No internet access from guest Wi-Fi

Hey there,

In my network, the OpenWrt behind the ISP’s router acts as the router for my private network, providing both DNS (unbound) and DHCP. I also use routing in the ISP’s router to avoid double NAT. This set-up works well. Now I want to provide guest Wi-Fi via OpenWrt as well.

While clients can connect to the guest Wi-Fi, they’re not able to access the internet. Thus, I would be happy for any suggestions. :slight_smile: Also, I wonder if DHCP requires a range of ports instead of only port 68 as for the default interfaces?

Here’s my configuration:

cat /etc/config/network

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.178.2'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'wlan0-1'

cat /etc/config/wireless

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '***'
	option encryption 'sae-mixed'
	option isolate '1'
	option key '***'
	option network 'guest'

cat /etc/config/firewall

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest HTTP'
	list proto 'tcp'
	option src 'guest'
	option dest 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Guest HTTPS'
	list proto 'tcp'
	option src 'guest'
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'Guest block LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	option target 'DROP'

config rule
	option name 'Guest block WAN'
	list proto 'all'
	option src 'guest'
	option dest 'wan'
	option target 'DROP'

Make a copy of your firewall file and then, on the active firewall, delete this rule below. The top looks good, but you seem to be giving away candy on the top and then stealing it on the bottom.

Remove the device option, keep the network option in wireless.

Needs only 67.
You can remove the following, as they are redundant.

Have you added the guest network in the ISP router?

@Bill Removing this traffic rule helped. At least, clients using custom DoT can access the internet. However, without custom DNS servers set, clients cannot access the internet. In the DHCP settings of the guest interface, option:dns-server,0.0.0.0 is set, which works for the regular Wi-Fi.

@trendy You mean, I should delete all three rules? Don’t I need the first rule for forwarding guest requests to the WAN interface?

Yes, the guest Wi-Fi’s IP is set in the ISP router as it is done for the regular Wi-Fi.

Fox, I got the simple :face_with_open_eyes_and_hand_over_mouth: I personally don't use Unbound, so I don't want to mess up your DNS. That would be a huge embarrassment for us both.

@trendy Helping a guy doing some really tricky routing: he should be along shortly, I hope. He's got your back.

If you want to watch him in action... the fun tech stuff he's here

That's right, and no, you are blocking everything with the last rule. In a default config the lack of forwarding means no forwarding allowed.

You didn't mention that earlier, DoT is a different protocol than traditional DNS and works on port 853. This needs to be allowed too, unless the clients fall back to unencrypted DNS.

So what exactly is not working?

I see the redundancy of the rules now. I removed them.

What’s still not working is that clients cannot connect to the internet. I was a bit unclear about the DoT. Actually, these clients used a VPN with DoT – so that’s not exactly using port 853. In my network, unbound serves DNS and this should be announced to the clients in the guest Wi-Fi as well. It seems that this announcement does not work properly, although I expected setting the DNS server 0.0.0.0 would work as it does for the regular Wi-Fi.

You only allow 80 and 443, anything else is blocked.

OpenWrt is by default advertising itself as the nameserver to the lan hosts. Let's have a look at uci export dhcp

I have also created a rule to allow 53 for DNS. And I read that OpenWrt is advertising itself by default. However, without dhcp_option 'option:dns-server,0.0.0.0' iOS devices cannot establish an internet connection.

The output of uci export dhcp looks like this:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	option port '1053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option 'option:dns-server,0.0.0.0'
	list ra_flags 'none'

cat /etc/config/unbound

Run this please.

cat /etc/config/unbound looks like this:

config unbound 'ub_main'
  option dns64 '0'
  option domain 'lan'
  option edns_size '1232'
  option extended_stats '0'
  option hide_binddata '1'
  option interface_auto '1'
  option listen_port '53'
  option localservice '1'
  option manual_conf '0'
  option num_threads '1'
  option protocol 'default'
  option rate_limit '0'
  option rebind_localhost '0'
  option rebind_protection '1'
  option recursion 'default'
  option resource 'default'
  option root_age '9'
  option ttl_min '120'
  option ttl_neg_max '1000'
  option unbound_control '0'
  option validator_ntp '1'
  option verbosity '1'
  list iface_wan 'wan'
  option enabled '1'
  option validator '1'
  list iface_trig 'lan'
  list iface_trig 'wan'
  option dhcp_link 'dnsmasq'

config zone 'auth_icann'
  option enabled '0'
  option fallback '1'
  option url_dir 'https://www.internic.net/domain/'
  option zone_type 'auth_zone'
  list server 'lax.xfr.dns.icann.org'
  list server 'iad.xfr.dns.icann.org'
  list zone_name '.'
  list zone_name 'arpa.'
  list zone_name 'in-addr.arpa.'
  list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
  option enabled '0'
  option fallback '1'
  option resolv_conf '1'
  option zone_type 'forward_zone'
  list zone_name 'isp-bill.example.com.'
  list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
  option enabled '0'
  option fallback '1'
  option tls_index 'dns.google'
  option tls_upstream '1'
  option zone_type 'forward_zone'
  list server '8.8.4.4'
  list server '8.8.8.8'
  list server '2001:4860:4860::8844'
  list server '2001:4860:4860::8888'
  list zone_name '.'

config zone 'fwd_cloudflare'
  option enabled '0'
  option fallback '1'
  option tls_index 'cloudflare-dns.com'
  option tls_upstream '1'
  option zone_type 'forward_zone'
  list server '1.1.1.1'
  list server '1.0.0.1'
  list server '2606:4700:4700::1111'
  list server '2606:4700:4700::1001'
  list zone_name '.'

Thank you. While we're waiting, if you want to read some unbound + dnsmasq related posts:

Some of these comments might jog your memory or provide flavor to the Solve!

These comments helped indeed. :wink: It seems that somehow the announcement as DNS service is not correctly handled when unbound and dnsmasq are run in parallel. If I change to serial mode (unbound listening on port 1053 and dnsmasq on 53) it works. Performance-wise it’s not as good as in parallel mode, but acceptable.
The problem is also solved by adding a second traffic rule for DNS that allows requests at port 1053 when using the parallel mode.

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS on 1053'
	option src 'guest'
	option dest_port '1053'
	option target 'ACCEPT'

I just wonder why this issue only occurs with the guest Wi-Fi. :face_with_monocle: For the set-up, I followed the unbound guide, which is also linked in the OpenWrt documentation. This guide also mentions the option dhcp_option 'option:dns-server,0.0.0.0'.

Do you think allowing requests on port 1053 is a security problem?

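As an added check, not code from the thread or from the OpenWrt project: a small Python lint that parses a UCI firewall file, lists which ports a zone may reach on the router itself (the 1053 question above), and flags block rules that negate an earlier accept or forwarding for the same destination, or that only repeat the zone's default policy, the pattern Bill's "giving away candy" comment describes. The sample config is a trimmed copy of the thread's guest sections plus the 1053 rule from the last post; the report keys, the `.name` field and the assumption that a rule without `proto` means tcp+udp are this example's own.

```python
"""Lint one zone of an OpenWrt UCI firewall config: list the router services the zone
may reach, and flag blanket block rules that negate an accept/forwarding or repeat the default."""
import shlex

# Constructed sample: trimmed guest sections from the thread plus 'Guest DNS on 1053' (one UCI line per string).
SAMPLE_FIREWALL = "\n".join([
    "config zone", "option name 'guest'", "option input 'REJECT'", "option forward 'REJECT'",
    "config forwarding", "option src 'guest'", "option dest 'wan'",
    "config rule", "option name 'Guest DNS'", "option src 'guest'", "option dest_port '53'", "option target 'ACCEPT'",
    "config rule", "option name 'Guest DNS on 1053'", "option src 'guest'", "option dest_port '1053'", "option target 'ACCEPT'",
    "config rule", "option name 'Guest HTTPS'", "list proto 'tcp'", "option src 'guest'", "option dest 'wan'", "option dest_port '443'", "option target 'ACCEPT'",
    "config rule", "option name 'Guest block LAN'", "list proto 'all'", "option src 'guest'", "option dest 'lan'", "option target 'DROP'",
    "config rule", "option name 'Guest block WAN'", "list proto 'all'", "option src 'guest'", "option dest 'wan'", "option target 'DROP'",
])


def parse_uci(text):
    """Parse UCI text into dicts such as {'.type': 'rule', '.name': None, 'name': ..., 'proto': [...]}."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # handles the 'quoted' values
        if words and words[0] == "config":
            sections.append({".type": words[1], ".name": words[2] if len(words) > 2 else None})
        elif words and words[0] == "option":
            sections[-1][words[1]] = words[2]
        elif words and words[0] == "list":
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections


def lint_zone(text, zone):
    """Return {'router_input': [(rule, port)], 'negating': [rule], 'redundant': [rule]} for one src zone."""
    secs = parse_uci(text)
    zdef = next((s for s in secs if s[".type"] == "zone" and s.get("name") == zone), {})
    forwarded = {s["dest"] for s in secs if s[".type"] == "forwarding" and s.get("src") == zone}
    accepted = set(forwarded)                      # dest zones that already receive traffic from `zone`
    report = {"router_input": [], "negating": [], "redundant": []}
    for r in (s for s in secs if s[".type"] == "rule" and s.get("src") == zone):
        dest, target, name = r.get("dest"), r.get("target", "DROP"), r.get("name", "unnamed")
        proto = r.get("proto", ["tcpudp"])          # assumption: no proto means tcp+udp, not all
        blanket = "dest_port" not in r and (proto if isinstance(proto, list) else [proto]) == ["all"]
        if dest is None:                           # no dest: INPUT, i.e. services on the router itself
            if target == "ACCEPT":
                report["router_input"].append((name, r.get("dest_port", "any")))
        elif target == "ACCEPT":
            accepted.add(dest)
        elif blanket and dest in accepted:         # block-all that undoes an accept or forwarding
            report["negating"].append(name)
        elif blanket and dest not in forwarded and zdef.get("forward", "REJECT") != "ACCEPT":
            report["redundant"].append(name)       # the zone's default policy already blocks this
    return report
```

On a router, feed it the output of `cat /etc/config/firewall`; a DROP or REJECT that lands in `negating` is the "stealing it on the bottom" rule from Bill's reply.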

Let see what your new dhcp config looks like Fox:

uci export dhcp

Actually, it looks exactly the same as I posted before (just checked by ctrl + f). The difference is only the additional traffic rule for port 1053.
