Setup with AdGuard Home, different firewalls. Two SSIDs, guest and main.
On the guest network my PC gets internet, my Fire TV stick also gets internet, but my phone and the other laptop don't. My guest network is VLAN 91.
VLAN 91 is firewalled off from router access, but I have custom traffic rules for it:
But this shouldn't matter, since the question is how it is possible for one device on the same VLAN and same SSID to get an internet connection while the other one doesn't. Both of my machines are MacBooks and there are no security rules that might affect them; my phone, for example, is the one not getting an internet connection, while my Fire TV stick is getting it successfully.
Here are some of the logs:
Successful connection:
Fri Aug 23 22:04:15 2024 daemon.info hostapd: phy1-ap1: STA [mac address redacted] IEEE 802.11: associated (aid 2)
Fri Aug 23 22:04:15 2024 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED [mac address redacted] auth_alg=sae
Fri Aug 23 22:04:15 2024 daemon.info hostapd: phy1-ap1: STA [mac address redacted] WPA: pairwise key handshake completed (RSN)
Fri Aug 23 22:04:15 2024 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED [mac address redacted]
Fri Aug 23 22:04:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.91) [mac address redacted]
Fri Aug 23 22:04:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.91) 192.168.9.167 [mac address redacted]
Fri Aug 23 22:04:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.91) [mac address redacted]
Fri Aug 23 22:04:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.91) 192.168.9.167 [mac address redacted]
Fri Aug 23 22:04:21 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.91) 192.168.9.167 [mac address redacted]
Fri Aug 23 22:04:21 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.91) 192.168.9.167 [mac address redacted] main-pc
Failed connection:
Fri Aug 23 22:05:55 2024 daemon.info hostapd: phy1-ap1: STA [mac address redacted] IEEE 802.11: authenticated
Fri Aug 23 22:05:55 2024 daemon.info hostapd: phy1-ap1: STA [mac address redacted] IEEE 802.11: associated (aid 1)
Fri Aug 23 22:05:55 2024 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED [mac address redacted] auth_alg=open
Fri Aug 23 22:05:55 2024 daemon.info hostapd: phy1-ap1: STA [mac address redacted] WPA: pairwise key handshake completed (RSN)
Fri Aug 23 22:05:55 2024 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED [mac address redacted]
Fri Aug 23 22:05:56 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.91) 192.168.9.122 [mac address redacted]
Fri Aug 23 22:05:56 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.91) 192.168.9.122 [mac address redacted] secondary-pc
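As an added example (not from the thread), a small Python script that groups logread lines like the two excerpts above per client MAC, so the differences come out side by side: the hostapd auth_alg, the interface the lease came from, and whether the client did a full DHCP DISCOVER/OFFER/REQUEST/ACK or only had a remembered lease confirmed with REQUEST/ACK. The MACs (aa:aa:aa:aa:aa:01/02) and the log text are a constructed sample standing in for the redacted originals.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the logread excerpt in the post; the MACs
# aa:aa:aa:aa:aa:01/02 are placeholders for the redacted ones.
SAMPLE_LOG = """\
Fri Aug 23 22:04:15 2024 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED aa:aa:aa:aa:aa:01 auth_alg=sae
Fri Aug 23 22:04:15 2024 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED aa:aa:aa:aa:aa:01
Fri Aug 23 22:04:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan.91) aa:aa:aa:aa:aa:01
Fri Aug 23 22:04:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan.91) 192.168.9.167 aa:aa:aa:aa:aa:01
Fri Aug 23 22:04:21 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.91) 192.168.9.167 aa:aa:aa:aa:aa:01
Fri Aug 23 22:04:21 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.91) 192.168.9.167 aa:aa:aa:aa:aa:01 main-pc
Fri Aug 23 22:05:55 2024 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED aa:aa:aa:aa:aa:02 auth_alg=open
Fri Aug 23 22:05:55 2024 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED aa:aa:aa:aa:aa:02
Fri Aug 23 22:05:56 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.91) 192.168.9.122 aa:aa:aa:aa:aa:02
Fri Aug 23 22:05:56 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.91) 192.168.9.122 aa:aa:aa:aa:aa:02 secondary-pc
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
RE_CONNECTED = re.compile(r"AP-STA-CONNECTED " + MAC + r" auth_alg=(\w+)")
RE_DHCP = re.compile(
    r"(DHCP[A-Z]+)\((\S+)\)(?: (\d+(?:\.\d+){3}))? " + MAC + r"(?: (\S+))?$")
FULL = ("DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK")

def parse_clients(log_text):
    """Group hostapd and dnsmasq-dhcp events per client MAC."""
    clients = defaultdict(lambda: {"auth_alg": None, "dhcp": [], "ip": None, "iface": None, "hostname": None})
    for line in log_text.splitlines():
        m = RE_CONNECTED.search(line)
        if m:
            clients[m.group(1)]["auth_alg"] = m.group(2)
            continue
        m = RE_DHCP.search(line.rstrip())
        if m:
            msg, iface, ip, mac, host = m.groups()
            c = clients[mac]
            c["dhcp"].append(msg)
            c["iface"] = iface
            c["ip"] = ip or c["ip"]            # OFFER/REQUEST/ACK carry the address
            c["hostname"] = host or c["hostname"]  # only ACK carries the hostname
    return dict(clients)

def dhcp_flow(msgs):
    """'full' = fresh lease (DISCOVER..ACK), 'reuse' = REQUEST/ACK only, else 'incomplete'."""
    seen = set(msgs)
    if all(m in seen for m in FULL):
        return "full"
    if {"DHCPREQUEST", "DHCPACK"} <= seen:
        return "reuse"
    return "incomplete"

def summarize(log_text):
    """One row per client, keyed by DHCP hostname (or MAC when none was logged)."""
    rows = {}
    for mac, c in parse_clients(log_text).items():
        key = c["hostname"] or mac
        rows[key] = {"mac": mac, "auth_alg": c["auth_alg"], "ip": c["ip"],
                     "iface": c["iface"], "dhcp_flow": dhcp_flow(c["dhcp"])}
    return rows
```

Run it against `logread | grep -E 'hostapd|dnsmasq-dhcp'` output to compare a working and a failing client on the same SSID.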
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Please check the updated version, but the logs I guess should answer your questions.
Also, I didn't mention that I had a few more vlans and firewall rules to keep it simple, so these are included here.
I believe I redacted everything needed.
ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT3000",
"board_name": "glinet,gl-mt3000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'redacted'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config interface 'lan'
option device 'br-lan.71'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth0'
option proto 'pppoe'
option type 'bridge'
option username 'redacted'
option password 'redacted'
option ipv6 'auto'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
config interface 'wwan'
option proto 'dhcp'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '21'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '31'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '41'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '51'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '61'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '71'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '81'
list ports 'eth1:t'
config interface 'VLAN21_admin'
option proto 'static'
option device 'br-lan.21'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config interface 'VLAN41_NAS'
option proto 'static'
option device 'br-lan.41'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
config interface 'VLAN31_PC'
option proto 'static'
option device 'br-lan.31'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
config interface 'VLAN51_Server'
option proto 'static'
option device 'br-lan.51'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'VLAN31_2'
list ports 'br-lan.31'
config device
option type '8021q'
option ifname 'br-lan'
option vid '91'
option name 'br-lan.91'
config interface 'VLAN61_IoT'
option proto 'static'
option device 'br-lan.61'
option ipaddr '192.168.6.1'
option netmask '255.255.255.0'
config interface 'VLAN91_Guest'
option proto 'static'
option device 'br-lan.91'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '111'
option name 'br-lan.111'
config interface 'VLAN111_General'
option proto 'static'
option device 'br-lan.111'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wifi'
option channel '6'
option band '2g'
option htmode 'HE20'
option cell_density '0'
option country 'redacted'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'redacted'
option encryption 'sae'
option key 'redacted'
option wpa_disable_eapol_key_retries '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/18000000.wifi+1'
option channel '44'
option band '5g'
option htmode 'HE80'
option cell_density '0'
option country 'redacted'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'redacted'
option encryption 'sae'
option key 'redacted'
option network 'lan'
option wpa_disable_eapol_key_retries '1'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'redacted'
option encryption 'sae-mixed'
option isolate '1'
option key 'redacted'
option network 'VLAN91_Guest'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'redacted'
option encryption 'sae-mixed'
option isolate '1'
option key 'redacted'
option network 'VLAN91_Guest'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '0'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
option noresolv '0'
option cachesize '1000'
option port '54'
list server '192.168.1.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,192.168.1.1'
list dhcp_option '3,192.168.1.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'VLAN21_admin'
option interface 'VLAN21_admin'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN41_NAS'
option interface 'VLAN41_NAS'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN31_PC'
option interface 'VLAN31_PC'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN51_Server'
option interface 'VLAN51_Server'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN61_IoT'
option interface 'VLAN61_IoT'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN91_Guest'
option interface 'VLAN91_Guest'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN111_General'
option interface 'VLAN111_General'
option start '100'
option limit '150'
option leasetime '12h'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'
config zone
option name 'General'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'br-lan.111'
list network 'VLAN111_General'
config zone
option name 'admin'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'VLAN21_admin'
list device 'br-lan.21'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'br-lan.91'
list network 'VLAN91_Guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
config rule
option name 'Guest DHCP and DNS'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
config zone
option name 'PC'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'br-lan.31'
list network 'VLAN31_PC'
config zone
option name 'IoT'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'VLAN61_IoT'
list device 'br-lan.61'
config zone
option name 'NAS'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'br-lan.41'
list network 'VLAN41_NAS'
config zone
option name 'Server'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'br-lan.51'
list network 'VLAN51_Server'
config forwarding
option src 'admin'
option dest 'IoT'
config forwarding
option src 'admin'
option dest 'NAS'
config forwarding
option src 'admin'
option dest 'Server'
config forwarding
option src 'General'
option dest 'wan'
config forwarding
option src 'General'
option dest 'IoT'
config forwarding
option src 'General'
option dest 'NAS'
config forwarding
option src 'admin'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'IoT'
config forwarding
option src 'lan'
option dest 'NAS'
config forwarding
option src 'PC'
option dest 'wan'
config forwarding
option src 'IoT'
option dest 'wan'
config forwarding
option src 'NAS'
option dest 'wan'
config forwarding
option src 'Server'
option dest 'wan'
config rule
option name 'PC DHCP and DNS'
option src 'PC'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'IoT DHCP and DNS'
option src 'IoT'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'NAS DHCP and DNS'
option src 'NAS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Server DHCP and DNS'
option src 'Server'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'General DHCP and DNS'
option src 'General'
option dest_port '53 67 68'
option target 'ACCEPT'
Remove the bridge line from the wan interface:
Delete this... you already have a bridge-vlan for VLAN 31:
Delete the 802.1q stanza:
And this one:
Remove the device line from all of the firewall zones... only the network should be there:
Make sure that you have these rules for each of the firewall zones (too many zones, I didn't check them all -- you may be fine, but double check):
Finally, you appear to have something with your DNS -- AGH or DoH/DoT?
This could cause problems for some of the devices.
Which devices are able to connect and which fail? On which network(s) does this happen?
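As an added example (not from the thread or from OpenWrt), a Python audit that reads a UCI firewall file and checks the two points raised above: that every non-wan zone has an input rule accepting DNS/DHCP (ports 53, 67, 68) from it, and whether a zone binds a 'device' next to its 'network'. The sample file is a constructed excerpt modelled on the posted config, not the poster's file; the IoT rule with dest 'wan' is there to show that a forward rule does not count as the input rule.

```python
import shlex

# Constructed UCI excerpt modelled on the /etc/config/firewall in the thread
# (not the poster's file): the guest zone as posted, empty 'config rule' and
# 'list device' included, plus an IoT zone whose only rule is a forward rule.
SAMPLE_FIREWALL = """\
config zone
	option name 'guest'
	option input 'REJECT'
	list device 'br-lan.91'
	list network 'VLAN91_Guest'
config rule
config rule
	option name 'Guest DHCP and DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'
config zone
	option name 'IoT'
	option input 'REJECT'
	list network 'VLAN61_IoT'
config rule
	option name 'IoT DNS to wan'
	option src 'IoT'
	option dest 'wan'
	option dest_port '53'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Minimal UCI reader: list of (type, name, options); 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)          # shlex handles the quoted values
        if not parts: continue
        if parts[0] == "config":          # new section, the name is optional
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option":
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

NEEDED_PORTS = {"53", "67", "68"}   # DNS, DHCP server, DHCP client

def audit_zones(text):
    """Per non-wan zone: is 53/67/68 accepted by an input rule, and is a 'device' bound?"""
    secs = parse_uci(text)
    zones = [o for t, _, o in secs if t == "zone" and o.get("name") != "wan"]
    rules = [o for t, _, o in secs if t == "rule"]
    report = {}
    for z in zones:
        name = z["name"]
        covered = any(r.get("src") == name and r.get("target") == "ACCEPT"
                      and not r.get("dest")   # a dest makes it a forward rule
                      and NEEDED_PORTS <= set(r.get("dest_port", "").split())
                      for r in rules)
        report[name] = {"dhcp_dns_rule": covered or z.get("input") == "ACCEPT",
                        "has_device_list": "device" in z}
    return report
```

On the router itself, feed it the real file with `audit_zones(open("/etc/config/firewall").read())`.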
I have a MacBook that fails to connect (without internet access) and a MacBook (main) which doesn't. I have a family iPhone and Samsung Galaxy phones that fail to connect (without internet access) and a Fire TV stick that successfully connects...
Yes, I do have AGH. I do run DoQ/DoH on it. One thing I noticed during the final step of the installation (https://openwrt.org/docs/guide-user/services/dns/adguard-home#setup):
Everything was fine, but when I ran the last step:
/etc/init.d/dnsmasq restart
I had this error:
openwrt udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: no lease, failing
Failed a few times and stopped.
I do have the needed rules for each and every firewall zone. Does it matter that I have AGH? AGH also lives on port 53, as I see, for the DNS.
I have my MT3000 (2 port) in a configuration where I plug my main ISP router (which is in bridge mode) directly into the WAN port of my MT3000 router, which is what we are configuring now, and then I connect it to my 8-port managed switch. Hence I have separate 802.1q VLANs assigned for each firewall zone. Why would I remove them?
Same here.
I would recommend undoing the AGH/DoH/DoT to see if that is related to the issue. Alternatively, you can specify a public DNS server on the devices that are having trouble connecting -- if that fixes the issue, it's clearly DNS related (AGH/DoH/DoT).
This is normal. It is a check to make sure that the OpenWrt Dnsmasq DHCP server is the only server active.
Generally, that's fine, but it is possible that a misconfiguration here is responsible for the issue.
wizcourage:
Same here.
What do you mean by this?
@psherman
The weird
I wonder why I should delete the 802.1q; as I said, I have an ISP router bridged to the OpenWrt device > managed switch, hence I have the VLANs set up like that.
psherman:
I would recommend undoing the AGH/DoH/DoT to see if that is related to the issue. Alternatively, you can specify a public DNS server on the devices that are having trouble connecting -- if that fixes the issue, it's clearly DNS related (AGH/DoH/DoT).
As for this, I tried disabling AdGuard from its interface; the WiFi still did not work.
I just stopped AdGuard through service adguardhome stop and same issue: some of my devices connect online, some don't.
The 802.1q functions are created implicitly when the VLANs are configured (via the appropriate method for a given device -- DSA, swconfig, or dotted notation). I have always recommended removing them (except sometimes on the wan port) as I've never found them to be necessary (and I have a suspicion that they might actually conflict in certain situations).
Are they able to connect to the WiFi network in general, but then not access the internet? Or are they unable to connect at all? Do they manage to get a DHCP lease?
They connect successfully to the router but can't get an internet connection. It even says "No internet" on Android.
Please check the original post, I left the connection logs of a successfully connected device and one that can't connect.
wizcourage:
Successful connection:
wizcourage:
Failed connection:
Specifically what I'm asking is the state of the devices themselves:
Do they get a DHCP lease? If so, what is the information populated for IP, subnet mask, router/gateway, DNS?
Can they ping an internet address via IP (such as 64.226.122.113)?
If you specify a public DNS server on the device, can it ping a domain name (such as openwrt.org)?
Just checked on the other mac that isn't possible to connect online.
It seems like it does get a DHCP lease; the IP is on the same subnet as the guest network, so in this case 192.168.9.x.
Can't ping via IP nor via a domain.
What values does that Mac get for subnet mask, DNS, and router/gateway?
So there was no routing or gateway:
route: writing to routing socket: not in table
subnet mask:
255.255.255.0
specific ip:
192.168.9.122
The DNS was also not set.
So what I actually tried was forcing my own custom DNS locally (which I already had on the other Mac; pretty sure not on the Fire TV stick, but maybe it does by default). After I configured the custom domain settings (set Cloudflare, for example), everything started working fine. Got connected, got proper routing, got the gateway at 192.168.9.1 and so on.
So it seems that I can't get AdGuard to handle setting up proper DNS settings for any peers on my guest network (except those who already have them pre-configured locally). Note that the SSID that works for everyone is on the 192.168.1.x subnet, which is the same one AdGuard uses.
How do I fix this?
Did you also have to add the gateway, or only the DNS?
@psherman Tried to VPN in with WG through my phone. Same thing. If I set the DNS servers to be managed by the router (WG interface in this case, properly firewalled): no connection; if I force-set a DNS server like 1.1.1.1, it works.
So you have now proven that the DNS on your router is not working as expected...
The problem is your AGH/DoH/DoT configuration. As I had said earlier...
I am not an AGH/DoH/DoT expert, so I cannot help you fix that. I would recommend disabling those features for now so that you are using normal DNS. Then apply one at a time to find out where it breaks.
But I've tried disabling AdGuard from its user interface or completely stopping the service. It did not fix the issue?