[Solved] Guest Network DHCP

Greetings all,

Firstly, thank you for such a wonderful community, I've learned a lot here browsing and reading.

I’m very new to this and am trying to set up a separate guest network that only has internet access and no access to my LAN. I followed this tutorial which seems pretty common among the ones I’ve seen.

The only difference is that I’ve selected ‘true’ on the force option on the DHCP Advanced tab for the GuestNet interface, and have split up the DNS and DHCP traffic rules for the GuestNet; neither change seems to have made a difference to my problem. I’m using LuCI as I’m not much for the command line atm.

The problem is I’m unable to get DHCP working consistently on my guest network. I am able to sometimes log onto the network and obtain a DHCP IP address and then access the internet. I can then watch the device get ‘kicked off’ and end up with an IP Address of 169.254.something and no internet access. I can do this with multiple devices, sometimes they will connect and get an IP address and sometimes not. I’ve done lots of searches and have been unable to solve this problem. My simple set up is a modem in bridge mode and this router going PPPOE through it for internet.

I’ve included below what I think is needed to look at my set up as well as the log files for the times in question when the above has happened.

Thanks for your help,
Greg

The following was cut and pasted into terminal as per what I've read here:
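# OpenWrt diagnostic dump: board info, UCI configs, firewall state,
# IPv4 addresses/routes/rules and the resolver files.
# The output includes secrets (PPPoE username/password, Wi-Fi keys) and
# public IP addresses -- redact them before posting it anywhere.
ubus call system board
uci export network
uci export wireless
uci export dhcp
uci export firewall
# head -n -0 prints each file in full.
head -n -0 /etc/firewall.user
# iptables-save is absent on nftables-based (firewall4) builds;
# `nft list ruleset` dumps the live rules there.
iptables-save -c
ip -4 addr
ip -4 ro li tab all
ip -4 ru
# The forum markup swallowed the globs in the original post; the last
# pattern is /tmp/resolv.*/* (files inside the resolv.conf.d directory).
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*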

RESULT:

ubus call system board; \
> uci export network; 
{
	"kernel": "5.15.137",
	"hostname": "MF_House_Router",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc5:4844:079b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username ‘xxxxxxxxxxxxxxxxx’
	option password ‘xxxxxxxxxxxxxxxxx’
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'GuestNet'
	option proto 'static'
	option ipaddr '10.10.10.10'
	option netmask '255.255.255.0'

root@MF_House_Router:~# uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* 
/tmp/resolv.* /tmp/resolv.*/*
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Searching...'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Searching...'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxxxxxxxxx'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Work'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxxxxxxxxx'
	option network 'GuestNet'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Work'
	option encryption 'sae-mixed'
	option network 'GuestNet'
	option key 'xxxxxxxxxxxxxxxxx'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GuestNet'
	option interface 'GuestNet'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GuestNet'

config forwarding
	option src 'Guest'
	option dest 'wan'

config rule
	option name 'Guest DNS (Work)'
	option src 'Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP (WORK)'
	list proto 'udp'
	option src 'Guest'
	option dest_port '67 68'
	option target 'ACCEPT'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.5.1/24 brd 192.168.5.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: phy1-ap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.10.10.10/24 brd 10.10.10.255 scope global phy1-ap1
       valid_lft forever preferred_lft forever
15: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet xxxxxxx peer 10.20.23.6/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via 10.20.23.6 dev pppoe-wan 
10.10.10.0/24 dev phy1-ap1 scope link  src 10.10.10.10 
10.20.23.6 dev pppoe-wan scope link  src xxxxxxx 
192.168.5.0/24 dev br-lan scope link  src 192.168.5.1 
local 10.10.10.10 dev phy1-ap1 table local scope host  src 10.10.10.10 
broadcast 10.10.10.255 dev phy1-ap1 table local scope link  src 10.10.10.10 
local xxxxxxx dev pppoe-wan table local scope host  src xxxxxxx 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.5.1 dev br-lan table local scope host  src 192.168.5.1 
broadcast 192.168.5.255 dev br-lan table local scope link  src 192.168.5.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Nov 14 23:38 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Feb 14 11:27 /tmp/resolv.conf
-rw-r--r--    1 root     root           124 Feb 14 11:27 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            50 Feb 14 11:27 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           124 Feb 14 11:27 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver xxxxxxx
nameserver xxxxxxx

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver xxxxxxx
nameserver xxxxxxx
# Interface wan6
nameserver fe80::a691:b1ff:fe68:7bc0%wan


Here is a log file covering some successful logins and some unsuccessful ones. I've replaced external IPs and passwords with xxxxxx and MAC addresses with MAC ADDRESS 'A' etc.

Wed Feb 14 11:30:50 2024 daemon.err uhttpd[1672]: [info] luci: accepted login on /admin/system/reboot for root from 192.168.5.159
Wed Feb 14 11:31:05 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED MAC 'A'
Wed Feb 14 11:31:05 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'A') IEEE 802.11: disassociated
Wed Feb 14 11:31:06 2024 daemon.info hostapd: phy1-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: associated (aid 1)
Wed Feb 14 11:31:06 2024 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED (MAC ADDRESS 'B') auth_alg=sae
Wed Feb 14 11:31:06 2024 daemon.info hostapd: phy1-ap1: STA (MAC ADDRESS 'B') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:31:06 2024 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'B')
Wed Feb 14 11:31:07 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'A') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:31:09 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy1-ap1) (MAC ADDRESS 'B')
Wed Feb 14 11:31:09 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy1-ap1) 10.10.10.189 (MAC ADDRESS 'B')
Wed Feb 14 11:31:09 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy1-ap1) (MAC ADDRESS 'B')
Wed Feb 14 11:31:09 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy1-ap1) 10.10.10.189 (MAC ADDRESS 'B')
Wed Feb 14 11:31:11 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy1-ap1) 10.10.10.189 (MAC ADDRESS 'B')
Wed Feb 14 11:31:11 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy1-ap1) 10.10.10.189 (MAC ADDRESS 'B')
Wed Feb 14 11:31:21 2024 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED (MAC ADDRESS 'C')
Wed Feb 14 11:31:21 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'C') IEEE 802.11: disassociated
Wed Feb 14 11:31:21 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: associated (aid 1)
Wed Feb 14 11:31:21 2024 daemon.notice hostapd: phy1-ap0: Prune association for (MAC ADDRESS 'C')
Wed Feb 14 11:31:22 2024 daemon.notice hostapd: phy0-ap1: AP-STA-CONNECTED (MAC ADDRESS 'C') auth_alg=sae
Wed Feb 14 11:31:22 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:31:22 2024 daemon.notice hostapd: phy0-ap1: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'C')
Wed Feb 14 11:31:27 2024 daemon.notice hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: did not acknowledge authentication response
Wed Feb 14 11:31:35 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: associated (aid 2)
Wed Feb 14 11:31:35 2024 daemon.notice hostapd: phy1-ap1: Prune association for (MAC ADDRESS 'B')
Wed Feb 14 11:31:35 2024 daemon.notice hostapd: phy1-ap1: AP-STA-DISCONNECTED (MAC ADDRESS 'B')
Wed Feb 14 11:31:37 2024 daemon.notice hostapd: phy0-ap1: AP-STA-CONNECTED (MAC ADDRESS 'B') auth_alg=sae
Wed Feb 14 11:31:37 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:31:37 2024 daemon.notice hostapd: phy0-ap1: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'B')
Wed Feb 14 11:31:47 2024 daemon.info hostapd: phy1-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: associated (aid 2)
Wed Feb 14 11:31:47 2024 daemon.notice hostapd: phy0-ap1: Prune association for (MAC ADDRESS 'C')
Wed Feb 14 11:31:47 2024 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED (MAC ADDRESS 'C')
Wed Feb 14 11:31:47 2024 daemon.notice hostapd: phy1-ap0: Prune association for (MAC ADDRESS 'C')
Wed Feb 14 11:31:49 2024 daemon.notice hostapd: phy1-ap1: AP-STA-CONNECTED (MAC ADDRESS 'C') auth_alg=sae
Wed Feb 14 11:31:49 2024 daemon.info hostapd: phy1-ap1: STA (MAC ADDRESS 'C') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:31:49 2024 daemon.notice hostapd: phy1-ap1: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'C')
Wed Feb 14 11:31:53 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy1-ap1) (MAC ADDRESS 'C')
Wed Feb 14 11:31:53 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy1-ap1) 10.10.10.159 (MAC ADDRESS 'C')
Wed Feb 14 11:31:53 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(phy1-ap1) (MAC ADDRESS 'C')
Wed Feb 14 11:31:53 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(phy1-ap1) 10.10.10.159 (MAC ADDRESS 'C')
Wed Feb 14 11:31:54 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(phy1-ap1) 10.10.10.159 (MAC ADDRESS 'C')
Wed Feb 14 11:31:54 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(phy1-ap1) 10.10.10.159 (MAC ADDRESS 'C') Wander-Air
Wed Feb 14 11:32:05 2024 daemon.info hostapd: phy1-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:32:17 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:32:17 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'C') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:33:11 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: authenticated
Wed Feb 14 11:33:11 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: associated (aid 1)
Wed Feb 14 11:33:11 2024 daemon.notice hostapd: phy1-ap1: Prune association for (MAC ADDRESS 'C')
Wed Feb 14 11:33:11 2024 daemon.notice hostapd: phy1-ap1: AP-STA-DISCONNECTED (MAC ADDRESS 'C')
Wed Feb 14 11:33:11 2024 daemon.notice hostapd: phy0-ap1: AP-STA-CONNECTED (MAC ADDRESS 'C') auth_alg=open
Wed Feb 14 11:33:11 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:33:11 2024 daemon.notice hostapd: phy0-ap1: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'C')
Wed Feb 14 11:33:28 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'D') IEEE 802.11: authenticated
Wed Feb 14 11:33:28 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'D') IEEE 802.11: authenticated
Wed Feb 14 11:33:31 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'D') IEEE 802.11: associated (aid 7)
Wed Feb 14 11:33:31 2024 daemon.notice hostapd: phy1-ap0: Prune association for (MAC ADDRESS 'D')
Wed Feb 14 11:33:31 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED (MAC ADDRESS 'D') auth_alg=sae
Wed Feb 14 11:33:31 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'D') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:33:31 2024 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'D')
Wed Feb 14 11:33:33 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.124 (MAC ADDRESS 'D')
Wed Feb 14 11:33:33 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.5.124 (MAC ADDRESS 'D') MacBook
Wed Feb 14 11:33:36 2024 daemon.warn odhcpd[1558]: No default route present, overriding ra_lifetime!
Wed Feb 14 11:33:37 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Wed Feb 14 11:33:37 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Wed Feb 14 11:33:37 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Wed Feb 14 11:33:37 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Wed Feb 14 11:33:41 2024 daemon.info hostapd: phy1-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:34:01 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'D') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:35:28 2024 daemon.warn odhcpd[1558]: No default route present, overriding ra_lifetime!
Wed Feb 14 11:35:57 2024 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED (MAC ADDRESS 'C')
Wed Feb 14 11:35:57 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: disassociated
Wed Feb 14 11:35:58 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'C') IEEE 802.11: associated (aid 8)
Wed Feb 14 11:35:58 2024 daemon.notice hostapd: phy0-ap1: Prune association for (MAC ADDRESS 'C')
Wed Feb 14 11:35:58 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED (MAC ADDRESS 'C') auth_alg=sae
Wed Feb 14 11:35:58 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'C') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:35:58 2024 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'C')
Wed Feb 14 11:35:58 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.159 (MAC ADDRESS 'C')
Wed Feb 14 11:35:58 2024 daemon.info dnsmasq-dhcp[1]: DHCPNAK(br-lan) 192.168.5.159 (MAC ADDRESS 'C') wrong address
Wed Feb 14 11:35:58 2024 daemon.warn odhcpd[1558]: No default route present, overriding ra_lifetime!
Wed Feb 14 11:36:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.159 (MAC ADDRESS 'C')
Wed Feb 14 11:36:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPNAK(br-lan) 192.168.5.159 (MAC ADDRESS 'C') wrong address
Wed Feb 14 11:36:03 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) (MAC ADDRESS 'C')
Wed Feb 14 11:36:03 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.5.159 (MAC ADDRESS 'C')
Wed Feb 14 11:36:03 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) (MAC ADDRESS 'C')
Wed Feb 14 11:36:03 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.5.159 (MAC ADDRESS 'C')
Wed Feb 14 11:36:04 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.159 (MAC ADDRESS 'C')
Wed Feb 14 11:36:04 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.5.159 (MAC ADDRESS 'C') Wander-Air
Wed Feb 14 11:36:28 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'C') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:36:30 2024 authpriv.info dropbear[4871]: Child connection from 192.168.5.159:50232
Wed Feb 14 11:36:37 2024 authpriv.notice dropbear[4871]: Password auth succeeded for 'root' from 192.168.5.159:50232
Wed Feb 14 11:37:15 2024 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED (MAC ADDRESS 'B')
Wed Feb 14 11:37:15 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: disassociated
Wed Feb 14 11:37:17 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:37:42 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'A') IEEE 802.11: associated (aid 9)
Wed Feb 14 11:37:42 2024 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED (MAC ADDRESS 'A') auth_alg=sae
Wed Feb 14 11:37:42 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'A') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:37:42 2024 daemon.notice hostapd: phy0-ap0: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'A')
Wed Feb 14 11:37:44 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.206 (MAC ADDRESS 'A')
Wed Feb 14 11:37:44 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.5.206 (MAC ADDRESS 'A')
Wed Feb 14 11:37:47 2024 daemon.warn odhcpd[1558]: No default route present, overriding ra_lifetime!
Wed Feb 14 11:39:29 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'C') IEEE 802.11: associated (aid 1)
Wed Feb 14 11:39:29 2024 daemon.notice hostapd: phy0-ap0: Prune association for (MAC ADDRESS 'C')
Wed Feb 14 11:39:29 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED (MAC ADDRESS 'C')
Wed Feb 14 11:39:31 2024 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED (MAC ADDRESS 'C') auth_alg=sae
Wed Feb 14 11:39:31 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'C') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:39:31 2024 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'C')
Wed Feb 14 11:39:31 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.159 (MAC ADDRESS 'C')
Wed Feb 14 11:39:31 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.5.159 (MAC ADDRESS 'C') Wander-Air
Wed Feb 14 11:39:59 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'C') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:40:23 2024 daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED (MAC ADDRESS 'A')
Wed Feb 14 11:40:24 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'A') IEEE 802.11: disassociated
Wed Feb 14 11:40:24 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: associated (aid 1)
Wed Feb 14 11:40:24 2024 daemon.notice hostapd: phy0-ap1: AP-STA-CONNECTED (MAC ADDRESS 'B') auth_alg=sae
Wed Feb 14 11:40:24 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:40:24 2024 daemon.notice hostapd: phy0-ap1: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'B')
Wed Feb 14 11:40:25 2024 daemon.info hostapd: phy0-ap0: STA (MAC ADDRESS 'A') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:40:51 2024 daemon.notice hostapd: phy0-ap1: AP-STA-DISCONNECTED (MAC ADDRESS 'B')
Wed Feb 14 11:40:51 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: disassociated
Wed Feb 14 11:40:52 2024 daemon.info hostapd: phy0-ap1: STA (MAC ADDRESS 'B') IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Wed Feb 14 11:40:52 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'A') IEEE 802.11: associated (aid 2)
Wed Feb 14 11:40:52 2024 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED (MAC ADDRESS 'A') auth_alg=sae
Wed Feb 14 11:40:52 2024 daemon.info hostapd: phy1-ap0: STA (MAC ADDRESS 'A') WPA: pairwise key handshake completed (RSN)
Wed Feb 14 11:40:52 2024 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED (MAC ADDRESS 'A')
Wed Feb 14 11:40:53 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.5.206 (MAC ADDRESS 'A')
Wed Feb 14 11:40:53 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.5.206 (MAC ADDRESS 'A')
Wed Feb 14 11:40:53 2024 daemon.warn odhcpd[1558]: No default route present, overriding ra_lifetime!

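Your problem is that you've got the guest network attached to 2 radios, but you're not using a bridge. Without a bridge, the GuestNet address ends up on only one of the two guest AP interfaces (your `ip -4 addr` output shows 10.10.10.10 on phy1-ap1 only), so clients that associate with the guest SSID on the other radio (phy0-ap1 in your log) never get a DHCP reply. This can be fixed pretty easily.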

Add this to your /etc/config/network file

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

Then edit your guest network to use the bridge device we just created:

config interface 'GuestNet'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '10.10.10.10'
	option netmask '255.255.255.0'

Then restart and try again.


I too watched his video series before setting up segregated wireless. Though there is some good information there, I found those videos to be a bit confusing. I ultimately followed the approach detailed in the link below and had success. One notable difference between the video you linked, and the guide I have linked below, is the approach to the firewall rules. Check this guide. IMO, it is easier to follow than the video.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

By the way - don't be thrown off by the "Dumb AP" title of the article. If you want the device to be a router instead of "Dumb AP" , you can still follow the guide and just simply omit the last part about deleting WAN interfaces. Also, if you are setting up for router mode, omit the part about enabling masquerading on the LAN port. Leave masquerading off for LAN. (Don't forget to enable DHCP scopes for each network, and double-check DNSMasq settings.)

You can repeat the step for the "guest" interface / zone / wireless setup if you want to create additional SSIDs for each band. I hope this helps.


At @GregW - Apologies. When I initially started to type my reply, there were no other replies at the time. I just happened to notice @psherman posted a reply, while I was still editing mine. psherman is by far more knowledgeable than I, so definitely follow his advice.

Another potential problem is that you did not set a country code in your wifi.
It is advised to do so.

Furthermore, not all clients can deal with sae-mixed / Mixed-Mode security; if it is problematic, use psk2 / WPA2-PSK instead.
If you have problems authenticating then change the security, but if not, leave it as is :slight_smile:


@psherman Thanks very much for your reply. I've just implemented your suggestion and it now appears to be working. I'll give it a good testing over the next few days to see if there are any other errors in my set up. Thanks again much appreciated.


@JustAnotherEndUser Thanks for the link, I'll have a good read and no doubt learn something! Cheers.


Great.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


Thanks @egc, I've now set my wifi to my country. I've not had any trouble authenticating thus far but will keep that in mind in the future should there be any more issues. Cheers,
