Hi everyone.
I'm trying to set up a guest wifi network with AP isolation and without access to my main network.
I'm trying to do this on a BUFFALO WBMR-HP-G300H and I'd like to do the same on a TP-LINK TD-W8970 as well (the first is running OpenWrt "19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-22.019.56061-cc8ba6e", while the second runs "OpenWrt 19.07.4 r11208-ce6496d796 / LuCI openwrt-19.07 branch git-22.019.56061-cc8ba6e").
For AP isolation I simply checked the related box in the Advanced settings tab in the newly created wifi network.
For separating the guest wifi from my main network, I've just finished following this guide, Guest Wi-Fi on a dumb wireless AP using LuCI, and it seemed to work immediately, but... I can connect to the guest WLAN with internet access; however, even though I assigned a different subnet IP (i.e. 192.168.X.1) to the new guest network interface, as soon as I connect my mobile I still get an IP on the main subnet (e.g. 192.168.Y.136) and, obviously, I can reach all the other IPs on my main network. May I ask you for some help to solve this issue?
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option forward 'REJECT'
list network 'guest'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option dest 'lan'
option src 'guest'
config rule
option dest_port '67-68'
option src 'guest'
option name 'guest DHCP'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'guest'
option name 'guest DNS'
option target 'ACCEPT'
config rule
option src 'guest'
option name 'Block guest access to Private Zone'
option dest 'lan'
list dest_ip '192.168.X.0/24'
option target 'DROP'
list proto 'all'
I should have listed all the info, with redacted values. Consider that I still have the wan interfaces because I never decided to delete them, even though I use this device only as an AP.
I thank you in advance for any suggestion you would give me.
Thanks for the suggestion. I tried but it doesn't work. Yesterday evening the issue was limited to the wrong IP assignment with internet connection working. After your proposed modification, the IP is still assigned on my main subnet and, moreover, there isn't internet connection.
I'm not sure I have understood what you mean by "renew the DHCP". Anyway, here is the output you asked for:
me@OpenWrt:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.0024a5bdb0d4 no eth0.1
wlan0
wlan0-1
me@OpenWrt:~# /etc/init.d/log restart
me@OpenWrt:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
me@OpenWrt:~# sleep 3
me@OpenWrt:~# netstat -nlpu | grep 67
udp 0 0 0.0.0.0:67 0.0.0.0:* 9499/dnsmasq
me@OpenWrt:~# logread -e dhcp
Thu Jan 27 15:08:35 2022 daemon.info dnsmasq-dhcp[9499]: DHCP, IP range 192.168.Y.aaa -- 192.168.Y.bbb, lease time 12h
Thu Jan 27 15:08:35 2022 daemon.info dnsmasq[9499]: read /tmp/hosts/dhcp.cfg01411c - 1addresses
Thu Jan 27 15:08:35 2022 daemon.info dnsmasq-dhcp[9499]: read /etc/ethers - 0 addresses
Finally, a further detail... when I tested the guest network this morning, I saw on the mobile (via a dedicated app) that the IP assigned was still on my main network (Reserved 192.168.X.aaa IP set in my main router) but, now, I can see in the LuCI section "DHCP and DNS", "Static Leases" tab, that my mobile has a reserved IP 192.168.Y.aaa with 9.5 hrs left.
The guest wireless interface is still a member of the lan bridge. Execute /etc/init.d/network restart && wifi and run brctl show again. You should see only eth0.1 and wlan0 as bridge members.
And don't obscure the private (RFC 1918) IP addresses. It's not sensitive information.
Edit: Just to make sure everything is correct:
uci delete wireless.wifinet1.network
uci set wireless.wifinet1.network="guest"
uci commit wireless
/etc/init.d/network restart
wifi
brctl show
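The check the reply above asks for (that after the restart br-lan holds only eth0.1 and wlan0, i.e. the guest SSID is no longer bridged into the main LAN) can be scripted so it is not eyeballed. This is an added example, not code from the thread or from OpenWrt; it is a POSIX sh script that parses `brctl show` text. The sample output is constructed in the shape of what the OP posted (brctl prints extra bridge members on indented continuation rows); on the router, pass `"$(brctl show)"` instead of the sample.

```shell
#!/bin/sh
# Constructed sample in the shape of the `brctl show` output posted in the
# thread: the guest wireless interface wlan0-1 is still a member of br-lan.
SAMPLE_BRCTL='bridge name   bridge id           STP enabled   interfaces
br-lan        7fff.0024a5bdb0d4   no            eth0.1
                                                wlan0
                                                wlan0-1'

# bridge_members OUTPUT BRIDGE
# Print the member interfaces of BRIDGE, one per line, from brctl show text.
# brctl prints the first member on the bridge's own row (4 fields) and any
# further members on continuation rows that carry only the interface name.
bridge_members() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                                    # column header
        NF >= 3 { cur = $1; if (NF == 4 && cur == want) print $4; next }
        NF == 1 && cur == want { print $1 }                 # continuation row
    '
}

# iface_in_bridge OUTPUT BRIDGE IFACE
# Exit 0 if IFACE is a member of BRIDGE, 1 otherwise.
iface_in_bridge() {
    bridge_members "$1" "$2" | grep -qx "$3"
}

# unexpected_members OUTPUT BRIDGE EXPECTED...
# Print the members of BRIDGE that are not in the EXPECTED list.
unexpected_members() {
    out="$1"; br="$2"; shift 2
    for m in $(bridge_members "$out" "$br"); do
        found=0
        for e in "$@"; do
            [ "$m" = "$e" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$m"
    done
    return 0
}

# check_lan_bridge OUTPUT BRIDGE EXPECTED...
# The check from the thread: after moving the guest SSID to its own network,
# the LAN bridge should hold only the wired port and the main SSID.
# Prints any stray member and returns 1 if one is found.
check_lan_bridge() {
    out="$1"; br="$2"; shift 2
    extra=$(unexpected_members "$out" "$br" "$@")
    if [ -n "$extra" ]; then
        printf 'unexpected member(s) of %s: %s\n' "$br" "$(echo "$extra" | tr '\n' ' ')"
        return 1
    fi
    printf '%s holds only the expected members: %s\n' "$br" "$*"
}

# Stand-alone run on the constructed sample (reports wlan0-1 as unexpected).
check_lan_bridge "$SAMPLE_BRCTL" br-lan eth0.1 wlan0 || true
```

Run it after `/etc/init.d/network restart && wifi` with the live output (`check_lan_bridge "$(brctl show)" br-lan eth0.1 wlan0`); a zero exit status means the guest interface has left the LAN bridge, which is the precondition for the guest DHCP range and the firewall zone separation to take effect.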
The config you posted has all the wifi disabled, so it must not be what you're actually running.
You probably want to make the guest network a bridge so you can have guests on more than one physical interface, e.g. wired and wireless. But it will also work as not a bridge as long as there is only one physical device.
Also, your radio's channel is odd -- this should be 1, 6, or 11. The other channels are basically guard bands and shouldn't really be used. I don't think this is related to your issue, but it is something that should be addressed.
If I understand the OP's configuration and intent correctly, I am pretty sure the OpenWrt device is acting as a dumb AP + guest network. This would mean that the lan interface is the upstream connection, and therefore the masquerading and guest > lan forwarding (as well as the blocking of guest > private zone rule) would be required.
Yeah, in some ways it is odd that the intermediate channels exist as user-selectable options (across all wifi devices), when they really aren't supposed to be used. Stick with 1, 6, or 11 -- whichever has the lowest interference in your building.