[Solved] Guest network: LAN connections lost + no guest connection

Hi,

Since resolving my previous problem ([Solved] Simple private LAN: DHCP not giving leases (or more) - #12 by itsthejb), I've finally been able to set up my old Fritz!BOX 7530 with the kind of home network I wanted long ago. Great!

So now I thought to add a guest/IOT restricted network using this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan. However I ran into trouble again.

23.05rc2 ipq40xx/generic

Configs:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd85:2a51:d5c3::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'j'
	option tone 'b'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname '<<>>'

config interface 'wan'
	option device 'lan1'
	option proto 'dhcp'
	option ipv6 '1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'lan1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel 'auto'
	option band '2g'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '<<>>'
	option encryption 'psk2'
	option key '<<>>'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel 'auto'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '<<>>'
	option encryption 'sae'
	option key '<<>>'

# Guest AP on the 2.4 GHz radio, attached to the 'guest' network (and thus the
# 'guest' firewall zone). Consider adding `option isolate '1'` so guest clients
# cannot talk to each other through the AP.
config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid '<<>>'
	option encryption 'psk2'
	option key '<<>>'
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Guest zone: traffic from the guest network to the router itself (input) and
# to any other zone (forward) is rejected unless a rule or forwarding below
# opens it. No forwarding to 'lan' is defined, so guests cannot reach the LAN
# subnet; only the guest->wan forwarding and the DNS/DHCP rules apply.
config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

# Guests may query DNS on the router itself (TCP/UDP 53, both families).
# Note that dnsmasq on this router listens on port 54 (see /etc/config/dhcp
# further down), so port 53 is answered by whatever else is bound to it --
# AdGuardHome, per the thread.
config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# Guests may reach the router's DHCPv4 server (UDP 67). This is IPv4 only:
# if the guest interface is ever given IPv6 (ra/dhcpv6), a matching rule for
# DHCPv6 and ICMPv6 towards the router is needed as well.
config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

However I got:

  • Lost LAN ports on the main lan network
  • Guest network didn't have an upstream connection

This feature is a bit of a nice-to-have, so I can live without it. Perhaps I hit some limitations of support for my device here? Adding the network seems simple enough, so I don't see what could be wrong with it.

Hope someone can help! Thanks in advance

If the configs provided are the currently running ones, there is literally no guest network defined and the lan should theoretically work. However, I'm guessing you changed things... can you post the latest config files?

Hi. I've updated the configs to have just the guest wifi setup that isn't working out for me

Hope you can help!

Generally looks okay from this part...

I would recommend removing the guest_dev section name...

make it look like this:

config device
	option type 'bridge'
	option name 'br-guest'

Remove the IPv6 statement from the wan interface (there's a wan6 interface for this purpose already):

I don't see the dhcp file -- can you post that?

And finally, what is the upstream subnet? Is it another RFC1918 address or a public IP?

Thanks for your help

The upstream address is 93.174.86.96, so public

/etc/config/dhcp:

# dnsmasq has been moved off port 53 ('port 54' below); the thread says
# AdGuardHome is running on this router, so anything that talks to
# 192.168.1.1:53 reaches AdGuardHome rather than dnsmasq.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection is OFF: upstream answers that carry private /
	# loopback addresses are passed through to clients, removing a defence
	# against rebinding. NOTE(review): confirm a local name really needs
	# this; otherwise set it back to '1'.
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# only answer queries coming from directly attached subnets
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	# upstream for dnsmasq is the router's own LAN address (port 53) --
	# presumably AdGuardHome; verify this does not loop back into dnsmasq.
	list server '192.168.1.1'
	# presumably limits dnsmasq to listening on br-guest only (so not on
	# br-lan) -- verify against the intended LAN DNS path.
	list interface 'br-guest'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns 'fd85:2a51:d5c3::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Remove these two lines from the DHCP server:

You have not defined a guest dhcp server... add this:

# DHCPv4 pool for the guest interface: addresses .100 through .249 of the
# guest subnet, 12h leases. Unlike the 'lan' section there are no 'ra' /
# 'dhcpv6' entries, so guest clients stay IPv4-only.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Then restart your router and see if this fixes things.

Hi there,

Alright! So I have it working. What I did was add your recommendations, but also:

diff --git a/config/dhcp b/config/dhcp
index 6839fd6..bf3a5c6 100644
--- a/config/dhcp
+++ b/config/dhcp
@@ -57,6 +57,8 @@ config dhcp 'guest'
 	option limit '150'
 	option leasetime '12h'
 	option dhcpv4 'server'
+	list dhcp_option '3,192.168.9.1'
+	list dhcp_option '6,1.1.1.1,1.0.0.1'

 config host
 	option ip '192.168.1.219'
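Review bot: The `list dhcp_option '6,1.1.1.1,1.0.0.1'` line is what makes this work, because it sends guest clients straight to Cloudflare on port 53 and so around the AdGuardHome-on-53 / dnsmasq-on-54 arrangement on the router; the trade-off is that guest DNS leaves the router unfiltered and in cleartext over the WAN, and the `Allow-DNS-Guest` rule for port 53 to the router can probably be dropped for these clients unless something on the router should still answer them. The `list dhcp_option '3,192.168.9.1'` line looks redundant, since dnsmasq advertises the interface's own address as the default router when option 3 is not set, which matches the follow-up post reporting no change after removing it. Note that the guest address here is 192.168.9.1 while the network config posted earlier used 192.168.99.1, so the two listings describe different revisions of the setup.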
diff --git a/config/network b/config/network
index 04fd1bf..7b87f4c 100644
--- a/config/network
+++ b/config/network
@@ -55,4 +55,5 @@ config interface 'guest'
 	option device 'br-guest'
 	option ipaddr '192.168.9.1'
 	option netmask '255.255.255.0'
+	option ip6assign '60'

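Review bot: `option ip6assign '60'` on the guest interface allocates an IPv6 prefix to br-guest, but nothing in the posted `config dhcp 'guest'` section enables `ra` or `dhcpv6`, so guest clients would not receive that prefix anyway -- consistent with the follow-up post reporting no change after removing it. If IPv6 is later enabled on the guest network, the firewall side needs a look too: the `Allow-DHCP-Guest` rule is `family 'ipv4'` only, and the guest zone's REJECT defaults would also block DHCPv6 (UDP 547) and ICMPv6 towards the router, which `Allow-DNS-Guest` does not cover. Whether a second /60 can be carved out next to lan's /60 also depends on the size of the prefix delegated on wan6, which the page does not show.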
These are copied from the lan interface. I think the only part that's actually important is the dhcp_option '6,1.1.1.1,1.0.0.1': I'm using AdGuardHome on the device, so dnsmasq is actually using port 54. Since I don't care for adblocking on the guest network, I can just pass those to the Cloudflare public DNS directly.

Please let me know if you have any other thoughts on that, and thanks otherwise for the help!

PS. As a follow-on, I tried removing the questionable ip6assign and dhcp_option 3. Everything works ok, so it was purely a case of providing something to handle the AdGuardHome + dnsmasq port 54 situation for the guest network
