I am facing a problem and I've dedicated almost all of my last 5 days, full time, to searching for a solution to it... but I just can't. I've read a lot here in the forum, on Google, etc... I'm almost giving up.
Here it goes:
I have my home LAN. I have a good ISP router that manages my fiber connection. I have my own WiFi and a guest one.
I want to extend this setup to another place next to my home. I ran an Ethernet cable, grabbed my old TP-Link MR3420 v2 and flashed it with OpenWrt.
Here is the goal... I want it to access the full LAN from its LAN ports, I want to have a WiFi for me, and again a guest WiFi.
The guest WiFi works like a charm. No intranet connections, Internet works fine.
The problem is with my intranet connections on LAN-connected devices and the private WiFi. I have Internet... but no intranet connections. And a strange thing: I can't even ping 8.8.8.8 in Network Diagnostics, even though I have Internet.
I have tried connecting the LAN cable to WAN (from router to TP-Link...) and I have the problem I showed you before. I also tried from one of the four LAN ports... (but the results are even worse than with WAN...)
I tried turning off the firewall, played with DHCP (and when I turn it off... my TP-Link doesn't pass through my router's DHCP server to assign the IPs behind the router...
I am stuck on this. There were moments I thought I had it working... but after a few seconds... it stops working...
A quick sketch of your setup, along with /etc/config/network from both routers pasted in using the preformatted button </>, will help a lot. You can remove passwords and the like.
With the default settings, connecting to the LAN port will "extend" your home LAN. The new router will be working as a switch and AP. Devices connected to the new router's LAN or WiFi will be as if connected to the main router's LAN (except guest WiFi, of course). You will need your LAN IP to be in the same subnet as your main router, probably best set to a static IP outside the main router's DHCP pool. You will need to turn off DHCP on the new router.
If you connect to WAN, the new router will be on a separate subnet. You will need to have the WAN port as a DHCP client (or static), and have the LAN interface IP set to a different subnet. With the default settings, you will have Internet access but will need to adjust firewall settings to allow "intranet" access.
```
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6 1

config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow IPv4 ping
config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT

config rule
	option name Allow-IGMP
	option src wan
	option proto igmp
	option family ipv4
	option target ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option src_ip fc00::/6
	option dest_ip fc00::/6
	option dest_port 546
	option family ipv6
	option target ACCEPT

config rule
	option name Allow-MLD
	option src wan
	option proto icmp
	option src_ip fe80::/10
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family ipv6
	option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

config rule
	option name Allow-IPSec-ESP
	option src wan
	option dest lan
	option proto esp
	option target ACCEPT

config rule
	option name Allow-ISAKMP
	option src wan
	option dest lan
	option dest_port 500
	option proto udp
	option target ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

config zone
	option name 'public'
	option network 'public'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'public'
	option dest 'wan'

config rule
	option src 'public'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
	option name 'Allow DHCP request'

config rule
	option src 'public'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'
	option name 'Allow DNS Queries'

config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN http'
	option proto 'tcp'
	option dest_port '80'

config rule
	option target 'ACCEPT'
	option src 'public'
	option dest 'wan'
	option name 'Allow Guest on WAN https'
	option proto 'tcp'
	option dest_port '443'

config rule
	option src 'public'
	option dest 'wan'
	option name 'Deny Guest on WAN'
	option proto 'all'
	option target 'DROP'
```
The fact that it works doesn't necessarily mean it's how it should be set up. Do you have DHCP enabled on the LAN interface? Did you disable DHCP on your main router? Also I see you have a LAN IP of 192.168.1.1; can you confirm that your main router's LAN-side IP is different?
What do you mean by "lose GuestWiFi setup"? It disappears? Or you can't connect to it? Or you can connect to it but you can't access other PCs? Or you can't access the Internet from it?
If the latter, can you ping an external IP (e.g. 8.8.8.8 or 1.1.1.1) from a device connected to it?
P.S. I see you have only 1 VLAN (LAN), nothing for WAN; I imagine that's why WAN doesn't work.
Could you include your code in Pre-formatted text </> (6th button from left, or Ctrl + Shift + C)?
Basically you should get rid of wan and have only two networks in the router, lan and public. The trusted users will be on lan and bridge over directly and have full access to LAN resources. The public users will have their own IP range and DHCP server but be forwarded from public to lan for their Internet access.
You will need to add firewall rules so the public users are blocked out of devices on the LAN; this means blocking public from the LAN's block of private IPs but allowing them to reach public IPs on the Internet.
Sorry that my code wasn't indented. I did it in a hurry on my smartphone... and I'm not very used to the forum (yet).
Well, answering your questions:
My router is 192.168.1.254, not the same as the OpenWrt router.
DHCP is on in both devices, but not in the same range... one gives from 1 to 100, the other from 101 to 254. (I tried also with DHCP disabled on my OpenWrt... but then I had to force a static IP on my computer connected to the OpenWrt device because the router wasn't relaying the DHCP from the main router.)
- When I say guest WiFi setup... the guest WiFi stops working because the whole setup was made for the WAN connection... so, no Internet... no intranet... at all.
First get your basic "dumb AP" working, then add the guest network.
When you set your LAN to a static IP in 192.168.1.0/24, the main router's DHCP will set your PC also in this range, so you don't need a DHCP server in the AP. Everything is one network. If you did leave the DHCP server on, it might serve other PCs in the network and tell them that it is the gateway to the Internet, which is not right and it will break your network.
Now I am doing it over my LAN port with the help of this one:
It's quite similar... I am stuck on the last step.
Create a static route. This guy says to create a static route... does this need to be created in my router... or in my OpenWrt? Any help?
I think you may be off on a road to a place you don't need to go.
If your end goal is:
- Two locations
- LAN clients and "private" wireless clients can
  - Talk to each other
  - Reach the Internet
- "Guest" wireless clients can
  - Reach the Internet
- Guest wireless clients can not reach LAN or private wireless clients

then there is no special routing or static routes required, just a couple of VLANs and tags on the switch ports that you use for the cable between them.
That's exactly what I need @jeff. Do you think VLANs would be a better way? But in that case how do I tell a VLAN that it should only access the Internet and not the LAN? (sorry for my basic questions... networks are a headache to me!)
The way I think of VLANs is often as a cable within a cable. In the case here, it is a way that you can run two separate packet streams over one Ethernet cable. I'll let one of the folks more familiar with LuCI configuration help you through it, but basically what you'll end up doing is:
- Assigning your LAN bridge to eth0.10 (to pick a number)
- Assigning your guest bridge to eth0.11
- Configuring your switch so it understands they exist, and sending them to the CPU tagged
- Sending them out (and receiving them) as tagged on a selected port of your switch

In essence, you're going to use the same wire for both, but tell the senders and listeners on each end that "VLAN 10 means LAN" and "VLAN 11 means guest" and "don't mix them up!"
There are also a couple of firewall rules you'll need to make sure that your routers don't route packets from LAN to guest or back, or accept packets from guest to the routers that they shouldn't, but that is pretty straightforward too.
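An added example, not code from the thread or from OpenWrt itself, covering both pieces of advice above: the firewall rules that keep the public (guest) zone away from the LAN's private address block while still letting guests be forwarded through lan to the Internet, and the VLAN layout with the LAN bridge on eth0.10 and the guest bridge on eth0.11, both tagged to the CPU port and to one trunk port. It is a small offline checker: `parse_uci` reads UCI-style text, `forward_verdict` applies a simplified model of fw3's order of evaluation (rules, then forwardings, then the defaults policy; protocol and port matches and intra-zone policy are deliberately not modelled) to a destination address, and `vlan_problems` reports a VLAN that is not tagged to the CPU port or an `eth0.N` bridge member that no `switch_vlan` defines. All four config fragments are constructed for the example; the zone names follow the thread, the VLAN numbers follow the post above, the `0t`/`1t` port numbering and the RFC 1918 block list are assumptions.

```python
# Added example, not code from the thread; all UCI fragments below are constructed.
import ipaddress
import re

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into [{'type', 'name', 'opts'}, ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        kind, key, value = parts[0], parts[1], parts[2] if len(parts) > 2 else None
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": {}})
        elif kind == "option":
            sections[-1]["opts"][key] = value
        elif kind == "list":
            sections[-1]["opts"].setdefault(key, []).append(value)
    return sections

def as_list(value):  # 'option x' yields a str, 'list x' a list; normalise to list
    return [] if value is None else value if isinstance(value, list) else [value]

def forward_verdict(fw, src_zone, dst_zone, dst_ip):
    """Simplified fw3 order for a new flow from src_zone to dst_ip behind dst_zone:
    'rule' sections in file order (dest_ip match only; proto/ports and intra-zone
    policy are not modelled), then 'forwarding' sections, then 'defaults' forward."""
    ip = ipaddress.ip_address(dst_ip)
    for s in fw:
        o = s["opts"]
        if s["type"] != "rule" or o.get("src") != src_zone or o.get("dest") not in (dst_zone, "*"):
            continue
        nets = as_list(o.get("dest_ip"))
        if nets and not any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
            continue
        return o.get("target", "DROP")  # fw3's default target for a rule is DROP
    for s in fw:
        o = s["opts"]
        if s["type"] == "forwarding" and o.get("src") == src_zone and o.get("dest") == dst_zone:
            return "ACCEPT"
    defaults = next((s["opts"] for s in fw if s["type"] == "defaults"), {})
    return defaults.get("forward", "REJECT")

def vlan_problems(net, cpu_port="0"):
    """Flag a VLAN not tagged to the CPU port and a bridge member eth0.N with no
    matching switch_vlan (swconfig-style switch assumed)."""
    problems, vlans = [], set()
    for s in net:
        if s["type"] != "switch_vlan":
            continue
        vid = s["opts"].get("vid", s["opts"].get("vlan"))  # explicit vid wins over index
        vlans.add(vid)
        if cpu_port + "t" not in s["opts"].get("ports", "").split():
            problems.append(f"VLAN {vid} is not tagged on CPU port {cpu_port}")
    for s in net:
        if s["type"] != "interface":
            continue
        for dev in " ".join(as_list(s["opts"].get("ifname"))).split():
            m = re.fullmatch(r"eth0\.(\d+)", dev)
            if m and m.group(1) not in vlans:
                problems.append(f"interface '{s['name']}' uses {dev}: no switch_vlan {m.group(1)}")
    return problems

# Guests forwarded to lan for Internet access, nothing keeping them off LAN hosts.
FW_LEAKY = """
config zone
    option name 'lan'
config zone
    option name 'public'
config forwarding
    option src 'public'
    option dest 'lan'
"""
# Same zones plus a rule rejecting guest traffic to the private (RFC 1918) ranges.
FW_ISOLATED = FW_LEAKY + """
config rule
    option src 'public'
    option dest 'lan'
    list dest_ip '10.0.0.0/8'
    list dest_ip '172.16.0.0/12'
    list dest_ip '192.168.0.0/16'
    option target 'REJECT'
"""
# LAN on VLAN 10, guests on VLAN 11, both tagged to CPU port 0 and trunk port 1.
NET_OK = """
config interface 'lan'
    option ifname 'eth0.10'
config interface 'public'
    option ifname 'eth0.11'
config switch_vlan
    option vlan '10'
    option ports '0t 1t 2 3 4'
config switch_vlan
    option vlan '11'
    option ports '0t 1t'
"""
# Broken variant: VLAN 11 untagged on the CPU port, guest bridge on an undefined VLAN.
NET_BAD = NET_OK.replace("option ports '0t 1t'", "option ports '0 1t'").replace("eth0.11", "eth0.12")
```

Run `forward_verdict(parse_uci(FW_LEAKY), "public", "lan", "192.168.1.10")` and it returns ACCEPT, which is the leak: the public-to-lan forwarding that gives guests their Internet path also lets them reach every LAN host. With `FW_ISOLATED` the same call returns REJECT while `8.8.8.8` still returns ACCEPT, because fw3 evaluates `rule` sections before zone forwardings. The public zone still needs its input rules for DHCP and DNS, as in the config posted earlier in the thread; those are input-chain rules and are not part of this forwarding model.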
Does the ISP router support 802.1Q VLAN tagging on its LAN ports at all?
Would it be OK if the guests behind one router cannot reach the guests behind the other, while all of them still can connect to the internet?
I'm not sure what this is trying to accomplish. The VLANs need to be set up by creating the sub-interfaces and/or adding them to the bridge, and in the switch. 802.11 doesn't have the concept of a VLAN at all.
You can determine the VLANs available in your switch, as well as the number of table entries it permits using swconfig for most devices.
For example, from an Archer C7v2 running a recent master build on the ath79 platform, the two important lines for what you're doing are:
This tells me that I can use up to 128 different VLANs at once, 1-4094 are available as valid VLAN tags (0 and 4095 are reserved), and that if I want to use a tag above 128, then I'll need to specify the vid and pvid explicitly in my config. (Your switch may be notably different than this one!)
I understand what you mean. I have an extra TP-Link AP where, in the WiFi setup, I can join a VLAN with it. If my ISP router creates a VLAN for the guest WiFi, I would just need to intercept it and use it with no extra setup. BUT... I don't know if it really creates a VLAN... and even if it creates one... I would need to know its number (maybe one of the 4096 possibilities).
I found a solution this afternoon... The solution is a bit silly... but it's working:
The DUMB_AP configuration on my OpenWrt solves the problem of my Internet and intranet for WiFi and Ethernet.
One of the LAN ports of my OpenWrt device connected to the WAN port (same device) and a guest WiFi set up...
I am sure I could do it all in software... but I couldn't manage to do it... so for now... it's working...