[Solved] Cannot configure guest wireless correctly on OM2P

Hi,

I am using several OM2P as APs; they have 2 ports (wan/lan). I actually only use the lan port, because I use them as APs and not as gateways. I was able to set up a private/bridged wireless without any problems. But I am not able to configure a guest wifi, even following the simple instructions on https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan. I can run all the configuration given at that page, but when I connect to the guest wireless, a tracert stops at the static IP of the guest wifi AP.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
192.168.0.0     *               255.255.252.0   U     0      0        0 br-lan
192.168.30.0    *               255.255.255.0   U     0      0        0 wlan0-1
# /etc/config/network as posted in the first message.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd47:8fc8:6cc1::/48'

# 'lan' and 'wan' are each a bridge over one ethernet port and obtain their
# address by DHCP, i.e. the AP itself is a client of the upstream router.
config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option type 'bridge'

# Interface wrapping the private SSID; 'proto none' means it carries no
# IP configuration of its own.
config interface 'lanpriv'
        option enabled '1'
        option ifname 'ssid_priv'
        option mtu '1500'
        option proto 'none'

# Bridge device for the guest network. No ethernet port is listed here, so
# presumably only the guest SSID (attached via its 'network' option) ends
# up in this bridge — verify with 'brctl show' / 'bridge link'.
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

# Guest interface: the AP is the static gateway 192.168.30.1 for guests.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
# /etc/config/wireless as posted in the first message.
# country '00' is the world regulatory domain; channel selection is automatic.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'HT20'
        option disabled '0'
        option channel 'auto'
        option country '00'

# Private SSID (WPA/WPA2-PSK mixed mode).
config wifi-iface 'wifi_ssid_priv'
        option device 'radio0'
        option disabled '0'
        option encryption 'psk-mixed'
        option ft_over_ds '1'
        option ft_psk_generate_local '0'
        option hidden '0'
        option ieee80211r '0'
        option ieee80211w '0'
        option ifname 'ssid_priv'
        option isolate '0'
        # NOTE(review): a real pre-shared key was pasted into a public post;
        # treat it as disclosed and rotate it on every AP that uses it.
        option key 'lucas15.20'
        option macfilter 'disable'
        option mode 'ap'
        # The private SSID is attached to three networks at once (lan, wan,
        # lanpriv); the reply below proposes simplifying this.
        option network 'lan wan lanpriv'
        option reassociation_deadline '1000'
        option rsn_preauth '0'
        option ssid 'Michael PRIV'
        option wds '0'
        option wmm '1'

# Guest SSID: open (no encryption), attached only to the 'guest' network.
config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'none'
# /etc/config/dhcp as posted in the first message.
config dnsmasq 'dnsmasq1'
        option authoritative '1'
        option boguspriv '1'
        option domain 'lan'
        option domainneeded '1'
        option expandhosts '1'
        option filterwin2k '0'
        option leasefile '/tmp/dhcp.leases'
        option local '/lan/'
        option localise_queries '1'
        option localservice '1'
        option nonegcache '0'
        option nonwildcard '1'
        option readethers '1'
        option rebind_localhost '1'
        option rebind_protection '1'
        option resolvfile '/tmp/resolv.conf.auto'

# 'ignore 1' on lan and wan: the AP hands out no leases on the wired side,
# leaving DHCP there to the upstream router.
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool: 150 addresses starting at .100, 1-hour leases.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option netmask '255.255.255.0'
# /etc/config/firewall as posted in the first message.
# NOTE(review): no 'lan' or 'wan' zone appears in this listing, yet the two
# forwardings below name them as destinations; either the zones were
# omitted from the post or the forwardings have nothing to match.
config defaults 'defaults'
        option forward 'REJECT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'

config include 'include1'
        option path '/etc/firewall.user'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

# Guest zone: traffic to the AP itself is rejected except where a rule
# below explicitly accepts it (DNS and DHCP).
config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding 'guest_lan'
        option src 'guest'
        option dest 'lan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

Any help would be very welcome :slight_smile: !

There is a specific guide for your case.

I did exactly what they do, but I have the problem that as soon as I bridge the wireless to the lan port, it does not take the lease from the guest dhcp but from lan. If I remove the bridge to lan, the lease is taken from guest, but there is no access to the internet.

Change this to

# Proposed guest interface: static address only, with no 'device' or
# ethernet-port binding, so the guest SSID is presumably its sole member.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

Remove this from /etc/config/firewall

Enable masquerading on the lan zone and create a rule blocking guest access to the lan as described at the end of the guide


Follow what @pavelgl has suggested. But you might need to recreate the lan zone in the firewall — your firewall config file doesn’t seem to have a lan zone. Did that get omitted from the post, or did you remove it from the actual firewall configuration?


I tried your recommendation, but with the same result: if I bridge to LAN, I get an IP from the DHCP server of my private network; if I do not bridge and define forward rules, I get the correct IP lease from the AP, but it does not forward. I am not really an expert at this interface & firewall stuff, but I tried several approaches from OpenWrt tutorials I found. All have the same problem.

I reduced my whole configuration to just this guest network, to reduce the config posted here. I also bridged eth0 & eth1 into one lan interface, as the AP is connected to the lan through only one of the two ports.

So this is my entire configuration: interface (network), wireless, dhcp and firewall. I have no clue why it does not work.

root@OpenWrt:/etc/config# cat network

# /etc/config/network, reduced configuration.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd61:e28b:36c8::/48'

# 'lan' bridges both ethernet ports and takes its address by DHCP.
config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth0 eth1'

# NOTE(review): 'guest' lists the same ports (eth0 eth1) as 'lan', so two
# bridges compete for the same physical ports; the thread later identifies
# the ifname/bridge lines here as the main problem and drops them.
config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0 eth1'
        option ipaddr '192.168.10.1'
        option type 'bridge'

root@OpenWrt:/etc/config# cat wireless

# /etc/config/wireless, reduced configuration (fixed channel 7, HT40, country BR).
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0'
        option channel '7'
        option country 'BR'
        option htmode 'HT40'

# Main SSID 'ap' on the lan network. No 'encryption' option is shown here,
# presumably an open network in this reduced config — confirm before use.
config wifi-iface 'wifinet0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'ap'

# Open guest SSID attached only to the 'guest' network.
config wifi-iface 'wifinet1'
        option ssid 'guest'
        option encryption 'none'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'

root@OpenWrt:/etc/config# cat dhcp

# /etc/config/dhcp, reduced configuration.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

# 'ignore 1' disables the DHCP server on lan: the pool, dhcpv6 and ra
# options here are inert while it is set.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool: 150 addresses starting at .100, 12-hour leases.
config dhcp 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'guest'

root@OpenWrt:/etc/config# cat firewall

# /etc/config/firewall, reduced configuration.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option drop_invalid '1'
        option synflood_protect '1'
        option forward 'REJECT'

# lan zone with masquerading: guest traffic forwarded into lan leaves with
# the AP's own lan address as source.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'
        option masq '1'

config include
        option path '/etc/firewall.user'

# NOTE(review): 'input ACCEPT' lets guest clients reach every service the
# AP itself listens on (e.g. its management interfaces). The guest guide
# uses 'input REJECT' plus the DHCP/DNS rules below; with ACCEPT here those
# two rules have no effect.
config zone
        option name 'guest'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guest'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Allow_guest_DHCP'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option dest_port '53'
        option name 'Allow_guest_DNS'

# DROP guest->lan traffic; rules are expected to be evaluated before the
# zone forwarding below, so this should win over it — verify with
# 'iptables -L zone_guest_forward' after reload.
config rule
        option dest 'lan'
        option src 'guest'
        option name 'block lan for guest'
        option target 'DROP'

config forwarding
        option dest 'lan'
        option src 'guest'

Any good idea would be very welcome! Thanks to everyone who tries to figure this out with me.

I made the correction from @pavelgl and also made sure the lan zone is created and allocated correctly, but without any luck.

Make guest look like this:

# Proposed guest interface: static address only, with no ethernet ports and
# no bridge type, so it no longer shares eth0/eth1 with 'lan'.
config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.1'

This is the main problem... remove this:

Those two changes should make it work, but will also allow the guest network to access the lan network. Let's test that my assertion is correct and then we will deal with the isolation of the two networks once it is generally working.

You made my day! :slight_smile:

So now I need to find a way to block lan access. Then the configuration is perfect.

blocking the lan access is really simple. It is this rule below:

# Drop any guest traffic, any protocol, whose destination falls in the main
# LAN subnet, regardless of destination zone.
# NOTE(review): the routing table earlier in the thread shows the LAN as
# 192.168.0.0/22 (netmask 255.255.252.0); if that is still the case, a
# 192.168.1.0/24 entry covers only a quarter of it — use the real prefix.
config rule
        option name 'Block LAN from Guest'
        list proto 'all'
        option src 'guest'
        option dest '*'
        list dest_ip '192.168.1.0/24'
        option target 'DROP'

the destination IP should be the network for your main LAN... if it's not 192.168.1.0/24, substitute accordingly. If it is a /24, make sure you use the .0/24 at the end so you specify the entire network (if you use say .1/24, it would just block the individual host at 192.168.1.1).

Just figured that out now, it works perfect! Thank you so much @psherman!

Awesome! Glad it's working!!
