I would like to request your help to create a Guest Wifi network (for IOT devices) on a separate subnet (..188.x) with internet access but no access to my private local network (..178.x).
The private LAN and guest network are fully functional on the main router with OpenWrt v19.07.4 by following this guide
On the 2nd access point device with OpenWrt (with DHCP disabled in private LAN) the private LAN is working but the guest network is connecting without having internet access. After connecting a device with this AP I get the message: ‘connected, no internet’. I can ping 22.214.171.124 but not www.openwrt.org.
I tried multiple guides from the wiki and read multiple forum topics. See some examples below. I expect the cause is somewhere in the firewall settings or in the traffic rules. For troubleshooting I disabled the ‘Block Guest access to private network’ firewall rule for now, but I cannot fix the issue.
Some helpful guides used:
I found this a helpful LuCI guide (tried adding the masquerading option in LAN):
Helpful forum topic (resulted in updated wiki):
Tried adding an ‘Allow-Guest-Forward’ rule without success:
Any help is much appreciated, because currently I am stuck.
When a guest client connects to the second AP, which dns server does it get from dhcp? It should be 192.168.188.50.
Does the secondary AP have a valid dns forwarder? Normally it should get it from the wan interface, but if it is not utilized, then you'll need to add one in lan interface.
That means that routing works but DNS cannot look up names. As @trendy said, your dumb AP (now not so dumb) should be offering a DNS service to the guests and forwarding requests up the line, either to your main router or directly to a third party. For this to work, an option dns must be set in its lan configuration.
When a client connects to the second AP on the guestwifi it's getting the IP: 192.168.188.128, with gateway 192.168.188.50, subnet mask 255.255.255.0 and DNS: 192.168.188.50.
I am not fully sure if my DNS forwarder is set correctly; I have only set up a firewall traffic rule for DNS (port 53) on both devices.
Could you elaborate how I set this option dns to the lan configuration to allow for this forwarding up the line?
@mk24, adding the option with vi to /etc/config/network was the trick that fixed my issue. The guestwifi can now indeed browse the internet! Many thanks.
One follow-up question. Now I also activated the firewall rule to block the access from guest subnet to the private LAN. The strange thing is that from the .188.x devices I can still ping a 178.x device. I was expecting this to be blocked by this rule. Is this normal behavior or do you need to isolate the guest subnet further?
```
config rule
        option name 'Block Guest access to private network'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'DROP'
```
Thanks for the help. Setting the protocol to 'any' fixed the issue. Now indeed the subnet 188.x cannot ping 178.x anymore. The wifi guest network is now fully functional on both OpenWrt devices.
Next step for me would be adding the wired RJ45 connections to the 188.x subnet on both devices. After looking through the forum and wiki, VLANs and tagging seem to be the correct approach. I see many users struggling with this setup. Do you have a good starting point (easy to follow) you would recommend for setting this up correctly for my situation?
Make a new VLAN, number 3. Move one of the LAN hardware ports (2, 3, 4, or 5) out of VLAN 1 and into VLAN 3. Attach eth0.3 to the guest network. Guest network must be a bridge to have more than one physical interface (here it is an AP and an eth port).
@mk24, again thanks for the guidance. I got it figured out and fully working including RJ45 LAN ports to the guest network.
Edit: Because both devices use the same SSID and DHCP server, I have now also enabled 802.11r to improve wifi fast roaming between the two devices.
After diving in a bit deeper I discovered one issue on the network.
The private LAN is fully functional and always gets an IP from the 192.168.178.250 DHCP server and connects to DNS and gateway 192.168.178.250.
The guest WLAN on the 2nd access point (192.168.188.50) is not using the DHCP server of the guest main router (192.168.188.1) correctly. When having a 2nd DHCP server on this AP the devices are connecting (but not seamlessly). When I disable the DHCP server at the AP guest interface this device is not functional anymore. I tried to set a custom DNS and/or gateway to the main router 192.168.188.1 or 192.168.178.250, but without success in linking them.
What would be the correct approach to set DHCP, DNS, gateway (use masquerading?) to get the guest LAN (188.x) on the AP and router correctly linked?
The firewall needs to allow guests ports 53 and 67 on the AP. Their DHCP and DNS should be the AP's OpenWrt via its guest interface 192.168.188.50. (To reduce confusion, conventionally gateways are configured at .1 rather than some IP in the middle of the network.)
If you wanted guests to DNS directly from the main router (which I would not recommend) then the firewall that blocks guests from all of 192.168.178 would need that exception.
The IP allocation is bad. You are using the 192.168.188.X on both routers even though they are not bridged. Luckily there is no conflict because they are isolated and NATed, but still it causes some confusion.
Guys thanks for all your help I am learning a lot. After your advice, I changed my setup to use for the guest both different subnets (188.x) and (198.x). The issue is now isolated to the guest AP (..198.1). When I connect a device to this AP I get:
I think I have isolated this issue.
Due to the many changes and testing, my /etc/config/network had changed at the 'lan' interface. After correcting the settings as below I have regained internet access at the AP.
The only function I cannot get to work for the guest wifi is 802.11r (fast roaming), because the guest network shares the SSID but not the DHCP server anymore.
```
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.178.253'
        option netmask '255.255.255.0'
        option gateway '192.168.178.250'
        option dns '192.168.178.250'
        option ip6assign '60'
```
You don't need a third network. Your second AP should be truly dumb. It should bridge guests from its wifi back to the first AP (also known as the guest router) using the guest VLAN on the cable*. The first AP will assign wifi guests (on either AP) IPs in the 192.168.188 range and NAT them to the Internet using the main LAN router as gateway.
I think that the dumb AP needs to hold an IP on the guest network for 802.11r to work. Other than that function, it does not. Definitely, you must roam on the same network, regardless of how inter-AP communication occurs.
Typically these are set up with an unmanaged bridge between wifi and a wired VLAN but again I don't know if that breaks 802.11r.
The cable between the two APs should be a true trunk with two tagged VLANs: VLAN1 for the main trusted LAN and VLAN3 for the guests. Do not try to run untagged and tagged packets on the same cable.
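The layout mk24 describes above, written out as UCI config, as an added example that is not from any post in this thread. It assumes a swconfig switch named 'switch0' with CPU port 0, the trunk cable on port 1 and a guest RJ45 port on port 4, the 'eth1' naming from the OP's own lan config, and placeholder SSID, key and mobility domain; it also carries the thread's block rule with the 'any' protocol fix from earlier in the thread, on the guest router side.

```ini
# Dumb AP (192.168.178.253): /etc/config/network
# Trunk on port 1 carries VLAN 1 and VLAN 3 tagged only, as recommended above.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1t 2 3'      # trusted LAN: tagged to CPU and trunk, untagged on ports 2,3

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 1t 4'        # guest: tagged to CPU and trunk, untagged on RJ45 port 4

config interface 'guest'
        option type 'bridge'
        option ifname 'eth1.3'        # guest VLAN from the trunk (guest SSID joins via wireless config)
        option proto 'static'         # an address on the guest network, for the 802.11r case mk24 mentions
        option ipaddr '192.168.188.50'
        option netmask '255.255.255.0'
        # no gateway and no dns here: the guest router at 192.168.188.1 serves guests

# Dumb AP: /etc/config/dhcp, so this box never hands out guest leases
config dhcp 'guest'
        option interface 'guest'
        option ignore '1'

# Dumb AP: /etc/config/wireless (guest SSID; placeholder values)
config wifi-iface 'guest_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'GuestWifi'
        option encryption 'psk2'
        option key 'CHANGE-ME'
        option isolate '1'            # guest clients cannot reach each other over wifi
        option ieee80211r '1'
        option mobility_domain '4f57' # must match on both APs for fast roaming

# Guest router (192.168.188.1): /etc/config/firewall, the thread's rule with the fix
config rule
        option name 'Block Guest access to private network'
        option src 'guest'
        option dest 'lan'
        option proto 'any'            # default is tcp/udp only, which is why ICMP ping still got through
        list dest_ip '192.168.178.0/24'
        option target 'DROP'
```

The guest router keeps its existing guest interface, DHCP and masquerading; only the block rule above changes there.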