The documentation listed at Guest Wi-Fi on a wireless AP using LuCI seems to be incorrect. It forwards guest traffic to the LAN then blocks the LAN with the firewall. Perhaps I am mistaken.
This is one of the methods implementing guest network isolation:
- Allow traffic forwarding from the guest interface to the LAN interface.
- Block transit guest traffic which destination IP matches the LAN subnet.
- Do not allow traffic forwarding from the guest interface to the LAN interface.
- Allow only transit guest traffic which destination does not match the LAN subnet.
Both methods are valid.
Ok. I tried it and it didn’t work for me. I got no connectivity to the internet using this method. I thought maybe it was incorrect. I must have done something wrong. Thank you for the reply.
Collect the output and post it to pastebin.com redacting the private parts:
ubus call system board; \ uci show network; uci show wireless; uci show dhcp; uci show firewall; \ ip address show; ip route show table all; ip rule show; iptables-save; \ head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
This guide you followed is for a dumbAP (only lan). If you are using a wan interface and you are routing, then you need to follow this guide.
I decided not to use this method. I no longer have it implemented therefore I do not have relevant output from the above mentioned commands. Thank you so much for your efforts!
For my guest network, I generally (basically) follow the guide found at Guest Wi-Fi using LuCI with the following exceptions:
I check “isolate clients” under the wireless>interface configuration>advanced settings.
I use DHCP option 6 and eliminate the DNS firewall rule.
I check the “bridge interfaces” box in the “interfaces” menu under the guest interface “physical settings” menu.
I check the “force” box under the “interfaces” guest interface menu under “DHCP server” > “Advanced Settings”.
It seems if I don’t to both #3 and #4 I end up with a race condition after restart and the guest WiFi will not have functionality.
Other than that, this setup seems to be the most straight forward without using terminal.
Also, the screenshots on that doc are from barrier breaker.
Ok problem solved, you were using the wrong guide.
This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.