Need help with configuring a guest wifi network

I have installed OpenWRT 19.07.2 on a Linksys WRT32X router and it runs stable.

I have installed multiple additional packages:
AdBlock
OpenVPN
Policy Based Routing
DNSCrypt

Nothing looks out of the ordinary in my kernel or system log.
The LAN Wifi network works just fine.

Now I am trying to get a guest network running (only need the 2.4GHz) and I followed both of these tutorials:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

I have also read through and tested pieces of this tutorial:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

My phone will connect to the guest wifi and receive a DHCP provided IP address.
But, my phone reports "Connected without internet".

I have termux installed on my phone and can run some network diagnostics. I've pinged the DHCP server IP address but get a "Destination Port Unreachable" response.

I've been trying just about everything I can think of and I'm out of ideas... Is this a WAN/Guest forwarding issue? A DNS configuration issue? Something else?

Does anyone have any thoughts?

Just a guess, but is your 2.4 GHz set to 40 MHz by chance? I've had the same problem before (received IP but no internet) when that's the case, and setting it to 20 MHz solved it. If not, you might post the output of -

```
cat /etc/config/wireless
cat /etc/config/firewall
cat /etc/config/dhcp
```

Maybe someone will see a problem there (make sure to remove passwords).

Thanks for the help, Mike.

The 2.4 GHz is set to 20 MHz.

Here is the output of wireless:

```
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:cf:d5:82'
	option key ''
	option ssid 'IStateFan5'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:cf:d5:81'
	option key ''
	option ssid 'IStateFan24'
	option encryption 'psk2'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet3'
	option key ''
	option ssid 'IStateFan24_Guest'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option network 'guest'
```

**Here is the output of firewall** (some day I will remove all of the IPv6):

```
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option forward 'REJECT'
	option input 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config rule
	option dest_port '53'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'guest'

config rule
	option dest_port '67-68'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'
```

**Here is the output of dhcp** (I removed all but one of the host reservations):

```
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'
	option noresolv '1'
	list server '127.0.0.1#5353'
	list server '/pool.ntp.org/8.8.8.8'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option leasetime '12h'
	option limit '75'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option interface 'guest'
	option limit '25'
	option leasetime '2h'

config host
	option mac '8C:04:BA:26:5F:31'
	option name 'CRM23892'
	option dns '1'
	option ip '192.168.2.254'
```

Checking your configs against mine, there are two differences, in -

```
config rule
	option dest_port '53'
	option name 'Guest DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'guest'
```

I have no option proto 'tcp udp', so you might try removing that or changing option to list, and in -

```
config rule
	option dest_port '67-68'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'guest'
```

I have list proto 'udp' rather than option proto 'udp', so you might try changing that too. Other than that they're the same, and mine is working OK.

Mike,
Thanks for the suggestions, but still no luck. The good news is that it means it's probably configured right and maybe it's just my phone. I'm going to see if I can find other devices to test it.
-Adam

This can be explained by your configuration: zone guest has input set to REJECT, and there is no rule to whitelist icmp (ping). Try to ping 8.8.8.8 instead, which passes through forward and should be allowed because of the explicit guest->wan forwarding section.

I suggest changing guest input to ACCEPT temporarily (which should "fix" the problem), then refining the firewall ruleset with the desired restrictions. Blocking all ICMP is not advisable, since it causes problems with IPv4 and breaks IPv6.

Note: please use the </> preformatted text tool for config files.

I just checked my Guest DNS rule again because it didn't seem right that tcp/udp weren't listed, and while they were present in LuCI they weren't in the CLI for whatever reason, so I added them again in LuCI and they showed up this time, but separately in the CLI, meaning -

```
list proto 'tcp'
list proto 'udp'
```

rather than -

```
list proto 'tcp udp'
```

So you might try that change too in addition to @mpa's suggestions.
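The two points above (the guest zone's input policy needing an explicit rule per service, and `option proto 'tcp udp'` versus the `list proto` spelling) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: it parses a firewall config in UCI syntax and reports which guest-to-router services have no ACCEPT rule when the zone's input policy is not ACCEPT. The embedded config is a constructed excerpt modelled on Adam's; only the INPUT side is audited, not forwarding.

```python
import re
from collections import defaultdict

# Constructed /etc/config/firewall excerpt modelled on the one in this thread:
# guest zone with input REJECT, DNS and DHCP rules in both proto spellings, no ICMP rule.
SAMPLE_FIREWALL = """
config zone
	option name 'guest'
	option input 'REJECT'
config rule
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
config rule
	option src 'guest'
	option dest_port '67-68'
	list proto 'udp'
	option target 'ACCEPT'
"""

def parse_uci(text):
    # [(section_type, {key: [values]})]; 'option' and 'list' lines are stored the same way
    sections = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)", line):
            sections.append((m.group(1), defaultdict(list)))
        elif (m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1][1][m.group(1)].append(m.group(2))
    return sections

def allows(rules, proto, port):
    # some rule names proto ('tcp udp' or list form) and covers port; no dest_port = any port
    def covers(r):
        ranges = [t.partition("-") for t in " ".join(r["dest_port"]).split()]
        return not ranges or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)
    return any(proto in " ".join(r["proto"]).split() and covers(r) for r in rules)

def audit_guest_zone(text, zone="guest"):
    # which services may guest clients reach on the router itself (INPUT chain)?
    s = parse_uci(text)
    zone_opts = next((o for t, o in s if t == "zone" and o["name"] == [zone]), defaultdict(list))
    # src=zone rules without dest match traffic addressed to the router, not forwarded traffic
    rules = [o for t, o in s if t == "rule" and o["src"] == [zone]
             and not o["dest"] and o["target"] == ["ACCEPT"]]
    blocked = []
    if zone_opts["input"] != ["ACCEPT"]:  # REJECT/DROP: each service needs an explicit rule
        for what, proto, port in (("DHCP", "udp", 67), ("DNS", "udp", 53), ("ping", "icmp", 0)):
            if not allows(rules, proto, port):
                blocked.append(f"{what}: no {proto} rule from {zone} to the router")
    return blocked
```

Run against a copy of your own /etc/config/firewall, the only finding on the sample above is the missing ICMP rule, which matches the ping result described in the thread.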

Thanks mpa and Mike. I had to take a break from breaking the internet while the kids had to transition to online school. Then life happened. Now I'm back at this.

I updated the two lines for the DNS rule as Mike suggested.

I added two routes per mpa:
Guest ICMP (from "Guest" to "this device")
Guest IGMP (from "Guest" to "this device")

I also installed the same version of OpenWrt onto the alternate partition in case that was causing a mismatch somewhere in the layers of firmware (while I pushed a backup of my primary partition onto that new image, I didn't fully configure it).

I also switched the 2.4 GHz to 20 MHz and then back to 40 MHz (channel = auto) to see if that realigned some setting.

With all of this, I can ping the router's IP address for the guest network as well as the gateway IP. I cannot ping my PC on the LAN (which is good). I cannot ping anything on the internet by name or IP address, though ("Destination Port Unreachable").

I also changed the firewall route for the Guest to match the LAN (accept, accept, reject), but still no luck (and then put it back to reject, accept, reject).

To confirm, Guest should be forwarded to WAN, right? And not to LAN?

Does this sound like a Zone Forwarding issue or a Traffic Rule issue?

-Adam

Goofiness ensues.

So, I decided what better way to spend a Friday night than to configure a fresh install on my WRT32XB.

After installing, the only configurations I've done are:
Install the luci-app-advanced-reboot opkg
Set the time zone
Add SSH
Turn off IPv6 on boot

My 5 GHz works out of the box once I enable it (and add a key).
My 2.4 GHz does not once enabled (and key added)... "Connected without internet".
That's the same error I had on the other partition for the 2.4 GHz guest network.
So, I figured that a second SSID (for the guest network) on the 2.4 GHz would fail as well... but it works just fine!?

All three are bridged to LAN.

Any ideas on why this is happening?

I simply change the name, and it works.

For this naming convention, one of these two will not provide internet connectivity
IStateFan24
IStateFan24_Guest

For this naming convention, both will provide internet connectivity
IStateFan25
IStateFan24_Guest

Further debug suggests that this name will not work on my clean install: IStateFan24.

Still having issues on my original install using the SSIDs "IStateFan2" and "Guest_IStateFan24" (the guest still cannot connect to the internet).

-Adam

I continued through the fresh build by installing OpenVPN and VPN Policy Routing. Once those were installed and the services running, nothing could get an internet connection. It looked like a DNS issue, so instead of fighting the issue, I simply disabled the VPN service to install DNSCrypt-Proxy. Now that it's installed, I turned the VPN service back on and things seem to work ok.

And I'm back to the guest network reporting "Connected without Internet."

I'm going to do a little more digging, but if someone could help me understand how DNSCrypt/DNSMasq interacts with the lan/guest networks and policy based route through/around VPN, I could use some education. I think I understand the "day in the life of a UDP packet" through two different sources: lan/guest get routed through two different policies bypass/tun... What happens to the DNS routes? Do they follow the same paths as the UDP?

-Adam