No Internet Access Through Second WIFI AP

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello all,

I am trying to configure a TP-Link Archer C7 V2 to have two WIFI APs. One that will tunnel all traffic through a VPN service and the other that won't. So far, I have the VPN one up and working. I can connect to it, and the VPN is working. The problem is that when I connect to the other AP, I have no internet access. I have looked at a few guides on setting up a guest network but still no success.

More information:

  • The first AP is set up on 192.168.0.1
  • The second AP is set up on 192.168.2.1
  • While configuring it, I have the router setup as a wireless client for internet access.
  • It is using LEDE 17.01.0
  • It should be using NordVPN DNS servers

Does anyone have any ideas? Thanks!

Here is the /etc/config/network file:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '***************'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.242.211.137'
	list dns '78.46.223.24'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	option dns '162.242.211.137 78.46.223.24'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

config interface 'Lan_NoVPN'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'nordvpntun'

config zone
	option name 'lan_novpn'
	option output 'ACCEPT'
	option network 'Lan_NoVPN'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan_novpn'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'NoVPN DNS'
	option src 'lan_novpn'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'NoVPN DHCP'
	option src 'lan_novpn'

config forwarding
	option dest 'vpnfirewall'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '443'
	option name 'NoVPN HTTPS'
	option src 'lan_novpn'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '80'
	option name 'NoVPN HTTP'
	option src 'lan_novpn'
	option dest 'wan'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT20'
	option disabled '0'
	option channel '6'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'WaveVPN'
	option encryption 'psk2+ccmp'
	option key '***********************'

config wifi-iface
	option network 'wwan'
	option ssid 'wave'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'sta'
	option bssid '*********************'
	option key '********************'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'Wave'
	option encryption 'psk2+ccmp'
	option key '**********************'
	option network 'Lan_NoVPN'