In my network, the OpenWrt behind the ISP’s router acts as the router for my private network, providing both DNS (unbound) and DHCP. I also use routing in the ISP’s router to avoid double NAT. This set-up works well. Now I want to provide guest Wi-Fi via OpenWrt as well.
While clients can connect to the guest Wi-Fi, they’re not able to access the internet. Thus, I would be happy for any suggestions. Also, I wonder if DHCP requires a range of ports instead of only port 68, as it does for the default interfaces?
Make a copy of your firewall file and then, on the active firewall, delete the rule below. The top looks good, but you seem to be giving away candy on the top and then stealing it on the bottom.
@Bill Removing this traffic rule helped. At least, clients using custom DoT can access the internet. However, without custom DNS servers set, clients cannot access the internet. In the DHCP settings of the guest interface, 'option:dns-server,0.0.0.0' is set, which works for the regular Wi-Fi.
@trendy You mean, I should delete all three rules? Don’t I need the first rule for forwarding guest requests to the WAN interface?
Yes, the guest Wi-Fi’s IP is set in the ISP router as it is done for the regular Wi-Fi.
That's right, and no, you are blocking everything with the last rule. In a default config the lack of forwarding means no forwarding allowed.
You didn't mention that earlier, DoT is a different protocol than traditional DNS and works on port 853. This needs to be allowed too, unless the clients fall back to unencrypted DNS.
I see the redundancy of the rules now. I removed them.
What’s still not working is that clients cannot connect to the internet. I was a bit unclear about the DoT. Actually, these clients used a VPN with DoT, so that’s not exactly using port 853. In my network, unbound serves DNS, and this should be announced to the clients in the guest Wi-Fi as well. It seems that this announcement does not work properly, although I expected setting the DNS server 0.0.0.0 would work as it does for the regular Wi-Fi.
I have also created a rule to allow 53 for DNS. And I read that OpenWrt is advertising itself by default. However, without dhcp_option 'option:dns-server,0.0.0.0', iOS devices cannot establish an internet connection.
These comments helped indeed. It seems that somehow the announcement as DNS service is not correctly handled when unbound and dnsmasq are run in parallel. If I change to serial mode (unbound listening on port 1053 and dnsmasq on 53) it works. Performance-wise it’s not as good as in parallel mode, but acceptable.
The problem is also solved by adding a second traffic rule for DNS that allows requests at port 1053 when using the parallel mode.
```
# Rules with 'src' but no 'dest' match traffic addressed to the router itself
# (the input chain), not traffic forwarded to other zones.
# 'proto' is omitted, so the firewall default of 'tcp udp' applies.
config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

# Same as above, for unbound's listener on 1053 in parallel mode.
config rule
	option name 'Guest DNS on 1053'
	option src 'guest'
	option dest_port '1053'
	option target 'ACCEPT'
```
I just wonder why this issue only occurs with the guest Wi-Fi. For the set-up, I followed the unbound guide, which is also linked in the OpenWrt documentation. This guide also mentions the option dhcp_option 'option:dns-server,0.0.0.0'.
Do you think, allowing requests at port 1053 is security-wise a problem?
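As an added example (not code from this thread or from OpenWrt), the following Python script parses UCI-style `config rule` blocks and reports what an ACCEPT rule in a given source zone actually exposes: a rule with `src` but no `dest` only matches traffic to the router itself (the input chain), so the 1053 rule above reaches unbound's listener on the router and nothing behind it, while a rule with both `src` and `dest` is a forwarding rule that reaches hosts in the destination zone. The `SAMPLE_RULES` text is constructed: it contains the two rules posted above plus an assumed DHCP rule and a deliberately wrong guest-to-lan forwarding rule so the check has something to flag. The function names `parse_rules` and `audit_zone` are this example's own.

```python
"""Audit OpenWrt UCI firewall 'config rule' blocks for one source zone.

Added example, not part of the original thread. The parser handles the
'config <type>' / 'option <k> '<v>'' / 'list <k> '<v>'' syntax used in
/etc/config/firewall; the sample input below is constructed.
"""
import re

# Constructed sample: the two posted rules, an assumed DHCP rule, and a
# deliberately wrong forwarding rule that the audit should flag.
SAMPLE_RULES = """
config rule
	option name 'Guest DHCP'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS on 1053'
	option src 'guest'
	option dest_port '1053'
	option target 'ACCEPT'

config rule
	option name 'Guest to LAN (should not exist)'
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'
"""

_CONFIG_RE = re.compile(r"config\s+(\w+)(?:\s+'?([\w.-]+)'?)?$")
_OPTION_RE = re.compile(r"(option|list)\s+(\w+)\s+'([^']*)'$")


def parse_rules(text):
    """Return a list of dicts, one per 'config rule' block."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _CONFIG_RE.match(line)
        if m:
            current = {'_type': m.group(1)}
            sections.append(current)
            continue
        m = _OPTION_RE.match(line)
        if m and current is not None:
            kind, key, val = m.groups()
            if kind == 'list':
                current.setdefault(key, []).append(val)
            else:
                current[key] = val
    return [s for s in sections if s['_type'] == 'rule']


def audit_zone(rules, zone):
    """Classify ACCEPT rules whose 'src' is the given zone.

    input_ports: (port, proto) reachable on the router itself (no 'dest')
    forwards:    (name, dest zone) forwarding rules to other zones
    open_input:  rules that accept everything to the router from the zone
    """
    report = {'input_ports': [], 'forwards': [], 'open_input': []}
    for r in rules:
        if r.get('src') != zone or r.get('target', '').upper() != 'ACCEPT':
            continue
        proto = r.get('proto', 'tcp udp')  # firewall default when omitted
        if 'dest' in r:
            report['forwards'].append((r.get('name'), r['dest']))
        elif 'dest_port' in r:
            report['input_ports'].append((r['dest_port'], proto))
        else:
            report['open_input'].append(r.get('name'))
    return report


if __name__ == '__main__':
    rep = audit_zone(parse_rules(SAMPLE_RULES), 'guest')
    print('router ports reachable from guest:', rep['input_ports'])
    print('forwarding rules from guest (review!):', rep['forwards'])
    print('unrestricted input rules from guest (review!):', rep['open_input'])
```

Run against the real `/etc/config/firewall` by replacing `SAMPLE_RULES` with the file's contents. For the question in the post: the audit shows the 1053 rule in `input_ports` and not in `forwards`, so it exposes only the router's own unbound listener to guest clients; whether that is acceptable depends on unbound's access-control settings for the guest subnet, which this script does not inspect.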