Master wifi with VPN and guest wifi without VPN

Hello, I have been trying to set up a master wifi with VPN (LAN) together with another one without VPN (GUEST). No luck so far.
What I can say is that both the master and guest wifi work when there is no VPN, but as soon as I turn on the VPN, the master works with VPN while the GUEST doesn't have access to the internet.

I have included some rules in the firewall, but they don't seem to help. In case it helps, I have a Linksys1900acs and this is my /etc/config/firewall file:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option output 'ACCEPT'
	option network 'VPN'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '51194'
	option name 'OpenVPN'
	option src '*'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'VPN'
	option src 'lan'

I am not sure if you have done it, but you need to specify a PBR rule to forward all guest traffic to wan interface, otherwise as soon as the vpn comes up, routing will push everything towards the vpn.
Take a look at this topic describing the same problem.


You'll need this in your network configuration

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

config rule
	option in 'Guest'
	option lookup '2'

I did it, but it didn't work. I have default gateway ticked on in wan config.

I just tried that, but I didn't specify gateways so it got off. I am a noob with command lines and internet specifications. But I saw this post too, where they say that these types of setups stopped working with the new firmware: Guest wifi with OpenVPN not working after 18.06-rc1
So, I don't know anymore if it is possible to do it... with new firmware, new packages.

Btw, now I have the code you shared implemented in /etc/config/network and now the guest wifi is there, but not available, independently of whether I switched VPN on or not. So, I guess it is better than before, since now I specify that it has to connect directly to wan, but it still doesn't provide internet. There must be something that can be done.

Please post here the output of the following command, all in one line
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

Thanks a lot for the help!


Not-formatted layout


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr 'x.x.x.x'
	option netmask 'x.x.x.x'

config globals 'globals'
	option ula_prefix 'x:x:x::/x'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr 'x.x.x.x'
	option netmask 'x.x.x.x'
	option ip6assign '60'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'VPN'
	option proto 'none'
	option ifname 'tun0'

config interface 'Guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr 'x.x.x.x'
	option netmask 'x.x.x.x'
	option ip6assign '60'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

config rule
	option in 'Guest'
	option lookup '2'


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'x::/x'
	option dest_ip 'x::/x'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'x::/x'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option output 'ACCEPT'
	option network 'VPN'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'VPN'
	option src 'lan'

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/x/x/x'
	option htmode 'x'
	option country 'x'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option macaddr 'x'
	option ssid 'x'
	option key 'x'
	option network 'lan'
	option encryption 'psk2'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/x/x/x'
	option htmode 'HT20'
	option country 'x'
	option legacy_rates '1'
	option channel '6'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option macaddr 'x:x:x:x:x:x'
	option ssid 'x'
	option encryption 'psk2+ccmp'
	option key 'x'
	option network 'lan'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'x'
	option encryption 'psk2+ccmp'
	option network 'Guest'
	option key 'x'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'x'
	option key 'x'
	option encryption 'psk2'
	option network 'Guest'
	option disabled '1'


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain

config dhcp 'Lan2'
	option interface 'Lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Guest'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet x.x.x.x/x scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet x.x.x.x/x brd x.x.x.x scope global br-lan
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet x.x.x.x/x brd x.x.x.x scope global eth1.2
       valid_lft forever preferred_lft forever
33: br-Guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet x.x.x.x/x brd x.x.x.x scope global br-Guest
       valid_lft forever preferred_lft forever
default via x.x.x.x dev eth1.2 proto static src x.x.x.x 
x.x.x.x/x dev eth1.2 proto kernel scope link src x.x.x.x 
x.x.x.x/x dev br-lan proto kernel scope link src x.x.x.x 
x.x.x.x/x dev br-Guest proto kernel scope link src x.x.x.x 
0:	from all lookup local 
1:	from all iif br-Guest lookup 2 
32766:	from all lookup main 
32767:	from all lookup default 
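
Between the first post and this one, the `guest` zone changed from `input 'REJECT'` / `forward 'REJECT'` to `ACCEPT` for both, which makes the Guest DNS and Guest DHCP rules redundant and lets guest clients reach any service the router listens on. The check below is an added example, not part of the thread; the function names are constructed, and the embedded excerpts are copied from the two posted firewall files.

```sh
#!/bin/sh
# Added example: report the input/forward policy of one zone in
# /etc/config/firewall text and flag settings that weaken guest isolation.

# Print "input=<policy> forward=<policy>" for zone $2 in UCI text $1.
# Options missing from the zone section are reported as "unset".
zone_policy() {
    printf '%s\n' "$1" | awk -v want="$2" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        function emit() {
            if (inzone && name == want) {
                printf "input=%s forward=%s\n", inp, fwd
                done = 1
            }
        }
        # A new "config" line closes the previous section.
        $1 == "config" { emit(); inzone = ($2 == "zone"); name = ""; inp = fwd = "unset" }
        inzone && $1 == "option" && $2 == "name"    { name = unq($3) }
        inzone && $1 == "option" && $2 == "input"   { inp  = unq($3) }
        inzone && $1 == "option" && $2 == "forward" { fwd  = unq($3) }
        END { emit(); if (!done) print "zone-not-found" }
    '
}

# Print one finding per line for a zone that carries untrusted clients.
# Prints nothing when both policies are restrictive.
audit_guest_zone() {
    pol=$(zone_policy "$1" "$2")
    case "$pol" in
        zone-not-found) echo "no zone named $2"; return 0 ;;
    esac
    case "$pol" in
        *input=ACCEPT*) echo "input=ACCEPT: zone $2 can reach every router service, not only DNS and DHCP" ;;
    esac
    case "$pol" in
        *forward=ACCEPT*) echo "forward=ACCEPT: traffic between networks inside zone $2 is forwarded" ;;
    esac
    return 0
}

# Excerpt of the firewall file from the first post.
FW_FIRST_POST="config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'Guest'
    option input 'REJECT'"

# Excerpt of the firewall file from the later post.
FW_SECOND_POST="config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    option output 'ACCEPT'
    option network 'Guest'
    option input 'ACCEPT'
    option forward 'ACCEPT'"

echo "first post:  $(zone_policy "$FW_FIRST_POST" guest)"
echo "second post: $(zone_policy "$FW_SECOND_POST" guest)"
audit_guest_zone "$FW_SECOND_POST" guest
```

On a router the same check runs against the live file with `audit_guest_zone "$(cat /etc/config/firewall)" guest`.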

With the exception of the wan IP address, all other IPs are private and there is no need to mask them with x.x.x.x
Other than that did you restart the network service after adding these? service network restart
Do you have ip-full installed? opkg list-installed | grep ip-full
Is the gateway properly installed for the new routing table? ip ro ls table 2
Do you also use IPv6 over the VPN tunnel?

With the exception of the wan IP address, all other IPs are private and there is no need to mask them with x.x.x.x

Thanks!

Other than that did you restart the network service after adding these? service network restart

I just did, and no luck. Same issue. Guest wifi on with no internet.

Do you have ip-full installed? opkg list-installed | grep ip-full

Yes. Outcome: ip-full - 4.16.0-8

Is the gateway properly installed for the new routing table? ip ro ls table 2

It is set to default. Outcome: default dev eth1.2 proto static scope link

Do you also use IPv6 over the VPN tunnel?

No, my provider does not support it.

From a host connected to guest network can you try the following:
Does it resolve an address? nslookup openwrt.org
Which path does it follow? tracert 1.1.1.1 for windows or traceroute 1.1.1.1 for linux/mac
Do you get any replies when you ping the guest IP of the router?

Does it resolve an address? nslookup openwrt.org
It does resolve

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

Which path does it follow? tracert 1.1.1.1 for windows or traceroute 1.1.1.1 for linux/mac

I share the outcome with x.x.x.x (sorry, I don't know what should be private vs what not, still learning)

 1  x.x.x.x (x.x.x.x)  1.277 ms  1.383 ms  1.498 ms
 2  *  *  *
 3  x.x.x.x (x.x.x.x)  10.150 ms  11.235 ms  3.903 ms
 4  0-14-0-3-cgw01.websitecompany.com (209.148.233.161)  11.141 ms  3006-cgw01.websitecompany.com (x.x.x.x)  14.444 ms  0-14-0-3-cgw01.x.x.net.x.com (x.x.x.x)  8.966 ms
 5  x.x.x.x (x.x.x.x)  9.855 ms  x.x.x.x (x.x.x.x)  13.842 ms  x.x.x.x (x.x.x.x)  11.562 ms
 6  *  *  *
 7  one.one.one.one (1.1.1.1)  11.409 ms  9.806 ms  9.635 ms

Do you get any replies when you ping the guest IP of the router?

Yes, there are replies. I also checked with facebook, and there are replies as well. But it is not available on either Android or the Linux laptop.

Sorry, I was mistaken about one thing. I didn't check the traceroute from computer session but from router session.
I actually have problems with traceroute, but not with ping to the router ipaddr from my session connected to wifi. I get this:

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  OpenWrt.lan (x.x.x.x)  110.667 ms  110.666 ms  110.737 ms
 2  x.x.x.x (x.x.x.x)  3185.318 ms !H  3185.360 ms !H  3185.485 ms !H

Private addresses are 10.x.x.x, 172.16-31.x.x and 192.168.x.x
Repost everything because I cannot understand what is going on here with all these masked IP addresses.
Don't mask IP addresses in traceroute!

On a sidenote, reaching the router at 110ms is worrying.

Hello, again!
I installed some packages required for vpnbypass and I got vpnbypass working, so I don't need the wifi guest anymore. But! for the sake of understanding the problem, I continue posting

I installed and replaced some packages for vpnbypass:

opkg update; opkg remove dnsmasq; opkg install ipset iptables dnsmasq-full;

And now I am getting this outcome from host connected to guest network.

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.x.x)  3.991 ms  3.987 ms  4.110 ms
 2  192.168.x.x (192.168.x.x)  3136.429 ms !H  3136.449 ms !H  3136.550 ms !H

Not more than that.

PS: The traceroute I sent before was from machine with proper connection to internet, so it is not relevant for this.

If you keep masking the IP addresses it won't be easy for anyone to help.

Okay, I got informed about those types of IPs. You are right, I just didn't know.

Anyway, I messed with my linux and I am replying from a USB live linux. I could test it again, though, with tracepath instead.

 1?: [LOCALHOST]                      pmtu 1500
 1:  OpenWrt.lan                                           6.074ms 
 1:  OpenWrt.lan                                           0.668ms 
 2:  no reply
 2:  192.168.0.14                                        3098.259ms !H
     Resume: pmtu 1500 

This is what I get

OpenWrt.lan is your router. I don't know what 192.168.0.14 is.
Go back to this post and upload again the output without masking the IPs. Change slightly the MACs if you are concerned and the IP of eth1.2 (wan).

I stopped trying to set the independent extra wifi without VPN. I don't need it anymore. Too much work. And the previous post was not about the wifi I want to set up. It was about the connection you get with ethernet in the router. Thanks a lot for all the help!
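
A diagnostic for the routing output posted in this thread, as an added example that is not from any participant: `ip ro ls table 2` returned a default route with no `via` next hop, so on an Ethernet WAN the kernel treats every destination as directly attached, which is consistent with the `!H` replies in the guest traceroute. The function names and the `192.0.2.1` gateway are constructed for illustration.

```sh
#!/bin/sh
# Added example: check the policy-routing path for the guest bridge.
# Inputs are the text of `ip -4 rule` and `ip -4 route show table N`.

# Print the table selected for packets arriving on interface $2,
# or "main" when no iif rule matches.
table_for_iif() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        {
            hit = 0; tbl = ""
            for (i = 1; i < NF; i++) {
                if ($i == "iif" && $(i + 1) == dev) hit = 1
                if ($i == "lookup") tbl = $(i + 1)
            }
            if (hit && tbl != "") { print tbl; done = 1; exit }
        }
        END { if (!done) print "main" }
    '
}

# Classify the default route in route-table text $1. Prints:
#   gateway GW DEV   next hop present
#   on-link DEV      no "via": destinations are resolved by ARP on DEV
#   missing          no default route in this table
classify_default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "") print "gateway", gw, dev
            else          print "on-link", dev
            found = 1
            exit
        }
        END { if (!found) print "missing" }
    '
}

# $1 = `ip -4 rule` text, $2 = guest bridge, $3 = route text of its table
diagnose_guest_path() {
    tbl=$(table_for_iif "$1" "$2")
    state=$(classify_default_route "$3")
    case "$state" in
        gateway*) echo "OK: $2 -> table $tbl -> $state" ;;
        on-link*) echo "FAIL: table $tbl default route has no next hop ($state)" ;;
        *)        echo "FAIL: table $tbl has no default route; lookup continues with the next rule" ;;
    esac
}

# Rule list and table 2 route as posted in the thread.
RULES='0: from all lookup local
1: from all iif br-Guest lookup 2
32766: from all lookup main
32767: from all lookup default'
TABLE2_AS_POSTED='default dev eth1.2 proto static scope link'
# Constructed: the same route with a next hop (documentation address).
TABLE2_WITH_GW='default via 192.0.2.1 dev eth1.2 proto static'

diagnose_guest_path "$RULES" br-Guest "$TABLE2_AS_POSTED"
diagnose_guest_path "$RULES" br-Guest "$TABLE2_WITH_GW"
```

On the router, feed it live data with `diagnose_guest_path "$(ip -4 rule)" br-Guest "$(ip -4 route show table 2)"`. The next hop for the `config route` section goes in `option gateway`, and it is the `via` address of the WAN default route in the main table.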
