No guest access on dumb AP Archer C7

Hi all,

I have been working with OpenWrt for a couple of years already. Most of the time I manage, but now I have an issue. I found some topics on this, but unfortunately they didn't help me.

I flashed a TP-LINK Archer C7 V2 with OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363 and made it a dumb AP. This works 100%, both 2.4 and 5.0. Then I added on both 2.4 and 5.0 a guest network with its own DHCP server in another subnet. The radios work, but there is no internet access on the guest networks. I think I am missing something. Who can help me out?

/etc/config/network

# /etc/config/network as first posted. The 'guest' interface that the wireless
# and firewall configs below refer to is not in this listing.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:7b9b:ce47::/48'

# Dumb-AP LAN: both Ethernet devices bridged, static address inside the upstream
# router's subnet, default route and primary DNS via 192.168.50.50, with 8.8.8.8
# as a public fallback resolver outside the LAN.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.50.70'
        option gateway '192.168.50.50'
        list dns '192.168.50.50'
        list dns '8.8.8.8'

/etc/config/wireless

# /etc/config/wireless: two radios, each carrying the LAN SSID and a guest SSID.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option htmode 'VHT80'
        option country 'US'
        option path 'pci0000:00/0000:00:00.0'
        option channel '44'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option htmode 'HT20'
        option path 'platform/ahb/18100000.wmac'

# LAN SSIDs (5 GHz and 2.4 GHz), attached to the 'lan' bridge with WPA2-PSK.
# NOTE(review): the PSK is pasted here in clear text; a key that has appeared in
# a public thread should be treated as disclosed and replaced.
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option key 'test1234'
        option encryption 'psk2'
        option ssid 'testTETS'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option network 'lan'
        option key 'test1234'
        option encryption 'psk2'
        option ssid 'testTETS24'

# Guest SSIDs, attached to the 'guest' interface. encryption 'none' makes them
# open networks: nothing on the air is encrypted and anyone in range can join.
# isolate '1' stops guest clients from reaching each other through the AP; it
# does not protect the traffic itself (an encrypted SSID with its own PSK would).
config wifi-iface 'wifinet2'
        option device 'radio0'
        option network 'guest'
        option ssid 'gastWIFI'
        option mode 'ap'
        option encryption 'none'
        option isolate '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option network 'guest'
        option mode 'ap'
        option encryption 'none'
        option isolate '1'
        option ssid 'gastWIFI24'

/etc/config/dhcp

# /etc/config/dhcp. The upstream router (192.168.50.50) serves the LAN; the
# dnsmasq on this AP only serves the guest subnet.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        # Rebind protection is on, but every suffix in the rebind_domain list
        # at the end of this section is exempted from it: private-range answers
        # coming back from the external resolvers listed below are accepted for
        # those names.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        # Only answer DNS queries from locally attached subnets.
        option localservice '1'
        option nonwildcard '0'
        # Per-suffix forwards of non-ICANN TLDs to third-party resolvers, sent
        # as plain DNS (no transport hardening is configured here).
        list server '/.bit/178.32.31.41'
        list server '/.bit/106.187.47.17'
        list server '/.bit/176.58.118.172'
        list server '/.glue/66.244.95.20'
        list server '/.glue/95.211.32.162'
        list server '/.glue/95.142.171.235'
        list server '/.parody/66.244.95.20'
        list server '/.parody/95.211.32.162'
        list server '/.parody/95.142.171.235'
        list server '/.dyn/66.244.95.20'
        list server '/.dyn/95.211.32.162'
        list server '/.dyn/95.142.171.235'
        list server '/.bbs/66.244.95.20'
        list server '/.bbs/95.211.32.162'
        list server '/.bbs/95.142.171.235'
        list server '/.free/66.244.95.20'
        list server '/.free/95.211.32.162'
        list server '/.free/95.142.171.235'
        list server '/.fur/66.244.95.20'
        list server '/.fur/95.211.32.162'
        list server '/.fur/95.142.171.235'
        list server '/.geek/66.244.95.20'
        list server '/.geek/95.211.32.162'
        list server '/.geek/95.142.171.235'
        list server '/.gopher/66.244.95.20'
        list server '/.gopher/95.211.32.162'
        list server '/.gopher/95.142.171.235'
        list server '/.indy/66.244.95.20'
        list server '/.indy/95.211.32.162'
        list server '/.indy/95.142.171.235'
        list server '/.ing/66.244.95.20'
        list server '/.ing/95.211.32.162'
        list server '/.ing/95.142.171.235'
        list server '/.null/66.244.95.20'
        list server '/.null/95.211.32.162'
        list server '/.null/95.142.171.235'
        list server '/.oss/66.244.95.20'
        list server '/.oss/95.211.32.162'
        list server '/.oss/95.142.171.235'
        list server '/.micro/66.244.95.20'
        list server '/.micro/95.211.32.162'
        list server '/.micro/95.142.171.235'
        # NOTE(review): each entry here disables rebind_protection for that
        # suffix; keep only the ones that are actually needed.
        list rebind_domain '.bit'
        list rebind_domain '.glue'
        list rebind_domain '.parody'
        list rebind_domain '.dyn'
        list rebind_domain '.bbs'
        list rebind_domain '.free'
        list rebind_domain '.fur'
        list rebind_domain '.geek'
        list rebind_domain '.gopher'
        list rebind_domain '.indy'
        list rebind_domain '.ing'
        list rebind_domain '.null'
        list rebind_domain '.oss'
        list rebind_domain '.micro'

# Dumb AP: no DHCP on the LAN, the upstream router serves it.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

# No 'wan' interface exists in the posted network config; this section is inert.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# dnsmasq stays the DHCPv4 server (maindhcp '0'); odhcpd only handles IPv6.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

# Guest pool: host offsets 50..249 of the guest interface's subnet (192.168.2.50
# to .249 with the /24 posted), one-hour leases. This is the only DHCP server the
# AP runs, so a guest client ending up on 169.254.x.x most likely means its
# request never reached dnsmasq (interface not up or not attached) or the reply
# was blocked.
config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '200'
        option leasetime '1h'

/etc/config/firewall

# /etc/config/firewall: dumb AP with a separate guest zone. Neither posted
# /etc/config/network defines a 'wan' or 'wan6' interface, so the wan zone and
# every rule with src 'wan' below have no member interface and do nothing until
# one is added; they are the stock rules left in place.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan zone: input ACCEPT exposes every service on the AP to the LAN. masq '1' is
# what lets the guest subnet reach upstream without a static route on the
# router: guest traffic forwarded into this zone leaves with source
# 192.168.50.70.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

# wan zone: no member interface in the posted network config (see above).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock Allow-* rules for a routed wan; inert here for the same reason.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Includes run their scripts on every firewall reload and can add rules that are
# not visible in this file; /etc/firewall.user, the miniupnpd include,
# /etc/openvpn.firewall and /etc/tor.firewall belong to the review as well.
config include
        option path '/etc/firewall.user'
        option reload '1'
# Unnamed rule accepting ESP from the wan zone into the LAN. It is not explained
# in the thread and presumably was left over from a VPN setup; inert without a
# wan interface, but confirm it is still wanted before one is defined.
config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'openvpn_include_file'
        option path '/etc/openvpn.firewall'
        option reload '1'

config include 'tor_include_file'
        option path '/etc/tor.firewall'
        option reload '1'

# NOTE(review): 'remote_accept' is not a section type the fw3 firewall itself
# handles as far as I know (it would simply be ignored); if some other package's
# script does read it, this opens tcp/22 on the wan zone. Confirm which, and
# drop it if SSH is not meant to be reachable from a future wan.
config remote_accept 'ra_22_22'
        option local_port '22'
        option remote_port '22'
        option proto 'tcp'
        option zone 'wan'

# guest zone: nothing reaches the AP itself (input REJECT) except what the DHCP
# and DNS rules at the end allow, and the only path out is the guest->lan
# forwarding below, which is masqueraded by the lan zone.
config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'lan'

# Forward-chain rule (src and dest both set): guest clients cannot reach the
# 192.168.50.0/24 LAN subnet, including the upstream router 192.168.50.50. Any
# other subnet reachable through the lan zone is still forwarded and
# masqueraded, so add its prefix to dest_ip if it must stay private. The rule
# name carries a typo; it is only a label.
config rule
        option name 'Diable Guest LAN Access'
        option dest 'lan'
        option target 'DROP'
        option proto 'all'
        option src 'guest'
        list dest_ip '192.168.50.0/24'

# Input-chain rules (src only, no dest): let guest clients use the AP's DHCP and
# DNS. fw3 accepts the 'low-high' port range syntax, so '67-68' is valid.
config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        option proto 'udp'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'

Thanks,
Martin

An initial observation is that there's no guest interface in your network config. Once you've created that, you'll also need to add appropriate firewall rules for DHCP and DNS.

This reference may help.


@tectonic
Sorry, one way or another part of the network config was missing from my post.
This is the complete file, guest interface is there.

/etc/config/network

# /etc/config/network, complete version: adds the switch sections and the
# 'guest' interface to the listing first posted.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:7b9b:ce47::/48'

# Dumb-AP LAN: both Ethernet devices bridged, static address inside the upstream
# router's subnet, default route and primary DNS via 192.168.50.50, with two
# public fallback resolvers.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.50.70'
        option gateway '192.168.50.50'
        list dns '192.168.50.50'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

# All switch ports in VLAN 1; a second VLAN was tried and commented out.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5'

# config switch_vlan
#       option device 'switch0'
#       option vlan '2'
#       option ports '1 6'

# Guest interface: its own /24 with the AP as gateway at 192.168.2.1. It has no
# ifname; the wifi-iface sections with network 'guest' attach to it.
# NOTE(review): it is not 'type bridge' as posted, although wifi-ifaces on both
# radios attach to it; in 19.07 a non-bridge interface can carry only one
# wireless interface as far as I recall, which would leave one band without an
# address or DHCP — confirm (the follow-up says bridge options were added later).
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option  netmask '255.255.255.0'

Added the bridge options. Didn't help.
I also followed the instructions on openwrt.org, but no luck. I am stuck.

Exactly what doesn't work? Check these:

  • AP(s) on the air.
  • Client can connect and receive DHCP configuration.
  • DHCP configuration received by client is correct.
  • Client can ping an Internet site by numeric (8.8.8.8).
  • Client can ping an Internet site by name.
  • AP's are on the air.
  • Normal AP's (dumb AP) work 100%, incl internet access.
  • Clients of the guest network connect, but have no internet access and get an automatically obtained 169.x.x.x address, so DHCP does not seem to work properly.
  • An Internet IP like 8.8.8.8 cannot be pinged from clients on the guest APs: unreachable.
  • An Internet URL cannot be pinged from clients on the guest APs: unreachable.

In your router/modem you need to add a static route so that packets destined for subnet 192.168.2.x are routed to 192.168.50.70 for delivery.

The device that is doing the NAT routing may not allow this.

This is not necessary. Since the lan zone has masquerading enabled, IP addresses 192.168.2.x are translated to 192.168.50.70 and do not appear outside the guest network.

Okay, but why doesn't the DHCP for 192.168.2.x work?
I followed the instructions on openwrt.org, double-checked, and don't see why it doesn't work. The only difference between the instructions and my situation is that I probably have a newer version of OpenWrt, since the LuCI interface is slightly different (settings are divided over different tabs).

In the status page of the LuCI interface I see that connections are being made with the guest network, but my MacBook reports a 169.x.x.x IP address instead of 192.168.2.x.

Temporarily change the guest firewall input default to ACCEPT and disable the guest DHCP rule. I'm not sure if port '67-68' is a legal syntax.

Sorry, no change.

Anyway, I decided to reflash the firmware, keeping the settings, just as a wild guess. But suddenly it works! I can't explain why, but the problem seems to be solved.

Thanks all for your help.