Guest wlan on "dumb" ap

While attempting to configure a guest WLAN on a "dumb AP", I followed the instructions at:

Two differences

  1. no "wan" interface as this is just an AP
  2. no local DNS services (I used this instead: list dhcp_option '6,1.1.1.1')

My "normal" wlans work just fine.

Here are the various configuration files.

root@91OpenWrt:/etc/config# cat wireless

# 5 GHz radio (hwmode '11a'), VHT80 channel width, automatic channel selection.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option channel 'auto'
        option country 'US'
        option legacy_rates '0'

# 2.4 GHz radio (hwmode '11g'), HT20 channel width, automatic channel selection.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option channel 'auto'

# Guest access point on radio1, attached to the 'guest' network.
config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        # NOTE(review): 'none' makes this an open SSID: no passphrase and no
        # over-the-air encryption. This section also has no "option isolate '1'",
        # so the AP does not block traffic between clients on this SSID.
        option encryption 'none'

root@91OpenWrt:/etc/config# cat firewall

# Global policies applied to traffic that is not handled by a zone below.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# Trusted zone: everything to, from and through the 'lan' network is accepted.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config include
        option path '/etc/firewall.user'

# Guest zone: by default guests may neither reach the AP itself (input) nor
# be forwarded anywhere (forward); exceptions are the rules and the forwarding
# further down.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

# NOTE(review): this rule has a src but no dest, so it applies to traffic sent
# to the AP itself, and it has no dest_port, so it matches every TCP and UDP
# port, not only DNS. That overrides the zone's input 'REJECT' for any
# management service listening on the AP. Restrict it with
# "option dest_port '53'", or drop the rule if the AP serves no DNS to guests.
# The parenthesised remark on the proto line is the poster's annotation, not
# UCI syntax.
config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcpudp' (note that LUCI doesn't like this value)

# Lets guest clients reach the DHCP server on the AP (IPv4, UDP port 67).
config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option family 'ipv4'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): guest -> lan forwarding with no restricting rule means guest
# clients can be forwarded to every host in the 'lan' zone, not only to the
# upstream gateway. A REJECT rule for the LAN subnet is needed if guests are
# meant to be isolated from LAN hosts.
config forwarding
        option dest 'lan'
        option src 'guest'

root@91OpenWrt:/etc/config# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd34:5ae0:2e96::/48'

# LAN bridge of the AP: static address 192.168.1.91/24, default gateway
# 192.168.1.1 (the main router), two DNS servers.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.91'
        option gateway '192.168.1.1'
        list dns '192.168.1.225'
        list dns '1.1.1.1'

# MAC addresses were redacted by the poster.
config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'deleted'

# The closing quote on macaddr is missing in the post (redaction artefact);
# the line would not parse as written.
config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'deleted (different than eth0.1)

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 1-4 untagged, port 6 tagged (eth0.1, used by 'lan' above).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

# VLAN 2: port 0 untagged, port 6 tagged (eth0.2; no interface in this file
# uses it, consistent with the AP having no 'wan').
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

# Guest network: the AP is 192.168.3.1/24 on it. No ifname is set here; the
# wireless guest interface attaches to this network by name.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

root@91OpenWrt:/etc/config# cat dhcp

# dnsmasq (DNS forwarder and DHCP server) settings; upstream resolver is
# 1.1.1.1, DNS rebind protection is on, and DNS is served to local subnets only.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '1.1.1.1'

# ignore '1' turns DHCP off on 'lan', so the dhcp_option below presumably has
# no effect on this interface.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        list dhcp_option '6,1.1.1.1'

# Guest pool: 150 addresses starting at offset 100, one-hour leases.
# No DHCP option 6 (DNS server) is set here; the reply in the thread
# recommends adding one because the AP does not serve DNS to guests.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

Thanks!

  1. Since you're not providing DNS service to guests you need your DHCP server to point them to another one. Put an option 6 in the guest DHCP.

  2. In the firewall enable masq on the lan zone. When guests are forwarded to lan on the way to the Internet they need to be NATd out on the lan IP the router has.

You need to apply this section:

Happily, the linked Guest WLAN instructions allowed me to configure a working solution. I'm pasting my configuration files for others to see. I'm positive there are extra dhcp_option entries and surely other errors (likely in the firewall section), but this is working in my environment.

As a reminder my goal is to implement an isolated WLAN on a dumb AP. The "main" router has the WAN interface but no WLANs. Implemented on a D-Link DIR-860L B1 running OpenWrt 19.07.4 r11208-ce6496d796.

Thanks for the help!

root@91OpenWrt:/etc/config# cat dhcp

# dnsmasq (DNS forwarder and DHCP server) settings; upstream resolver is
# 1.1.1.1, DNS rebind protection is on, and DNS is served to local subnets only.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '1.1.1.1'

# ignore '1' turns DHCP off on 'lan', so the dhcp_option below is presumably
# one of the "extra dhcp_option entries" the poster mentions.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        list dhcp_option '6,1.1.1.1'

# Guest pool: 150 addresses starting at offset 100, one-hour leases.
# DHCP option 6 hands guests 1.1.1.1 as their DNS server, so they do not
# need DNS service from the AP.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        list dhcp_option '6,1.1.1.1'


root@91OpenWrt:/etc/config# cat firewall

# Global policies applied to traffic that is not handled by a zone below.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# Trusted zone. masq '1' source-NATs traffic leaving through 'lan', so
# forwarded guest traffic appears on the LAN with the AP's own LAN address
# (the fix suggested in the thread's reply).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'

config include
        option path '/etc/firewall.user'

# Guest zone: by default guests may neither reach the AP itself (input) nor
# be forwarded anywhere (forward); exceptions are the rules and the forwarding
# further down.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

# NOTE(review): this rule has a src but no dest, so it applies to traffic sent
# to the AP itself, and it has no dest_port, so it matches every TCP and UDP
# port, not only DNS. That overrides the zone's input 'REJECT' for any
# management service listening on the AP, on any of its addresses. Restrict it
# with "option dest_port '53'"; since guests are handed 1.1.1.1 by DHCP, the
# rule can presumably be removed instead.
config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcpudp'

# Lets guest clients reach the DHCP server on the AP (IPv4, UDP port 67).
config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option family 'ipv4'
        option proto 'udp'
        option target 'ACCEPT'

# Allows guest traffic to be forwarded out through the 'lan' zone, which is
# the only path to the upstream router on this AP.
config forwarding
        option dest 'lan'
        option src 'guest'

# Despite the name 'Allow-Guest-Forward', the target is REJECT: forwarded guest
# traffic addressed to 192.168.1.0/24 is refused, which keeps guests away from
# LAN hosts while the forwarding above still carries traffic for other
# destinations. fw3 is expected to evaluate rules before zone forwardings;
# confirm against the generated ruleset.
# NOTE(review): this covers forwarded traffic only. Packets addressed to the
# AP's own addresses are input traffic and fall under the guest zone's input
# policy and the input rules above.
config rule 'guest_fwd'
        option name 'Allow-Guest-Forward'
        option src 'guest'
        option proto 'all'
        option dest '*'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

root@91OpenWrt:/etc/config# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# 'xxx' values in this file were redacted by the poster.
config globals 'globals'
        option ula_prefix 'xxx'

# LAN bridge of the AP: static address 192.168.1.91/24, default gateway
# 192.168.1.1 (the main router), two DNS servers.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.91'
        option gateway '192.168.1.1'
        list dns '192.168.1.225'
        list dns '1.1.1.1'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xxx'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 1-4 untagged, port 6 tagged (eth0.1, used by 'lan' above).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

# VLAN 2: port 0 untagged, port 6 tagged (eth0.2; no interface in this file
# uses it, consistent with the AP having no 'wan').
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

# Guest network: the AP is 192.168.3.1/24 on it. No ifname is set here; the
# wireless guest interface attaches to this network by name, so guest clients
# sit in their own subnet rather than on the LAN bridge.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

root@91OpenWrt:/etc/config# cat wireless

# 5 GHz radio (hwmode '11a'), VHT80 channel width, automatic channel selection.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option channel 'auto'
        option country 'US'
        option legacy_rates '0'

# Main 5 GHz access point on the 'lan' network: WPA2-PSK ('psk2') with
# 802.11r fast transition enabled. SSID and key were redacted by the poster.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ft_over_ds '1'
        option ssid 'xxx'
        option encryption 'psk2'
        option ft_psk_generate_local '1'
        option key 'xxx'
        option ieee80211r '1'

# 2.4 GHz radio (hwmode '11g'), HT20 channel width, automatic channel selection.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option channel 'auto'

# Main 2.4 GHz access point on the 'lan' network, WPA2-PSK.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option ssid 'xxx'
        option key 'xxx'

# Guest access point on radio1, attached to the separate 'guest' network.
# isolate '1' stops the AP from relaying traffic between guest clients, and
# 'psk2' protects the link with WPA2-PSK. Use a passphrase different from the
# main WLANs' key so that handing it to guests does not expose the LAN SSIDs.
config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option isolate '1'
        option key 'xxx'
        option encryption 'psk2'
        option ssid 'xxx'
