Hi all,
I have been working with OpenWrt for a couple of years. Most of the time I manage, but now I have an issue. I found some topics on this, but unfortunately they didn't help me out.
I flashed a TP-LINK Archer C7 V2 with OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363 and made it a dumb AP. This works 100%, on both 2.4 and 5.0. Then I added a guest network on both 2.4 and 5.0, with its own DHCP in another subnet. The radios work, but there is no internet access on the guest networks. I think I am missing something. Who can help me out?
/etc/config/network
# Network definitions as pasted: only 'loopback' and 'lan' are defined.
# NOTE(review): the wireless, dhcp and firewall files in this post all refer
# to a network named 'guest', but no `config interface 'guest'` section
# appears in this paste. Without an addressed 'guest' interface there is
# nothing for the guest DHCP pool to serve or for the guest firewall zone to
# bind to -- confirm whether the section exists on the device.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7b:7b9b:ce47::/48'
# 'lan' bridges eth0 and eth1 and has a static address in 192.168.50.0/24.
# No separate 'wan' interface is defined in this file.
config interface 'lan'
option type 'bridge'
option ifname 'eth0 eth1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.50.70'
# Default route and first resolver both point at 192.168.50.50, so all
# traffic leaving this device exits through the 'lan' interface.
option gateway '192.168.50.50'
list dns '192.168.50.50'
list dns '8.8.8.8'
/etc/config/wireless
# radio0: 11a / VHT80 on channel 44 (the 5 GHz radio).
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option htmode 'VHT80'
option country 'US'
option path 'pci0000:00/0000:00:00.0'
option channel '44'
# radio1: 11g / HT20 on channel 11 (the 2.4 GHz radio).
# NOTE(review): no 'country' option is set here, unlike radio0 -- confirm
# that is intended.
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option htmode 'HT20'
option path 'platform/ahb/18100000.wmac'
# Main SSIDs: one AP per radio, both attached to network 'lan' with
# WPA2-PSK ('psk2').
# NOTE(review): the pre-shared key is eight characters, the same on both
# SSIDs, and is visible in this public post. Treat it as disclosed: replace
# it with a long random passphrase and redact keys before sharing configs.
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option network 'lan'
option key 'test1234'
option encryption 'psk2'
option ssid 'testTETS'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option network 'lan'
option key 'test1234'
option encryption 'psk2'
option ssid 'testTETS24'
# Guest SSIDs: one AP per radio, both attached to network 'guest'.
# encryption 'none' makes these open networks: anyone in range can join and
# client traffic is not encrypted over the air.
# isolate '1' blocks client-to-client traffic on each AP interface; access
# to the LAN and to the router itself is governed by the firewall zone, not
# by this option.
# NOTE(review): these depend on an interface named 'guest' in
# /etc/config/network -- confirm that section exists.
config wifi-iface 'wifinet2'
option device 'radio0'
option network 'guest'
option ssid 'gastWIFI'
option mode 'ap'
option encryption 'none'
option isolate '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option network 'guest'
option mode 'ap'
option encryption 'none'
option isolate '1'
option ssid 'gastWIFI24'
/etc/config/dhcp
# Global dnsmasq settings. This resolver also answers any guest clients that
# are allowed to reach port 53 on the router.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
# Rebind protection: upstream answers that point into private address
# ranges are discarded, except for the suffixes exempted by the
# rebind_domain entries further down.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# localservice '1' limits DNS service to clients on locally attached subnets.
option localservice '1'
option nonwildcard '0'
# Per-suffix upstreams: queries under each listed suffix are sent to the
# fixed public addresses given here instead of the resolvers in resolvfile.
# NOTE(review): these look like alternative-root (non-ICANN) suffixes,
# presumably carried over from an earlier setup. Whoever answers at these
# addresses controls resolution for the listed names; confirm the servers
# are still wanted and trusted, or remove the entries.
list server '/.bit/178.32.31.41'
list server '/.bit/106.187.47.17'
list server '/.bit/176.58.118.172'
list server '/.glue/66.244.95.20'
list server '/.glue/95.211.32.162'
list server '/.glue/95.142.171.235'
list server '/.parody/66.244.95.20'
list server '/.parody/95.211.32.162'
list server '/.parody/95.142.171.235'
list server '/.dyn/66.244.95.20'
list server '/.dyn/95.211.32.162'
list server '/.dyn/95.142.171.235'
list server '/.bbs/66.244.95.20'
list server '/.bbs/95.211.32.162'
list server '/.bbs/95.142.171.235'
list server '/.free/66.244.95.20'
list server '/.free/95.211.32.162'
list server '/.free/95.142.171.235'
list server '/.fur/66.244.95.20'
list server '/.fur/95.211.32.162'
list server '/.fur/95.142.171.235'
list server '/.geek/66.244.95.20'
list server '/.geek/95.211.32.162'
list server '/.geek/95.142.171.235'
list server '/.gopher/66.244.95.20'
list server '/.gopher/95.211.32.162'
list server '/.gopher/95.142.171.235'
list server '/.indy/66.244.95.20'
list server '/.indy/95.211.32.162'
list server '/.indy/95.142.171.235'
list server '/.ing/66.244.95.20'
list server '/.ing/95.211.32.162'
list server '/.ing/95.142.171.235'
list server '/.null/66.244.95.20'
list server '/.null/95.211.32.162'
list server '/.null/95.142.171.235'
list server '/.oss/66.244.95.20'
list server '/.oss/95.211.32.162'
list server '/.oss/95.142.171.235'
list server '/.micro/66.244.95.20'
list server '/.micro/95.211.32.162'
list server '/.micro/95.142.171.235'
# Rebind-protection exemptions: answers in private address ranges are
# accepted for these suffixes, so the external servers above are allowed to
# return internal addresses for them.
list rebind_domain '.bit'
list rebind_domain '.glue'
list rebind_domain '.parody'
list rebind_domain '.dyn'
list rebind_domain '.bbs'
list rebind_domain '.free'
list rebind_domain '.fur'
list rebind_domain '.geek'
list rebind_domain '.gopher'
list rebind_domain '.indy'
list rebind_domain '.ing'
list rebind_domain '.null'
list rebind_domain '.oss'
list rebind_domain '.micro'
# DHCP is switched off on 'lan' (ignore '1'); on a dumb AP the upstream
# router hands out LAN leases.
config dhcp 'lan'
option interface 'lan'
option ignore '1'
# NOTE(review): the network file in this post defines no 'wan' interface,
# so this section has nothing to apply to as pasted.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
# Guest pool: 200 addresses starting at host offset 50, with 1-hour leases.
# The subnet is taken from the 'guest' interface's own address.
# NOTE(review): no 'guest' interface appears in the network file in this
# post; without it this pool cannot hand out leases -- confirm.
config dhcp 'guest'
option interface 'guest'
option start '50'
option limit '200'
option leasetime '1h'
/etc/config/firewall
# Global policies. input and output are ACCEPT, forward is REJECT.
# NOTE(review): an ACCEPT input default means traffic to the router that is
# not claimed by any zone is accepted; with an open guest SSID, confirm the
# guest interface really is bound to the 'guest' zone (input REJECT).
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# 'lan' zone: fully permissive, with masquerading enabled.
# masq '1' rewrites the source of traffic leaving through 'lan' to the AP's
# own LAN address. Presumably this is what lets a routed guest subnet reach
# the upstream gateway without a return route there -- verify on the device.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
# 'wan' zone: stock router settings.
# NOTE(review): the network file in this post defines no 'wan' or 'wan6'
# interface, so this zone appears to cover nothing on this dumb AP; the
# uplink is reached through 'lan'.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The rules in this group all have src 'wan'. They accept specific control
# traffic arriving from the wan zone: DHCP renew, ping, IGMP, DHCPv6, MLD
# and ICMPv6. They only take effect if an interface is bound to that zone.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 addressed to the router itself, rate-limited to 1000 per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), with the same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Included files are loaded with the firewall; those with reload '1' are
# re-run on every reload. Their contents are not shown in this post.
# NOTE(review): includes can add rules that are invisible in this file.
# Review each one and remove includes for packages that are not installed
# or not needed on a dumb AP (UPnP, OpenVPN, Tor).
config include
option path '/etc/firewall.user'
option reload '1'
# Unnamed rule: forwards ESP (IPsec) from wan to lan with no destination
# address restriction.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'
config include 'tor_include_file'
option path '/etc/tor.firewall'
option reload '1'
# NOTE(review): 'remote_accept' is not one of the stock OpenWrt firewall
# section types (defaults, zone, forwarding, rule, redirect, ipset,
# include); it looks carried over from another firmware's config. Confirm
# whether anything on this build acts on it. If something does, it opens
# TCP port 22 (SSH) on the wan zone.
config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'
# 'guest' zone: traffic to the router and forwarded traffic are rejected by
# default; only the rules and the forwarding below open exceptions.
# NOTE(review): the zone binds to network 'guest', which is not defined in
# the network file in this post -- confirm the interface exists.
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# guest -> lan forwarding is the guests' path to the internet here, because
# the uplink gateway sits on the 'lan' side of this AP.
config forwarding
option src 'guest'
option dest 'lan'
# Drops guest traffic addressed to the LAN subnet itself. Traffic to other
# destinations still passes through the forwarding above.
# NOTE(review): this relies on rules being evaluated before zone
# forwardings -- confirm in the generated ruleset. The match is also
# IPv4-only: if guests ever get IPv6, guest -> lan IPv6 is not covered by
# this rule.
config rule
option name 'Diable Guest LAN Access'
option dest 'lan'
option target 'DROP'
option proto 'all'
option src 'guest'
list dest_ip '192.168.50.0/24'
# No 'dest' option, so this applies to traffic to the router itself: it
# lets guests reach the DHCP server despite the zone's input REJECT.
config rule
option dest_port '67-68'
option src 'guest'
option name 'Guest DHCP'
option target 'ACCEPT'
option proto 'udp'
# Lets guests query the router's DNS on port 53 over TCP and UDP. No other
# router service is opened to the guest zone in this file.
config rule
option dest_port '53'
option src 'guest'
option name 'Guest DNS'
option target 'ACCEPT'
option proto 'tcp udp'
Thanks,
Martin