[Solved] Guest wifi on dumb AP problems [Solved]

Hi everyone.
I'm trying to set up a guest wifi network with AP isolation and without access to my main network.

I'm trying to do this on a BUFFALO WBMR-HP-G300H and I'd like to do the same on a TP-LINK TD-W8970 (the first is running OpenWrt "19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-22.019.56061-cc8ba6e" while the second runs "OpenWrt 19.07.4 r11208-ce6496d796 / LuCI openwrt-19.07 branch git-22.019.56061-cc8ba6e").
For AP isolation I simply checked the related box in the Advanced settings tab in the newly created wifi network.
For separating the guest wifi from my main network, I've just finished following this guide, Guest Wi-Fi on a dumb wireless AP using LuCI, and it seemed to work immediately, but... I can connect to the guest wlan with internet access; however, even though I assigned a different subnet (i.e. 192.168.X.1) to the new guest network interface, as soon as I connect my mobile I still get an IP on the main subnet (e.g. 192.168.Y.136) and, obviously, I can reach all the other IPs on my main network. May I ask you for some help to solve this issue?

Thanks

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi Peter, thanks for the fast answer...sorry for my late reply.
Here is the info you requested:
network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # IPv6 ULA prefix, redacted in this paste
        option ula_prefix '----:----:-deb::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option firmware '/lib/firmware/adsl.bin'
        option annex 'b'

config interface 'lan'
        # bridge over switch VLAN 1 (eth0.1); the AP takes a static address on the
        # upstream LAN and points its default gateway at the main router
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.X.1'
        option ipaddr '192.168.X.aaa'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wan'
        # PPPoE over DSL, credentials redacted; auto '0' keeps the interface
        # from being brought up at boot (the poster uses the box only as an AP)
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'
        option auto '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config interface 'guest'
        # guest network on its own subnet; no 'type bridge', so only one
        # physical device (the guest SSID) can be attached to it
        option proto 'static'
        option ipaddr '192.168.Y.1'
        option netmask '255.255.255.0'

wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option channel '3'
        option txpower '4'
        # radio is disabled in this dump, so the config shown cannot be the
        # running one (pointed out later in the thread)
        option disabled '1'

config wifi-iface 'wifinet0'
        # main SSID, attached to lan; 802.11r fast transition is enabled
        option device 'radio0'
        option mode 'ap'
        option ft_over_ds '0'
        option ssid 'MAIN-WIFI-NAME'
        # NOTE(review): spelled 'psk2.ccmp' here but 'psk2+ccmp' on wifinet1;
        # '+' is the documented separator, presumably the same thing is intended
        option encryption 'psk2.ccmp'
        option ft_psk_generate_local '1'
        option mobility_domain '4f57'
        option key 'PWD'
        option ieee80211r '1'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet1'
        option ssid 'GUEST-WIFI-NAME'
        option device 'radio0'
        option mode 'ap'
        # AP isolation: clients on this SSID cannot talk to each other
        option isolate '1'
        option key 'PWD'
        # attached to BOTH lan and guest, so wlan0-1 also joins br-lan (visible in
        # the brctl output further down); the replies identify this as the cause
        # of guests getting lan addresses
        option network 'lan guest'
        option encryption 'psk2+ccmp'
        option disabled '1'

dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS rebind protection: upstream answers in private ranges are dropped
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        # only answer DNS queries from directly attached subnets
        option localservice '1'

config dhcp 'lan'
        # no DHCP served on lan: the main router is the DHCP server there
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        # DHCP pool for the guest subnet: 110 addresses starting at .100
        option start '100'
        option leasetime '12h'
        option interface 'guest'
        option limit '110'

firewall

config defaults
        # device itself accepts traffic; cross-zone forwarding is rejected
        # unless a 'forwarding' section below allows it
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        # NOTE(review): no 'list network' entry, so this zone is not bound to the
        # lan interface (raised later in the thread); masq '1' masquerades
        # traffic leaving through this zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        # wan zone for the PPPoE interfaces, which are not auto-started here
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# the wan-side rules below appear to be the unchanged stock 19.07 defaults

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        # custom rules file, not shown in this thread
        option path '/etc/firewall.user'

config zone
        # guest zone: input REJECT means guests only reach the AP itself through
        # the explicit DHCP/DNS rules below; forward REJECT stops forwarding
        # between guest interfaces
        option name 'guest'
        option forward 'REJECT'
        list network 'guest'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        # lets guests out to the internet via the lan (upstream) side; the
        # DROP rule at the end carves the private LAN out of this
        option dest 'lan'
        option src 'guest'

config rule
        # guests must reach dnsmasq on the AP to obtain a lease
        option dest_port '67-68'
        option src 'guest'
        option name 'guest DHCP'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        # no 'proto' set: fw3 defaults to tcp and udp
        option dest_port '53'
        option src 'guest'
        option name 'guest DNS'
        option target 'ACCEPT'

config rule
        # keeps guests off the private subnet; fw3 applies explicit rules before
        # zone forwardings, so this DROP wins over the guest->lan forwarding above
        option src 'guest'
        option name 'Block guest access to Private Zone'
        option dest 'lan'
        list dest_ip '192.168.X.0/24'
        option target 'DROP'
        list proto 'all'

I should have listed all the info, with redacted values. Consider that I still have the wan interfaces because I never decided to delete them, even though I use this device only as an AP.

I thank you in advance for any suggestion you would give me.

Have a nice day!

Remove the lan interface from option network. Everything else seems to be correct.


Hi Pavel!

Thanks for the suggestion. I tried but it doesn't work. Yesterday evening the issue was limited to the wrong IP assignment with internet connection working. After your proposed modification, the IP is still assigned on my main subnet and, moreover, there isn't internet connection.

Please try to renew the DHCP lease again and post the output of the following commands:

brctl show; /etc/init.d/log restart; /etc/init.d/dnsmasq restart; sleep 3; netstat -nlpu | grep 67; logread -e dhcp

I'm not sure I understood what you mean by "renew the DHCP". Anyway, here is the output you asked for:

me@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.0024a5bdb0d4       no              eth0.1
                                                        wlan0
                                                        wlan0-1
me@OpenWrt:~# /etc/init.d/log restart
me@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
me@OpenWrt:~# sleep 3
me@OpenWrt:~# netstat -nlpu | grep 67
udp        0      0 0.0.0.0:67              0.0.0.0:*                                                      9499/dnsmasq
me@OpenWrt:~# logread -e dhcp
Thu Jan 27 15:08:35 2022 daemon.info dnsmasq-dhcp[9499]: DHCP, IP range 192.168.Y.aaa -- 192.168.Y.bbb, lease time 12h
Thu Jan 27 15:08:35 2022 daemon.info dnsmasq[9499]: read /tmp/hosts/dhcp.cfg01411c - 1addresses
Thu Jan 27 15:08:35 2022 daemon.info dnsmasq-dhcp[9499]: read /etc/ethers - 0 addresses

Finally, a further detail: when I tested the guest network this morning, I saw on the mobile (via a dedicated app) that the IP assigned was still on my main network (reserved 192.168.X.aaa IP set in my main router) but, now, I can see in the LuCI section "DHCP and DNS", "Static Leases" tab, that my mobile has a reserved IP 192.168.Y.aaa with 9.5 hrs left.

The guest wireless interface is still a member of the lan bridge. Execute /etc/init.d/network restart && wifi and run brctl show again. You should see only eth0.1 and wlan0 as bridge members.

And don't obscure the private (RFC 1918) IP addresses. They are not sensitive information.

Edit: Just to make sure everything is correct:

uci delete wireless.wifinet1.network
uci set wireless.wifinet1.network="guest"
uci commit wireless
/etc/init.d/network restart
wifi
brctl show

The config you posted has all the wifi disabled, so it must not be what you're actually running.

You probably want to make the guest network a bridge so you can have guests on more than one physical interface, e.g. wired and wireless. But it will also work as not a bridge as long as there is only one physical device.


Sorry for the mistake on private IP address.
wifinet1 deleted
set it again
committed changes
restarted network and wifi.

me@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.0024a5bdb0d4       no              eth0.1
                                                        wlan0

The IP is now assigned correctly but internet connection is lost.

please post updated config files so we can be sure that we're all on the same page.


Here are the updated config files

me@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # IPv6 ULA prefix, redacted in this paste
        option ula_prefix '----:----:-deb::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option firmware '/lib/firmware/adsl.bin'
        option annex 'b'

config interface 'lan'
        # bridge over switch VLAN 1 (eth0.1); the AP takes a static address on the
        # upstream LAN and points its default gateway at the main router
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option ipaddr '192.168.1.142'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wan'
        # PPPoE over DSL, credentials redacted; auto '0' keeps the interface
        # from being brought up at boot (the poster uses the box only as an AP)
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'
        option auto '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config interface 'guest'
        # guest network on its own subnet; no 'type bridge', so only one
        # physical device (the guest SSID) can be attached to it
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

me@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        # 2.4 GHz channel 3 overlaps 1 and 6; the replies recommend 1, 6 or 11
        option channel '3'
        option txpower '4'

config wifi-iface 'wifinet0'
        # main SSID, attached to lan; 802.11r fast transition is enabled
        option device 'radio0'
        option mode 'ap'
        option ft_over_ds '0'
        option ssid 'MAIN-WIFI'
        # NOTE(review): spelled 'psk2.ccmp' here but 'psk2+ccmp' on wifinet1;
        # '+' is the documented separator, presumably the same thing is intended
        option encryption 'psk2.ccmp'
        option ft_psk_generate_local '1'
        option mobility_domain '4f57'
        option key 'MAIN_WIFI_PWD'
        option ieee80211r '1'
        option network 'lan'

config wifi-iface 'wifinet1'
        option ssid 'OpenWrt_GUEST_Test'
        option device 'radio0'
        option mode 'ap'
        # AP isolation: clients on this SSID cannot talk to each other
        option isolate '1'
        option key 'GUEST-WIFI-PWD'
        option encryption 'psk2+ccmp'
        # 'GUEST' is not an interface defined in /etc/config/network; the reply
        # below says to keep only the lowercase 'guest'
        option network 'GUEST guest'

root@OpenWrt-Buffalo:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS rebind protection: upstream answers in private ranges are dropped
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        # only answer DNS queries from directly attached subnets
        option localservice '1'

config dhcp 'lan'
        # no DHCP served on lan: the main router is the DHCP server there
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        # DHCP pool for the guest subnet: 192.168.3.100-209, matching the
        # dnsmasq-dhcp log line further down
        option start '100'
        option leasetime '12h'
        option interface 'guest'
        option limit '110'

config host
        # static lease for the poster's phone on the guest subnet; MAC redacted
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'MyMobile'
        option dns '1'
        option ip '192.168.3.100'

me@OpenWrt:~# cat /etc/config/firewall

config defaults
        # device itself accepts traffic; cross-zone forwarding is rejected
        # unless a 'forwarding' section below allows it
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        # NOTE(review): no 'list network' entry, so this zone is not bound to the
        # lan interface (raised later in the thread); masq '1' masquerades
        # traffic leaving through this zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        # wan zone for the PPPoE interfaces, which are not auto-started here
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# the wan-side rules below appear to be the unchanged stock 19.07 defaults

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        # custom rules file, not shown in this thread
        option path '/etc/firewall.user'

config zone
        # guest zone: input REJECT means guests only reach the AP itself through
        # the explicit DHCP/DNS rules below; forward REJECT stops forwarding
        # between guest interfaces
        option name 'guest'
        option forward 'REJECT'
        list network 'guest'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        # lets guests out to the internet via the lan (upstream) side; the
        # DROP rule at the end carves the private LAN out of this
        option dest 'lan'
        option src 'guest'

config rule
        # guests must reach dnsmasq on the AP to obtain a lease
        option dest_port '67-68'
        option src 'guest'
        option name 'guest DHCP'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        # no 'proto' set: fw3 defaults to tcp and udp
        option dest_port '53'
        option src 'guest'
        option name 'guest DNS'
        option target 'ACCEPT'

config rule
        # keeps guests off the private subnet; fw3 applies explicit rules before
        # zone forwardings, so this DROP wins over the guest->lan forwarding above
        option src 'guest'
        option name 'Block guest access to Private Zone'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'DROP'
        list proto 'all'

me@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.0024a5bdb0d4       no              eth0.1
                                                        wlan0

me@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

me@OpenWrt:~# netstat -nplu | grep 67
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5483/dnsmasq

me@OpenWrt:~# logread -e dhcp
Thu Jan 27 18:02:03 2022 daemon.info dnsmasq-dhcp[5483]: DHCP, IP range 192.168.3.100 -- 192.168.3.209, lease time 12h
Thu Jan 27 18:02:03 2022 daemon.info dnsmasq[5483]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Thu Jan 27 18:02:03 2022 daemon.info dnsmasq-dhcp[5483]: read /etc/ethers - 0 addresses

remove the "GUEST" network -- it should just be the lowercase 'guest'


Also, your radio's channel is odd -- this should be 1, 6, or 11. The other channels are basically guard bands and shouldn't really be used. I don't think this is related to your issue, but it is something that should be addressed.


this is not needed. You need to delete the forwarding

first though.

lan zone doesn't have any interface, it should have the lan. Also masquerade is not needed.


If I understand the OP's configuration and intent correctly, I am pretty sure the OpenWrt device is acting as a dumb AP + guest network. This would mean that the lan interface is the upstream connection, and therefore the masquerading and guest > lan forwarding (as well as the blocking of guest > private zone rule) would be required.


About this: I selected channel 3 because it is the one with the lowest interference in my building. I didn't know that 1, 6 and 11 are the better ones.

Sorry for the deletion. I'm not used to editing posts. May I ask how I can remove that?

Yeah, in some ways it is odd that the intermediate channels exist as user-selectable options (across all wifi devices), when they really aren't supposed to be used. Stick with 1, 6, or 11 -- whichever has the lowest interference in your building.


You are right about the forwarding, I overlooked that.
Still the lan zone is missing the network option.
