Hey guys, currently running 19.07 on a WRT1900AC (v1) and I've followed this guide https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap to set up an isolated guest network, which works, but when I do it I lose internet connectivity on my existing 5GHz network (guest was using the 2.4GHz radio). Any ideas why? I've done it twice now with the same result. Not a pro, but I've gone over it and I'm not seeing why that could be happening. I thought it would have to be something with the firewall, but even when I disable the rules I set up, the 5GHz network has no connectivity to WAN. When I delete everything I set up, everything comes back.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
# Diagnostic dump for a support thread: board/firmware info, the UCI
# network, wireless, dhcp and firewall configs, the custom firewall script,
# IPv4 addresses/routes/policy rules, and the resolver files.
# The wireless export prints `option key` values and MAC addresses, and the
# resolver files can name the upstream DNS servers -- redact before posting.
ubus call system board
uci export network
uci export wireless
uci export dhcp
uci export firewall
# `head -n -0` prints the whole file (it omits the last 0 lines).
head -n -0 /etc/firewall.user
ip -4 addr
ip -4 route list table all
ip -4 rule
# Globs are left unquoted on purpose; a pattern with no match just produces
# a "No such file or directory" message.
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
Thanks. The current status is that I re-followed the tutorial; the guest network shows up and my normal one is still working this time, but I can't connect to the guest network. I went over everything a couple of times and still can't figure anything out.
BusyBox v1.30.1 () built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 19.07.5, r11257-5090152ae3
-----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.*
/tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "4.14.209",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 2 (v7l)",
"model": "Linksys WRT1900AC",
"board_name": "linksys,mamba",
"release": {
"distribution": "OpenWrt",
"version": "19.07.5",
"revision": "r11257-5090152ae3",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.5 r11257-5090152ae3"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd72:37dc:5fac::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '6,10.0.0.145'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'guest'
option proto 'static'
option ipaddr '10.0.1.1'
option netmask '255.255.255.0'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/soc:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'US'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option macaddr '94:10:3e:a0:bd:7c'
option ssid 'xrs2537-2.4_optout_nomap'
option key 'password'
option encryption 'psk2'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/soc:pcie@82000000/pci0000:00/0000:00:03.0/0000:03:00.0'
option htmode 'VHT80'
option country 'US'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option macaddr '94:10:3e:a0:bd:7d'
option key 'password'
option encryption 'psk2'
option ssid 'xrs2537-5_optout_nomap'
config wifi-iface 'wifinet2'
option ssid 'xrs2537-2.4_guest'
option device 'radio0'
option mode 'ap'
option network 'guest'
option key 'password'
option encryption 'psk2'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
list server '10.0.0.145'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
list dhcp_option '6,10.0.0.145'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option mac '38:D5:47:77:D4:31'
option leasetime 'infinite'
option dns '1'
option name 'hillary'
option ip '10.0.0.50'
config host
option mac 'B8:27:EB:C8:11:7E'
option leasetime 'infinite'
option dns '1'
option name 'pihole'
option ip '10.0.0.145'
config host
option mac '00:90:A9:BC:B1:B9'
option leasetime 'infinite'
option dns '1'
option name 'nas'
option ip '10.0.0.121'
config host
option mac '40:23:43:DA:B9:E3'
option leasetime 'infinite'
option ip '10.0.0.182'
option name 'printer'
option dns '1'
config host
option mac '74:58:F3:50:FE:79'
option leasetime 'infinite'
option ip '10.0.0.160'
config dhcp 'guest'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'guest'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '80'
option src 'wan'
option name 'Apache'
option src_dport '80'
option target 'DNAT'
option dest_ip '10.0.0.50'
option dest 'lan'
config redirect
option dest_port '443'
option src 'wan'
option name 'Apache'
option src_dport '443'
option target 'DNAT'
option dest_ip '10.0.0.50'
option dest 'lan'
config redirect
option dest_port '8080'
option src 'wan'
option name 'Airsonic'
option src_dport '8080'
option target 'DNAT'
option dest_ip '10.0.0.50'
option dest 'lan'
config redirect
option dest_port '8096'
option src 'wan'
option name 'Jellyfin'
option src_dport '8096'
option target 'DNAT'
option dest_ip '10.0.0.50'
option dest 'lan'
config redirect
option dest_port '3389'
option src 'wan'
option name 'xrdp'
option src_dport '3389'
option target 'DNAT'
option dest_ip '10.0.0.50'
option dest 'lan'
config redirect
option dest_port '22'
option src 'wan'
option name 'ssh'
option src_dport '22'
option target 'DNAT'
option dest_ip '10.0.0.50'
option dest 'lan'
config rule
option src 'lan'
option dest 'wan'
option target 'REJECT'
option stop_time '06:00:00'
option weekdays 'Mon Tue Wed Thu Fri'
option name 'Joe Weekday'
list src_ip '10.0.0.160'
list src_ip '10.0.0.135'
list src_ip '10.0.0.193'
list src_mac '74:58:F3:50:FE:79'
list src_mac '0C:7A:15:0C:F7:3D'
list src_mac '74:70:FD:95:39:95'
option start_time '19:05:00'
config rule
option src 'lan'
option dest 'wan'
option target 'REJECT'
option weekdays 'Sun Sat'
option name 'Joe'\''s Weekends'
option start_time '20:30:00'
option stop_time '05:30:00'
list src_ip '10.0.0.160'
list src_ip '10.0.0.135'
list src_ip '10.0.0.193'
list src_mac '74:58:F3:50:FE:79'
list src_mac '0C:7A:15:0C:F7:3D'
list src_mac '74:70:FD:95:39:95'
config zone
option forward 'REJECT'
option name 'guest'
option output 'ACCEPT'
option input 'REJECT'
option network 'guest'
config forwarding
option dest 'lan'
option src 'guest'
config rule
option dest_port '67-68'
option src 'guest'
option name 'Guest DHCP'
option dest 'lan'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'guest'
option name 'Guest DNS'
option target 'ACCEPT'
config rule
option src 'guest'
option name 'Block guest access to private network'
option dest 'lan'
option target 'DROP'
list dest_ip '10.0.0.1/24'
list proto 'all'
config include 'estab'
option path '/etc/firewall.estab'
option reload '1'
# Reorder firewall rules
# NOTE(review): in this transcript the block appears where the output of
# `head -n -0 /etc/firewall.user` is expected, and the firewall config above
# includes /etc/firewall.user. If that is where it lives, these one-time setup
# commands are presumably re-run every time the include is loaded -- confirm,
# and if so run them once from a shell instead of keeping them in the include.

# Write /etc/firewall.estab. The quoted "EOF" delimiter keeps ${IPT} and the
# $(...) substitution literal, so they are evaluated when firewall.estab runs,
# not when it is written. For iptables and ip6tables, the generated script
# dumps the filter table with counters, deletes the lines matching
# FORWARD.*ESTABLISHED.*ACCEPT, re-inserts them ahead of lines matching
# FORWARD.*reject, and restores only the filter table.
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED.*ACCEPT/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED.*ACCEPT/p")" \
| ${IPT}-restore -c -T filter
done
EOF
# Append the script's path to /etc/sysupgrade.conf (presumably so the file is
# kept across a sysupgrade -- confirm). `>>` adds one more line on every run.
cat << "EOF" >> /etc/sysupgrade.conf
/etc/firewall.estab
EOF
# Drop any existing 'estab' section (-q silences the error when it is absent),
# then recreate it as an include of /etc/firewall.estab with reload '1'.
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
# Restart the firewall so the new include takes effect.
# NOTE(review): a restart issued from inside a firewall include would
# re-trigger that include -- verify this line is not executed from
# /etc/firewall.user.
/etc/init.d/firewall restart
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 0.0.0.0/24 brd 0.0.0.0 scope global eth1.2
valid_lft forever preferred_lft forever
12: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 10.0.1.1/24 brd 10.0.1.255 scope global wlan0-1
valid_lft forever preferred_lft forever
default via 0.0.0.0 dev eth1.2 src 0.0.0.0
10.0.0.0/24 dev br-lan scope link src 10.0.0.1
10.0.1.0/24 dev wlan0-1 scope link src 10.0.1.1
0.0.0.0/24 dev eth1.2 scope link src 0.0.0.0
broadcast 10.0.0.0 dev br-lan table local scope link src 10.0.0.1
local 10.0.0.1 dev br-lan table local scope host src 10.0.0.1
broadcast 10.0.0.255 dev br-lan table local scope link src 10.0.0.1
broadcast 10.0.1.0 dev wlan0-1 table local scope link src 10.0.1.1
local 10.0.1.1 dev wlan0-1 table local scope host src 10.0.1.1
broadcast 10.0.1.255 dev wlan0-1 table local scope link src 10.0.1.1
broadcast 0.0.0.0 dev eth1.2 table local scope link src 0.0.0.0
local 0.0.0.0 dev eth1.2 table local scope host src 0.0.0.0
broadcast 0.0.0.0 dev eth1.2 table local scope link src 0.0.0.0
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx 1 root root 16 Dec 6 02:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 Dec 25 18:46 /tmp/resolv.conf
-rw-r--r-- 1 root root 83 Dec 25 18:42 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 71.252.0.12
nameserver 68.238.112.12
search verizon.net
head: /tmp/resolv.*/*: No such file or directory
root@OpenWrt:~#
You have defined dns 10.0.0.145 in lan interface and in dnsmasq server. You can leave it in lan interface only.
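The main problem is that you followed the wrong guide. You don't have a dumb AP, but a router, so you need to follow this guide. The firewall export above has the guest zone forwarding to lan; on a router, guest clients reach the internet through a guest-to-wan forwarding instead.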
Thanks! I'll fix the DNS and get on that other guide.
Thank you again man! Took less than half the time of the GUI based one and seems to be working perfectly. Connected right away and I can't see the rest of my LAN from it. I appreciate it!