How to offer new SSID with direct access to WAN?

Dear OpenWrt community,

I have installed OpenWrt on my Belkin router and set it up to direct all web traffic through a tunnel to my VPN provider. However, this setup is not the most convenient one as many web services don't want to work with VPN. How would I go about setting up an additional wireless interface with another SSID which would skip this rerouting to VPN and instead go directly to WAN?

Is there some way to trigger a different network policy depending on selected wireless interface?

Currently, I'm using a forwarding rule to send all lan to vpnfirewall.

In my firewall configuration I have:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

Is the src 'lan' in the forwarding config the same as the network 'lan' in my network config?

  1. bridge the new SSID to a new subinterface
  2. use policy based routing
  3. choose your poison for setting dns for non-vpn clients ( hijack, dhcp<isp|public>, multi-instance )

yes.

I couldn't find any documentation about "subinterface" on the website. By bridging the new SSID to a new subinterface, do you mean creating a separate 'lan2'?

So, you are suggesting adding a config rule into my /etc/config/firewall configuration? What options would detect which wireless interface was used? I didn't see any plausible sounding options here.

Thanks. I thought they were probably the same, but the change in terminology confused me so I wanted to make sure.

The majority of guides ... about creating a new SSID discuss this... It means that the ssid is not bridged to br-lan... thus by definition, exists within its own broadcast domain and requires the router to have a relevant Layer 3 hook...

How this is achieved is subjective... but most commonly...

  1. New bridge
  2. New .x cpu interface ( with new subnet )
  3. Place new .x cpu interface into the new bridge
  4. Associate the newly defined SSID with the new bridge

Search for "Guest SSID" if you can't find anything about having a new SSID on its own network in the guides... Unlikely, as it comes up here more than a few times a month...

I mentioned nothing about rules and firewalls... just try to get the fundamentals first...

If you've set up your VPN tunnel correctly (as in -- its own interface/firewall zone), you can use vpn-policy-routing package to pick which domains are accessed via WAN.

I found a guide for implementing a guest SSID here. The SSID appears and I can see the configuration in the web control panel, but I can't get my Android phone to connect to it. It reports the error message IP Configuration Failure.

Perhaps the issue is related to the warnings I see when I reload the firewall:

Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
...
Warning: fw3_ipt_rule_append(): Can't find target 'input_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_guest_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_guest_rule'

I tried searching for these quoted phrases in the configuration folder, but I couldn't find any matches. There were no such rules referenced in the guide either.

This one is a little clearer... search for "enable dhcp" in the page below ... which is probably similar to what you're missing

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

And you are right about searching... :triumph: dated and / or nuanced guides show up... it is pretty hard to find just based on broad searches...

Apologies for the learning curve but you do gain a lot in adaptability.

( P.S. After this you've still got policy routes, dhcp/dns tweaks and forwarding to iron out )

Unfortunately, I have still not succeeded in achieving a guest wifi interface. The best I have been able to do following the Wiki is have a very confused router. When I first did this, it seemed to work for a bit. Then, either the guest wifi or the other wifi interfaces behind VPN connection ceased to connect to the internet. I have not been able to get both to work at the same time since.

My current guest wireless configuration includes:

/etc/config/network

config interface 'guest'
       option proto 'static'
       option ipaddr '192.168.3.1'
       option netmask '255.255.255.0'

/etc/config/firewall

config zone
       option name 'guest'
       option network 'guest'
       option input 'REJECT'
       option forward 'REJECT'
       option output 'ACCEPT'

config rule
       option name 'Allow SSH in'
       option src 'guest'
       option dest_port '22'
       option proto 'tcp'
       option target 'ACCEPT'

config rule
       option name 'Allow guest ICMP input'
       option src 'guest'
       option proto 'icmp'
       option target 'ACCEPT'
       option family 'ipv6'

config rule
       option name 'Allow DNS Queries'
       option src 'guest'
       option dest_port '53'
       option proto 'tcp udp'
       option target 'ACCEPT'

config forwarding
       option src 'guest'
       option dest 'wan'

config rule
       option name 'Allow guest -> HTTP'
       option src 'guest'
       option dest 'wan'
       option proto 'tcp'
       option dest_port '80'
       option target 'ACCEPT'

config rule
       option name 'Allow Guest -> WAN https'
       option src 'guest'
       option dest 'wan'
       option proto 'tcp'
       option dest_port '443'
       option target 'ACCEPT'

/etc/config/dhcp

config dnsmasq
        ...
        list 'interface' 'guest'

config dhcp 'guest'
       option interface 'guest'
       option start '50'
       option limit '200'
       option leasetime '12h'
       option dhcpv6 'server'       
       option ra 'server'

After I set up this configuration I ran the gamut of restart scripts:

  /etc/init.d/network restart
  /etc/init.d/firewall restart
  /etc/init.d/dnsmasq restart
  /etc/init.d/openvpn restart

What am I missing?

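The four steps given earlier in the thread (new bridge, new interface with its own subnet, the SSID attached to that bridge, then firewall and policy routing) put together as one provisioning script, together with the vpn-policy-routing policy the later reply suggests. This is an added example written for this page, not code from the thread, from the OpenWrt wiki guide, or from the vpn-policy-routing project. It assumes things the thread never states: the radio is radio0, the WAN interface is named wan and gets its gateway by DHCP, the tunnel zone is vpnfirewall as in the first post, 192.168.3.0/24 is otherwise unused, and the vpn-policy-routing package is installed. The SSID name and the public resolver handed out by DHCP are placeholders. The bridge is created with the interface-level `type bridge` form used by the fw3-era (18.06/19.07) guest-WLAN guides; 21.02 and later prefer a separate `config device` section for the bridge.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a uci batch that creates a
# guest SSID on its own bridge and subnet, firewalls it to WAN only, and
# routes its traffic around the VPN tunnel with vpn-policy-routing.
#
# Assumptions (not stated in the thread): radio 'radio0', DHCP WAN named
# 'wan', tunnel zone 'vpnfirewall', 192.168.3.0/24 unused, package
# vpn-policy-routing installed. Placeholders: SSID name and public resolver.
#
# Dry run prints the batch; apply on the router with:
#   GUEST_PSK='a-long-passphrase' sh guest-ssid.sh | uci batch && uci commit && reload_config

GUEST_NET=192.168.3
GUEST_SSID="Guest-NoVPN"
RADIO=radio0
GUEST_DNS=1.1.1.1   # placeholder public resolver for DHCP option 6

# Print each argument on its own line (one uci batch command per line).
emit() { printf '%s\n' "$@"; }

# Print the uci batch for a guest network whose WPA2 passphrase is $1.
guest_uci_batch() {
    psk=$1
    if [ ${#psk} -lt 8 ] || [ ${#psk} -gt 63 ]; then
        echo "guest PSK must be 8-63 characters" >&2
        return 1
    fi
    # Steps 1+2: an empty bridge (br-guest) that also carries the Layer-3
    # address. The config posted in the thread has the address but no bridge,
    # so the SSID had no interface to join, hence "IP Configuration Failure".
    emit "set network.guest=interface" \
         "set network.guest.type=bridge" \
         "set network.guest.proto=static" \
         "set network.guest.ipaddr=${GUEST_NET}.1" \
         "set network.guest.netmask=255.255.255.0"
    # Steps 3+4: SSID bound to the guest network; isolate=1 blocks
    # client-to-client traffic inside the guest broadcast domain.
    emit "set wireless.guest_ap=wifi-iface" \
         "set wireless.guest_ap.device=${RADIO}" \
         "set wireless.guest_ap.mode=ap" \
         "set wireless.guest_ap.network=guest" \
         "set wireless.guest_ap.ssid=${GUEST_SSID}" \
         "set wireless.guest_ap.encryption=psk2" \
         "set wireless.guest_ap.key=${psk}" \
         "set wireless.guest_ap.isolate=1"
    # DHCP pool. Option 6 points guests at a public resolver so their DNS
    # also leaves via WAN instead of the router's own (VPN-routed) lookups.
    emit "set dhcp.guest=dhcp" \
         "set dhcp.guest.interface=guest" \
         "set dhcp.guest.start=50" \
         "set dhcp.guest.limit=200" \
         "set dhcp.guest.leasetime=12h" \
         "add_list dhcp.guest.dhcp_option=6,${GUEST_DNS}"
    # Firewall: guest may forward only to wan (never lan, never vpnfirewall);
    # the router itself accepts only DHCP and DNS from guests.
    emit "set firewall.guest=zone" \
         "set firewall.guest.name=guest" \
         "add_list firewall.guest.network=guest" \
         "set firewall.guest.input=REJECT" \
         "set firewall.guest.output=ACCEPT" \
         "set firewall.guest.forward=REJECT" \
         "set firewall.guest_wan=forwarding" \
         "set firewall.guest_wan.src=guest" \
         "set firewall.guest_wan.dest=wan" \
         "set firewall.guest_dhcp=rule" \
         "set firewall.guest_dhcp.name=Allow-guest-DHCP" \
         "set firewall.guest_dhcp.src=guest" \
         "set firewall.guest_dhcp.proto=udp" \
         "set firewall.guest_dhcp.dest_port=67" \
         "set firewall.guest_dhcp.target=ACCEPT" \
         "set firewall.guest_dns=rule" \
         "set firewall.guest_dns.name=Allow-guest-DNS" \
         "set firewall.guest_dns.src=guest" \
         "set firewall.guest_dns.proto=tcpudp" \
         "set firewall.guest_dns.dest_port=53" \
         "set firewall.guest_dns.target=ACCEPT"
    # Policy routing: packets sourced from the guest subnet use wan's gateway
    # instead of the VPN default route that sits in the main routing table.
    emit "set vpn-policy-routing.guest_wan=policy" \
         "set vpn-policy-routing.guest_wan.name=Guest-bypass-VPN" \
         "set vpn-policy-routing.guest_wan.src_addr=${GUEST_NET}.0/24" \
         "set vpn-policy-routing.guest_wan.interface=wan"
}

# Guard against the mistake the thread started from: the guest zone must be
# forwarded to wan and never into the VPN zone. Returns 0 when the batch is safe.
check_no_vpn_forwarding() {
    batch=$(guest_uci_batch "$1") || return 1
    if echo "$batch" | grep -q '^set firewall\.[a-z_]*\.dest=vpnfirewall$'; then
        return 1
    fi
    echo "$batch" | grep -q '^set firewall\.guest_wan\.dest=wan$'
}

# Print the batch only when a passphrase was supplied in the environment.
if [ -n "${GUEST_PSK:-}" ]; then
    guest_uci_batch "$GUEST_PSK"
fi
```

The script only prints the batch, so it can be read before it is piped into `uci batch`; after `uci commit` the usual `reload_config` (or the per-service restarts listed in the last post) applies it. The lan-to-vpnfirewall forwarding from the first post stays as it is, so LAN clients keep using the tunnel while guest clients, matched by source subnet, take the WAN gateway.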