No WAN traffic on guest network

I've set up a guest network, but it's not passing any traffic to the WAN, and I'm unable to figure out why. Setup is as follows.

  • Router: RB5009UG+S+IN (OpenWrt main now, but 24.10 HEAD didn't work either). Trunk through the SFP+ port.
  • Switches: XGS1250-12 and GS1900-8HP, both running OEM firmware.
  • EAP615-Wall access points (on OpenWrt 24.10). Trunk through lan0.

The guest network is set up as tagged VLAN 30 with the 10.1.30.0/24 subnet. The firewall is disabled on the access points (note that this leaves any address an AP holds on the guest VLAN, such as 10.1.30.4 below, reachable from guest clients). Troubleshooting suggests the trunk through the XGS1250-12 and GS1900-8HP works just fine.

What works

  • DNS on clients connected to the guest network. They can resolve domains (talk to the DNS server on the router).
  • Ping from the access points, sourced from their VLAN 30 interface (10.1.30.4), works — both to WAN IPs and to the router's guest address (10.1.30.1). So guest → wan forwarding and NAT on the router do appear to work at least for the AP's own address.
  • Ping from the clients to the router IP (10.1.30.1) works.

What does not work
'Internet' on the clients connected to the guest network (outgoing traffic - ping to WAN IP's, HTTP(S) traffic etc).

The fact that traffic from the clients reaches the router but goes no further makes me think the issue is with the router setup, but I am unable to locate it. Configuration files are below. I set the guest zone to logging, but when e.g. `ping isup.me` hangs on a client I am not seeing anything printed on the CLI. (Two caveats: zone logging goes to the kernel log — read it with `logread` or `dmesg` rather than expecting it on the interactive shell — and it only records packets that hit the zone's REJECT defaults, so traffic that is accepted and then lost elsewhere never shows up there. A `tcpdump -ni p8 icmp` on the router while a client pings shows whether the forwarded packets leave the WAN port at all, and `ip route` / `ip rule` on the router shows whether anything other than the default route, e.g. a snipped WireGuard route, could be claiming them.)

RB5009 network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf2:239f:1b63::/48'

# All seven copper ports plus the SFP+ trunk share one bridge. Because
# bridge-vlan sections exist for it (below), netifd runs this bridge with
# VLAN filtering, so every VLAN the bridge should carry must be declared as a
# bridge-vlan section.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'p1'
        list ports 'p2'
        list ports 'p3'
        list ports 'p4'
        list ports 'p5'
        list ports 'p6'
        list ports 'p7'
        list ports 'sfp'

# Main LAN, L3 on VLAN 1 of the bridge.
config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.1.0.1/24'
        option device 'br-lan.1'

config interface 'lan6'
        option proto 'dhcpv6'
        option reqprefix 'no'
        option device '@lan'

# WAN is the eighth copper port; masquerading is configured in the firewall
# 'wan' zone, not here.
config interface 'wan'
        option device 'p8'
        option proto 'dhcp'

config interface 'wan6'
        option device 'p8'
        option proto 'dhcpv6'
        option ifname '@wan'

# VLAN 1: copper ports (implicitly untagged) and the trunk untagged + PVID.
# VLAN 30 is not declared on the bridge at all.
config bridge-vlan 'lan_vlan'
        option device 'br-lan'
        option vlan '1'
        list ports 'p1'
        list ports 'p2'
        list ports 'p3'
        list ports 'p4'
        list ports 'p5'
        list ports 'p6'
        list ports 'p7'
        list ports 'sfp:u*'

# NOTE(review): VLAN 30 is taken off the raw DSA port 'sfp' as an 802.1q
# sub-device named 'guest', even though 'sfp' is also a member of the
# VLAN-filtered bridge above. The replies in this thread recommend replacing
# this with a 'config bridge-vlan' (vlan 30, 'sfp:t') and pointing the guest
# interface at 'br-lan.30', which also allows a spare copper port to be added
# untagged to test guest connectivity without the APs in the path.
config device
        option type '8021q'
        option ifname 'sfp'
        option vid '30'
        option name 'guest'

# Guest L3 interface (10.1.30.1/24). ip6hint selects which /60 of the ULA (or
# delegated) prefix this network gets.
config interface 'guest'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.1.30.1/24'
        option device 'guest'
        option ip6hint '30'

RB5009 firewall
# Defaults: nothing into or through the router unless a zone or rule allows it.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# masq=1 NATs everything forwarded towards wan (lan and guest alike);
# mtu_fix clamps TCP MSS on that path.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock OpenWrt rules; they only have an effect together with a DNAT/redirect
# for IPsec, and no redirect is shown in this listing.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# WireGuard zone. The wg0 interface itself was snipped from the posted network
# config; if it installs routes (route_allowed_ips) they would also apply to
# guest traffic, which is worth checking while debugging the forwarding.
config zone
        option name 'wg'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

# src '*' accepts the WireGuard listen port on the router from every zone,
# guest included. WireGuard only answers authenticated peers, but 'wan' (plus
# whichever zone genuinely needs it) is the tighter source.
config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '2345'
        option name 'Allow-WireGuard-Inbound'

# Guest zone: only the explicit rules below reach the router, and there is no
# forwarding to 'lan' or 'wg', so guests are isolated from those networks.
# log=1 records only packets hitting these REJECT defaults (see `logread`);
# traffic that is accepted and then lost elsewhere never appears there.
config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest ICMPv4'
        option src 'guest'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# No 'dest' => INPUT chain: guests may use the router's resolver only.
config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        option src 'guest'
        option dest_port '67-68'
        list proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCPv6'
        option src 'guest'
        option src_port '546'
        option dest_port '547'
        list proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Guest ICMPv6'
        option src 'guest'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'

# Redundant: the guest -> wan forwarding above already permits this. If the
# intent is to keep guests on the router's resolver (no DoT/DoH bypass), this
# rule does the opposite; a REJECT for wan:853 plus a redirect of port 53 to the
# router would be needed instead. Otherwise it can simply be deleted.
config rule
        option name 'Guest DoT access'
        option target 'ACCEPT'
        option src 'guest'
        option dest 'wan'
        list proto 'tcp'
        option dest_port '853'

# SSH exposed to the internet (dropbear is presumably listening on 12345 — its
# config is not shown). A non-standard port is not an access control: make sure
# password authentication is disabled and root login is key-only in
# /etc/config/dropbear, or drop this rule and reach SSH over WireGuard instead.
# Unrelated to the guest forwarding problem.
config rule
        option name 'Dropbear WAN'
        list proto 'tcp'
        option dest_port '12345'
        option target 'ACCEPT'
        option src 'wan'
EAP615 network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# VLAN 1: uplink lan0 untagged + PVID, the three downstream ports untagged.
config bridge-vlan 'lan_vlan'
        option device 'br-lan'
        option vlan '1'
        list ports 'lan0:u*'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# VLAN 30 only on the uplink, tagged. The guest SSIDs attach to br-lan.30
# through the wireless config (not shown).
config bridge-vlan 'guest_vlan'
        option device 'br-lan'
        option vlan '30'
        list ports 'lan0:t'

# Management address of the AP on the main LAN.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.1.0.4/24'
        option dns '10.1.0.1'
        option gateway '10.1.0.1'

# NOTE(review): with the AP's firewall disabled (as stated in the post), this
# address makes the AP's own management services (dropbear/uhttpd, which by
# default listen on every interface) directly reachable from guest clients at
# 10.1.30.4. An AP does not need an address on the guest VLAN to bridge it;
# 'option proto none' here (and no ip6assign) keeps the AP's management plane
# on VLAN 1 only.
config interface 'guest'
        option device 'br-lan.30'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.1.30.4/24'

config interface 'lan6'
        option ifname '@lan'
        option proto 'dhcpv6'
        option reqprefix 'no'

You should probably be using a bridge-vlan for the guest VLAN... all I see is this 802.1q stanza (the `config device` of type '8021q' on 'sfp' with vid '30', named 'guest'), which should be removed:

Instead... use this:

# Declare VLAN 30 on the bridge itself, tagged on the SFP+ trunk only. The
# 'guest' interface must then use 'option device br-lan.30' (not spelled out in
# the reply, but the 8021q device named 'guest' no longer exists after this).
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'sfp:t'

You might also find it valuable to include one of the other ports (for example p7 after removing it from the bridge-vlan for VLAN 1) so that you have an wired port you can use directly (untagged).

Meanwhile... what's this (the 'wg' zone with masquerading and its two forwardings to and from 'lan' in the firewall config):

If you've got an active WG connection, you'll need to either manually define your routes or setup PBR. But it's not clear if you actually have WG running because your network config doesn't show it (I'm not sure if you omitted parts of the configs).

Another thing to note:

You didn't post your DHCP config, but the "Guest DoT access" rule (guest → wan, TCP 853) suggests that you might have made modifications to DNS handling on your router. That rule is really not about the router — it is a guest > wan allowance, which is unnecessary because the guest → wan forwarding already covers it; and if the goal is to keep guest clients on the router's resolver, explicitly allowing DoT to the internet is the opposite of what you want. If you did indeed change the DNS on the router, remove that rule, but more importantly you might need to explicitly specify the gateway (DHCP option 3) and the DNS server (DHCP option 6) in the guest DHCP server: changing the DNS behaviour can cause dnsmasq to stop sending these parameters unless they are defined explicitly.

On the AP, your guest network should simply be unmanaged like this:

# Unmanaged: the AP bridges VLAN 30 between lan0 and the guest SSIDs without
# holding an address on it, so none of the AP's services are exposed to guest
# clients (relevant because the AP's firewall is disabled).
config interface 'guest'
        option device 'br-lan.30'
        option proto 'none'

You have a lot of unusual stuff in your config, though, so you might want to start over from scratch and rebuild.

Thanks @psherman, as always.

There's no need for that on the RB5009, since only that single interface (the SFP+ trunk) sits in the VLAN and the router has no wireless. So 802.1Q should be fine here. Basic connectivity does work; it's only the outbound traffic from the clients that chokes. If the issue were with the guest network interface on the RB5009, I wouldn't be able to ping it from the clients or from other devices on that VLAN either, right?

Yes, that's my bad. I have snipped the WireGuard part, but not thoroughly enough, so you can ignore that.

You're right, see the odhcpd setup below. It's passing the DNS and route options already though.

DHCP config RB5009
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        list dhcp_option '3,10.1.0.1'
        list dhcp_option '6,10.1.0.1'
        option leasetime '12h'
        option domain 'lan'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_management '1'

# Guest pool 10.1.30.51-.100; gateway and DNS (options 3 and 6) point
# explicitly at the router's guest address, so clients should receive a default
# route. force=1 serves even if another DHCP server is detected on the segment.
config dhcp 'guest'
        option interface 'guest'
        option leasetime '6h'
        option start '51'
        option limit '50'
        option force '1'
        list dhcp_option '3,10.1.30.1'
        list dhcp_option '6,10.1.30.1'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# odhcpd is the DHCPv4 server as well (maindhcp=1) and hands leases to unbound
# via the lease trigger; dnsmasq's DHCP behaviour therefore does not apply here.
config odhcpd 'odhcpd'
        option maindhcp '1'
        option loglevel '4'
        option leasefile '/var/lib/odhcpd/dhcp.leases'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
        option piofolder '/tmp/odhcpd-piofolder'
        option hostsdir '/tmp/hosts'

Doing that would make all four ports part of the VLAN, and I just need the (PoE) uplink to be part of it. So setting it to lan0 instead of to the whole bridge seems the better solution to me?

While I understand your point — I have a similar setup at home that just works — it feels like some routing issue on the clients, but it's turning out very hard to pinpoint. And this network (the main one, that is) needs to stay up, so I'd like to try to debug it first rather than wipe everything and rebuild from scratch.

To figure out where the problem is, let's concentrate on the main router.

As I described earlier, remove the 802.1q stanza and add a bridge-VLAN for VLAN 30. This serves two purposes:

  1. properly utilizes the bridge vlan construct, especially because you already have that setup for VLAN 1 (including the sfp port).
  2. allows us to temporarily use one of the other ports as untagged so you can connect directly to the router via ethernet (thus bypassing any potential issues affecting AP). This will let us determine if the problem originates on the router or if it is induced by the AP.

So... delete the `config device` stanza of type '8021q' (ifname 'sfp', vid '30', name 'guest'):

Edit this bridge-vlan to remove one of the other ports so we can use it for VLAN 30... for example, I'll remove port p7:

# VLAN 1 without p7, freeing that copper port for VLAN 30 below.
config bridge-vlan 'lan_vlan'
        option device 'br-lan'
        option vlan '1'
        list ports 'p1'
        list ports 'p2'
        list ports 'p3'
        list ports 'p4'
        list ports 'p5'
        list ports 'p6'
        list ports 'sfp:u*'

Create the bridge-VLAN for VLAN 30 with p7 untagged and sfp tagged:

# p7 untagged + PVID for a wired guest test client; sfp carries VLAN 30 tagged
# towards the switches and APs. The 'guest' interface must then point at
# 'br-lan.30' instead of the removed 8021q device.
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'p7:u*'
        list ports 'sfp:t'

Now restart the router and connect a device via ethernet to p7. Test its connectivity. If it works, try the downstream (wifi) again and see if that problem is resolved. If either doesn't work, we'll know where the problem exists.

No, this is an incorrect statement. The network interface (the 'guest' section carrying the address) is L3, while port membership is L2 and is handled by the bridge-VLAN stanzas. In your AP config VLAN 30 is only associated, tagged, with port lan0 (`list ports 'lan0:t'`), so setting the interface to proto 'none' would not put the other three ports into that VLAN:

My recommendation to make the guest network unmanaged on the AP is best practice because there is no need for the AP to hold an address on that network. It is better for security — with the AP's firewall disabled, an address on the guest VLAN exposes the AP's own SSH/web management to guest clients — as well as for manageability (and sometimes stability).


Ah, I see, my apologies. I wasn't getting why you wanted me to test with another port on that VLAN, but yeah, then we could rule out the AP being an issue. Will test that when I'm there again.

Are you saying I could be operating an access point without it having an IP (besides a management IP, that is)? I haven't found that to work yet (only tested it incidentally though).

Yes. In fact, it is best practice for an AP to have only a single address: the one on the subnet used to manage the device itself. If you have multiple VLANs on an AP, that single address is all it needs; the other VLANs stay unmanaged (proto 'none', no address) and simply bridge ethernet <-> wifi, which also keeps the AP's management plane off the guest segment.
