OpenWrt guest wlan has no internet

I tried configuring a guest wlan using this doc on a Unifi AP.

But when I connect to the guest SSID, there is no Internet access.

This is what /etc/config/network looks like:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:034b:1626::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan2'
	option ifname 'br-lan'
	option proto 'dhcp'

config interface 'guest'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca956x_wmac'
        option htmode 'HT20'

config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'none'

We need to see the firewall, too.

/etc/config/firewall:

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan guest'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network ' '
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'nodogsplash'
	option type 'script'
	option path '/usr/lib/nodogsplash/restart.sh'

config zone 'guest_zone'
	option name 'guest'
	option output 'ACCEPT'
	option network ' '
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding 'guest_forwarding'
	option src 'guest'
	option dest 'wan'

config rule 'guest_rule_dns'
	option name 'Allow DNS Queries'
	option src 'guest'
	option dest_port '53'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'guest_rule_dhcp'
	option name 'Allow DHCP request'
	option src 'guest'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

There is an empty zone definition for "guest"; it should have "guest" in the "network" key.
For example, I have:

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'guest'
        option network 'guest'

No luck. It's taking forever saying "Obtaining IP address..." when trying to connect.

That's a different issue: you need to serve DHCP for this network too.

Example: (in /etc/config/dhcp)

config dhcp 'guest'
        option interface 'guest'
        option limit '100'
        option leasetime '30m'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'
        option start '4'

Still no internet access.

Work on ONE problem at a time.
If you manually set the IP address, the default gateway and the DNS on the guest client, does it work?

Also, if you create a "guest" firewall zone, the "guest" network should not belong to the "lan" zone.

It doesn't work when I manually set the IP address and the DNS on the guest client either.

Adding "guest" network to the "lan" zone was merely an experiment in an attempt to get things working. But no internet access whether I put "guest" network in "lan" zone or in "guest" zone.

Anyways, I did all the things again step by step. Following is the configuration:

network:

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

wireless:

config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'none'

dhcp:

config dhcp 'guest'
        option interface 'guest'
        option start '4'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option limit '100'
        option leasetime '30m'

firewall:

config zone 'guest_zone'
        option name 'guest'
        option network 'guest'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding 'guest_forwarding'
        option src 'guest'
        option dest 'wan'

config rule 'guest_rule_dns'
        option name 'Allow DNS Queries'
        option src 'guest'
        option dest_port '53'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'guest_rule_dhcp'
        option name 'Allow DHCP request'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option target 'ACCEPT'

Also, please note that my AP doesn't have direct access to the Internet. It is behind a router which is assigning IPs in the range 192.168.1.0/24.

The end result is when I connect to the guest hotspot, I am assigned an IP in the 10.0.1.0/24 subnet but there is no Internet access.

The output of ip route command is as shown:

root@OpenWrt:~# ip route
default via 192.168.1.1 dev br-lan  src 192.168.1.101
10.0.0.0/24 dev br-lan scope link  src 10.0.0.1
10.0.1.0/24 dev wlan1 scope link  src 10.0.1.1
192.168.1.0/24 dev br-lan scope link  src 192.168.1.101

The gateway and dns values handed out by the dhcp server are invalid. Did you specify them manually?

I didn't specify them manually. They are the ones handed out by the DHCP server.

Sorry I shared the old screenshot (where I assigned the guest network IP as 10.0.1.0)
Please check the new one.

@haccks why do you have "lan" and "lan2"? Access from the "normal" network works fine, right?

Anyhow, perhaps it's best to post the output of the following commands:

uci show network; uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
iptables-save; ip6tables-save; \
head -n -0 /etc/firewall.user

Please take care to replace sensitive data (passwords, MAC addresses, etc.) before posting, as preformatted text.

lan2 is used to get a dynamic IP while leaving lan in place so the router can be reached at a fixed IP.

If I replace the network "guest" by "lan" in wireless, then I am getting Internet access. IP address assigned is in the subnet 192.168.1.0/24 and gateway assigned is 192.168.1.1.

But I want to use a guest network to separate the guest hotspot from everything else.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd46:52a4:07b4::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='10.0.0.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan2=interface
network.lan2.ifname='br-lan'
network.lan2.proto='dhcp'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='10.0.1.1'
network.guest.netmask='255.255.255.0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.guest_zone=zone
firewall.guest_zone.name='guest'
firewall.guest_zone.network='guest'
firewall.guest_zone.input='ACCEPT'
firewall.guest_zone.forward='REJECT'
firewall.guest_zone.output='ACCEPT'
firewall.guest_forwarding=forwarding
firewall.guest_forwarding.src='guest'
firewall.guest_forwarding.dest='wan'
firewall.guest_rule_dns=rule
firewall.guest_rule_dns.name='Allow DNS Queries'
firewall.guest_rule_dns.src='guest'
firewall.guest_rule_dns.dest_port='53'
firewall.guest_rule_dns.proto='udp'
firewall.guest_rule_dns.target='ACCEPT'
firewall.guest_rule_dhcp=rule
firewall.guest_rule_dhcp.name='Allow DHCP request'
firewall.guest_rule_dhcp.src='guest'
firewall.guest_rule_dhcp.src_port='68'
firewall.guest_rule_dhcp.dest_port='67'
firewall.guest_rule_dhcp.proto='udp'
firewall.guest_rule_dhcp.target='ACCEPT'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='4'
dhcp.guest.force='1'
dhcp.guest.dhcpv6='server'
dhcp.guest.ra='server'
dhcp.guest.ra_management='1'
dhcp.guest.limit='100'
dhcp.guest.leasetime='30m'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
22: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 192.168.1.101/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-lan  src 192.168.1.101
10.0.0.0/24 dev br-lan scope link  src 10.0.0.1
192.168.1.0/24 dev br-lan scope link  src 192.168.1.101
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

I'd stick with the usual names of "wan" for the uplink and "lan" for the internal network, makes it easier for others to read.

Later I'll compare your output with mine and get back to you.

Thanks a lot for the help. Will be waiting for your response.

Your new screenshot of the client device DHCP assignment looks fine.

Can I trouble you to post the contents of your /etc/config/network and /etc/config/firewall files as text using cat <file> rather than the UCI output? I personally find it easier to read it in the file's native format. Don't forget to copy/paste the output as 'preformatted text' to maintain the tab/formatting.

Thanks.

Hmm, to me it looks like some information is still missing:

  • if "lan2" is your upstream connection, why is there no "lan2" under the firewall zone definition for "wan"?
  • which interface is assigned to "guest"? I see no wired port, is it only the wifi?

To me it looks like the lan is working because it's really acting as a bridge and DHCP/DNS are coming from your upstream. First, your interface "lan" with "bridge" type creates the br-lan interface (see ifconfig); then you're also creating a lan2 interface on top of br-lan as a DHCP client.

On the other hand, you're telling your router to send traffic from the "guest" zone to the "wan" zone, which has no assigned interfaces. In fact, you have no 10.0.1.x in "ip -4 addr". No one is listening and forwarding that traffic. Even if it somehow makes its way to the lan bridge, the upstream will probably drop it because it's outside its range.

Maybe someone else can chime in and double-check my analysis, I have a different setup with physical ports for wan, lan and guest, separately bridged to their own ssid on wifi.
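Several of the problems pointed out so far (a zone with an empty network list, a forwarding into a zone that has no interfaces, an interface sitting in two zones or in none, a static interface with no DHCP pool) are mechanical enough to check automatically. The following is an added example, not code from this thread or from OpenWrt: a small Python linter over the text that `uci show network; uci show firewall; uci show dhcp` prints. The two dumps inside it are constructed to mirror the broken and the later corrected configuration from this thread, trimmed to the options the checks look at.

```python
"""Lint a `uci show` dump for the guest-network mistakes discussed in this thread.
Added example, not code from the thread or from OpenWrt. It only understands the
`pkg.section=type` / `pkg.section.option='v1' 'v2'` lines that `uci show` prints."""
import shlex

# Constructed: the thread's broken state (empty wan/guest zones, guest in lan zone, no pool).
BROKEN_DUMP = """\
network.lan=interface
network.lan.proto='static'
network.guest=interface
network.guest.proto='static'
wireless.guest=wifi-iface
wireless.guest.network='guest'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan' 'guest'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network=' '
firewall.guest_zone=zone
firewall.guest_zone.name='guest'
firewall.guest_zone.network=' '
firewall.guest_forwarding=forwarding
firewall.guest_forwarding.src='guest'
firewall.guest_forwarding.dest='wan'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
"""

# Constructed: the layout recommended later (lan as DHCP client, guest with own zone/pool).
FIXED_DUMP = """\
network.lan=interface
network.lan.proto='dhcp'
network.guest=interface
network.guest.proto='static'
wireless.guest=wifi-iface
wireless.guest.network='guest'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.guest_zone=zone
firewall.guest_zone.name='guest'
firewall.guest_zone.network='guest'
firewall.guest_forwarding=forwarding
firewall.guest_forwarding.src='guest'
firewall.guest_forwarding.dest='lan'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
"""


def parse_uci_show(text):
    """Return {(package, section): {'.type': type, option: [value, ...]}}."""
    sections = {}
    for line in text.splitlines():
        if '=' not in line:
            continue
        key, value = line.strip().split('=', 1)
        parts = key.split('.')
        sec = sections.setdefault((parts[0], parts[1]), {})
        if len(parts) == 2:                      # package.section=type
            sec['.type'] = value
        else:                                    # option; a quoted list like 'a' 'b'
            sec[parts[2]] = [v for v in (s.strip() for s in shlex.split(value)) if v]
    return sections


def lint(sections):
    """Return human-readable findings; an empty list means nothing was found."""
    findings = []
    zones, forwardings, wifi_nets, pools = {}, [], set(), set()
    for (pkg, sec), opts in sections.items():
        kind = opts.get('.type')
        if pkg == 'firewall' and kind == 'zone':
            zones[opts.get('name', [sec])[0]] = opts.get('network', [])
        elif pkg == 'firewall' and kind == 'forwarding':
            forwardings.append((opts.get('src', ['?'])[0], opts.get('dest', ['?'])[0]))
        elif pkg == 'wireless' and kind == 'wifi-iface':
            wifi_nets.update(opts.get('network', []))
        elif pkg == 'dhcp' and kind == 'dhcp' and opts.get('ignore', ['0'])[0] != '1':
            pools.update(opts.get('interface', []))
    for zone, nets in zones.items():
        if not nets:
            findings.append(f"zone '{zone}' has no networks assigned")
        for net in nets:
            if ('network', net) not in sections:
                findings.append(f"zone '{zone}' references undefined interface '{net}'")
    for src, dest in forwardings:
        if not zones.get(dest):
            findings.append(f"forwarding {src} -> {dest}: destination zone has no networks")
    for net in sorted(wifi_nets):                # every SSID's network needs exactly one zone
        owners = sorted(z for z, nets in zones.items() if net in nets)
        if len(owners) != 1:
            findings.append(f"interface '{net}' is in {len(owners)} zones ({', '.join(owners) or 'none'})")
        proto = sections.get(('network', net), {}).get('proto', [''])[0]
        if proto == 'static' and net not in pools:
            findings.append(f"static interface '{net}' has no dhcp pool; clients hang at 'Obtaining IP address'")
    return findings
```

Paste the real `uci show` output into parse_uci_show() to check a live box. The undefined-interface check also flags the 'wan' and 'wan6' members of the wan zone in the dump posted above, since neither exists in that AP's network config.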

This "lan2" makes no sense. When setting up OpenWrt as a LAN device (a "dumb AP") which is part of a network with another router (the main router) you can use either a static or DHCP IP but not both. Choose one method.

  • For static IP, the LAN IP is in the main router's LAN but doesn't conflict with any other LAN device. The lan option gateway must be set to point to the main router. The option dns DNS server typically is the main router but could also be a third-party DNS on the Internet.
  • For DHCP IP, set the lan option proto to dhcp instead of static. Do not configure an ip, netmask, gateway or DNS; it will get these from the main router. You should though set an option hostname so you can find what IP the AP has been assigned. If the main router is properly configured you can also connect to the AP by name such as unifiap.lan

I prefer the DHCP method since it will automatically adjust to keep working even should you change something drastic about the main network, and it will never have a conflicting IP. The drawback is that you cannot access the AP unless it is connected to a network with a working main router.

Once you have this set up then look at the guest network. The guest network has a static IP that is outside of the LAN network. Since this AP will be the gateway for guests, it's conventional to use something .1. It has a DHCP server.

The guests are in their own firewall zone. This zone forwards to lan (there is no WAN). It is essential to set masquerade and mtu_fix on the lan network. The guests will NAT into the LAN as if it were the Internet.

This should allow you to test by connecting as a guest and reaching the Internet.

But there is a security issue that guests can potentially access machines on the LAN, if they know the IP address. That is fixed by placing restrictive firewall rules on the guests. You don't want them to reach any of your private IPs, only the Internet.

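To make the last point concrete, here is an added example (not from the thread or from OpenWrt) that models, in deliberately simplified form, how fw3 decides whether a guest packet is forwarded: zone-to-zone rules are consulted first, then forwardings, then the source zone's default forward policy. It encodes the layout suggested above (no wan zone, guest forwarding into a masquerading lan zone) and compares it with the same layout plus a reject rule for private destination ranges, which is what keeps guests off LAN hosts while still letting them reach the Internet through the same lan zone. Addresses are constructed: 192.168.1.0/24 and 10.0.1.0/24 from the thread, 198.51.100.10 as a stand-in Internet host.

```python
"""Where can a guest client actually get to? Added example, not the thread's or
OpenWrt's code: a simplified model of fw3's forward decision (zone-to-zone rules
first, then forwardings, then the source zone's default forward policy). On a dumb
AP the lan bridge carries both LAN hosts and the default route, so the egress zone
is 'lan' for private and Internet destinations alike."""
import ipaddress
from dataclasses import dataclass, field

PRIVATE = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


@dataclass
class Zone:
    name: str
    forward: str = 'REJECT'          # default for traffic matched by no rule or forwarding
    masq: bool = False               # option masq '1'
    subnets: list = field(default_factory=list)   # networks directly attached to the zone


@dataclass
class Rule:                          # a `config rule` with src, dest, dest_ip, target
    src: str
    dest: str
    target: str
    dest_ips: list = field(default_factory=list)  # empty means any destination


@dataclass
class Firewall:
    zones: dict
    forwardings: list                # (src_zone, dest_zone) pairs from `config forwarding`
    rules: list
    default_route_zone: str          # zone whose interface holds the default route

    def zone_for(self, ip):
        """Egress zone: an attached subnet if one matches, else the default route's zone."""
        for z in self.zones.values():
            if any(ip in net for net in z.subnets):
                return z.name
        return self.default_route_zone

    def forward_verdict(self, src_zone, dst):
        """Return (target, dest_zone, masqueraded) for a new flow from src_zone to dst."""
        ip = ipaddress.ip_address(dst)
        dst_zone = self.zone_for(ip)
        masq = self.zones[dst_zone].masq
        for r in self.rules:                      # fw3 places rules ahead of forwardings
            if r.src == src_zone and r.dest in (dst_zone, '*') and \
                    (not r.dest_ips or any(ip in n for n in r.dest_ips)):
                return r.target, dst_zone, masq
        if (src_zone, dst_zone) in self.forwardings:
            return 'ACCEPT', dst_zone, masq
        return self.zones[src_zone].forward, dst_zone, masq


def dumb_ap(restrict_guest):
    """The layout from the post above: no wan zone, guests forward into lan, lan masquerades.
    restrict_guest=True adds the equivalent of
        config rule
            option src 'guest'
            option dest 'lan'
            list dest_ip '10.0.0.0/8'
            list dest_ip '172.16.0.0/12'
            list dest_ip '192.168.0.0/16'
            option target 'REJECT'
    """
    zones = {
        'lan': Zone('lan', forward='ACCEPT', masq=True,
                    subnets=[ipaddress.ip_network('192.168.1.0/24')]),
        'guest': Zone('guest', subnets=[ipaddress.ip_network('10.0.1.0/24')]),
    }
    rules = [Rule('guest', 'lan', 'REJECT', dest_ips=PRIVATE)] if restrict_guest else []
    return Firewall(zones, [('guest', 'lan')], rules, default_route_zone='lan')


if __name__ == '__main__':
    for label, fw in (('open', dumb_ap(False)), ('restricted', dumb_ap(True))):
        for dst in ('192.168.1.20', '172.16.5.5', '198.51.100.10'):
            print(f"{label:10} guest -> {dst:14} {fw.forward_verdict('guest', dst)}")
```

The open variant accepts guest traffic to 192.168.1.20 just as readily as to the Internet, which is the exposure described above; the restricted variant rejects every private destination and still forwards (and masquerades) Internet-bound flows. Because the rule matches on dest_ip rather than on the zone, it does not need a separate wan zone to work.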

I guess it is bridged with the lan interface, so the firewall rule for lan will work for lan2 as well.

None. It is for wifi only.


Yes, exactly. I do the same. Then after some time I realised the same thing as mentioned in that paragraph: there is no way to access the AP without internet access. With the Unifi firmware I am able to access it without internet and at the same time I can configure wifi on the AP. I want to replicate the same thing with OpenWrt.

This was to access the AP without an internet connection. I followed this doc. After removing lan2 I can get internet on the guest network.

This is now an issue. We will talk about this.