Isolate client setting prevents DHCP

My device (BT Homehub 5A) has two radios: a 2.4GHz radio and a 5 GHz radio.

On each radio I have set up a guest wifi network, following the instructions here.

On the 5 GHz radio I have the ESSIDs: Nirvana5G and Guest5G. On the 2.4 GHz radio I have the ESSIDs: Nirvana and Guest.

For Guest and Guest5G I have selected "Isolate clients".

This is where it gets weird. I can connect devices to Nirvana5G, Nirvana, and Guest, but NOT Guest5G. Connecting to Guest5G results in the device failing to get an IP address from DHCP, and in the router logs I see:

Mon Apr 20 20:04:43 2020 daemon.warn dnsmasq-dhcp[9186]: DHCP packet received on wlan0-1 which has no address
Mon Apr 20 20:04:48 2020 daemon.warn dnsmasq-dhcp[9186]: DHCP packet received on wlan0-1 which has no address
Mon Apr 20 20:04:53 2020 daemon.warn dnsmasq-dhcp[9186]: DHCP packet received on wlan0-1 which has no address
Mon Apr 20 20:04:57 2020 daemon.warn dnsmasq-dhcp[9186]: DHCP packet received on wlan0-1 which has no address
Mon Apr 20 20:05:05 2020 daemon.warn dnsmasq-dhcp[9186]: DHCP packet received on wlan0-1 which has no address

This is very strange, as Guest5G IS associated with a network ("isolated"). And, simply turning off "Isolate clients" for Guest5G results in clients being able to connect and obtain an IP address with no problem. This really doesn't make much sense to me. Does anyone have a clue what might be going wrong here?

Config files are below:

/etc/config/wireless:

# 5 GHz radio: 802.11a on channel 36, 80 MHz wide (VHT80).
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
	option htmode 'VHT80'

# Primary 5 GHz AP (Nirvana5G), attached to the 'lan' bridge.
# wds '1' is presumably what produces the wlan0.sta1 interface (master
# br-lan) seen in the ip a output below -- confirm.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'XXX'
	option ssid 'Nirvana5G'
	option encryption 'psk2'
	option wds '1'

# 2.4 GHz radio: 802.11g on channel 11, 20 MHz wide (HT20).
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:0e.0'
	option htmode 'HT20'

# Primary 2.4 GHz AP (Nirvana), attached to the 'lan' bridge.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Nirvana'
	option encryption 'psk2'
	option key 'XXX'

# Guest5G: second AP on the 5 GHz radio (comes up as wlan0-1), attached to
# the 'isolated' network with client isolation on.
# In the first ip a dump wlan0-1 carries no IPv4 address while wlan1-1 holds
# 192.168.2.1 -- this is what the dnsmasq "DHCP packet received on wlan0-1
# which has no address" warnings refer to. Two wifi-ifaces name the
# 'isolated' network but that interface is not a bridge, so only one of them
# can hold its address (see the reply further down the thread).
config wifi-iface 'wifinet2'
	option network 'isolated'
	option ssid 'Guest5G'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option key 'XXX'

# Guest: second AP on the 2.4 GHz radio (comes up as wlan1-1). Same
# 'isolated' network and isolate setting as wifinet2 above.
config wifi-iface 'wifinet3'
	option network 'isolated'
	option ssid 'Guest'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option key 'XXX'
	option isolate '1'

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix for the site; br-lan's fdce:bfe6:e2b7::1/60 in the ip a
# output is carved from it via ip6assign '60' on 'lan'.
config globals 'globals'
	option ula_prefix 'fdce:bfe6:e2b7::/48'

# ADSL line parameters (Annex A, ATM transfer mode).
config dsl 'dsl'
	option annex 'a'
	option xfer_mode 'atm'
	option ds_snr_offset '0'
	option tone 'a'
	option line_mode 'adsl'

# Main LAN: a bridge (br-lan) over eth0.1 plus every wifi-iface whose
# network is 'lan'. Note `option type 'bridge'` here -- the 'isolated'
# interface at the end of this file does not have it.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Pins the MAC used by eth0.1 (and therefore br-lan).
config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '8c:10:d4:01:eb:1a'

# WAN: PPPoA over ATM VPI 0 / VCI 38 on dsl0 (shows up as pppoa-wan).
# Credentials are redacted in this paste. peerdns '0' plus dns 127.0.0.1
# means the router resolves through its local dnsmasq instead of the ISP's
# servers; ipv6 '0' and delegate '0' keep IPv6 off this interface (wan6
# below handles it).
config interface 'wan'
	option ifname 'dsl0'
	option pppd_options 'debug'
	option delegate '0'
	option proto 'pppoa'
	option atmdev '0'
	option encaps 'vc'
	option vci '38'
	option password 'xxxx'
	option username 'xxx'
	option vpi '0'
	option ipv6 '0'
	list dns '127.0.0.1'
	option peerdns '0'

# Pins the MAC used by dsl0.
config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr '8c:10:d4:01:eb:1b'

# IPv6 WAN: DHCPv6 client riding on the 'wan' interface (@wan alias),
# requesting a prefix; ISP-supplied DNS is ignored here as well.
config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	list dns '0::1'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

# Built-in switch with VLAN tagging enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 -> eth0.1 (LAN ports 0 1 2 4; port 6 tagged -- presumably the CPU
# port, confirm against the board's switch layout).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

# VLAN 2 -> port 5 plus tagged port 6.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

# Guest network. Two wifi-ifaces in /etc/config/wireless (wifinet2 = Guest5G,
# wifinet3 = Guest) name this network, but unlike 'lan' it has no
# `option type 'bridge'`. With no bridge there is a single interface to hold
# 192.168.2.1, so only one of the two APs ends up with the address and
# dnsmasq logs "DHCP packet received on ... which has no address" for the
# other (wlan0-1 in the first ip a dump, wlan1-1 in the second). The reply
# later in the thread is to make this interface a bridge, which puts both
# APs into br-isolated and moves the address onto the bridge.
config interface 'isolated'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

/etc/config/firewall:

# Global policy: accept traffic to/from the router itself, refuse forwarding
# between zones unless a zone or forwarding section below allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted LAN zone: everything allowed, including forwarding within the zone.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: unsolicited inbound and forwarded traffic dropped, NAT on egress,
# TCP MSS clamped for the PPP link. Explicit exceptions follow as rules.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# NOTE: the name says "Allow" but the target is DROP, so IPv4 echo requests
# from the WAN are dropped (and as input is already DROP on the wan zone the
# rule adds nothing). Rename it or change the target so the intent is legible.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Any hand-written rules in /etc/firewall.user are loaded here as well; they
# are not shown in this paste.
config include
	option path '/etc/firewall.user'

# Guest zone. Guests may not talk to the router (input REJECT) except through
# the two rules below, and forward REJECT keeps them out of 'lan' -- the only
# path out is the isolated -> wan forwarding that follows.
# Keep in mind that `isolate '1'` on the wifi-ifaces only separates clients of
# the same AP; once both guest APs sit in one bridge, 2.4 GHz guests can reach
# 5 GHz guests at layer 2 and this zone's forward policy does not see that
# traffic (the last reply in the thread raises the same point).
config zone
	option network 'isolated'
	option forward 'REJECT'
	option name 'isolated'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'isolated'

# Lets guests use the router's dnsmasq for DNS. No proto is given, so the
# firewall's default protocol set applies (TCP and UDP).
config rule
	option dest_port '53'
	option name 'Isolated DNS'
	option target 'ACCEPT'
	option src 'isolated'

# Lets guests reach the router's DHCP server; without this the input REJECT
# above would stop leases even once the interface has an address.
config rule
	option name 'Isolated DHCP'
	option target 'ACCEPT'
	option dest_port '67-68'
	list proto 'udp'
	option src 'isolated'

Interestingly, wlan0-1 indeed does not have an address:

root@router:/etc/config# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN qlen 1000
    link/ether ea:3d:84:7b:03:bf brd ff:ff:ff:ff:ff:ff
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 4a:d0:2f:58:ba:46 brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 8a:f4:ae:5d:c1:c0 brd ff:ff:ff:ff:ff:ff
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 8c:10:d4:01:eb:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdce:bfe6:e2b7::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::8e10:d4ff:fe01:eb1a/64 scope link 
       valid_lft forever preferred_lft forever
13: eth0.1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 8c:10:d4:01:eb:1a brd ff:ff:ff:ff:ff:ff
14: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 8c:10:d4:01:eb:1c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e10:d4ff:fe01:eb1c/64 scope link 
       valid_lft forever preferred_lft forever
15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 8c:10:d4:01:eb:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e10:d4ff:fe01:eb1d/64 scope link 
       valid_lft forever preferred_lft forever
16: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 8e:10:d4:01:eb:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
    inet6 fe80::8c10:d4ff:fe01:eb1c/64 scope link 
       valid_lft forever preferred_lft forever
17: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 8e:10:d4:01:eb:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8c10:d4ff:fe01:eb1d/64 scope link 
       valid_lft forever preferred_lft forever
18: wlan0.sta1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UNKNOWN qlen 1000
    link/ether 8c:10:d4:01:eb:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e10:d4ff:fe01:eb1d/64 scope link 
       valid_lft forever preferred_lft forever
19: pppoa-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 3
    link/ppp 
    inet 91.125.43.197 peer 172.16.12.24/32 scope global pppoa-wan
       valid_lft forever preferred_lft forever
22: ifb4pppoa-wan: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 32
    link/ether 5a:85:8a:05:94:11 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5885:8aff:fe05:9411/64 scope link 
       valid_lft forever preferred_lft forever

So I am starting to think there's a bug in how the uci config files are processed.

And, even weirder, if I remove "Isolate clients" from Guest5G, wlan0-1 gets an address, but wlan1-1 (i.e. Guest) doesn't!

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN qlen 1000
    link/ether ea:3d:84:7b:03:bf brd ff:ff:ff:ff:ff:ff
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 4a:d0:2f:58:ba:46 brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 8a:f4:ae:5d:c1:c0 brd ff:ff:ff:ff:ff:ff
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 8c:10:d4:01:eb:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdce:bfe6:e2b7::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::8e10:d4ff:fe01:eb1a/64 scope link 
       valid_lft forever preferred_lft forever
13: eth0.1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 8c:10:d4:01:eb:1a brd ff:ff:ff:ff:ff:ff
14: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 8c:10:d4:01:eb:1c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e10:d4ff:fe01:eb1c/64 scope link 
       valid_lft forever preferred_lft forever
16: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 8e:10:d4:01:eb:1c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8c10:d4ff:fe01:eb1c/64 scope link 
       valid_lft forever preferred_lft forever
19: pppoa-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 3
    link/ppp 
    inet 91.125.43.197 peer 172.16.12.24/32 scope global pppoa-wan
       valid_lft forever preferred_lft forever
22: ifb4pppoa-wan: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 32
    link/ether 5a:85:8a:05:94:11 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5885:8aff:fe05:9411/64 scope link 
       valid_lft forever preferred_lft forever
24: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 8c:10:d4:01:eb:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e10:d4ff:fe01:eb1d/64 scope link 
       valid_lft forever preferred_lft forever
25: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 8e:10:d4:01:eb:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
    inet6 fe80::8c10:d4ff:fe01:eb1d/64 scope link 
       valid_lft forever preferred_lft forever
26: wlan0.sta1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UNKNOWN qlen 1000
    link/ether 8c:10:d4:01:eb:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e10:d4ff:fe01:eb1d/64 scope link 
       valid_lft forever preferred_lft forever

I think this is a bug. Reported: https://bugs.openwrt.org/index.php?do=details&task_id=3027

Have you configured the DHCP service in /etc/config/dhcp ?

  [..]
  config dhcp 'isolated'
    option interface 'isolated'
    option start '50'
    option limit '200'
    option leasetime '1h'
  [..]

This comes from the CLI guide.


Yep, exactly that section is in /etc/config/dhcp.

Network "isolated" needs to be a bridge.

Then brctl show should show that both guest APs are in br-isolated.

When an interface is a member of a bridge it does not carry an IP address of its own; the address lives on the bridge interface (here br-isolated), which all of its members share.

Interesting - why is it necessary for isolated to be a bridge? And why does changing the isolate setting affect things the way it does?

I will try that tomorrow and report back - I am currently banned from fiddling with the wifi anymore tonight!

A bridge joins multiple interfaces together-- it's the software equivalent of an unmanaged Ethernet switch.

With a bridge set up, everyone can use the Internet, but 2 GHz guests will be able to see 5 GHz guests and vice versa: the "Isolate clients" option only separates clients of the same AP, and traffic between the two bridged APs never passes through the firewall. So for complete isolation you could consider two guest networks, one for each band. These can be in the same firewall zone but with intra-zone forwarding disabled on that zone.
