[Solved]Guest interface on OpenWrt 19.7.4

I am trying to create a Guest interface that only has access to the internet.

I have seen many guides and questions but all seem not applicable to my scenario somehow.

The biggest thing I do not understand is why I am being assigned an IP address by the DHCP server attached to if_Guests, and why I can still reach both the LAN and the Internet, even though I have not yet made any firewall rules to allow that.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.252.0.0'
	list dns '8.8.8.8'
	option delegate '0'
	option force_link '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.40'
	list dns '8.8.8.8'
	option delegate '0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.50'
	list dns '8.8.8.8'
	option delegate '0'
	option force_link '0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

config interface 'if_tmp_oldlan'
	option ifname 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

(not sure if useful) cat /etc/config/dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option sequential_ip '1'
	option localservice '0'
	option boguspriv '0'
        #option logdhcp '1'
        #option logqueries '1'
        #option logfacility '/tmp/dnsmasq.log'

#config dhcp 'wan'
#	option interface 'wan'
#	option ignore '1'

#config odhcpd 'odhcpd'
#	option maindhcp '0'
#	option leasefile '/tmp/hosts/odhcpd'
#	option leasetrigger '/usr/sbin/odhcpd-update'
#	option loglevel '7'

config dhcp 'if_Trusted'
	option interface 'if_Trusted'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

config dhcp 'if_Guests'
	option interface 'if_Guests'
	option start '1025'
	option limit '1000'
	option leasetime '2m'
	option force '1'

Sorry if this comes across a bit harsh, but it is no wonder that things are not working if you edit your configuration files the way you did. There are a lot of things wrong.

It seems you are a beginner, so I would recommend taking your steps gradually and avoiding editing the configuration files directly (only do it when an option is missing from the GUI or an OpenWrt guide tells you to).

Reset your configuration and start over from scratch to set up a guest LAN. You should understand what you are doing to avoid misconfiguration (this is important if you want to avoid possible leaks from future changes whose effects you are not yet aware of). Once the standard configuration is working, you can start modifying things to your needs.

What is wrong here (if you want to try to fix it):

  • you defined both lan and br-lan in your config. Both are configured as a bridge, and they have different IP ranges. Besides the name conflict: if lan is set as a bridge, OpenWrt automatically names it br-lan.

  • your firewall defaults are set wrong. You don't want to accept everything by default; leave the shipped defaults alone.

  • if you put all interfaces in the same zone (lan), devices on them can of course request DHCP from any DHCP server instance.

  • if you want to disable IPv6, don't just comment out parts of the odhcpd config; that makes no sense. Instead, disable wan6 completely.

There is one official guide that is very applicable to your scenario.

Remove the dns 8.8.8.8 entry from the lan and guest interfaces. It belongs under the wan interface, which is where it is reachable from.

Other than that I don't see the guest interface assigned to any firewall zone.

That is not correct. There is a single dnsmasq server instance listening on the configured interfaces, if_Trusted and if_Guests, and it allocates addresses on each of them.

This is an attempt at an IP alias; using @lan as the ifname is what is advised for bridged interfaces.


True, I missed that part.

Yes, I remembered it wrong:

Create an 'interface' section per IP, but alias interfaces may NOT be of type bridge.

and forgot the 2nd part.


Thanks, this one I have not seen before. I will take a look at it after I understand why I am still getting a DHCP lease even after a service firewall restart.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:74a7:6e62::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.252.0.0'
	option delegate '0'
	option force_link '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config interface 'if_Trusted'
	option proto 'static'
	option force_link '0'
	option type 'bridge'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.40'
	option delegate '0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 5t'
	option vid '40'

config interface 'if_Guests'
	option proto 'static'
	option type 'bridge'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'
	option ifname 'eth0.50'
	option delegate '0'
	option force_link '0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 5t'
	option vid '50'

config interface 'if_tmp_oldlan'
	option ifname 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan if_Trusted if_Servers if_Switch_APs if_IOT if_Peripherals if_tmp_oldlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'lan'
	option name 'block iot wan'
	option src_ip '192.168.1.128/25'
	option dest 'wan'
	option target 'DROP'

config rule
	option src 'lan'
	option name 'block default ipcam'
	option src_ip '192.168.1.10'
	option dest 'wan'
	option target 'DROP'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'guideriis'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.111'

config zone
	option name 'rl_Guests'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network 'if_Guests'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'rl_Guests'

It would be an enormous knowledge boost if I knew why I am still getting a DHCP lease.

Also once things are in order I will slowly try out the @lan alias

There is no zone for the guest interface, so it inherits the firewall defaults.

This is a 10 second thing...

Perhaps our posts crossed each other. There is an rl_Guests zone defined in my previous post / current config.

Ok, I'll try @lan now then. Exactly which interface should have that? You mean if_tmp_oldlan?

Ok, I can still connect to my old LAN using @lan for if_tmp_oldlan.
Thanks for the suggestion. I was hesitant earlier because I thought things broke earlier when doing that, but it must have been something else back when my config was still garbled.

Also, these are my current firewall settings in LuCI. The output of cat /etc/config/firewall is in my previous post.

Still not sure why I am getting a DHCP lease.

Can you please show me how to do that?

I was looking at the first post. Even in the next one you have input set to ACCEPT in the guest zone, so DHCP requests from guest clients to the router itself are still accepted.

Yes

ACCEPT in input — that is what lets guest clients talk to the router itself, including its DHCP server.

Disable ip6assign on the lan interfaces in LuCI.


If you want it more restrictive, instead of managing each lan interface separately you could disable it on the WAN side (if you want):

Or use command-line:

# Disable IPv6 on the WAN side: wan6 is not brought up and requests no address.
# The poster notes the first line is optional; the second is the effective one.
uci set network.wan6.auto='0' # not absolutely necessary
uci set network.wan6.reqaddress='none' # stop wan6 from requesting an IPv6 address
uci commit # persist the staged changes to /etc/config

Thanks for the suggestion, but I do not have a wan6; I removed that default interface.

Well, if you removed wan6 then none of your LAN devices will get a globally routable IPv6 address. There are probably still private addresses (link-local feXX:..., ULA fdXX:...) assigned, but they do no harm. If you want to remove those as well, remove the ip6 assignment from the lan interfaces too (as @trendy has written).


I can't edit my first post, so I'll add a link to more background information on where it all started:

https://forum.openwrt.org/t/simple-network-segmentation-why-is-it-soooo-hard-for-newcommers/

