Guest WIFI won't hand out DNS servers

My guest network hands out DHCP to clients (192.168.3.x) but the DNS servers never populate. I've tried setting a Custom DNS in config, but that didn't help. Any help would be appreciated.

Log is showing

daemon.err odhcpd[20807]: Failed to send to ff02::1%lan@br-lan (Network unreachable)

I am running AdGuardHome as my DNS server on 192.168.1.1 and it's working fine with the main network. As per the guest wifi guide, we are isolating the guest wifi from the lan, so is there an additional step I need to take to allow the guest network to communicate with AdGuardHome specifically?

Also.. if I populate DNS as 192.168.1.1 manually on the client it can communicate and I can see entries being blocked in AdGuardHome from the client IP (192.168.3.xxx). So it's able to communicate with the router and DNS server. It's just not populating the DNS when it fetches DHCP.

"kernel": "5.10.127",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03-SNAPSHOT",
                "revision": "r19540-945b13e369",
                "target": "ipq806x/generic",
                "description": "OpenWrt 22.03-SNAPSHOT r19540-945b13e369"

Please post the content of the following files:

  • /etc/config/network
  • /etc/config/wireless
  • /etc/config/firewall

Wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option country 'US'
	option cell_density '0'
	option channel '153'
	option htmode 'VHT80'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi5'
	option network 'lan wan'
	option encryption 'psk2'
	option key 'password'
	option hidden '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option band '2g'
	option htmode 'HT20'
	option channel '11'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi2'
	option encryption 'psk2'
	option key 'password'
	option network 'lan wan'
	option hidden '1'
	option wps_pushbutton '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'guest5'
	option network 'Guest'
	option isolate '1'
	option key 'password'
	option hidden '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest2'
	option encryption 'psk2'
	option key 'password'
	option isolate '1'
	option network 'Guest'
	option hidden '1'

config guest 'network'

Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd61:4904:dcb1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'

config static 'proto'

config br-guest 'device'

config 192.168.3.1 'ipaddr'

config 255.255.255.0 'netmask'

config interface 'Guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

Firewall

config rule
	option name '[IPv6] [ANY] to [DEVICE] - ALL - DROP'
	option family 'ipv6'
	option src '*'
	list proto 'all'
	option target 'DROP'

config rule
	option name '[IPv6] [ANY] to [ANY] - ALL - DROP'
	option family 'ipv6'
	option src '*'
	option dest '*'
	list proto 'all'
	option target 'DROP'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'Guest'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '67-68'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53'
	list proto 'tcp'
	list proto 'udp'
	option family 'ipv4'

config forwarding
	option src 'guest'
	option dest 'wan'

Also.. if I populate DNS as 192.168.1.1 manually on the client it can communicate and I can see entries being blocked in AdGuardHome from the client IP (192.168.3.xxx). So it's able to communicate with the router and DNS server. It's just not populating the DNS when it fetches DHCP.

I see no guest zone in your firewall. Therefore the proposed rule won't work.

These are in the config I posted. Am I missing something else?

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'Guest'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '67-68'

Please show the output of

/etc/config/dhcp

DHCP

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/mnt/sda1/adblock/dns'
	option rebind_protection '0'
	option port '54'
	list server '192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option interface 'Guest'
	option leasetime '12h'
	option start '151'
	option limit '199'

You are missing option 6 on your guest dhcp

A few things happening here...

first -- remove the 'guest_dev' from the bridge definition. It is inconsistent with the 'br-guest' name, and since you already have a line for the name, you don't need to name it in the config device line.

Next, you have a bunch of junk in there that should be removed (unless this is purely a copy/paste error in this post)... delete all of the following:

Finally, remove the following line from your Guest network interface definition:

Then restart your router and see if it works.

So I need to add this?

Interface->Guest->Advanced->DHCP Options
6,192.168.1.1

Option 6 is not required if the intent is to use the router as the DNS server for the network.

No, it is not necessary.

He is using Adguard

Ah... I missed that. My bad.

@FrankWard -- yes, add that. Sorry for the confusion.

Also make sure that Adguard is listening on the guest network as well.

On the Adguard interface, go to "Setup guide"; there you have all the addresses Adguard is listening on. Make sure that there is an entry with

192.168.3.1

If not, go to your Adguard directory and add the IP in your AdGuardHome.yaml under bind hosts:

@Hudra Adding option 6 to the guest wifi interface fixed the issue. The clients are now getting 192.168.1.1 as their DNS with the DHCP lease. AdGuard is currently listening on the guest network and is listed in the Setup Guide.

@psherman No worries. I appreciate the advice from everyone. I did not make any other changes yet based on your recommendations, but I'd like to clean it up as much as possible.

As per your instructions,

first -- remove the 'guest_dev' from the bridge definition. It is inconsistent with the 'br-guest' name, and since you already have a line for the name, you don't need to name it in the config device line.

I'm a little confused. If I remove 'config device guest_dev' it will leave a few options without a header. Do I rename this to 'br-guest'?

you can either rename it br-guest, or don't name it at all in that line...

look at this example (from your config), config device doesn't have anything after it, but the name is specified in the next line.

likewise, for the guest bridge definition, I'd recommend:

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'

or, if you prefer to have it named in the config device line, be consistent:

config device 'br-guest'
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'

I see. I should have noticed that. I made these changes and all is well. Thanks!
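
Added example, not part of any post in the thread: the fix confirmed above (option 6 on the Guest pool) follows from the posted dnsmasq section, where `option port '54'` moves dnsmasq off port 53, and dnsmasq only advertises itself as the DNS server by default when it serves DNS on port 53. The shell function below audits a UCI dhcp config for pools left without a DNS server in that situation; the function name and the trimmed sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list DHCP pools that hand out no DNS server.
# Constructed sample input, trimmed from the /etc/config/dhcp posted above.
SAMPLE_DHCP="config dnsmasq
    option port '54'

config dhcp 'lan'
    option interface 'lan'
    list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config dhcp 'Guest'
    option interface 'Guest'
    option start '151'
"

# Reads a UCI dhcp config on stdin. Prints each active pool that has no
# option 6, but only when the dnsmasq DNS port is set to something other than 53.
pools_without_dns() {
    awk '
    function unq(s) { gsub("\047", "", s); return s }   # strip the UCI quoting
    function emit() { if (type == "dhcp" && !ignored && !has6) missing = missing name "\n" }
    $1 == "config" { emit(); type = $2; name = unq($3); ignored = 0; has6 = 0; next }
    type == "dnsmasq" && $2 == "port" { port = unq($3) }
    type == "dhcp" && $2 == "ignore" && unq($3) == "1" { ignored = 1 }
    type == "dhcp" && $2 == "dhcp_option" && unq($3) ~ /^(6|option:dns-server),/ { has6 = 1 }
    END { emit(); if (port != "" && port != "53") printf "%s", missing }
    '
}

printf '%s' "$SAMPLE_DHCP" | pools_without_dns   # prints: Guest
```

On the router itself, `pools_without_dns < /etc/config/dhcp` runs the same check against the live config.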
