IPv4 address
192.168.3.1
IPv4 netmask
255.255.255.0
IPv4 gateway
192.168.0.4

But this is not working.

You cannot set a gateway IP that exists numerically in another network. In order to assist you with your issue, feel free to explain what you desire to accomplish.


I use 192.168.0.0/24 in my private network. I have two gateways there: 192.168.0.4 should be used for guests and 192.168.0.15 for private.
So I set 192.168.0.15 as the gateway on the br-lan interface. Now OpenWrt and the private wifi use this gateway.

But how can I route br-guest traffic via 192.168.0.4?

Provide all the clients on br-guest with the gateway IP 192.168.0.4 via DHCP?

Collect the diagnostics:

# Collect interface addresses, all routing tables and policy rules, followed by
# the network, DHCP and firewall UCI configuration.
# NOTE(review): this output can include MAC addresses, public IPs and any
# secrets stored in these config sections - redact before posting publicly.
ip address show
ip route show table all
ip rule show
uci show network
uci show dhcp
uci show firewall

root@CPE210-Nord:~# ip address show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether d8:47:32:53:c3:be brd ff:ff:ff:ff:ff:ff
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether d8:47:32:53:c3:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fde9:35ad:1301::1/60 scope global tentative dadfailed noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::da47:32ff:fe53:c3be/64 scope link
       valid_lft forever preferred_lft forever
5: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether da:47:32:53:c3:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::d847:32ff:fe53:c3be/64 scope link
       valid_lft forever preferred_lft forever
6: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether d8:47:32:53:c3:be brd ff:ff:ff:ff:ff:ff
    inet6 fe80::da47:32ff:fe53:c3be/64 scope link
       valid_lft forever preferred_lft forever
7: phy0-ap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP qlen 1000
    link/ether da:47:32:53:c3:be brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d847:32ff:fe53:c3be/64 scope link
       valid_lft forever preferred_lft forever

root@CPE210-Nord:~# ip route show table all

default via 192.168.0.15 dev br-lan
192.168.0.0/24 dev br-lan scope link  src 192.168.0.20
192.168.3.0/24 dev br-guest scope link  src 192.168.3.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.0.20 dev br-lan table local scope host  src 192.168.0.20
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.20
local 192.168.3.1 dev br-guest table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev br-guest table local scope link  src 192.168.3.1
fde9:35ad:1301::/64 dev br-lan  metric 1024
unreachable fde9:35ad:1301::/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
fe80::/64 dev phy0-ap0  metric 256
fe80::/64 dev br-guest  metric 256
fe80::/64 dev phy0-ap1  metric 256
local ::1 dev lo table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev phy0-ap0 table local  metric 0
anycast fe80:: dev phy0-ap1 table local  metric 0
anycast fe80:: dev br-guest table local  metric 0
local fe80::d847:32ff:fe53:c3be dev phy0-ap1 table local  metric 0
local fe80::d847:32ff:fe53:c3be dev br-guest table local  metric 0
local fe80::da47:32ff:fe53:c3be dev br-lan table local  metric 0
local fe80::da47:32ff:fe53:c3be dev phy0-ap0 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev phy0-ap0 table local  metric 256
multicast ff00::/8 dev br-guest table local  metric 256
multicast ff00::/8 dev phy0-ap1 table local  metric 256

root@CPE210-Nord:~# ip rule show

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

root@CPE210-Nord:~# uci show network

network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fde9:35ad:1301::/48'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='192.168.0.4'
network.lan.device='br-lan'
network.lan.ipaddr='192.168.0.20'
network.lan.gateway='192.168.0.15'
network.guest=interface
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ipaddr='192.168.3.1'
network.guest.netmask='255.255.255.0'
network.guest.gateway='192.168.0.4'
network.guest.device='br-guest'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'

root@CPE210-Nord:~# uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ignore='1'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.ra_flags='none'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='2'
dhcp.guest.limit='150'
dhcp.guest.leasetime='1h'

root@CPE210-Nord:~# uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].masq='1'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.output='ACCEPT'
firewall.guest.forward='REJECT'
firewall.guest.input='REJECT'
firewall.guest.network='guest'
firewall.guest.family='ipv4'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].src='guest'
firewall.@rule[11].name='Guest no LAN'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_ip='192.168.0.0/24'
firewall.@rule[11].target='REJECT'
firewall.@rule[11].proto='all'
firewall.@rule[12]=rule
firewall.@rule[12].dest_port='80'
firewall.@rule[12].src='guest'
firewall.@rule[12].name='disable Guest AP HTTP Access'
firewall.@rule[12].target='DROP'
firewall.@rule[13]=rule
firewall.@rule[13].dest_port='22'
firewall.@rule[13].src='guest'
firewall.@rule[13].name='disable Guest AP SSH Access'
firewall.@rule[13].target='DROP'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
firewall.dns_int.dest='lan'
firewall.dns_int.dest_ip='192.168.0.2'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='lan'
firewall.@rule[14]=rule
# Send traffic that arrives on the guest network out through 192.168.0.4 by
# giving the router a second (macvlan) interface on br-lan with its own
# routing table. Every step changes persistent UCI configuration.
# Only IPv4 is handled here (ip4table and an IPv4 policy rule).

# Kernel module that provides macvlan devices.
opkg update
opkg install kmod-macvlan

# Firewall: make "lan1" a member of zone 0 (the 'lan' zone in the firewall
# dump earlier in this thread). Deleting before adding avoids a duplicate
# list entry when the commands are run again.
# NOTE(review): in that dump the lan zone has masq='1' and a guest -> lan
# forwarding exists, so guest traffic is forwarded into the private segment
# on its way to 192.168.0.4. Guest isolation then rests on the 'Guest no LAN'
# REJECT rule for 192.168.0.0/24 - keep that rule and verify from a guest
# client that private hosts stay unreachable.
uci del_list 'firewall.@zone[0].network=lan1'
uci add_list 'firewall.@zone[0].network=lan1'
uci commit firewall
service firewall restart

# Device: macvlan "veth0" stacked on br-lan. Any earlier definition is
# dropped first (-q hides the error when there is none).
uci -q delete 'network.lan1_dev'
uci set 'network.lan1_dev=device'
uci set 'network.lan1_dev.type=macvlan'
uci set 'network.lan1_dev.name=veth0'
uci set 'network.lan1_dev.ifname=br-lan'

# Interface: static address on the private subnet with 192.168.0.4 as its
# gateway; ip4table=1 places this interface's IPv4 routes in table 1 instead
# of the main table.
# NOTE(review): 192.168.0.21 has to be unused on the private network - confirm.
uci -q delete 'network.lan1'
uci set 'network.lan1=interface'
uci set 'network.lan1.proto=static'
uci set 'network.lan1.device=veth0'
uci set 'network.lan1.ipaddr=192.168.0.21/24'
uci set 'network.lan1.gateway=192.168.0.4'
uci set 'network.lan1.ip4table=1'

# Guest interface routes go to table 2; presumably this keeps the gateway
# configured on guest (192.168.0.4, outside the guest subnet) out of the
# main table - confirm.
uci set 'network.guest.ip4table=2'

# Policy rule: packets coming in on the guest interface consult table 1,
# i.e. the routes of lan1, at priority 30000.
uci -q delete 'network.guest_lan1'
uci set 'network.guest_lan1=rule'
uci set 'network.guest_lan1.in=guest'
uci set 'network.guest_lan1.lookup=1'
uci set 'network.guest_lan1.priority=30000'

uci commit network
service network restart

I have executed everything, but I get the following error at lan1:
Unknown error (DEVICE_CLAIM_FAILED)

yes yes yes, you are my hero, it works. even if I do not fully understand it :joy:

