OK, in configuration from initial state my question is not applicable, it makes sense only in Dumb AP being already configured. I don't know, why it doesn't work, please, write option src before option dest in config forwarding. There is also strange option
option gateway '192.168.1.254'
in lan configuration.
Swapping dest and src and restarting firewall had not effect.
the
option gateway '192.168.1.254'
is there for the dumb AP to work.
I tried removing it and restarted network.
This caused me to be unable to ping anything on the outside (from my 192.168.1.xxx connected devices)
Step 3 when configuring via the GUI
https://openwrt.org/docs/guide-user/network/wifi/dumbap
Except that my 'dumb ap' does have dhcp enabled.
Got it. Now your router is configured as Dumb AP. So it is connected to main router via lan interface. The problem is in 'masq' option for this interface. Clients of guest wireless interface should use masquerading, so you should set 'masq' to 1 for lan interface. I don't know effect on Dumb AP operation. So you should enable 'wifi'->'lan' forwarding (already done), and set 'masq' to 1 for lan zone.
You're a saint!
it worked, thank you so much!
I don't know what masquerading does, I will have to read up on that.
You are welcome! Masquerading changes IP address of sender by IP address of router itself. So router remembers in its table port number, and changes IP of reverse packet correspondingly.
Thanks again!
Took the whole weekend to get it working, just had to tick 'masq' on lan.
Unbelievable ^^"
Now to play around with the firewall to isolate things
p.s. I want to add this to the official openWRT wiki, would calling it " Configure a guest WLAN on a Dumb AP" be the correct title for it?
At your disposal, to my mind it is correct. Sorry, why whole weekend, if your first message is dated 3 hours before?
I started trying to set it up on Friday evening.
Then spent most of Saturday on it.
After spending a good chunk of today on it, I decided to ask the community for help.
And there you were ;)!
For anyone stumbling upon this thread:
to finish up the firewall to isolate guests completely
add the following to /etc/config/firewall
config rule
option src 'guest'
option dest 'lan'
option name 'Disable Guest LAN Access'
option proto 'all'
option dest_ip '192.168.1.0/24'
option target 'DROP'
config rule
option src 'guest'
option target 'DROP'
option dest_port '80'
option proto 'tcp udp'
option name 'Disable Guest AP HTTP Access'
config rule
option proto 'tcp udp'
option name 'Disable Guest AP SSH Access'
option src 'guest'
option dest_port '22'
option target 'DROP'
The first rule disables people on the guest network (192.168.2.xxx) to access anything on the private network (192.168.1.xxx)
The second rule disables access to the router from the guest network.
The third rules disables ssh access to the router from the guest network.
A writeup has been added to the official openWRT documentation
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-dumbap
Unfortunately I don't have the rights to add pictures, otherwise I'd also show how to do it via the LuCI webinterface.
@WRTuser - nice writeup.
One potential suggestion to consider with respect to the firewall. Consider dropping all connections from the guest network to the dumb-ap device (that is now also routing the guest network) and then selectively allowing services of interest (usually DHCP and DNS). This way, the guest network can not access the router at all, except as explicitly permitted by the firewall rules.
To do this, the default action on the guest zone would be reject for input, and two traffic rules would be enabled for DHCP (tcp+udp 67-68) and DNS (tcp 53),
Also - in your writeup, the guest zone addition to the firewall was neglected -- might be useful to show that, too.
Thanks for this writeup!!
You do have rights to upload pictures.
https://openwrt.org/meta/adding_images_to_openwrt_wiki#troubleshooting
When the media manager opens,
your very first action should be to change to themedianamespace, and possibly further down until you have reached the namespace to which you want to upload the picture.
Thanks for the heads up, I have added the guest zone to the firewall on the wiki.
I have been playing around with your suggestion to Reject input and only allow DNS and DHCP, haven't gotten this to work yet.
When I reject input on the guest zone and I enable the traffic rule for DHCP.
I can ping devices on the 192.168.1.xxx subnet and ssh to them.
Also I can log into my gateway at 192.168.1.254.
config rule
option dest_port '67-68'
option src 'guest'
option name 'Guest DHCP'
option target 'ACCEPT'
option proto 'udp'
config rule
option dest_port '53'
option src 'guest'
option name 'Guest DNS'
option target 'ACCEPT'
option proto 'tcp udp'
I suppose I still have to add rules to block guest -> lan
config rule
option name 'Disable Guest LAN Access'
option dest 'lan'
option target 'DROP'
option proto 'all'
option src 'guest'
option dest_ip '192.168.1.0/24'
With the above added, everything works as before (and I suppose even better as all other ports are blocked).
So only these 3 rules are needed ;).
@WRTuser - Sorry if I caused any confusion about the rulesets. Yes, you still need the drop Guest > LAN access rule, as you have found and described. My intent was to prevent the guest network from accessing your secondary router itself (i.e. the dumb AP that is creating the guest network) on all ports except for those explicitly allowed.
That said, the three rules (plus the input reject for the guest network) is what I was aiming for, and in my experience does indeed work as intended (and hopefully is compliant with best practices -- I'm sure there are other people far more knowledgeable about firewall/security considerations who might be able to chime in if I have this wrong).
Thanks, I have updated the wiki to reflect the changes 
As far as I can tell, this is much better than what I initially had with the firewall.
Can you please cut off the unnecessary whitespace in pic5.jpg?
Whitespace is not that informative 
and just wastes screenspace.
Thanks!
P.S.: And next time please name the uploaded pictures in a usefull way. (Don't worry, I will do that later for the pictures uploaded by you today)
Hey @tmomas, I've updated picture 5.
I was hoping I could edit the names after uploading (can't see that option).
Thanks in advance for renaming them
Can you post your entire firewall setup for us following along?
edit: do you know if any additional setup is required if DNS over TLS was setup for your LAN?
FYI - I have renamed the pictures and also moved the page to https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap ('-' is not a word separator in the wiki, therefore replaced with '_')
Hey @glik22,
the entire firewall setup is at step 4a & 4b at
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
Everything else I haven't touched and is as it is out of the box.
For a visual representation you can check out step 3 at the webinterface config.
Also I haven't set up DNS of TLS (or HTTPS), but as I quickly scrolled the web and I think
if you set up your DNS server to 1.1.1.1 (i.e. cloudflare) they take care of it.
Don't know much about setting up a self-hosted DNS resolver, you could try setting up a Pi-Hole
as your DNS server which comes with many benefits.
https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/
Less to do with openWRT than with pihole.
p.s.
thanks @tmomas
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.