I have a guest network that can't connect to the internet.
Sometimes it can and sometimes it can't.
I think it's a problem with the IP address being assigned.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd86:0fdc:14d5::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '9.9.9.9'
list dns '1.1.1.1'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option private_key ''
list addresses '10.14.0.2/16'
list dns ''
list dns ''
config wireguard_wg0
option description 'i'
option public_key ''
list allowed_ips '0.0.0.0/0'
option endpoint_host 'it-
option endpoint_port '51820'
option route_allowed_ips '1'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0
Can someone help me solve this problem?
Thank you.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
hnyman
August 19, 2023, 6:04pm
An IP address of 169.254.x.x is a link-local fallback address that a client assigns itself when no DHCP server answers. My first guess would be that you are not properly assigning a DHCP pool to the guest network.
Either DHCP or firewall might be the problem.
psherman:
cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option phy 'wl0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option phy 'wl1'
option cell_density '0'
option band '5g'
option htmode 'HE20'
option channel 'auto'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'TV'
option encryption 'sae'
option key '9ddddddddddddC*'
config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'
config wifi-device 'radio3'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'HE80'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'HomeMax'
option encryption 'sae'
option key 'dddddddddr'
option network 'guest'
option disabled '1'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'Stampanti'
option encryption 'psk2'
option key 'k!SddddddddJ'
option network 'guest'
option disabled '1'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wg0'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Guest-DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Guest-DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67'
option target 'ACCEPT'
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'vpn'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
The masquerading and mtu fix lines should not be in the lan zone... remove those.
Meanwhile, you are showing a wifi connection to the "HomeMax" SSID, but that appears to be disabled here, so I'm not sure how that is possible...
Since your computer is unable to get a DHCP address from the HomeMax SSID (which is associated with the guest network), try temporarily changing your guest firewall zone to accept input, like this:
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
See if that fixes things (don't forget to reboot the router first). This is only a diagnostic step: once the DHCP problem is understood, set the guest zone's input back to REJECT so guest clients cannot reach the router itself.
Thank you for your help, but I had a big problem following this advice.
The internet wasn't working and I could not connect even over the LAN.
I reset the router.
I think I should not have removed this:
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
option masq '1'
The lan zone should never need masquerading (unless you have another router upstream and are connected in a lan-lan configuration, but that doesn't appear to be relevant to your situation). Removing masquerading would not affect your ability to connect to the router.
Now it's no longer masquerading, and I added this:
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
But it doesn't work.
That also should not cause any issues -- if anything, it should become more permissive.
What version of OpenWrt are you running?
ubus call system board
"kernel": "5.15.118",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Netgear WAX206",
"board_name": "netgear,wax206",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0-rc2",
"revision": "r23228-cd17d8df2a",
"target": "mediatek/mt7622",
"description": "OpenWrt 23.05.0-rc2 r23228-cd17d8df2a"
Ok... so that's up to date.
My recommendation would be to reset to defaults and test connectivity in the default state. Once verified, we can add one network and test that new network. If it works, you can repeat the recipe and the rest should work.
It's like new.
I did it 2 days ago.
If I create a guest network it works correctly.
The problem is wireguard.
But I need a vpn.
Now I'm trying to set up PBR, but nothing has changed.
Same error.
I tried using wan as the primary gateway instead of WireGuard, but it's the same.
oh... the WG interface is a different issue entirely. WG should not cause a DHCP failure. So we're dealing with two different issues.
Reset to defaults.
Test connectivity
add WG interface
test connectivity.
stop here.... post your configs. We'll help you add a guest network.
I did it.
Another person checked my configuration and said it was perfect.
I followed the guide on this website.
He told me that the problem was WireGuard and the solution is PBR.
I tried PBR but couldn't find a solution.
I would like only 2 networks.
One with the VPN and one without.
How can I do that?
I want the VPN to work only on one device, but with PBR, a static IP and the MAC address I didn't find a solution.
if you want the lan to go through the WG interface and the guest network to go through the standard wan, you will need PBR (or manually configured routes)... PBR is the easiest way.
But your original issue was not at all related to the VPN/routing at all... instead, it seemed that your guest network was not working with DHCP.
So, the DHCP issue must be fixed first...
Therefore, my recommendation is simple:
psherman:
Reset to defaults.
Test connectivity
add WG interface
test connectivity.
stop here.... post your configs. We'll help you add a guest network.
If all goes well, this will result in your lan having normal connectivity via the VPN.
Then, we'll add the guest network. It will also go through the VPN at first.
Once all of that is done, you can setup PBR to steer the guest network through the normal wan.
Ok.
I'll do it tomorrow.
Should I continue here, or open another topic?
Let’s get through the creation of the guest network in this thread. Then you can open a new thread for the pbr issue.
I did a fresh install of the firmware and configured WireGuard again.
And I created a Wi-Fi network for testing.
Everything works correctly.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd4e:84b5:945d::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxx'
list addresses '10.14.0.2/16'
list dns '162.252.172.57'
list dns '149.154.159.92'
config wireguard_wg0
option description 'ixxxxxxf'
option public_key 'xxxxxxxxxxx'
list allowed_ips '0.0.0.0/0'
option endpoint_host 'xxxxxxxxxx'
option endpoint_port '51820'
option route_allowed_ips '1'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-device 'radio1'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '5g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'test'
option encryption 'sae'
option key 'xxxxxxxxxxxxx'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg0'
option masq '1'
config forwarding
option src 'lan'
option dest 'vpn'
ok... good.
Now, to make a guest network (wifi only)... add this to your network config:
config device
option name 'br-guest'
option type 'bridge'
config interface 'guest'
option device 'br-guest'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
And this to your dhcp file:
config dhcp 'guest'
option interface 'guest'
option dhcpv4 'server'
option start '100'
option limit '150'
option leasetime '12h'
Then add the following to your firewall file:
config zone
option name 'guest'
list network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'vpn'
config rule
option name 'Allow-Guest-DHCP'
list proto 'udp'
option target 'ACCEPT'
option src 'guest'
option dest_port '67-68'
config rule
option name 'Allow-Guest-DNS'
option target 'ACCEPT'
option src 'guest'
option dest_port '53'
Now, create a new SSID and attach it to the guest network. That should produce a working guest network (which will use the VPN). Test that and let me know what happens.
Thank you.
You are my hero.
Now I have one last problem to solve.
All the networks work only through the VPN.
I don't know how to exclude one of them from it.
I have run many tests, but without success.