[Solved] Can't get dumb AP + Guest to work

Hello there,

I have a Netgear WAX220 flashed with OpenWrt v23.05.0
This WiFi AP has only one Ethernet port, and I think that's the cause of all my suffering. You'll tell me.

I followed the dumb AP guides, https://openwrt.org/docs/guide-user/network/wifi/dumbap and https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap.

I have one ISP modem/router which sits between WAN<->LAN, which is doing DHCP and forcing a DNS server on all DHCP clients. The router is 192.168.1.254, the DNS is local at 192.168.1.252 (it's a pihole).

I have one WiFi SSID that is plugged to the lan interface.
The lan interface is static at 192.168.1.253 without a DHCP server.
This SSID works fine. Clients connect to the SSID, and they get an IP that the ISP's router DHCP is providing. All good.

What doesn't work is the guest SSID.
The guest interface is static at 192.168.2.1 with a DHCP server which is plugged to an empty device.

When a client connects to the guest SSID on android, they get an "Obtaining an IP address..." and nothing happens. If I force the client to connect with a static IP, I get the IP but then android checks the internet connectivity and it fails.

In firewall, I do have guest forwarded to lan, and lan as masquerade.
And I do have some basic rules to allow DNS and DHCP. So I dunno, can't figure it out.

I have been fiddling with this for like 3 days.
Configurations below.

Thanks!

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd8:c4f4:4496::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'eth0'
	option macaddr '94:18:65:43:83:f3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.253'
	option netmask '255.255.255.0'
	list dns '192.168.1.252'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.252'

wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel 'auto'
	option band '2g'
	option htmode 'HE20'
	option country 'FR'
	option cell_density '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Home'
	option encryption 'sae-mixed'
	option key ''
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel 'auto'
	option band '5g'
	option htmode 'HE80'
	option country 'FR'
	option cell_density '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Home'
	option encryption 'sae-mixed'
	option key ''
	option wpa_disable_eapol_key_retries '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'sae-mixed'
	option key ''
	option wpa_disable_eapol_key_retries '1'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'sae-mixed'
	option key ''
	option wpa_disable_eapol_key_retries '1'
	option network 'guest'

firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Allow Guest DHCP'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow Guest DNS'
	option src 'guest'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '192.168.1.252'

config rule
	option name 'Block Guest from LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
	option enabled '0'

I think option gateway is missing, add:
option gateway '192.168.1.254'

Reboot after adding


I didn't specify that value since it was the default (placeholder in the input field in LuCI).

I added the gateway, and still the Guest SSID doesn't seem to give IP addresses.

Updated network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd8:c4f4:4496::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'eth0'
	option macaddr '94:18:65:43:83:f3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.253'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	list dns '192.168.1.252'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.252'

That rule could be wrong, 192.168.1.252 is the upstream DNS server for DNSmasq.
You have to simply allow traffic to be able to reach the router:

config rule
	option name 'Allow Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

Unless you specified option 6 to hand out that address.

Did you set up a DHCP server for the guest network?

/etc/config/dhcp

I have made the change, here is the updated firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Allow Guest DHCP'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block Guest from LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
	option enabled '0'

However I do not know what option 6 is. Maybe I should be aware of that.

This change didn't improve the situation; I still can't connect on the guest SSID.

As for the dhcp config, sorry I forgot to post it up before. Here it is


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '192.168.1.252'

It looks like you do want to set option 6 but the right way should be:
list dhcp_option '6,192.168.1.252'

In this case you can revert the changes for port 53

Changes were made, and... it worked!
Clients seem to be able to connect to the guest SSID, and I get an IP from the correct range. Seems like dhcp_option 6 did the trick.

Updated configs:

dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.252'

firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Allow Guest DHCP'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.1.252'

config rule
	option name 'Block Guest from LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
	option enabled '0'

Thanks @egc
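As an added illustration (not code from the thread, OpenWrt, or any poster), the script below parses the UCI text format and checks the two things that went wrong above: a `dhcp_option` entry that is missing its option number (`'6,192.168.1.252'` rather than a bare IP) and a guest firewall zone that is not default-deny or whose "Block Guest from LAN" rule is ordered ahead of the DNS allow rule (fw4 applies rules in config order). The sample configs inside it are constructed and abridged from the ones posted, not the poster's files; the zone and rule names are the ones used in this thread.

```python
"""Lint an OpenWrt guest-network setup for the two mistakes discussed in this thread:
dhcp_option values without their option number, and guest rules missing or misordered."""
import re
import shlex
from dataclasses import dataclass, field

@dataclass
class Section:
    kind: str                # "zone", "rule", "dhcp", ...
    name: str = ""           # set for named sections, e.g. config dhcp 'guest'
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)

def parse_uci(text):
    """Minimal parser for the UCI text format (config / option / list lines)."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[2] if len(parts) > 2 else ""
        if parts[0] == "config":
            sections.append(Section(parts[1], value))
        elif parts[0] == "option" and sections:
            sections[-1].options[parts[1]] = value
        elif parts[0] == "list" and sections:
            sections[-1].lists.setdefault(parts[1], []).append(value)
    return sections

OPTION_NUMBER = re.compile(r"^\d+,")

def check_dhcp_options(sections):
    """dnsmasq expects '<number>,<value>'; '6,<ip>' is the DNS server option."""
    problems = []
    for s in sections:
        if s.kind == "dhcp":
            for val in s.lists.get("dhcp_option", []):
                if not OPTION_NUMBER.match(val):
                    problems.append(f"dhcp '{s.name}': dhcp_option '{val}' "
                                    f"lacks its option number (for DNS: '6,{val}')")
    return problems

def check_guest_firewall(sections, zone="guest", dns_ip="192.168.1.252"):
    """Default-deny guest zone, explicit DHCP/DNS allows, and the LAN block rule last."""
    problems = []
    z = next((s for s in sections if s.kind == "zone" and s.options.get("name") == zone), None)
    if z is None:
        return [f"no firewall zone named '{zone}'"]
    problems += [f"zone '{zone}': {p} is not REJECT" for p in ("input", "forward")
                 if z.options.get(p) != "REJECT"]
    rules = [s for s in sections if s.kind == "rule" and s.options.get("src") == zone
             and s.options.get("enabled", "1") != "0"]
    ports = lambda r: r.options.get("dest_port", "").split()
    # DHCP is traffic to the AP itself, so that allow rule carries no 'dest' zone.
    if not any(r.options.get("target") == "ACCEPT" and "67" in ports(r)
               and "dest" not in r.options for r in rules):
        problems.append(f"zone '{zone}': no ACCEPT rule for DHCP (port 67) to the AP")
    dns_idx = next((i for i, r in enumerate(rules) if r.options.get("target") == "ACCEPT"
                    and "53" in ports(r) and dns_ip in r.lists.get("dest_ip", [])), None)
    block_idx = next((i for i, r in enumerate(rules) if r.options.get("target") == "REJECT"
                      and r.options.get("dest") == "lan"), None)
    if dns_idx is None:
        problems.append(f"zone '{zone}': no ACCEPT rule for DNS (port 53) to {dns_ip}")
    elif block_idx is not None and block_idx < dns_idx:
        problems.append(f"zone '{zone}': the LAN block rule precedes the DNS allow rule")
    return problems

# Constructed sample configs modelled on the thread (abridged, not the poster's files).
DHCP_BEFORE = """
config dhcp 'guest'
    list dhcp_option '192.168.1.252'
"""
DHCP_AFTER = DHCP_BEFORE.replace("'192.168.1.252'", "'6,192.168.1.252'")
FIREWALL = """
config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option src 'guest'
    option dest_port '67 68'
    option target 'ACCEPT'

config rule
    option src 'guest'
    option dest 'lan'
    option dest_port '53'
    list dest_ip '192.168.1.252'
    option target 'ACCEPT'

config rule
    option src 'guest'
    option dest 'lan'
    list dest_ip '192.168.1.0/24'
    option target 'REJECT'
"""
# Same rules with the block rule moved ahead of the DNS allow (the misordered case).
_b = FIREWALL.strip().split("\n\n")
FIREWALL_MISORDERED = "\n\n".join([_b[0], _b[1], _b[3], _b[2]])
```

Feed it the contents of `/etc/config/dhcp` and `/etc/config/firewall` with `parse_uci()` and run both checks; an empty list means the guest zone only reaches the AP for DHCP and the pihole for DNS, everything else to 192.168.1.0/24 is rejected once the block rule is enabled, and the DNS allow is not shadowed by it.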

Ok now there may be a problem though.

It works fine as it is, but the Guests have access to the lan IP range.
So I activated the firewall rule Block Guest from LAN.

Then the Guests indeed can't connect to anything on the lan... including the DNS itself, it seems.
This is quite strange, as I can connect as a Guest fine to the SSID; I get the IP and the correct DNS (192.168.1.252).
But when I ping 192.168.1.252 I get destination port unreachable.
When I nslookup a random domain, I can see the android device is using 8.8.8.8.
When I have a look at my pihole, indeed, I do not see the Guest clients' DNS queries.

Something is off.

EDIT
No, everything works correctly; it's probably the Termux I am using on android that is using its own DNS resolver.

I do see the DNS queries coming from the Guest, but as the WiFi AP address, namely 192.168.1.253; that's what threw me off.
I guess that's the masquerade thing at work, if I understand correctly.

EDIT 2
And there's no way I am removing the masquerade, since my ISP router/modem would not know the route to a Guest IP. And I can't set up routes on that hardware.
That's kinda too bad... I wish I could see individual IPs from the Guest range hitting the DNS resolver...

Glad it is working.

But indeed masquerading is necessary if you cannot set a static route on your main router.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)
