Hi, my configuration is a Nexx WT3020F with OpenWrt 19.07.1, and I have create my guest wifi (called FreeWifi) like that:
uci set network.guest=interface
uci set network.guest.proto=static
uci set network.guest.ipaddr=192.168.3.1
uci set network.guest.netmask=255.255.255.0
uci set network.guest.ifname='br-lan'
uci set network.guest.type='bridge'
uci set dhcp.guest=dhcp
uci set dhcp.guest.interface=guest
uci set dhcp.guest.start=100
uci set dhcp.guest.leasetime=12h
uci set dhcp.guest.limit=150
uci set firewall.guest=zone
uci set firewall.guest.name=guest
uci set firewall.guest.network=guest
uci set firewall.guest.forward=REJECT
uci set firewall.guest.output=ACCEPT
uci set firewall.guest.input=REJECT
uci set firewall.guest_fwd=forwarding
uci set firewall.guest_fwd.src=guest
uci set firewall.guest_fwd.dest=wan
uci set firewall.guest_dhcp=rule
uci set firewall.guest_dhcp.name=guest_DHCP
uci set firewall.guest_dhcp.src=guest
uci set firewall.guest_dhcp.target=ACCEPT
uci set firewall.guest_dhcp.proto=udp
uci set firewall.guest_dhcp.dest_port=67-68
uci set firewall.guest_dns=rule
uci set firewall.guest_dns.name=guest_DNS
uci set firewall.guest_dns.src=guest
uci set firewall.guest_dns.target=ACCEPT
uci set firewall.guest_dns.proto=tcpudp
uci set firewall.guest_dns.dest_port=53
uci set wireless.wifinet1=wifi-iface
uci set wireless.wifinet1.device='radio0'
uci set wireless.wifinet1.mode='ap'
uci set wireless.wifinet1.ssid='FreeWifi'
uci set wireless.wifinet1.encryption='none'
uci set wireless.wifinet1.isolate='1'
uci set wireless.wifinet1.network='guest'
uci commit network
uci commit dhcp
uci commit firewall
uci commit wireless
service network reload
service dnsmasq restart
service firewall restart
so my /etc/config/network is:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd85:ec81:2c39::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '20:28:18:a0:fa:86'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option type 'bridge'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '20:28:18:a0:fa:87'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option type 'bridge'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ifname 'br-lan'
option type 'bridge'
config interface 'wwan'
option proto 'dhcp'
my /etc/config/firewall is:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 wwan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include 'nodogsplash'
option type 'script'
option path '/usr/lib/nodogsplash/restart.sh'
config zone 'guest'
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding 'guest_fwd'
option src 'guest'
option dest 'wan'
config rule 'guest_dhcp'
option name 'guest_DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'guest_dns'
option name 'guest_DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcpudp'
option dest_port '53'
and my /etc/config/wireless is:
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/10180000.wmac'
option htmode 'HT20'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'NEXX'
option encryption 'psk2'
option key '********************'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'FreeWifi'
option encryption 'none'
option isolate '1'
option network 'guest'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'sta'
option ssid 'mijodidawifi'
option key '******************'
option encryption 'psk2'
option network 'wwan guest lan wan wan6'
And It works like I want: If you connect to FreeWifi you can go to internet, but yo can't see LuCI Web and you can't make ssh to Nexx WT3020F.
But after that, I install nodogsplash and attach it to br-guest, so it is my /etc/config/nodogsplash
# The options available here are an adaptation of the settings used in nodogsplash.conf.
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
config nodogsplash
# Set to 0 to disable nodogsplash
option enabled 1
# Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
# This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
option fwhook_enabled '1'
# WebRoot
# Default: /etc/nodogsplash/htdocs
#
# The local path where the splash page content resides.
# ie. Serve the file splash.html from this directory
#option webroot '/etc/nodogsplash/htdocs'
# Use plain configuration file
#option config '/etc/nodogsplash/nodogsplash.conf'
# Use this option to set the device nodogsplash will bind to.
# The value may be an interface section in /etc/config/network or a device name such as br-lan.
#option gatewayinterface 'br-lan'
option gatewayinterface 'br-guest'
# GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses gateway address as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
#
#option gatewayport '2050'
option gatewayname 'OpenWrt Nodogsplash'
option maxclients '250'
# Enables debug output (0-3)
# Default: 1
# 0 : Silent (only LOG_ERR and LOG_EMERG messages will be seen, otherwise there will be no logging.)
# 1 : LOG_ERR, LOG_EMERG, LOG_WARNING and LOG_NOTICE (this is the default level).
# 2 : debuglevel 1 + LOG_INFO
# 3 : debuglevel 2 + LOG_DEBUG
#option debuglevel '1'
# Client timeouts in minutes
option preauthidletimeout '30'
option authidletimeout '120'
# Session Timeout is the interval after which clients are forced out (a value of 0 means never)
option sessiontimeout '1200'
# The interval in seconds at which nodogsplash checks client timeout status
option checkinterval '600'
# Enable BinAuth Support.
# If set, a program is called with several parameters on authentication (request) and deauthentication.
# Request for authentication:
# $<BinAuth> auth_client <client_mac> '<username>' '<password>'
#
# The username and password values may be empty strings and are URL encoded.
# The program is expected to output the number of seconds the client
# is to be authenticated. Zero or negative seconds will cause the authentification request
# to be rejected. The same goes for an exit code that is not 0.
# The output may contain a user specific download and upload limit in KBit/s:
# <seconds> <upload> <download>
#
# Called on authentication or deauthentication:
# $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
#
# "client_auth": Client authenticated via this script.
# "client_deauth": Client deauthenticated by the client via splash page.
# "idle_deauth": Client was deauthenticated because of inactivity.
# "timeout_deauth": Client was deauthenticated because the session timed out.
# "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
# "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
# "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
#
# Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
#
#option binauth '/bin/myauth.sh'
# Enable Forwarding Authentication Service (FAS)
# If set redirection is changed from splash.html to a FAS (provided by the system administrator)
# The value is the IP port number of the FAS
# Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used.
#
# Typical Remote Shared Hosting Example:
#option fasport '80'
#
# Typical Locally Hosted example (ie fasremoteip not set):
#option fasport '2080'
# Option: fasremotefqdn
# Default: Not set
# If set, this is the remote fully qualified domain name (FQDN) of the FAS.
# The protocol must NOT be prepended to the FQDN (ie http:// or https://)
# To prevent CPD or browser security errors NDS prepends http:// before redirection.
# If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
# Typical Remote Shared Hosting Example:
#option fasremotefqdn 'onboard-wifi.net'
# Option: fasremoteip
# Default: GatewayAddress (the IP of NDS)
# If set, this is the remote ip address of the FAS.
#
# Typical Remote Shared Hosting Example:
#option fasremoteip '46.32.240.41'
# Option: faspath
# Default: /
# This is the path from the FAS Web Root to the FAS login page
# (not the file system root).
#
# Typical Remote Shared Hosting Example (if fasremotefqdn is not specified):
#option faspath '/onboard-wifi.net/nodog/fas.php'
#
# Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set):
#option faspath '/nodog/fas.php'
#
# Typical Locally Hosted Example (ie fasremoteip not set):
#option faspath '/nodog/fas.php'
# Option: faskey
# Default: not set
# A key phrase for NDS to encrypt the query string sent to FAS
# Can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space
#option faskey '1234567890'
# Option: fas_secure_enabled
# Default: 1
#
# ****If set to "0"****
# the client token is sent to the FAS in clear text in the query string of the
# redirect along with authaction and redir.
#
# ****If set to "1"****
# authaction and the client token are not revealed and it is the responsibility
# of the FAS to request the token from NDSCTL.
#
# *****If set to 2****
# clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl
# are encrypted using faskey and passed to FAS in the query string.
#
# The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
#
# The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
#
# Nodogsplash does not depend on this package and module, but will exit gracefully
# if this package and module are not installed when this level is set.
#
# The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
# An example FAS php script is supplied in the source code.
#
#option fas_secure_enabled '0'
# Enable PreAuth Support.
# PreAuth support allows FAS to call a local program or script with html served by NDS
#
# A functional preauth script is installed by default providing
# username/emailaddress login as an alternative to the basic splash page.
# This generates a login page asking for usename and email address.
# User logins are recorded in the log file /tmp/ndslog.log
# Details of how the script works are contained in comments in the script itself.
#
# If set, a program/script is called by the NDS FAS handler
# when all three of the following conditions are met:
# 1. fasremoteip is NOT set,
# 2. fasport is set to the gateway port
# 3. faspath is set to /nodogsplash_preauth/
#
# Initially FAS appends its query string to faspath.
#
# The Preauth program will output html code that will be served to the client by NDS
# Using html GET the Preauth program may call:
# /nodogsplash_preauth/ to ask the client for more information
# or
# /nodogsplash_auth/ to authenticate the client
#
# The Preauth program should append at least the client ip to the query string
# (using html input type hidden) for all calls to /nodogsplash_preauth/
# It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
# for NDS authentication when calling /nodogsplash_auth/
#
# Enable username/emailaddress login.
# Note: fasport must be set to the same value as gatewayport (default = 2050)
# Enable by uncommenting the following three lines
#option fasport '2050'
#option faspath '/nodogsplash_preauth/'
#option preauth '/usr/lib/nodogsplash/login.sh'
# Your router may have several interfaces, and you
# probably want to keep them private from the gatewayinterface.
# If so, you should block the entire subnets on those interfaces, e.g.:
#list authenticated_users 'block to 192.168.0.0/16'
#list authenticated_users 'block to 10.0.0.0/8'
# Typical ports you will probably want to open up.
#list authenticated_users 'allow tcp port 22'
#list authenticated_users 'allow tcp port 53'
#list authenticated_users 'allow udp port 53'
#list authenticated_users 'allow tcp port 80'
#list authenticated_users 'allow tcp port 443'
# Or for happy customers allow all
list authenticated_users 'allow all'
# For preauthenticated users:
#
# *****IMPORTANT*****
# To help prevent DNS tunnelling and DNS Hijacking DO NOT uncomment the following two lines:
#list preauthenticated_users 'allow tcp port 53'
#list preauthenticated_users 'allow udp port 53'
# Allow preauthenticated users to access an external IP address
# This is commonly referred to as a Walled Garden.
# Only IPv4 addresses can be used (not domain names)
#list preauthenticated_users 'allow tcp port 80 to 112.122.123.124'
#list preauthenticated_users 'allow udp port 8020 to 112.122.123.124'
#
# Alternatively, a preconfigured ipset can be used:
#list preauthenticated_users 'allow tcp port [port number] ipset [ipset rule name]'
# Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
list users_to_router 'allow tcp port 22'
list users_to_router 'allow tcp port 23'
list users_to_router 'allow tcp port 53'
list users_to_router 'allow udp port 53'
list users_to_router 'allow udp port 67'
list users_to_router 'allow tcp port 80'
list users_to_router 'allow tcp port 443'
# MAC addresses that are / are not allowed to access the splash page
# Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
#option macmechanism 'allow'
#list allowedmac '00:00:C0:01:D0:0D'
#list allowedmac '00:00:C0:01:D0:1D'
#list blockedmac '00:00:C0:01:D0:2D'
# MAC addresses that do not need to authenticate
#list trustedmac '00:00:C0:01:D0:1D'
# Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
# This mask can conflict with the requirements of other packages such as mwan3, sqm etc
# Any values set here are interpreted as in hex format.
#
# List: fw_mark_authenticated
# Default: 30000 (0011|0000|0000|0000|0000 binary)
#
# List: fw_mark_trusted
# Default: 20000 (0010|0000|0000|0000|0000 binary)
#
# List: fw_mark_blocked
# Default: 10000 (0001|0000|0000|0000|0000 binary)
#
#list fw_mark_authenticated '30000'
#list fw_mark_trusted '20000'
#list fw_mark_blocked '10000'
and that works, now before going to internet you need to do login in nodogsplash...
BUT, suddenly, now I can see LuCI Web and make ssh to Nexx WT3020F.
Why? How fix it?
Thanks.