Help with setting up a guest subnet on dedicated guest router

My home network equipment is a mishmash of a few different devices & distros:

  • a x86 box running IPFire as the gateway b/w my ISP's modem/router and the main LAN of my home
  • OpenWrt dumb APs x2, one each on the 1st and 2nd floors; both are on the main LAN
  • and finally, I'm now trying to add a 3rd wireless AP primarily meant for guests, which will go into the basement once successfully configured

The guest device is a Linksys E4200v1, which unfortunately isn't supported by OpenWrt. So I went with flashing FreshTomato onto it, which works quite well when I tested it by connecting it to my home's main LAN.

Today I tried to take the last step, and set it up as an actual dedicated guest router. The relevant devices are connected as such:

                 192.168.1.2,
192.168.1.1      192.168.0.1      192.168.0.10        192.168.0.20
 ISP router <-----> IPFire <-----> OpenWrt AP1 <-----> OpenWrt AP2
                                          ∧
                                          |
                                          |
                                          ∨
                                 Tomato guest router
                                     192.168.0.30,
                                     192.168.7.1

As you can see OpenWrt AP1, which is a TP-Link Archer C7, currently functions as both the main switch for the 192.168.0.0/24 LAN, as well as a dumb AP.


And here's a screenshot of the FreshTomato device's with some additional configuration info (DNS & DHCP) for reference.


With this current connection setup, when I link a client device to the guest router, it's able to successfully obtain a dynamic IP (e.g. 192.168.7.200). And from this client, I was able to ping all devices on the 192.168.0.0/24 subnet, the ISP router at 192.168.1.1, and even hosts on the internet by IP (e.g. 8.8.8.8). However it appears not to be able to resolve any DNS queries.

Another clue I think is from a client on the main LAN, i.e. the 192.168.0.0/24 subnet, I was unable to ping 192.168.0.30, which is ping-able from the 192.168.7.0/24 guest subnet.

I also tried to add a static route on the IPFire gateway, such as:
192.168.0.30 via 192.168.0.10 dev green0 proto static
But this doesn't appear to do anything, which I'm guessing is because 192.168.0.10 (OpenWrt AP1) is not a router, but just acting as a switch.

And this is basically where I'm stuck at now. Not sure if I might be missing something obvious, or if there's some fundamental mistake that I've made. Please help!

  1. On the Tomato you need to add a few firewall rules to deny traffic from guest to the lan. It is explained in the guide, however you need to adapt it for your device/Tomato/usecase.

Verify with packet capturing or logs that queries get to the IPFire.

2 Likes

I used to have two tomato access points with guest wifi and vlan configured, but because my main router, a fritz box, does not support vlans, I used an iptables setup to block traffic from guest to normal lan. That was basically the same approach that is described in the

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap,

but with tomato that one is much harder to setup.

In your specific case, I probably would choose a different approach:
I would set up the guest net on your 1st openwrt access point, delegate one of the ethernet ports to the guest net and use the tomato device as a dump ap within the openwrt guest net.

With that approach you would not have the possible security leaks of tomato (not being developed any further) in your main network.

1 Like

Hmm, thanks for the headsup. And I'm indeed finding it to not be trivial to adapt the firewalling instructions in the OpenWrt guide to Tomato. I'll give it an another shot some time soon, and if I can't figure it out I'll try out some alternative solutions like the one you suggested.

One of the main reasons I wanted to make the Tomato router to do actual routing b/w my main LAN and the guest LAN is to apply its built-in QoS functionality. My intention is to be able to cap the max bandwidth from the guest network to say 30-40% of my ISP's provided bandwidth limit, so that even under heavy usage by guests (which does occur at my house sometimes), my family and I would not be significantly impacted; while at the same time still allowing everyone on the guest network to still get some relatively fair traffic queuing.

Sorry for my last sentence, I thought tomato would be dead, but it looks like they are really continuing with FreshTomato.

About your ping problem: As you have currently configured tomato as a router, could it be that it just does not answers pings from the wan interface ?

You indeed need a static route on your ipfire for the guest net via 192.168.0.30.

Why the dns does not work in the guest subnet is strange. I would try to testwise plug the tomato device directly behind the ipfire.

1 Like

could it be that it just does not answers pings from the wan interface ?

From 192.168.7.0/24, I can ping 192.168.0.30. But from 192.168.0.0/24, the 192.168.0.30 host appears down: nmap cannot see it, ping returns no replies, etc.

You indeed need a static route on your ipfire for the guest net via 192.168.0.30.

So what I'd need to add is something like 192.168.7.0/24 via 192.168.0.30, correct?

I would try to testwise plug the tomato device directly behind the ipfire.

Great idea, I'll give that a shot (it'll probably have to be in the dead of night one day), and report back with the results. Your suggestion also reminded me that I can run a tracepath/traceroute b/w these 2 subnets to see how the hops occur.

This must be the firewall of Tomato.

Yes, and allow this flow on the firewall.

1 Like