I am trying to create a Guest interface that only has access to the internet.
I have seen many guides and questions but all seem not applicable to my scenario somehow.
The biggest thing which I do not understand is why I am getting assigned an IP address from the DHCP attached to if_Guests and am still able to reach both the LAN and the Internet, even though I have not made any firewall rules yet to allow that.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd68:74a7:6e62::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.252.0.0'
list dns '8.8.8.8'
option delegate '0'
option force_link '0'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '4 6t'
config interface 'if_Trusted'
option proto 'static'
option force_link '0'
option type 'bridge'
option ipaddr '10.4.0.1'
option netmask '255.255.0.0'
option ifname 'eth0.40'
list dns '8.8.8.8'
option delegate '0'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '2t 5t'
option vid '40'
config interface 'if_Guests'
option proto 'static'
option type 'bridge'
option ipaddr '10.5.0.1'
option netmask '255.255.0.0'
option ifname 'eth0.50'
list dns '8.8.8.8'
option delegate '0'
option force_link '0'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '2t 5t'
option vid '50'
config interface 'if_tmp_oldlan'
option ifname 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldlan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src 'lan'
option name 'block iot wan'
option src_ip '192.168.1.128/25'
option dest 'wan'
option target 'DROP'
config rule
option src 'lan'
option name 'block default ipcam'
option src_ip '192.168.1.10'
option dest 'wan'
option target 'DROP'
config redirect
option dest_port '443'
option src 'wan'
option name 'guideriis'
option src_dport '443'
option target 'DNAT'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.1.111'
Sorry if I write this a bit harshly. But it is no wonder that things are not working if you edit your configuration files like you did. There are a lot of things wrong.
It seems you are a beginner. So I would recommend doing your steps gradually and avoiding editing configuration files directly (only do it if needed due to missing options in the GUI, or if an OpenWrt guide is telling you to do so).
Reset your configuration and start over from scratch to set up a guest LAN. You should understand what you are doing to avoid misconfiguration (this is important if you want to avoid possible leaks from future changes you are not aware of yet). If the standard configuration is working, then you can start to modify things to your needs.
What is wrong here (if you want to try to fix it):
You defined lan and br-lan in your config. Both are configured as a bridge. Both have different IP ranges. Besides the name conflict: if lan is set as a bridge, it will automatically be named br-lan by OpenWrt.
Your firewall defaults are set wrong. You don't want to accept everything by default. Do not change that.
If you put all devices in the same zone (lan), they can of course request DHCP from any DHCP server instance.
If you want to disable IPv6, don't comment out parts of the odhcp config only. This makes no sense. Instead disable wan6 completely.
There is one official guide that is very applicable to your scenario.
Remove the dns 8.8.8.8 from lan and guest interfaces. This should go under wan interface, where it is reachable from.
Other than that I don't see the guest interface assigned to any firewall zone.
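To illustrate the last point, here is a firewall zone for if_Guests as an added example (not from the thread or the OpenWrt guide; the zone name 'guest' and the rule names are my choice). With the interface in no zone at all, the `config defaults` policy of ACCEPT/ACCEPT/ACCEPT applies to its traffic, which is why the guest client can reach both LAN and WAN without any explicit rule.

```text
# /etc/config/firewall (fw3 UCI syntax)

# Restore the stock defaults: the router may answer and originate,
# but nothing is forwarded unless a zone or forwarding says so.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Dedicated zone so guest traffic is no longer governed by the defaults.
# input REJECT: guests may not talk to the router except via the rules below.
# forward REJECT: no guest -> lan (or any other zone) unless a forwarding allows it.
config zone
	option name 'guest'
	option network 'if_Guests'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only permitted forwarding: guest -> wan (masquerading is set on the wan zone).
config forwarding
	option src 'guest'
	option dest 'wan'

# Guests still need the router's dnsmasq for a lease (DHCP, UDP 67) ...
config rule
	option name 'Guest-Allow-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# ... and for name resolution (DNS, TCP/UDP 53); everything else to the
# router stays rejected by the zone's input policy.
config rule
	option name 'Guest-Allow-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, check with `fw3 print` (or `iptables -L zone_guest_forward`) that guest traffic hits the new zone chains instead of the default ones.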
That is not correct. There is one server instance of dnsmasq listening on the configured interfaces, if_Trusted and if_Guests, where it will allocate addresses.
This is an attempt at an IP alias; using @lan for ifname is advised for bridged interfaces.
Thx, this one I have not seen before. I will take a look at it after I understand why I am getting a DHCP lease even after a service firewall restart.
OK, I can still connect to my old LAN using @lan for if_tmp_oldlan.
Thx for the suggestion. I was hesitant earlier because I thought things broke earlier when doing that. But it must have been something else back when my config was still garbled.
Well, if you removed WAN6 then none of your LAN devices will get a globally routable IPv6 address. There are probably still private addresses (feXX:..., fdXX:...) assigned, but they do no harm. If you want to remove them as well, then remove the ip6 assignment from the LAN interfaces too (like @trendy has written).