[Solved] Different subnet for wired and wireless

I'm an OpenWrt noob, but I managed to get my Cudy X6 up and running after a lot of headaches...
I like the idea of OpenWrt, but I wonder why anything besides the default should be so hard...

I have a wireless network with PSK.
Now I'd like to have my wired ports and my wireless networks to be on two different subnets.
So device IP is 192.168.1.1
Wired dhcp is 192.168.1.100 and up.
My wireless dhcp should be 192.168.2.100 and up

Should be simple, but...
I've managed to lose the connection to my device several times and have hard-reset, reflashed and restored the device from backup at least a dozen times.
So anyone being able to tell me what to do from start to finish would be much appreciated.
I've found several topics on multiple subnets, but they all were already a long way there, so those explanations are all useless if you can't get the basics right.

If your goal is simply numerical organization of your network, you can achieve it by creating the two subnets... but it may end up being more complicated in the long run...

You can configure the firewall so that the two networks are open to each other (if desired; or they can be isolated from each other), but certain things like auto-discovery and inter-device streaming that use mdns and similar techniques (think Chromecast, Airplay, Airprint, etc.) will not work by default across the subnets, and it can be a bit of effort to get those things to working again.

So is this what you really want?

If so, you can follow the guest wifi guide to get you started. Depending on your goals in terms of inter-vlan routing (permitted, prohibited, etc), the firewall settings in the guide may or may not apply... but the general idea of creating your new subnet is there.

I'm on OpenWrt 21.02-SNAPSHOT r16094-73d52b255f , btw.

The manual you're referring to is incorrect.
When I do Add on the Wireless page I don't get a new Interface, I get a new wireless network.

My question is simple:
Physical ports: lan network with ip 192.168.1.x and internet access.
Wireless (guest) network: 192.168.2.x and internet access.
No communication between lan and wifi.

Guest network is already configured, I just want it on another subnet.

And when I add a new Interface with ip 192.168.2.1, it states that it is not present, probably because there's no device associated. And I lose access to the device via the browser again and can only configure by cli.

You should upgrade to a stable release unless there is a specific reason you are running such an old snapshot. The latest in the 21 series is 21.02.5. Ideally, you'd upgrade to 22.03.3.

No, this guide is correct.

Correct, the creation of the interface is done in the next step (configure the interface) in the guide (personally, I'd do the interface first, but it's not critical, so the guide is still correct).

Ok... so the firewall rules in the guest wifi guide will apply here.

If that's the case, please share your configs...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'm on the official Cudy OpenWrt image.
Is there a downside to upgrading to a non-official OpenWrt release?

I see... if that is the case:

I'd recommend using an official version... if you want to use a vendor release, that's up to you. But here is the guidance:

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.


You've got a few things backwards:

  • OpenWrt releases by manufacturers are by definition unofficial and built on whatever OpenWrt codebase they choose to use (which more often than not is old and sprinkled with binary blobs). And 'unofficial' is a kind term here - since those releases are often outdated, butchered beyond recognition and sprinkled with binary blobs OpenWrt cannot use.
  • There's only upsides to using official - ie vanilla - OpenWrt builds. That is, if you would like this forum here to help you.

For Cudy firmware, talk to Cudy. Cudy does not contribute to OpenWrt. If you need help with their stuff, you should talk to them. Furthermore, like @psherman pointed out, the documentation is correct; you should simply not expect vendor firmware to match official OpenWrt. Which brings us back to point #2 above.


Ok. Thanks for your assistance so far.

Upgraded to official OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd .

Manual is still incorrect.
First part:
After logging into the web-interface, manoeuvre to the Wireless page under Network . Click Add over the wireless controller (e.g., the 2.4 GHz radio) you want to have your guest network on. A new interface will be added as shown here

Should be:
After logging into the web-interface, manoeuvre to the Wireless page under Network . Click Add over the wireless controller (e.g., the 2.4 GHz radio) you want to have your guest network on. A new SSID will be added as shown here

But I tried the steps to create a new Interface under Wireless, which didn't work.
So I created a new Interface under Network > Interfaces > "Add new interface" with IP 192.168.2.1
There it stated: Error: Network device is not present.

So under network > Interfaces > Devices > "Add device configuration" I added a "Bridge device" without connected ports and "Bring up empty bridge" ticked.
Error is now gone and picture looks like the third picture in the manual.

Then I configured DHCP Server on the Interface.
And I created a zone for the firewall.

But I still don't get an IP address.
When I do "radiusd -X" I see the device connecting. I see the device appear under "Associated Stations" for a little while, but I get no real connection.

This is my (obfuscated) config:

/etc/config/network


config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd54:10fd:8864::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option ifname 'wan'
	option proto 'dhcp'
	option device 'wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'gast_netwerk'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-gast_netwerk'

config device
	option type 'bridge'
	option name 'br-gast_netwerk'
	option bridge_empty '1'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option isolate '1'
	option encryption 'psk2'
	option ssid 'wifi-Private'
	option key 'somepassword'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option cell_density '0'
	option htmode 'VHT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi-Private'
	option isolate '1'
	option encryption 'psk2'
	option key 'somepassword'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi-Public'
	option isolate '1'
	option encryption 'wpa2'
	option auth_server '127.0.0.1'
	option auth_secret 'otherpassword'
	option acct_server '127.0.0.1'
	option acct_secret 'otherpassword'
	option network 'gast_netwerk'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'gast_netwerk'
	option interface 'gast_netwerk'
	option start '100'
	option limit '150'
	option leasetime '12h'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'gast_netwerk'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'gastnetwerk'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'gastnetwerk'
	option dest 'wan'

Remove this line from your gast network.

what's going on with this auth server... do you have a RADIUS server setup?

You have the gast network associated with the lan firewall zone... there is no network associated with this zone, though.

Did that and I get an ip address and an internet connection now! Thanks!

Yes, hence the "radiusd -X" I mentioned.
Got that working with this article, which is for a great part correct (but also not all).
That was the start of my headaches though. Not very nice to try and get that working if you're a noob...

Euh, and? What does that imply? Do I need to fix that? And how?

Thanks again for your help! And patience... :blush:

Great

I saw that, but you hadn't mentioned it until about half way down this thread... so I wasn't sure if this was an option you had enabled intentionally or accidentally.

Currently, your gast network is included in the lan firewall zone. Because the lan zone (currently) has forward=accept, it means that the gast network and the lan can communicate with each other. Further, it has input=accept, which means that the gast network can connect to the router's ssh, web, and any other services that are running on the device.

Typically, a guest/untrusted network is associated with a separate zone that does not allow inter-VLAN routing with the trusted network(s), and typically blocks all connections to the router except those that are necessary (DHCP and often DNS, in a standard config).

You don't need to fix this, but the gast firewall zone doesn't do anything at all (because it doesn't have a network attached) and, as just described, the gast network is not currently treated with any additional restrictions... fixing this (or not) depends on your goals.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
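As an added check (not from the thread, and not OpenWrt's own tooling), the Python script below parses the relevant pieces of the configs posted earlier in the thread and flags the two problems the replies identify: the leftover legacy `option type 'bridge'` in the interface section, and the guest network attached to the lan zone while the intended guest zone covers no network. The sample input is trimmed from the posted configs; the corrected firewall zone at the end is my own and assumes you still add the guest-wifi guide's DHCP/DNS accept rules and keep the existing forwarding to wan.

```python
"""Lint OpenWrt UCI snippets for the two mistakes discussed in this thread.
Added example with constructed sample input; runs anywhere Python runs."""

# Constructed sample: trimmed from the poster's /etc/config/network.
NETWORK = """
config interface 'lan'
	option proto 'static'
	option device 'br-lan'

config interface 'gast_netwerk'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option type 'bridge'
	option device 'br-gast_netwerk'

config device
	option type 'bridge'
	option name 'br-gast_netwerk'
	option bridge_empty '1'
"""

# Constructed sample: the zones from the poster's /etc/config/firewall.
FIREWALL_POSTED = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'gast_netwerk'

config zone
	option name 'gastnetwerk'
	option input 'ACCEPT'
	option forward 'REJECT'
"""

# My corrected version (assumption): guest network moved into its own zone with
# input=REJECT; the guide's DHCP/DNS accept rules and gastnetwerk->wan forwarding
# are still required on top of this.
FIREWALL_FIXED = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'gastnetwerk'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'gast_netwerk'
"""


def parse_uci(text):
    """Minimal UCI parser: list of (type, name, options); 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == 'config':
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] in ('option', 'list') and sections:
            val = parts[2].strip().strip("'\"") if len(parts) > 2 else ''
            opts = sections[-1][2]
            if parts[0] == 'list':
                opts.setdefault(parts[1], []).append(val)
            else:
                opts[parts[1]] = val
    return sections


def legacy_bridge_conflicts(network_text):
    """Interfaces mixing legacy 'option type bridge' with 'option device' (the
    line the reply says to remove): since 21.02 the bridge is a 'config device'."""
    return [name for stype, name, o in parse_uci(network_text)
            if stype == 'interface' and o.get('type') == 'bridge' and 'device' in o]


def guest_zone_findings(firewall_text, network_text, guest):
    """Where does the guest network land, and which zones cover nothing?
    fw3/fw4 treat a zone without a 'network' list as covering the interface of
    the same name, so a zone is only empty if no interface matches its name."""
    interfaces = {n for stype, n, _ in parse_uci(network_text) if stype == 'interface'}
    findings = []
    for stype, _, z in parse_uci(firewall_text):
        if stype != 'zone':
            continue
        nets = z.get('network') or ([z['name']] if z['name'] in interfaces else [])
        if not nets:
            findings.append(f"zone '{z['name']}' matches no interface; its policy never applies")
        if guest in nets and z.get('forward') == 'ACCEPT':
            findings.append(f"'{guest}' in zone '{z['name']}' with forward=ACCEPT: reaches every network in the zone")
        if guest in nets and z.get('input') == 'ACCEPT':
            findings.append(f"'{guest}' in zone '{z['name']}' with input=ACCEPT: guests reach ssh/LuCI on the router")
    return findings


if __name__ == '__main__':
    for name in legacy_bridge_conflicts(NETWORK):
        print(f"network: interface '{name}' mixes legacy 'type bridge' with 'device'")
    for f in guest_zone_findings(FIREWALL_POSTED, NETWORK, 'gast_netwerk'):
        print('firewall (posted):', f)
    print('firewall (fixed):', guest_zone_findings(FIREWALL_FIXED, NETWORK, 'gast_netwerk'))
```

The parser is deliberately tiny (single-quoted values, no escapes), which is enough for the files `cat /etc/config/...` prints; run it against your own dumps after editing, before you reload the firewall, so a wrong zone membership is caught on paper rather than by finding the guest SSID on the LuCI login page.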

Ok. I'll look into the firewall bit with your explanation.
Thanks again for your help.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.