Setting up guest WLAN on a dumb AP issue

I have a DIR-505 A2 which I want to use as a dumb AP (my main router is the DHCP and DNS server). At the same time, I need to add a guest WLAN on it. I tried configuring it according to the guidance on the OpenWrt wiki:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

but it does not work: the client can connect to the dumb AP and get an IP address, but cannot access the internet at all.

I am using the latest OpenWrt, 19.07.2, on it.
The configuration is as follows:

uci export network

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd71:d692:a4be::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.5'
        option delegate '0'

config interface 'guest'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# uci export wireless
package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ar933x_wmac'
        option disabled '0'
        option country 'US'
        option channel 'auto'
        option htmode 'HT40'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option isolate '1'
        option encryption 'psk2+ccmp'
        option key 'xxxxxxxxxx'
        option wpa_disable_eapol_key_retries '1'
        option ssid 'guest_G'

root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '200'
        option leasetime '1h'

root@OpenWrt:~# uci export firewall
package firewall

config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config rule
        option name 'Diable Guest LAN Access'
        option dest 'lan'
        option dest_ip '192.168.0.0/24'
        option target 'DROP'
        option proto 'all'
        option src 'guest'

config rule
        option dest_port '67-68'
        option src_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        option proto 'udp'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'

config forwarding
        option dest 'lan'
        option src 'guest'

I tried to adjust some options according to the link:

But nothing changed.

During my testing, I cannot ping any IP address, nslookup any domain, or traceroute any address.

Could someone tell me how to diagnose this, or help me check whether there is an error in the configuration? Thanks!

Do your guest wireless clients get proper DHCP-issued addresses? Can you list the IP address, subnet mask, gateway, and DNS server info from one of the clients?

Can you ping the OpenWrt guest router (10.0.0.1)? What about an IP on the internet, such as 8.8.8.8? Or a domain name like google.com?

My wireless clients get IP 10.0.184, the gateway is 10.0.0.1, the DNS is 10.0.0.1, and the netmask is 255.255.255.0.

When I tried to ping 10.0.0.1, it reported "destination port unreachable".

When I tried to ping bing.com, it reported "unknown host bing.com".

When I tried to ping the IP of bing.com, there was no response at all.

So you have input REJECT on the guest zone and you've only allowed DHCP and DNS to the AP itself... pings to 10.0.0.1 will fail; the reject is what produces the "destination port unreachable" reply you saw.


If you SSH into the OpenWrt router, can you ping the internet?

I tried pinging over SSH; it reported the following:

root@OpenWrt:~# ping bing.com
PING bing.com (13.107.21.200): 56 data bytes
ping: sendto: Network unreachable

Just now, I set the gateway and DNS server on the LAN interface to the main router's gateway and DNS server, and the issue is solved; everything looks OK.
root@OpenWrt:~# ping bing.com
PING bing.com (204.79.197.200): 56 data bytes
64 bytes from 204.79.197.200: seq=0 ttl=118 time=32.142 ms
64 bytes from 204.79.197.200: seq=1 ttl=118 time=32.220 ms
64 bytes from 204.79.197.200: seq=2 ttl=118 time=31.687 ms

Pinging the internet works, and the Wi-Fi client can access the internet too.

So under these conditions, we need to configure the LAN-side gateway and DNS server with the main router's gateway and DNS server addresses. I hope the wiki can be updated if my method is right, so it can help others who may run into this kind of issue.

Thanks for your help!

Add a gateway/DNS in the LAN interface.

Note that you can edit the wiki yourself if you want (after registration).

The lan network configuration can be found in the dumb AP article, no need to repeat it in the guest WLAN on a dumb AP article.

However, I am in favour of permitting ICMP input from the guest zone in the firewall, in addition to DHCP and DNS, so that guest clients can at least ping the AP for troubleshooting. If IPv6 were used, permitting ICMPv6 would be even more important, since IPv6 relies on ICMPv6 for router and neighbour discovery.

@mpa, please see post 14 in my thread. The author intended this to be stand-alone, and I missed that, so mine did not work initially.

@johnz, I'm pressed for time at the moment. Unfortunately, what I thought were firmware issues appear to be hardware issues, and my TP-Link is now not working. I will try to look for a config backup. I reset the device and started from scratch, and got it up in one go.


I believe these files to be my "go to production" files for my dead TP-Link, but I cannot confirm. Worth noting: I used the GUI approach and have sections left over from stock that I do not see in your config.

Primary Network: 192.168.111.1
Guest Network: 192.168.31.1
NOTE: @johnz, it's good to include this framing for readers so they do not have to work out your LAN layout themselves.

In my Network => LAN section I have an `option gateway` parameter, so I'm guessing for you...
option ipaddr '192.168.0.1'

In my Firewall => Guest DHCP rule I do not have
option src_port '67-68'
and I have the `config forwarding` section above all the related `config rule` sections.

NETWORK

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.111.11'
	option gateway '192.168.111.1'
	list dns '192.168.111.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '[redacted]'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'Guest'
	option proto 'static'
	list ipaddr '192.168.31.1'
	option netmask '255.255.255.0'

WIRELESS

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ar934x_wmac'
	option htmode 'HT20'
	option channel '7'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key '[redacted]'
	option ssid '[redacted]'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key '[redacted]'
	option ssid '[redacted]'

config wifi-iface 'wifinet2'
	option ssid '[redacted]'
	option device 'radio0'
	option mode 'ap'
	option network 'Guest'
	option key '[redacted]'
	option encryption 'psk2'

DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option start '100'
	option interface 'Guest'
	option limit '110'
	option leasetime '3h'

FIREWALL

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'Guest'
	option forward 'REJECT'
	option name 'guestfw'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'lan'
	option src 'guestfw'

config rule
	option src 'guestfw'
	option name 'Block Guest Access to Private Network'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.111.0/24'

config rule
	option dest_port '80'
	option src 'guestfw'
	option name 'Disable Guest AP HTTP Access'
	option target 'DROP'

config rule
	option dest_port '22'
	option src 'guestfw'
	option name 'Disable Guest AP SSH Access'
	option target 'DROP'

config rule
	option dest_port '67-68'
	option src 'guestfw'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src 'guestfw'
	option name 'Guest DNS'
	option target 'ACCEPT'
	list proto 'udp'

There is no gateway or DNS on the LAN interface, so the masqueraded guest traffic has no upstream route and cannot reach the internet (that is the "Network unreachable" seen when pinging from the AP itself).