Separate all Wifi connections into their own network

This is what is often called a Guest Zone; however, I really don't like this term and what it implies, because GZ on my old router was dogcrap: it would just allow ANYONE to connect to the AP regardless of whether a password was set for Wireless security.

What I want is for WiFi to operate as it usually does in the default setup (you set up a password and SSID and now anyone can connect by password); however, I want all these clients to be completely separate from my LAN machine that is connected via Ethernet cable and just have access to the Internet (WAN via PPPoE).

As I understand it, I need to create a new Network interface and assign the wireless SSID to that network?

My question then: how would I link it to the WAN so it will have Internet? The default interface has it, but I can't create it that way via Luci, it seems.

Create a new firewall zone, add your new interface to that zone, and make that firewall zone forward only to WAN.

2 Likes

Okay, so I still need to create a new LAN interface, right?

Create a new interface, yes; it should be called something other than "lan".

2 Likes

Okay, I'm a bit slow in the head: which interfaces should I choose to avoid it being able to access the clients that connect to the default LAN interface, and to deny them access to the router (Luci/SSH)? This is what the default LAN looks like:

Okay, so I created the interface WIFI_LAN, set it to a static address, changed the subnet to be different from the default LAN (192.168.0.1/255.255.255.0), enabled the DHCP server for Wifi clients, added Wlan01 to the list of interfaces and set up a Firewall Zone.
However, in my system log I get this:

```
Thu Jan 14 01:29:10 2021 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 51:20:19:17:1e:c2
Thu Jan 14 01:29:11 2021 daemon.info hostapd: wlan1: STA 51:20:19:17:1e:c2 IEEE 802.11: authenticated
Thu Jan 14 01:29:11 2021 daemon.info hostapd: wlan1: STA 51:20:19:17:1e:c2 IEEE 802.11: associated (aid 1)
Thu Jan 14 01:29:11 2021 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 51:20:19:17:1e:c2
Thu Jan 14 01:29:11 2021 daemon.info hostapd: wlan1: STA 51:20:19:17:1e:c2 RADIUS: starting accounting session 67B4CBE23E0CAC6E
Thu Jan 14 01:29:11 2021 daemon.info hostapd: wlan1: STA 51:20:19:17:1e:c2 WPA: pairwise key handshake completed (RSN)
Thu Jan 14 01:29:11 2021 daemon.warn dnsmasq-dhcp[4493]: DHCP packet received on wlan1 which has no address
Thu Jan 14 01:29:11 2021 daemon.warn dnsmasq-dhcp[4493]: DHCP packet received on wlan1 which has no address
Thu Jan 14 01:29:12 2021 daemon.warn dnsmasq-dhcp[4493]: DHCP packet received on wlan1 which has no address
Thu Jan 14 01:29:13 2021 daemon.warn dnsmasq-dhcp[4493]: DHCP packet received on wlan1 which has no address
Thu Jan 14 01:29:14 2021 daemon.warn dnsmasq-dhcp[4493]: DHCP packet received on wlan1 which has no address
Thu Jan 14 01:29:17 2021 daemon.warn dnsmasq-dhcp[4493]: DHCP packet received on wlan1 which has no address
```

Its config from network:

```
config interface 'WIFI_LAN'
        option ifname 'wlan1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
```

Getting:
ERROR: Network device is not present

I've added it to "Switch VLAN eth0.1", it is the one the default LAN interface uses, but this again enabled wifi access to Luci and everything on the router.

Basically what you suggested does not work.

If anyone else knows how, if it is actually possible, to do what I want, I'd appreciate insight.

It looks like you haven't given the wifi a proper ESSID... At least it says Wireless Network Master " " (WIFI_LAN) note the blank name in quotes... That should say whatever the name you want... The one that shows up when you wifi scan.

It is there, Wireless SSID has nothing to do with the question I'm asking about:

Maybe I wasn't clear, let me rephrase:

I want to completely separate Wireless clients and LAN clients, to the point that they don't even know the other can possibly exist.

I think Indicates that the wlan device did not get created because of whatever is wrong in your wifi config. Can you show the complete wireless and network config files (without passwords etc)?

Also, it might be easier if you follow the recipe for a guest network in the wiki, so you can have something to compare/check against.

That """""""""guide""""" completely broke my Wifi, it no longer works. Why in the everloving fck outdated and no longer relevant stuff is even allowed to stay there?

The guide works, but you were starting from a position of stuff wasn't working, so I suggest a factory reset, and then work through it again.

Take a backup first.

but you were starting from a position of stuff wasn't working

What, no, my Wifi worked before just fine but with that broke setup there is no network reach, I can ping anything or resolve any dns query.

It is weird, my gateway on wifi client is 0.0.0.0

I think it's going to be easier if you upload the /etc/config/wireless and /etc/config/network; put them into a preformatted text block using the </> button or by using a code fence, three backticks like (```). Avoid uploading passwords.

[WIFI]

```
# 2.4G module is disabled
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

# 5G that is in use
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MyCoolWifi'
        option encryption 'psk2'
        option key 'SuPirSikrit'
        option hidden '1'
        option isolate '1'
        option network 'GuestWifi'
```

[LAN]

```
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0b:c8ca:f6e4::/48'

# This is default LAN I use for LAN clients
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'ISP_pass'
        option ipv6 'auto'
        option username 'ISP_login'
        option type 'bridge'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '28:d1:27:16:9f:09'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# disabled, ignore
config interface 'WIFI_LAN'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option ifname 'eth0.2'
        option type 'bridge'

config interface 'GuestWifi'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
```

[Firewall]


Right now all wifi clients receive a 0.0.0.0 gateway.

Okay, as I said that """"guide""""""" is broke af. This one:


makes PERFECT sense as to what is done and WHY it is done and it works.

It's not broken, it is for a different scenario. You are using the wan interface for uplink, so the guest-wlan guide is the appropriate one. The guestwifi_dumbAP is for the scenario where only the lan is used and it is also the uplink.

2 Likes
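
The isolation advice given in this thread (put the wifi interface in its own firewall zone that forwards only to WAN) can be checked against a saved firewall config. This is an added example, not code from the thread or from OpenWrt: a Python check run over a constructed config, where the zone name 'guest', the rule layout and the function names are assumptions, and 'GuestWifi' and 'wan' are the interface names from the config posted above.

```python
import re
# Constructed sample (not from the thread); interface names follow its config.
SAMPLE = """
config zone
        option name 'guest'
        list network 'GuestWifi'
        option input 'REJECT'
        option forward 'REJECT'
config forwarding
        option src 'guest'
        option dest 'wan'
config rule
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
config rule
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
"""

def parse(text):
    """UCI text -> list of (section_type, {option: [values]})."""
    secs = []
    for kind, key, val in re.findall(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            secs.append((key, {}))
        else:
            secs[-1][1].setdefault(key, []).extend(val.split())
    return secs

def audit(text, iface, wan="wan"):
    """Findings for the zone holding `iface`; an empty list means isolated."""
    secs = parse(text)
    zone = next((o for t, o in secs if t == "zone" and iface in o.get("network", [])), None)
    if zone is None:
        return [f"{iface}: not in any firewall zone"]
    name = zone["name"][0]
    own = [(t, o) for t, o in secs if o.get("src") == [name]]
    out = [f"{name}: {c} policy is not REJECT/DROP" for c in ("input", "forward")
           if zone.get(c) not in (["REJECT"], ["DROP"])]
    dests = sorted({d for t, o in own if t == "forwarding" for d in o.get("dest", [])})
    if dests != [wan]:
        out.append(f"{name}: forwards to {dests}, expected only {wan}")
    ports = {p for t, o in own if t == "rule" and "dest" not in o
             and o.get("target") == ["ACCEPT"] for p in o.get("dest_port", [])}
    return out + [f"{name}: no ACCEPT rule for {svc} (port {p}) to the router"
                  for p, svc in (("53", "DNS"), ("67", "DHCP")) if p not in ports]
```

With `input 'REJECT'` on the zone, wifi clients cannot reach Luci or SSH on the router, and the two port rules are what still let them get a DHCP lease and DNS answers from it.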