[SOLVED] Guest Wifi has no internet access


#1

Hello
I've just recently installed OpenWRT on my router, and I've been satisfied with it, however, I seem to have run into a bit of an issue with creating a second guest wifi on my network. It will broadcast the ESSID, but will fail to allow the user to connect to the internet. Not sure what the heck is going on, and I've tried using the GUI and the SSH methods to have both fail at allowing the Guest Network to work properly.

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd44:c7f8:56a2::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.0.0.1 1.1.1.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option ports '1 2 3 4 0t'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option dns '1.0.0.1 1.1.1.1'
        option type 'bridge'

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

#2
ip link show; uci show wireless

#3

So far the only slight mistake is having the guest interface as bridge, while not bridging it with anything.
Does the guest user acquire IP settings by DHCP properly? If not post the /etc/config/dhcp as well.


#4

Try removing the name from config lines from your firewall rules, i.e.

config zone
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guestzone'
        option dest 'wan'

config rule
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option dest_port '53'

For some reason, the firewall tends to break or act flaky if you attempt to put a name in the config lines.


#5

The guest interface should indeed be a bridge, even though it's not bridged to anything, because if they want to add one (or more) of their wlan radios to the guest network, then when they add the radio in their /etc/config/wireless file, it will get added to the bridge.


#6

Is http://1.1.1.1/ accessible to the clients on the guest network?


#7

DHCP servers are disabled since I have it set up for MAC Whitelist + Static IP assignment basis for added security. My main network works like this and seems to work just fine, so I'm just confused why my guest network isn't working with the same set up.

Note: My devices on the Guest Network for testing are able to connect and display the IP I input


#8

My 5 & 2.4 Guest Networks are connected via the "Guest" interface, so yes that's why they're bridged


#9

How about DNS? Are you sure the guest devices get proper DNS?

If not that, could you enable DHCP for the sake of testing and see if the problem is there?


#10

With DHCP server enabled it seems to connect with no issues, but I don't really like the idea of letting people connect without me assigning an IP to them. Any way I can get that to work like it does on my main interface, or am I just going to have to live with it?


#11

I'm not sure to be honest. I don't have a guest network, but I am trying to help you with finding where the problem exactly is.

With DHCP off, do they have proper DNS?


#12

Without posting here the things that we ask you, it is kinda hard to guess your mistakes.
It goes without saying that you could have written here what settings you were applying to the guest clients, since you are not using dhcp.


#13

What in the flying.. @#$%!


  • Are you serious about assigning IPs to every single guest user?
  • Why don't you simply rekey the Guest AP SSID - as needed?

#14

Ok, so turns out I kept setting the devices to connect to gateway 192.168.1.1 instead of 192.168.2.1, so that's why it wasn't connecting. I noticed when I switched to automatic it started using 2.1 as the gateway and I realized my mistake. And yes, I am serious about the extra measures; I can't exactly explain why, it's just something I do now.


#15

An attacker can just use your whitelisted MAC address, and if they have that knowledge they would also know how to set their own static address, gateway and DNS.

You're just making life difficult for yourself.


#16

I'm not sure why your devices actually took that setting; but yes, it's invalid to use a gateway (router) not on the same subnet.

Glad you got it working.
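As an added example that is not from any post in this thread and not OpenWrt's own code: a small Python linter that parses UCI-style config text and checks the points the thread turned on, namely the bridge-with-no-ifname observation in #3/#5, whether the guest zone is actually isolated (input and forward rejected, forwarding to wan only, the router reachable from guests only for DHCP and DNS), and the gateway-not-in-subnet mistake from #14/#16. The config text inside the block is a constructed sample modelled on the poster's files, and the function names parse_uci, guest_zone_findings and static_client_ok are the example's own.

```python
"""Added example (not from this thread or OpenWrt): lint a guest-network setup
from UCI config text. Checks that the guest zone rejects input and forward
traffic, forwards only to wan, lets guests reach the router only for DHCP/DNS,
and that a static client's gateway is inside the guest subnet (post #16)."""
import ipaddress
import re

# Constructed sample modelled on the poster's /etc/config/network and firewall.
NETWORK_CFG = """
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'
"""
FIREWALL_CFG = """
config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option input 'REJECT'
config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
config rule 'guestzone_dhcp'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
config rule 'guestzone_dns'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
"""


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' keys become lists."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            cur = {'type': m.group(1), 'name': m.group(2), 'opts': {}}
            sections.append(cur)
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == 'option':
                cur['opts'][key] = val
            else:
                cur['opts'].setdefault(key, []).append(val)
    return sections


def guest_zone_findings(network_text, firewall_text, guest_iface='guest'):
    """Return a list of findings; an empty list means the guest zone looks isolated."""
    findings, fw = [], parse_uci(firewall_text)
    iface = next((s for s in parse_uci(network_text)
                  if s['type'] == 'interface' and s['name'] == guest_iface), None)
    if iface is None:
        return [f"interface '{guest_iface}' is not defined"]
    if iface['opts'].get('type') == 'bridge' and 'ifname' not in iface['opts']:
        findings.append(f"'{guest_iface}' is a bridge with no ifname; only a radio "
                        "attached in /etc/config/wireless will join it")
    zone = next((s for s in fw if s['type'] == 'zone'
                 and guest_iface in s['opts'].get('network', '').split()), None)
    if zone is None:
        return findings + [f"no firewall zone covers interface '{guest_iface}'"]
    zname = zone['opts'].get('name')
    for key in ('input', 'forward'):
        val = zone['opts'].get(key)
        if val not in ('REJECT', 'DROP'):
            findings.append(f"zone '{zname}' {key} is {val or 'unset'}; "
                            "a guest zone should REJECT or DROP it")
    for s in fw:
        o = s['opts']
        if s['type'] == 'forwarding' and o.get('src') == zname and o.get('dest') != 'wan':
            findings.append(f"zone '{zname}' forwards to '{o.get('dest')}'; "
                            "guests should only reach wan")
    # Rules without 'dest' hit the router itself; only DHCP and DNS are expected there.
    allowed = {s['opts'].get('dest_port', 'any') for s in fw
               if s['type'] == 'rule' and s['opts'].get('src') == zname
               and s['opts'].get('target') == 'ACCEPT' and 'dest' not in s['opts']}
    for port in sorted(allowed - {'67-68', '53'}):
        findings.append(f"zone '{zname}' may reach the router on port(s) {port}")
    for port in sorted({'67-68', '53'} - allowed):
        findings.append(f"zone '{zname}' lacks an ACCEPT rule to the router for {port}")
    return findings


def static_client_ok(network_text, iface_name, client_ip, gateway):
    """True if a manually configured client sits inside the interface's subnet and
    uses the router's own address on that interface as its gateway (post #16)."""
    iface = next(s for s in parse_uci(network_text)
                 if s['type'] == 'interface' and s['name'] == iface_name)
    router = ipaddress.ip_interface(f"{iface['opts']['ipaddr']}/{iface['opts']['netmask']}")
    return (ipaddress.ip_address(client_ip) in router.network
            and ipaddress.ip_address(gateway) == router.ip)
```

On a real router the two functions take the contents of /etc/config/network and /etc/config/firewall; with the sample above, guest_zone_findings reports only the bridge-without-ifname point, and static_client_ok returns False for a guest client handed 192.168.1.1 as its gateway (the poster's mistake) but True for 192.168.3.1. Adding a forwarding from guestzone to lan, or an ACCEPT rule from guestzone to the router on another port, produces an extra finding each.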