Hello Everyone.
I've been struggling for the last couple of days with something that seems so easy that it's beginning to make me doubt even my common sense...
The issue:
I can't get internet access with my smartphone when connected to the RPI4 AP.
What I'm trying to achieve:
Clients connect to the AP (open security)
[TODO] They authenticate via Captive Portal
They get access to the internet via a set of configurable rules (firewall) through ETH0
PS: I know of the poor wifi capabilities of the PI4.
Info you might need:
My ISP router (192.168.1.254) is distributing internet to the whole network.
The ISP router is used as DHCP server, with a static lease of 192.168.1.1 for the RPI4 eth0 MAC.
The RPI4 can be accessed both via SSH and LuCI with its IP from my laptop connected to the ISP router via wifi.
From SSH and LuCI, I can ping on the internet both with IP and domain name.
I'm using a "guest" interface because I'll try to add a captive portal later on.
Any help would be gladly welcomed...
Thanks to you all
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd02:584d:2b22::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.254'
	list dns '1.1.1.1'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.1.99'
	option netmask '255.255.255.0'
	option device 'wlan0'
root@OpenWrt:~# cat /etc/config/firewall
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'guest'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'lan'
@psherman, here are the whole files after modification (still no internet)
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd02:584d:2b22::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.254'
	list dns '1.1.1.1'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
And the whole firewall config:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'guest'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'lan'
The reason why I didn't put the whole file was because most of the rules refer to the WAN interface (default rules I guess). But there is NO wan interface on the RPI4 config.
If I understand things correctly, the wireless device is linked to the guest interface in the wireless interface configuration > General setup > Network.
Therefore, any client connected via wifi is connected to the guest network.
Then, the firewall rule forwards all traffic from the guest network (interface) to the br-lan network (interface) because the guest network is attached to the guest firewall zone (same name, not the same thing) and also because the br-lan network is attached to the lan interface. Is this correct?
Perfect. Everything is working. I'll close the subject.
I'll now start working on the captive portal.
Could you please explain to me in layman's terms why I need to set the guest network on a subnet? Also, regarding masquerading, what is it and why is it necessary?
In order to create a unique network that is separate from another, it has to be defined with a different subnet.
Each subnet operates at layer 2 (L2) -- switching. Basically this is how devices on the same network are able to communicate with each other with MAC address level connections. This only allows devices on the same subnet to communicate with each other -- it doesn't have the capability to route from one network to the next.
Routing is a layer 3 concept and allows different networks to interact with each other (if permitted by firewall rules) using IP addresses. In order to route, there must be a different subnet on each side of the routing engine. If you have 2 networks that have the same subnet definition, there would be ambiguity about where a packet should go and the router would not know how to route packets. Let's say that Bob, Bob, and John are sitting together at a table and John picks up a package from the desk that is labeled "Bob" -- which Bob does he give it to? If, on the other hand, it is Bob, David, and John, there would be no ambiguity that the package labeled Bob goes to Bob -- the only Bob in the room.
Masquerading is the concept of "hiding" or "masking" a network behind a single address. In IPv4, this is totally common for home connections -- your ISP gives you one IPv4 address, and your router performs NAT (Network Address Translation) Masquerading to create a private network that can share many devices with just a single ISP-provided IP address. It's like how an apartment building has a single street address, but many people live inside. This is necessary on your lan zone in this case because the Pi takes one IPv4 address on your main LAN and then creates a network behind that (via NAT Masquerading / routing). It is possible to not use masquerading -- that requires that your upstream router has a feature to add static routes. But that's another technique entirely and not necessary for most guest network type configs.
In the meantime:
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
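As an added example (editor's, not from any post in this thread), the shell helper below ties the two points together: the subnet check shows why the first config (guest on 192.168.1.99/24 next to br-lan on 192.168.1.0/24) could not work, and the uci batch output reproduces the layout the thread ends on: guest on its own 192.168.2.0/24, a guest zone forwarding to lan, and masquerading on the lan zone so guest clients leave eth0 as 192.168.1.1. The guest address, the DHCP pool, the radio name 'radio0' and the SSID 'guest' are assumptions; so is the rule that keeps guest clients off the 192.168.1.0/24 home LAN, which the thread's own config does not have. It also assumes the lan zone is the first `config zone` section, as in the posted file.

```shell
#!/bin/sh
# Added example, not the thread's own config. POSIX sh; uci is only needed
# on the router, where the generated batch is piped into `uci batch`.
# Assumed values (not from the thread): guest gateway 192.168.2.1/24,
# DHCP pool 192.168.2.100-249, radio 'radio0', SSID 'guest'.

# Network address of addr/netmask as a dotted quad (bitwise AND per octet).
network_of() {
    oldifs=$IFS; IFS=.
    set -- $1 $2            # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# "yes" when two addresses with the same mask fall in one L2 network, i.e. the
# router would have two interfaces claiming the same destination range.
same_subnet() {
    if [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]; then
        echo yes
    else
        echo no
    fi
}

# uci batch for a routed guest network on OpenWrt. $1 = guest gateway address.
# Run on the router as: guest_uci_batch 192.168.2.1 | uci batch && reload_config
guest_uci_batch() {
    cat <<EOF
set network.guest=interface
set network.guest.proto='static'
set network.guest.ipaddr='$1'
set network.guest.netmask='255.255.255.0'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='150'
set dhcp.guest.leasetime='1h'
set wireless.guest_ap=wifi-iface
set wireless.guest_ap.device='radio0'
set wireless.guest_ap.mode='ap'
set wireless.guest_ap.network='guest'
set wireless.guest_ap.ssid='guest'
set wireless.guest_ap.encryption='none'
set firewall.guest=zone
set firewall.guest.name='guest'
add_list firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-Guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-Guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set firewall.guest_nolan=rule
set firewall.guest_nolan.name='Block-Guest-To-Home-LAN'
set firewall.guest_nolan.src='guest'
set firewall.guest_nolan.dest='lan'
set firewall.guest_nolan.dest_ip='192.168.1.0/24'
set firewall.guest_nolan.target='REJECT'
set firewall.guest_fwd=forwarding
set firewall.guest_fwd.src='guest'
set firewall.guest_fwd.dest='lan'
set firewall.@zone[0].masq='1'
commit
EOF
}

# Demonstration with the addresses from the thread.
echo "guest 192.168.1.99 vs lan 192.168.1.1 (/24) same subnet: $(same_subnet 192.168.1.1 192.168.1.99 255.255.255.0)"
echo "guest 192.168.2.1  vs lan 192.168.1.1 (/24) same subnet: $(same_subnet 192.168.1.1 192.168.2.1 255.255.255.0)"
guest_uci_batch 192.168.2.1
```

Two caveats. `firewall.@zone[0]` addresses the lan zone by position; check with `uci show firewall | grep name=` before applying, and use the named section if your file differs. The guest zone's input is REJECT with only DHCP and DNS opened, which is the usual guest-network posture; a captive portal on the Pi will need its own rule opening the portal's port from the guest zone, and the Block-Guest-To-Home-LAN rule stops guest clients from reaching the ISP router and other 192.168.1.x hosts while still letting their internet traffic out through eth0, because the rule is evaluated before the guest-to-lan forwarding.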