OpenWrt guest wifi Internet access doesn't work

Hi,
I know that there are already a few threads around about this topic, I already tried some of the proposed solutions but none of them worked for me.

My AP is behind another router, which is doing the DHCP for my main (wifi) network.

I followed this tutorial when implementing it: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

On my client I get a correct IP address assigned for the network and the subnet seems to be correct as well.

Here's my config so far:
network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:96ac:bf77::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.3'
	option ifname 'eth0 eth0.1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.2 eth0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option type 'bridge'
	option stp '1'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.66.1'
	option netmask '255.255.255.0'

wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ar934x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'No Key Here :)'
	option ssid 'Wu Tang LAN'
	option network 'wan lan guest'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'


config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'The Internet'
	option encryption 'psk2'
	option key 'noKeyHere :)'
	option network 'guest'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'none'
	option network 'guest'
	option disabled '1'

DHCP:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ignore '1'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option netmask '255.255.255.0'

firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'

Thanks in advance.

Regards

Why is eth0 bridged to both LAN and WAN?

Is this device connected to the main router using the WAN port or a LAN port?

Does the main router run OpenWrt? Could you configure the guest network there? And use VLANs?

2 Likes

The device is connected to the main router via LAN. Unfortunately I cannot run OpenWrt on the main router.

Your firewall looks strange. As you say you followed this guide:

In your system config the guest zone looks totally different.

Check especially the firewall zone settings, the masquerade and reject settings, etc.

I have later on deleted my wan interface and divided up the switch between guest and lan. But this is on top. The basic config worked for me along that guide.

1 Like

Hi,
I do face the very same issue. I set up a dumb AP and wanted to add a guest wifi. Although I tried the how-tos I could find here as well as on other sites, it always ends with me getting no Internet access when connecting through the guest wifi; using the regular wifi connection works, though.

The how-to in the original documentation refers to OpenWrt 18.06 screenshots, which differ from the settings sections in 19.07.

Does anyone maybe have some 100% working setup or config export for 19.07? I reset my AP to factory defaults now.

Thanks a bunch!

You're right, I changed it after I noticed it didn't work the other way because I had issues with my main wifi.

I think you should open your own thread (it's free!). Helping two people with potentially different configurations on the same thread is confusing.

3 Likes

The guide you followed works on a router configuration, not a dumb access point.

You need to enable forwarding from the guest to the LAN network, and also enable masquerading on the LAN network.

2 Likes

So it should work with this configuration?

Thanks in advance

Almost: you need to enable masquerading on the LAN zone instead.

1 Like

Ok I added it:

But still no Internet on guest wifi.

Could you share your updated config files, please?

1 Like

Sure, here you are:
dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ignore '1'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option netmask '255.255.255.0'

Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'guest'

Wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ar934x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option channel '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'asdf'
	option network 'wan lan guest'
	option ssid 'Wu Tang LAN'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'The Internet'
	option isolate '1'
	option key 'asdf'
	option disabled '1'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'The Internet'
	option encryption 'psk2'
	option key 'asdf'
	option network 'guest'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'none'
	option network 'guest'
	option disabled '1'

Network:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:96ac:bf77::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.3'
	option ifname 'eth0 eth0.1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.2 eth0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option type 'bridge'
	option stp '1'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.66.1'
	option netmask '255.255.255.0'

Thanks for your help

Guest should forward to wan not to lan.

Take option netmask out of the DHCP config.

Wifi option network should specify a single network.

Guest should forward to wan not to lan. ✓

Take option netmask out of the DHCP config. ✓

What do you mean with 'Wifi option network should specify a single network.'?
The given wireless networks in my config are all pointing only to a single network.
Only

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'asdf'
	option network 'wan lan guest'
	option ssid 'Wu Tang LAN'

points to 3 networks.

I just checked my wireless config. I do have 2 radios (2.4 GHz, 5 GHz) and 4 wifi-iface entries, 2 for each radio, one for lan, one for guest. None has more than one network set.

I just figured out that I connected my AP via LAN to the main router. Therefore forwarding to WAN doesn't make sense, or am I wrong?

1 Like

This is why I wrote that your config does not fit the guide you say you followed at all. In that guide, masquerade is on for lan, and guest -> lan is set to accept, accept, reject, ...

Save your existing config and check it along that guide again carefully. If it then does not work, post it here.

My working config (except the splash page, I did not try to fix that, as the splash page on my old devices caused trouble anyhow)


This is wrong, you cannot attach the wireless interface to three different networks at the same time:

Choose on which network should this interface be attached, and delete the others.

This is also wrong, you cannot bridge eth0 on two different interfaces:

You do not need to care about eth0 at all; use just eth0.1 for one interface and eth0.2 for the other.

Now comes the debugging part:

  • When a client connects to the guest wifi, what parameters are configured on the network?
  • Can it ping the AP? Can it ping the main router? Can it ping 8.8.8.8?
  • Can it ping Google by name?
2 Likes
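A small lint for the points raised in this thread (one network per wifi-iface, eth0 not bridged into two interfaces, no netmask in the dhcp section, masq on lan plus guest -> lan forwarding for an AP uplinked via a LAN port), written as an added example that is not from the thread or from OpenWrt. The minimal UCI parser is my own, and the sample config is constructed from the poster's fragments:

```python
import re
# Constructed sample, not the poster's full files: only the sections the lint needs, with the mistakes the thread points out.
SAMPLE_UCI = """config interface 'lan'
	option ifname 'eth0 eth0.1'
config interface 'wan'
	option ifname 'eth0.2 eth0'
config wifi-iface 'default_radio0'
	option network 'wan lan guest'
config dhcp 'guest'
	option netmask '255.255.255.0'
config zone
	option name 'lan'
	option masq '1'
config forwarding
	option src 'guest'
	option dest 'lan'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) triples; 'list' keys keep the last value."""
    sections = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            sec_type, name = re.match(r"config\s+(\S+)(?:\s+'?([^'\s]+)'?)?", line).groups()
            sections.append((sec_type, name, {}))
        elif line.startswith(("option ", "list ")) and sections:
            _, key, val = re.match(r"(option|list)\s+(\S+)\s+'?(.*?)'?$", line).groups()
            sections[-1][2][key] = val
    return sections

def lint_dumb_ap(sections):
    """Findings for a dumb AP whose uplink is on the LAN zone, as in this thread."""
    findings, owner = [], {}
    zones = {s[2].get("name"): s[2] for s in sections if s[0] == "zone"}
    fwds = {(s[2].get("src"), s[2].get("dest")) for s in sections if s[0] == "forwarding"}
    for sec_type, name, opts in sections:
        if sec_type == "wifi-iface" and len(opts.get("network", "").split()) != 1:
            findings.append(f"wifi-iface {name}: 'network' must name exactly one network")
        if sec_type == "interface":
            for dev in opts.get("ifname", "").split():  # each port/VLAN belongs to one interface
                if dev in owner:
                    findings.append(f"interface {name}: {dev} is already bridged into {owner[dev]}")
                owner.setdefault(dev, name)
        if sec_type == "dhcp" and "netmask" in opts:
            findings.append(f"dhcp {name}: drop 'netmask', it is taken from the interface")
    if zones.get("lan", {}).get("masq") != "1":
        findings.append("zone lan: needs masq '1' so guest traffic is NATed towards the main router")
    if ("guest", "lan") not in fwds:
        findings.append("forwarding guest -> lan is missing")
    return findings
```

Running `lint_dumb_ap(parse_uci(SAMPLE_UCI))` on the constructed sample reports the three remaining mistakes (multi-network wifi-iface, eth0 in two interfaces, netmask in dhcp) and is silent on the zone and forwarding, which the poster had already fixed.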

I can ping the AP and the main router, but 8.8.8.8 (destination net unreachable) and google.com is not working.