Guest WLAN on stupid AP?

Hi,

I'm struggling with setting up a guest WLAN on my dumb AP. The dumb AP is a Netgear R7000 router running Netgear OS.
I've succeeded in connecting to the guest WLAN on my router and getting a 192.168.3.x IP address.
But I'm not getting that through the dumb AP; it always gives me a 192.168.1.x IP address.

Not saying the config is 100% at the moment because I've tested a little bit..

Some red flags?

Network:

# Loopback: static 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix for this router.
config globals 'globals'
        option ula_prefix 'fdfe:8179:1be0::/48'

# Trusted LAN: bridge over eth0.1, router address 192.168.1.1/24.
# Anything bridged into this network gets a 192.168.1.x lease and is
# handled by the firewall's 'lan' zone.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

# Upstream (internet) side on eth1.2, addressed by DHCP.
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        # peerdns '0': the DNS servers offered by the upstream DHCP server
        # are not used; 127.0.0.1#5300 is listed instead.
        # presumably a local resolver listens on port 5300; it is not shown
        # in this post.
        option peerdns '0'
        list dns '127.0.0.1#5300'

# DHCPv6 client on the same device; auto '0' means it is not brought up
# at boot.
config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

# Hardware switch with VLAN support enabled.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 0-3 untagged, port 5 tagged.
# presumably port 5 is the CPU port behind eth0 (lan uses eth0.1); verify
# against the board's port map.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'
        option vid '1'

# VLAN 2: port 4 untagged, ports 3 and 6 tagged.
# NOTE(review): wan is on eth1.2, so VLAN 2 looks like the WAN VLAN, and
# port 3 is both an untagged LAN port (VLAN 1) and a tagged member here.
# A device on port 3 can therefore see VLAN 2 frames. Confirm this is
# intended and not a leftover from testing.
# No VLAN in this listing carries the 'guest' network.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3t 4 6t'
        option vid '2'

# Guest network: static 192.168.3.1/24 on a bridge.
# No ifname is listed, so no Ethernet port or VLAN is a member of this
# bridge; only wireless interfaces that set option network 'guest' join it.
# As configured, this network is not carried over the wire to any
# downstream AP.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'

Firewall:

# Global policies. forward 'REJECT' means traffic between zones is refused
# unless a 'config forwarding' section or a rule allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Trusted zone: everything to, from and within lan is accepted.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # tun0 is attached to this zone too, so traffic arriving on that
        # device gets the same ACCEPT policies as local lan clients.
        # presumably the OpenVPN tunnel (see the Allow-OpenVPN rule);
        # confirm that full lan trust for tunnel peers is intended.
        option device 'tun0'

# Untrusted upstream zone: input and forward are rejected by default;
# outgoing traffic is masqueraded (NAT) and MSS-clamped.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# lan clients may reach wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# Exceptions to the wan zone's REJECT policies. Rules with only a src are
# input rules (traffic addressed to the router itself); rules that also
# set a dest are forward rules.

# DHCP replies from the upstream server to the router's DHCP client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 ping from the wan side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP from wan to the router.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


# DHCPv6 replies to the router (UDP 546), limited to fc00::/6 on both ends.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted on the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types forwarded from wan to any zone (dest '*'), which includes
# guest as well as lan; rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec ESP forwarded from wan to lan hosts.
# NOTE(review): if no IPsec endpoint sits in lan, this rule and
# Allow-ISAKMP below can be removed to narrow what wan may forward.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# IKE (UDP 500) forwarded from wan to lan hosts.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules file. Its contents are not part of this post, so any rules
# it adds are not visible in this listing.
config include
        option path '/etc/firewall.user'

# Accepts UDP 1194 from wan on the router itself, i.e. this port is
# reachable from the upstream side.
config rule 'vpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option target 'ACCEPT'
        option proto 'udp'

# DNAT for TCP/UDP traffic from lan addressed to port 5300, rewritten to
# port 5300.
# NOTE(review): no dest_ip is set, so presumably the target is the router
# itself; with identical source and destination ports, confirm what this
# is meant to divert. Only src 'lan' is matched; guest traffic is not
# covered by this redirect.
config redirect
        option name 'Divert-DNS'
        option src 'lan'
        option target 'DNAT'
        option proto 'tcp udp'
        option src_dport '5300'
        option dest 'lan'
        option dest_port '5300'

# Guest zone: covers only traffic arriving on the 'guest' network's
# interfaces. A client that ends up on the lan bridge instead (for example
# one handed a 192.168.1.x lease) is classified as 'lan' by this router,
# and none of the restrictions below apply to it.
config zone
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        # input 'REJECT': guests cannot reach services on the router
        # (admin UI, SSH, ...) except through the ACCEPT rules below.
        option input 'REJECT'
        # masq '1' rewrites the source address of traffic leaving through
        # the guest interfaces. guest -> wan traffic is already NATed by
        # the wan zone's own masq.
        option masq '1'

# Guests may reach wan only; no forwarding to lan is defined.
config forwarding
        option src 'guest'
        option dest 'wan'

# Guests may query the router's DNS on port 53 (TCP and UDP).
config rule
        option name 'GUEST Allow DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

# Guests may talk DHCP to the router: UDP with both source and
# destination port in 67-68.
config rule
        option name 'GUEST Allow DHCP request'
        option src 'guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

# Explicit drop of all guest -> lan traffic. With no guest -> lan
# forwarding defined and the default forward policy set to REJECT, this
# traffic is already refused; the rule makes the isolation explicit and
# drops silently instead of rejecting.
config rule
        option name 'Deny Guest -> LAN'
        option src 'guest'
        option dest 'lan'
        option proto 'all'
        option target 'DROP'

# Firewall hook script for miniupnpd (UPnP port mapping), re-run on
# firewall reload.
# NOTE(review): which networks may request port mappings is set in
# miniupnpd's own configuration, which is not shown; confirm that guest
# is not among them.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# Firewall hook script for bcp38, IPv4 only, re-run on firewall reload.
config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

Wireless:

# 5 GHz radio (hwmode 11a): channel 36, 80 MHz VHT, country NO.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option country 'NO'
        option htmode 'VHT80'
        option channel '36'
        option txpower '23'
        option legacy_rates '0'

# 2.4 GHz radio (hwmode 11g): automatic channel, 20 MHz HT, country NO.
# Both the lan SSID 'default_radio1' and the 'guest' SSID are defined on
# this radio.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel 'auto'
        option country 'NO'
        option htmode 'HT20'

# 2.4 GHz AP bridged into lan, WPA2-PSK.
# NOTE(review): no 'option key' line appears here; presumably it was cut
# from the post along with the SSID and MAC address.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr 'removed'
        option encryption 'psk2'
        option ssid 'removed'

# 5 GHz AP bridged into lan, WPA2-PSK.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '5ghz'
        option encryption 'psk2'
        option key 'removed for this post'
        option network 'lan'
        option macaddr 'removed for this post'

# Guest AP on the 2.4 GHz radio, attached to the 'guest' network, so its
# clients land in the firewall's guest zone.
config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option macaddr 'removed for this post'
        # NOTE(review): psk2 is set but no 'option key' line is shown;
        # presumably omitted from the post. The guest passphrase should
        # differ from the lan one.
        option encryption 'psk2'
        option ssid 'guest'
        # isolate '1': wireless clients on this SSID are kept from talking
        # to each other. This applies to this AP interface only.
        option isolate '1'
        option network 'guest'
        # The SSID is switched off in this listing.
        option disabled '1'

DHCP:

# dnsmasq: DNS forwarder and DHCPv4 server for the local networks.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Rebind protection is on: upstream answers pointing at private
        # address ranges are discarded. rebind_localhost '1' relaxes this
        # for 127.0.0.0/8 answers.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # localservice '0' turns off dnsmasq's own restriction to queries
        # from local subnets, so which clients can reach the resolver is
        # decided by the firewall alone (wan input REJECT, guest port 53
        # ACCEPT).
        option localservice '0'
        # All upstream queries go to 127.0.0.1 port 5300.
        # presumably a local resolver; it is not shown in this post.
        list server '127.0.0.1#5300'
        # Extra server entries are read from this file.
        # presumably an ad-block list, judging by the name; verify.
        option serversfile '/tmp/adb_list.overall'
        option confdir '/tmp/dnsmasq.d'

# DHCP pool for lan: 150 addresses starting at .100, 12 h leases.
# DHCPv6 and router advertisements are served on lan as well.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        # DHCP option 6 (DNS server) is pinned to the router, 192.168.1.1.
        list dhcp_option '6,192.168.1.1'
        option ra_management '1'

# No DHCP service is offered on wan.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP pool for guest: 150 addresses starting at .100
# (192.168.3.100-192.168.3.249), 3 h leases.
# A client only receives one of these leases if it is attached to the
# 'guest' network; a 192.168.1.x lease means the client is on lan.
# No dhcp_option is set, so presumably the router's own guest address is
# advertised as DNS server, matching the 'GUEST Allow DNS' firewall rule.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '3h'

There is a guide for that in the documentation.
However, your AP is not dumb: you are routing from lan and guest to wan.
Masquerading in the guest firewall zone is not needed; traffic from guest to wan is already masqueraded by the wan zone.

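The rule "Deny Guest -> LAN" is not needed: there is no forwarding from guest to lan, so the default forward policy (REJECT) already blocks that traffic.
The guest SSID is disabled; you'll need to enable it.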

The "guest" wireless interface is disabled, how are you connecting to it?

Hi, disabled because only one 2.4ghz wlan will work at a time.
@trendy I've removed masquerade and the rule guest -> lan.
I've followed the guide you refer to.

I've successfully connected to guest on my router (OpenWrt), but I'm not able to get my "dumb AP" (the router running Netgear OS) to "publish" the guest WLAN correctly.

When I change what config there is on the dumb AP (which is really just the SSID and password), it lets me connect to my new guest WLAN with a guest password, but the IP address is in the wrong range (192.168.1.x)..

My Iphone is now correctly connected to guest wlan on my openwrt router - with 192.168.3.x network range.

Edit: do I allow the guest WLAN to be used on my dumb AP with this config? I'm not sure how the guest WLAN is sent to my dumb AP; it's cabled with Ethernet from my router, that's for sure.

Did some more low-level testing... My dumb AP has the network address 192.168.1.3 set as static.
Maybe that's why I can't get it to work with 192.168.2.x range.. I want it to do both, one 5ghz network with my home wlan 192.168.1.x and one guest wlan on 2.4ghz on 192.162.2.x.
Soon to give up on this.

Ok, I think I have a better picture of your setup now. Have a look at this thread, where I guided someone else with a similar need:

What does iw list say about that?

I think I misunderstood this part. So there is an OpenWrt router that connects to the internet and has lan and guest interfaces.
There is also some dumbAP router connected downstream to the internet router, right? If so, you'll have to follow the instructions in the topic that @eduperez posted earlier and trunk the guest vlan to the dumbAP. I am not sure if the OS from Netgear will support such function, but you can give it a try.

Thanks, looking at it now. I don't think the Netgear OS has any VLAN capabilities when in AP mode.. Can't seem to find it.. I tried setting it to bridge mode and that really blew up the network, a storm issue I guess..
I can see a greyed out function called vlan and bridge settings, just need to get to it...

Edit: OK I reset the dumb ap back to it's basic router settings. Now it's running like a router, but I guess I can make the settings without putting it in AP mode (disable dhcp etc).
On the dumb ap I've made 2 vlans, 10 for ports 1 to 4 including 5ghz wlan.
Vlan 100 for 2.4ghz wlan on called guest.
Thanks for your help so far, I'll be back :slight_smile:

Edit: something spooky with the ap, another reset to get in... don't know why its moody.. Vlan 10 and 100 must be changed to 2-3-4 etc since openwrt assigns id's on the fly..?

Edit 2: Ok so I disabled dhcp, wan settings to automatic (tried static (my internet router at first) but it then changed ip to 10.0.0.x because of address conflict), I've setup vlan 2 as home and vlan 3 as guest. Added 2.4ghz to guest.
It rebooted, and now I have access to my main router but can't for the life of me log in to my dumb AP.. I believe I set the IP to .3, but no go.
In the OpenWrt switch settings I set VLAN IDs 0, 1 and 2, where 0 is off and 1 and 2 are tagged for port 2.
Strange...

Edit: another reset of the dumb ap. I will have to revert back to how it was to make it work somehow..

Make a third VLAN (VLAN 3) in the switch on your main router, with an untagged port on VLAN 3 for the AP. Connect eth0.3 to the guest network. Plug a PC into that port and confirm it gets a 3.x address and has guest access. Then configure the Netgear as AP (static 3.x IP, DHCP server off) and connect the Ethernet.

In other words set up a wired guest network from the main router and use the Netgear as a dumb wired to wifi converter.

But then I will only be able to use my dumb ap with guest wlan - I want both..

The stock firmware doesn't support VLANs though, so you can't do that. I've only seen stock firmware that supports multiple SSIDs and VLANs on devices sold specifically as APs.


Yep, I'll have to give up on this one. Though there is bridge/VLAN functionality that seems interesting.. It was not meant to be this time :slight_smile: