Setting up guest WLAN on a dumb AP (Part 2)

I have just updated my TP-Link WDR-3600 to V 19.07.2. It has spent its life as a Dumb AP with a guest network on "that other product". I am now attempting to configure this the same way, which I have done in the past using doenselmann's directions.

I have used the following recipes:
https://openwrt.org/docs/guide-user/network/wifi/dumbap
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
and read the related post
https://forum.openwrt.org/t/setting-up-guest-wlan-on-a-dumb-ap/50074?u=wrtuser

The Dumb AP internal network appears to work fine.

On the Dumb AP Guest Network, I can connect to the AP but Windows tells me I have No Internet. I can see in Windows Status that I do not have an IPv4 address, but do appear to have an IPv6 address.

The first tutorial has one disable IPv6 in Step 5, but I'm honestly not clear what I have disabled. I still see an IPv6 address in the Interface => LAN => General Settings => Status box.

In the second tutorial, I followed the GUI install as best I could (there are some GUI differences between v18 and V19) and then went and bounced the resulting config files against the tutorial. There are some differences in the firewall on some entries which I am not sure are material. An example being:

option network 'lan' vs list network 'lan'

The GUI in V19's firewall has Source Address " -- add IP --" as opposed to "any" but based on the config file I assume these are the same (but I consider a more confusing label).

Looking at the forum post, it appears that the protocol config suggested by psherman and the documentation written by WRTuser are in conflict. Specifically:

psherman
DHCP tcp+udp 67-68
DNS tcp 53

WRTuser
DHCP tcp 67-68
DNS tcp+udp 53

Tried both with no success.

I am also not really clear what I should see on the Dumb AP's Overview when the Guest is connected. I would like to think I would see the Guest under Leases, but see nothing. I do see the SSID under Wireless radio 0 and an entry under Associated Stations with this as "Master".

Any troubleshooting suggestions are appreciated.


These 2 guides are not exactly compatible with each other.
DumbAP turns off DHCP and just bridges Wifi with LAN. The firewall is also not interfering. There must be another router and DHCP server for it to work.
The guestwifi_dumbAP terminates the guest wifi on the OpenWrt, so the firewall is used, DHCP is used, DNS may be used.
So it depends on your solution. Maybe you can explain here what you want to achieve and we can help you with that.

DHCP is UDP 67 on the server, 68 on the client.
DNS is UDP 53; TCP is used to transfer zones, you don't need it for the guests.

My router (PC-Engines ALIX) runs on 192.168.111.1 and does all the normal router things plus VPN and USB. It has no wireless.

I have a TP-Link WDR3600 which I would like to be an AP with 2.4G and 5G "internal" (all access) WLANs (done, I think). I also would like to create an additional Guest WLAN on the 2.4G band that only offers internet access.

As I understand the Dumb AP with Guest recipe, it's basically creating a DHCP server (in my case 192.168.31.1) for the guest, isolates it from the primary LAN and sends the traffic through the TP-Link LAN to my primary router and then the internet.

I think I am basically trying to do what the OP of the original post wanted to do, but his primary router was his ISP's, if I understand his drawing.

I did freshen up the ports as you suggested with no joy. Devices connect but get an IP in the dreaded 169.254 range.

Just also noticed that in the original post (19) that there are 2 rules in the post that did not make it into the wiki.

config rule
        option src 'guest'
        option target 'DROP'
        option dest_port '80'
        option proto 'tcp udp'
        option name 'Disable Guest AP HTTP Access'

config rule
        option proto 'tcp udp'
        option name 'Disable Guest AP SSH Access'
        option src 'guest'
        option dest_port '22'
        option target 'DROP'

I am of the opinion that the order of things may be relevant, but not sure.

If you already have a good router, then I suggest you leave the AP dumb on both internal and guest. Separate them into 2 different VLANs and let the Alix do the DHCP/routing.

These are for accessing the web interface and ssh of the router. Usually guests don't need such access.

Sorry to report that VLANs (indeed a lot of this) are beyond my skill set.

I used the original Michi's blog, which I think this is based upon, back in the V15 days to set this up on other hardware. Was hoping for a relatively easy redux.

It's one thing to have an IP address and not get Internet.

What is bothering me is that I can not get an IPv4 address and am wondering if there is something more fundamental in my DHCP server config?

So re-reading your original post...

the Basic Dumb AP config has me turn off the firewall, dnsmasq and odhcpd in step 6. Am I correct that to use the "guest WLAN on a dumb AP" I need these turned on?

If I need the firewall to process the additional rules, and it has been disabled all along, then it seems like the lack of IP is the first thing to fix??

Let's better have a look at your configuration. If you don't like VLANs then we'll look at a semi-routed scenario, with the guest network routed and the internal network bridged.
uci export network; uci export wireless; uci export dhcp; uci export firewall
Redact any sensitive data, like usernames, passwords, keys etc.

When you're routing guests on the OpenWrt box, firewall and dnsmasq must be running. odhcpd is for IPv6; you can leave it disabled in an IPv4-only situation.

The locally routed guest scenario makes sense in many cases, but with wired links from all your APs to a powerful main router it is better to centrally route. Set up VLANs and have the AP be dumb for both the trusted users and guests.

I have re-enabled dnsmasq and firewall and now get an IP address. Yeah! Thank you!

I have enabled the Traffic Rules for Guest DHCP and Guest DNS, but the others are disabled for now. I expect that I only need those to further restrict traffic after I can get to the internet.

Network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.111.11'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '[redacted]'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'

Wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ar934x_wmac'
	option htmode 'HT20'
	option channel '7'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key '[redacted]'
	option ssid 'BlackStar'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key '[redacted]'
	option ssid 'WhiteStar'

config wifi-iface 'wifinet2'
	option ssid 'Excalibur'
	option encryption 'none'
	option device 'radio0'
	option mode 'ap'
	option network 'Guest'

DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option start '100'
	option interface 'Guest'
	option limit '110'
	option leasetime '3h'

Firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'Guest'
	option forward 'REJECT'
	option name 'guestfw'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'lan'
	option src 'guestfw'

config rule
	option src 'guestfw'
	option name 'Block Guest Access to Private Network'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.111.0/24'
	option enabled '0'

config rule
	option dest_port '80'
	option src 'guestfw'
	option name 'Disable Guest AP HTTP Access'
	option target 'DROP'
	option enabled '0'

config rule
	option dest_port '22'
	option src 'guestfw'
	option name 'Disable Guest AP SSH Access'
	option target 'DROP'
	option enabled '0'

config rule
	option dest_port '67-68'
	option src 'guestfw'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '53'
	option src 'guestfw'
	option name 'Guest DNS'
	option target 'ACCEPT'
	list proto 'udp'

Thanks for your help!

The config looks correct to me, well done!

Even a blind squirrel gets a nut every once in a while.

I needed to make some additional changes in order to get connected.

1 - Somewhere along the way I lost the Gateway and DNS for the LAN connection on the AP. This should have been done in the original Dumb AP config, but I'm not sure it was. It did work however.
2 - I removed the DNS on the Guest, but not sure this was relevant to getting it working.
3 - Firewall rules for DHCP and DNS must be enabled. Not clear why, I thought these only brought back services after the "Block Guest Access to Private Network" rule.

FWIW, I am on Windoze 10 and used the Network Sharing => Adapter Settings and disabled/enabled the wireless while the router rebooted between changes. After making the above changes I saw that the Guest indicated it was connecting to the Internet, but it was unable to actually connect until I rebooted the PC.

With the Firewall Rules for DNS and DHCP enabled I can reach the Web Pages for my NAS, Network Printer and Router but not the Dumb AP, which was unexpected at this point. I can not reach any of the local shares in File Explorer.

After enabling the Rule for "Block Guest Access to Private Network" I was unable to access any of the above pages or Network Shares.

Same results after enabling the rules for "Disable Guest AP HTTP Access" and "Disable Guest AP SSH Access". At this point I also tested accessing the router with WinSCP (I'm a dumb Windows user.. Lot of dumb stuff here) and was unable to connect. A good thing.

As best I can tell this is now all working as desired. Thank you both!

I'm getting a respectable 31 down, 16 up which is in line with my "internal" wireless performance on 2.4G. Good enough for my guests.

SUMMARY OF CHANGES FROM WIKI

1 - FIREWALL and DNSMASQ must be re-enabled. (System => Startup). The Dumb AP Wiki disabled these.
2 - Firewall rule protocol for "Guest DHCP" should be UDP only. (Network => Firewall => Traffic Rules)
3 - Firewall rule protocol for "Guest DNS" should be UDP only. (Network => Firewall => Traffic Rules)
4 - Firewall rule for "Disable Guest AP HTTP Access" is not included in the wiki but is in the original post.
5 - Firewall rule for "Disable Guest AP SSH Access" is not included in the wiki but is in the original post.

All these are kinda expected, as you are trying to combine two different approaches and configurations.
The dumbAP guide doesn't use the firewall or DHCP; the guestwifi one does.
For 4 and 5, they are not needed as the option input for the Guest zone is REJECT.

Hey @RangerZ,

It is unfortunate that the wiki post I wrote caused you some confusion.
To make it clearer for future users, I want to iterate through your points and update the wiki as necessary:

  1. The setup here https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap is a standalone setup and works without having to follow the DumbAP one.
  2. The firewall rule for guest DHCP is already set up as udp for ports 67 and 68.
  3. The firewall rule for DNS can be udp+tcp, but as @trendy mentioned it's for transferring zones, is not necessary but can't hurt either (I think?)
  4. & 5. The rule # Disable guests to access devices in the 192.168.1.xxx range should reject all traffic from guest to other devices on all protocols. I am not sure why this is not working for you?

My setup is a little different nowadays, having set up a vlan for the guest AP.
And I am using the WAN port to connect my router to the modem (still a dumb ap, cannot bridge due to ISP modem not allowing it.)
This allows me to have 4 ports left on the router.

Port 68 is not needed, it is used by the DHCP client as the source port. The DHCP server listens on port 67.

It depends how tight you want the firewall to be. Since you don't trust the guests and want to give them only minimum access, udp is enough.

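To see why rules 4 and 5 are redundant and why a UDP-only rule is enough for the guests, the following added example (not code from this thread or from OpenWrt) evaluates a constructed abridgement of the guest-zone part of the firewall export posted above the way fw3 does: enabled rules in order, first match wins, then a forwarding entry, then the zone's default policy. It is a simplified model that ignores family, src_ip and icmp_type matching.

```python
import ipaddress

# Constructed abridgement of the `uci export firewall` posted above: only the
# guest zone and its rules, with the block rule enabled as the poster later did.
FIREWALL = """
config zone
	option name 'guestfw'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding
	option src 'guestfw'
	option dest 'lan'
config rule
	option src 'guestfw'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.111.0/24'
config rule
	option src 'guestfw'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'
config rule
	option src 'guestfw'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'udp'
"""

def parse_uci(text):
    """Split a UCI export into sections; each option/list value is stored as a list."""
    sections = []
    for parts in (line.split(None, 2) for line in text.splitlines() if line.strip()):
        if parts[0] == 'config':
            sections.append({'.type': parts[1]})
        else:  # 'option' or 'list'
            sections[-1].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def decide(sections, src, dest, proto, dport, dest_ip):
    """Verdict for zone src -> zone dest ('input' = the AP itself): rule, forwarding, policy."""
    for s in sections:
        if s['.type'] != 'rule' or s.get('enabled', ['1'])[0] == '0':
            continue
        # fw3 defaults for an unset match: tcp+udp, any port, any destination address
        protos = ' '.join(s.get('proto', ['tcp udp'])).replace('tcpudp', 'tcp udp').split()
        lo, _, hi = s.get('dest_port', [str(dport)])[0].partition('-')
        nets = s.get('dest_ip', ['0.0.0.0/0'])
        if (s.get('src', [None])[0] == src and s.get('dest', ['input'])[0] == dest
                and (proto in protos or 'all' in protos)
                and int(lo) <= dport <= int(hi or lo)
                and any(ipaddress.ip_address(dest_ip) in ipaddress.ip_network(n) for n in nets)):
            return s['target'][0]
    zone = next(z for z in sections if z['.type'] == 'zone' and z['name'][0] == src)
    if dest == 'input':
        return zone['input'][0]
    if any(f['.type'] == 'forwarding' and f['src'][0] == src and f['dest'][0] == dest for f in sections):
        return 'ACCEPT'
    return zone['forward'][0]
```

With this excerpt, SSH and HTTP to the AP from the guest zone are already REJECTed by the zone policy without rules 4 and 5, DNS over TCP is rejected because only UDP 53 is opened, and guest traffic to the internet passes through the forwarding to the lan zone, which is why the lan zone's masquerading matters.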

@WRTuser I'm very glad you found this thread. I very much appreciate you authoring this!!

I missed that this was stand alone for a few reasons.

  • First sentence includes reference to Dumb AP
  • I pretty much went right to the GUI config
  • Michi's original blog started from the Dumb AP

I now see the reference under Manual configuration "...default configuration". This was substantially my mistake. I will suggest the edit below.

This documentation is written to help you set up a guest WLAN on a dumb AP. The changes below assume an OpenWrt default configuration.  

For more information on setting up only a dumb AP see Dumb AP / Access Point Only.

All of the issues related to the firewall rules were related to some form of discrepancy between content in the 2 posts and the wiki.

  • Items 2 & 3 were clarifications on protocols.

  • Items 3 & 4 in the post, but missing from the wiki. Per @trendy , not needed, but not clear to the naive like myself.

I had tried to implement Michi's process recently, but ran into too many differences in the V19 menus compared to the probably V15 it was based on, and aborted the config due to time.

Interestingly I found an old post of mine related to this which tells me to turn on the firewall and yours actually says turn on DHCP (post 12).

Thanks again

@ulmwind, fyi

Thanks, I have updated the wiki accordingly!

My dumb AP is not that dumb, to be fair.
I disabled DHCP on the modem provided by the ISP and let the openwrt router handle the DHCP.
But if you have another DHCP server it can handle this also, e.g. pihole.

Hi @RangerZ,
As you suggested here, I am answering your comment:

I am not clear on the static route's purpose or how to configure this

The static route is needed for the router to know where to find your guest subnet in your home.

Let's say, as an example:

  • 192.168.1.0/24 is your lan.
  • 192.168.2.0/24 is your guest subnet.
  • 192.168.1.253 is the lan address of the dumb AP on your LAN.
  • 192.168.1.254 is your router

Now imagine your guest connects their PC or phone with 192.168.2.10.
When they go to www.openwrt.org, the connection will follow this way:
192.168.2.10 => 192.168.1.254 => the internet => www.openwrt.org server
OK, now the data comes back from the openwrt website to your guest machine:
www.openwrt.org => the internet => xx.xx.xx.xx (your public internet IP) => 192.168.1.254 ..... and .... well, your router will desperately wonder where to find this 192.168.2.10 that is not a member of your LAN.

The static route is here for this: it has to be set in the router, not in the dumb AP.
The principle is just to say "if you look for 192.168.2.0/24, please forward to 192.168.1.253 (LAN IP of your dumb AP)", because your dumb AP will know where to find 192.168.2.10.

Then, how to set a static route may vary depending on your router, but you should easily find a static route section.
Setting it is not very difficult. Basically, you have to set a target network (your guest subnet) and a gateway (here the gateway is the LAN address of the dumb AP).

There may be different ways to proceed. As I said on the other thread, I followed this howto.
According to the website, this static route idea is a way to avoid double NAT; that could be an alternate way to proceed (I must admit I didn't check all the other links).

Hope that helps.


Placing option masq '1' on the LAN network solves this. Traffic from the 192.168.2.0 network will be NATted to have a return address of 192.168.1.253. Thus the main router does not need to carry a route all the way back to the guest user at 192.168.2.X. The locally routed guests appear to be internal use from the AP as a single device on the main router's LAN.

Though home users on its regular AP are bridged to their own 192.168.1.X address. This is the original function of the dumb AP. Adding local DHCP and NAT for guests makes it not so dumb.
