root@OpenWrt:~# ip route
default via 192.168.1.1 dev br-lan src 192.168.1.101
10.0.0.0/24 dev br-lan scope link src 10.0.0.1
10.0.1.0/24 dev wlan1 scope link src 10.0.1.1
192.168.1.0/24 dev br-lan scope link src 192.168.1.101
Your new screenshot of the client device DHCP assignment looks fine.
Can I trouble you to post the contents of your /etc/config/network and /etc/config/firewall files as text using cat <file> rather than the UCI output? I personally find it easier to read it in the file's native format. Don't forget to copy/paste the output as 'preformatted text' to maintain the tab/formatting.
Hmm, to me it looks like some information is still missing:
if "lan2" is your upstream connection, why is there no "lan2" under the firewall zone definition for "wan"?
which interface is assigned to "guest"? I see no wired port, is it only the wifi?
To me it looks like the lan is working because it's really acting as a bridge and DHCP/DNS are coming from your upstream. First your interface "lan" with "bridge" type creates the br-lan interface (see ifconfig) then you're also creating a lan2 interface on top of br-lan as dhcp client.
On the other hand, you're telling your router to send traffic from the "guest" zone to the "wan" zone, which has no assigned interfaces. In fact you have no 10.0.1.x in "ip -4 addr" . No one is listening and forwarding that traffic. Even if it somehow makes its way to the lan bridge, the upstream will probably drop it because it's outside its range.
Maybe someone else can chime in and double-check my analysis, I have a different setup with physical ports for wan, lan and guest, separately bridged to their own ssid on wifi.
This "lan2" makes no sense. When setting up OpenWrt as a LAN device (a "dumb AP") which is part of a network with another router (the main router) you can use either a static or DHCP IP but not both. Choose one method.
For static IP, the LAN IP is in the main router's LAN but doesn't conflict with any other LAN device. The lan option gateway must be set to point to the main router. The option dns DNS server typically is the main router but could also be a third-party DNS on the Internet.
For DHCP IP, set the lan option proto to dhcp instead of static. Do not configure an ip, netmask, gateway or DNS; it will get these from the main router. You should though set an option hostname so you can find what IP the AP has been assigned. If the main router is properly configured you can also connect to the AP by name such as unifiap.lan
I prefer the DHCP method since it will automatically adjust to keep working even should you change something drastic about the main network, and it will never have a conflicting IP. The drawback is that you cannot access the AP unless it is connected to a network with a working main router.
Once you have this set up then look at the guest network. The guest network has a static IP that is outside of the LAN network. Since this AP will be the gateway for guests, it's conventional to use something .1. It has a DHCP server.
The guests are in their own firewall zone. This zone forwards to lan. (there is no WAN). It is essential to set masquerade and mtu_fix on the lan network. The guests will NAT into the LAN as if it were the Internet.
This should allow you to test by connecting as a guest and reaching the Internet.
But there is a security issue that guests can potentially access machines on the LAN, if they know the IP address. That is fixed by placing restrictive firewall rules on the guests. You don't want them to reach any of your private IPs, only the Internet.
Yes, exactly. I do the same. Then after some time I realised the same as mentioned in the same para. There is no way to access the AP without internet access. With unifi firmware I am able to access it without internet and at the same time I can configure wifi in the AP. I want to replicate the same thing with OpenWrt.
This was to access the AP without internet connection. I followed this doc. After removing lan2 I can get the internet on guest network.