Hi,
I have an AP (Netgear WAC104 on OpenWrt 24.10.0) which I use as a "Dumb AP", means, it's lan is a br-lan with DHCP client, obtaining address, gateway and DNS from my main router.
Works fine so far.
Now I have created a guest WIFI according to this page https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
I have only changed two items:
I do get an IP-Address when connecting to guest, I do see the DNS servers being assigned, however, I don't get any internet data.
Can someone help with diagnosing? I am Linux-savvy, however, not so much with the networking stack.
Thanks in advance.
You need the following guide:
Fundamentally, the problem is likely fairly simple:
The upstream network should be in a different firewall zone than the downstream
The upstream network's firewall zone should have masquerading enabled
There should be forwarding from the downstream network > upstream network (firewall zones)
Optional, but good practice: there should be a rule to block access from the downstream (guest) network reaching the upstream, except for use of the internet via the gateway.
I was afraid someone said that
I just did a fresh walk through on the article and I have everything exactly as it was given. I used 192.168.55.0/24 as a network for guest. My other LAN is 192.168.71.0/24.
Still, I cannot access "the internet".
rschneid@maui:~ $ ping openwrt.org
PING openwrt.org (64.226.122.113) 56(84) bytes of data.
From _gateway (192.168.55.1) icmp_seq=1 Destination Port Unreachable
But I can't get traffic to be routed.
If you have any more clues what I could do.... go ahead
Let’s see the configs… much easier to spot the problem:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
Here you are:
root@Netgear-OWRT:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "Netgear-OWRT",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Netgear WAC104",
"board_name": "netgear,wac104",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@Netgear-OWRT:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde4:d575:7ef0::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.55.1'
option netmask '255.255.255.0'
root@Netgear-OWRT:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option band '2g'
option channel '1'
option htmode 'HT20'
option country 'DE'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'sae-mixed'
option key 'password'
option ocv '0'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option channel '36'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'sae-mixed'
option key 'password'
option ocv '0'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Guest_WiFi'
option encryption 'none'
option network 'guest'
root@Netgear-OWRT:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
root@Netgear-OWRT:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'
option masq '1'
config rule
option name 'Allow-Guest-DNS'
option src 'guest'
option target 'ACCEPT'
option dest_port '53'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config rule
option name 'Allow-Guest-DHCP'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Block-Guest-from-LAN'
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.71.0/24'
option target 'REJECT'
config forwarding
option src 'guest'
option dest 'lan'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
root@Netgear-OWRT:~#
Is PBR running? That could cause issues if you don’t have the right policy definitions. It can be disabled, though, because it is not necessary.
No, not running. As i had a suspicion on that already, i did an uninstall of pbr and tried again.
let's see the following tests, first from the AP in question (via ssh) and then from a computer connected to the guest wifi network.
ping 192.168.71.1 (I'm assuming that this is the upstream router's address; if not, please adapt)
ping 8.8.8.8
ping 64.226.122.113
ping openwrt.org
Yes, 192.168.71.1 is the upstream router's address.
From the router:
root@Netgear-OWRT:~# ping 192.168.71.1
PING 192.168.71.1 (192.168.71.1): 56 data bytes
64 bytes from 192.168.71.1: seq=0 ttl=64 time=1.246 ms
64 bytes from 192.168.71.1: seq=1 ttl=64 time=0.885 ms
64 bytes from 192.168.71.1: seq=2 ttl=64 time=0.852 ms
root@Netgear-OWRT:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=115 time=101.105 ms
64 bytes from 8.8.8.8: seq=1 ttl=115 time=102.829 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
root@Netgear-OWRT:~# ping 64.226.122.113
PING 64.226.122.113 (64.226.122.113): 56 data bytes
^C
--- 64.226.122.113 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss
root@Netgear-OWRT:~# ping openwrt.org
PING openwrt.org (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=8 ttl=50 time=178.487 ms
64 bytes from 64.226.122.113: seq=9 ttl=50 time=177.916 ms
64 bytes from 64.226.122.113: seq=10 ttl=50 time=179.137 ms
From a PC that is in Guest_Wifi:
rschneid@maui:~ $ ping 192.168.71.1
PING 192.168.71.1 (192.168.71.1) 56(84) bytes of data.
From 192.168.55.1 icmp_seq=1 Destination Port Unreachable
From 192.168.55.1 icmp_seq=2 Destination Port Unreachable
From 192.168.55.1 icmp_seq=3 Destination Port Unreachable
^C
--- 192.168.71.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms
rschneid@maui:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.55.1 icmp_seq=1 Destination Port Unreachable
From 192.168.55.1 icmp_seq=2 Destination Port Unreachable
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms2
rschneid@maui:~ $ ping 64.226.122.113
PING 64.226.122.113 (64.226.122.113) 56(84) bytes of data.
From 192.168.55.1 icmp_seq=1 Destination Port Unreachable
From 192.168.55.1 icmp_seq=2 Destination Port Unreachable
^C
--- 64.226.122.113 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
rschneid@maui:~ $ ping openwrt.org
PING openwrt.org (64.226.122.113) 56(84) bytes of data.
From _gateway (192.168.55.1) icmp_seq=1 Destination Port Unreachable
From _gateway (192.168.55.1) icmp_seq=2 Destination Port Unreachable
^C
--- openwrt.org ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
Could you please run this command to see if it makes a difference?
nft insert rule inet fw4 forward ip saddr 192.168.55.0/24 ip daddr != 192.168.71.0/24 counter accept
I don't currently see any reasons why this would not be working.
I'm going to recommend that you:
Make a backup
Reset to defaults
Unpack the backup on your computer
Copy (via scp) the following files (don't do a full restore):
/etc/config/network/etc/config/firewall/etc/config/wireless/etc/config/dhcp
Let us know if that helps.
pavelgl's suggestion did not make any difference
Hi,
Thanks very much for dealing with this, Peter and Pavel.
resetting all and only copying the four files did the trick. After that, I found my openvpn devices to be not existant anymore.
Somebody who can see what's going on?
client
remote somehost someport
dev tunCGus
proto udp
auth-user-pass /etc/openvpn/cyberghost_us.auth
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
#ncp-disable
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
verb 4
ca /etc/openvpn/cyberghost_ca.crt
cert /etc/openvpn/cyberghost_us_client.crt
key /etc/openvpn/cyberghost_us_client.key
robertaramar:
redirect-gateway def1
If the vpn is active, all traffic is routed through the tunnel.
The vpn interface is not assigned to any firewall zone, which means default policies are applied (forwarding is rejected).
You probably have two options:
Consider the vpn interface as trusted and assign it to the lan firewall zone.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list device 'tun+'
option masq '1'
Create a dedicated zone and enable guest=>vpn forwarding.
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'tun+'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'guest'
option dest 'vpn'
Note that when the vpn is active, the guest network will use it to access the internet.
Removing the redirect-gateway def1 does not make the Gues_WiFi route properly. Only if the interface is down.
1 Like
This is the first mention of a VPN. That would have been useful information earlier. But it is also part of the reason that I recommended the reset -- I knew that there was something unknown to us that was running on your system, although I thought it might be something that was more in the category of an unused appendage. In the future, please be sure to describe all the packages/functions you have running on your device since it makes it much easier to troubleshoot and recommend solutions.
That said, I'm glad that things appear to be working now.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
system
June 2, 2025, 3:16pm
17
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
I already came across that article yesterday and I tried that as well, however, to no avail.
