IPv4 DHCP not working with Guest WiFi

mvasek · December 20, 2024, 5:01pm

I tried setting up Guest WiFi by following:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

The issue is that I am not getting IPv4 address. If I manually configure IPv4 it seems to work all right, so this is probably some DHCP issues.

Interestingly IPv6 works all right I am getting both types of addresses: locally generated random addresses but also DHCPv6 addresses (chosen suffix).
I just had to set IPv6 DNS servers, but I want to do that anyway for Guest WiFi.

Any ideas?
I will provide further info if you tell me what it is.

mvasek · December 20, 2024, 5:06pm

I even tried to "accept input" on guest zone just to be sure FW is not blocking DHCP, still no success.

mvasek · December 20, 2024, 5:11pm

It turned out I did not have DHCP listening on the newly created guest interface.

mvasek · December 20, 2024, 5:13pm

I am surprised it cannot be set to "any interface" ( 0.0.0.0,:: ) the same way as dropbear is.

mvasek · December 20, 2024, 5:14pm

Is this my bad or is the Guest WiFi recipe incomplete/not-up-to-date?

pavelgl · December 20, 2024, 5:21pm

The guide was recreated a month ago.
Post the result of uci show dhcp and cat /tmp/etc/dnsmasq*

mvasek · December 20, 2024, 5:33pm

I think the relevant part of uci show dhcp is:

dhcp.@dnsmasq[0].interface='guest' 'lan' 'wg'

I just added guest there (via LuCI) and it seems to fix the issue.

What is the default value for dhcp.@dnsmasq[0].interface ?

mvasek · December 20, 2024, 5:34pm

It's possible I changed it some time ago, which could be causing the troubles.

pavelgl · December 20, 2024, 5:39pm

By default, dnsmasq should listen on all interfaces.
The interface option is most likely set by you.
To be sure, check the default configuration.

cat /rom/etc/config/dhcp

mvasek · December 20, 2024, 5:41pm

config dnsmasq
	option domainneeded	1
	option boguspriv	1
	option filterwin2k	0  # enable for dial on demand
	option localise_queries	1
	option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
	option rebind_localhost 1  # enable for RBL checking and similar services
	#list rebind_domain example.lan  # whitelist RFC1918 responses for domains
	option local	'/lan/'
	option domain	'lan'
	option expandhosts	1
	option nonegcache	0
	option cachesize	1000
	option authoritative	1
	option readethers	1
	option leasefile	'/tmp/dhcp.leases'
	option resolvfile	'/tmp/resolv.conf.d/resolv.conf.auto'
	#list server		'/mycompany.local/1.2.3.4'
	option nonwildcard	1 # bind to & keep track of interfaces
	#list interface		br-lan
	#list notinterface	lo
	#list bogusnxdomain     '64.94.110.11'
	option localservice	1  # disable to allow DNS requests from non-local subnets
	option ednspacket_max	1232
	option filter_aaaa	0
	option filter_a		0
	#list addnmount		/some/path # read-only mount path to expose it to dnsmasq

config dhcp lan
	option interface	lan
	option start 	100
	option limit	150
	option leasetime	12h

config dhcp wan
	option interface	wan
	option ignore	1

mvasek · December 20, 2024, 5:42pm

It's quite possible that stupider past me would deliberately limit interfaces not realizing that it should be protected by FW.

mvasek · December 20, 2024, 5:43pm

I think I latter tried to set it to any ( 0.0.0.0, :: ) but in LuCi there is not such an option.

pavelgl · December 20, 2024, 5:48pm

Uncheck all the selected interfaces and make it look like this.

mvasek · December 20, 2024, 5:50pm

Yes, this seems to work!

mvasek · December 20, 2024, 5:54pm

So my bad after all.

mvasek · December 20, 2024, 5:55pm

At first I was probably confused because SSH drop-down has explicit "unspecified" option.

mvasek · December 20, 2024, 6:12pm

Thank you for helping me with this!

mvasek · December 21, 2024, 5:16pm

Summary for posterity:

The wiki recipe for Guest WiFi is probably correct.

My issue was that in the past I explicitly listed interfaces on which DHCP/DNS is listening. I did that so my DNS server does reply even to request from outside lan interface. However I forgot to add the new guest iface to that enumeration so DHCP did not work.

One of the possible solutions to this issue of mine is to not enumerate ifaces -- just leave it "unspecified" and tic-out "Local service only".

While the Guest WiFi recipe is all right there is one possible improvement: IPv6 enablement.

Steps:

In guest interface advanced settings enable IPv6 PD and select prefix length (e.g. /64 since most likely there won't sub-networking in guest net).
Under "DHCP->IPv6 Settings" set RA-Service and DHCPv6-Service to Server Mode.
Under "DHCP->IPv6 RA Settings->RA Flags" add Managed Config mode.
In FW allow ICMP to router (at least for IPv6) from guest zone.
In FW allow UDP 547 to router from guest zone.

This enables both auto-config and DHCP IPv6. If we wanted only autoconfig it would be slightly easier (but I did not tested that!):

In guest interface advanced settings enable IPv6 PD and select prefix length (e.g. /64 since most likely there won't sub-networking in guest net).
Under "DHCP->IPv6 Settings" set RA-Service to Server Mode.
In FW allow ICMP to router (at least for IPv6) from guest zone.

cc @pavelgl

system · December 31, 2024, 5:16pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.