[Solved] Guest wifi on dumb AP problems [Solved]

Good catch on that one!

1 Like

Do you want the command line method or the GUI (web interface) process?

1 Like

Sorry for "overloading"... both solutions are more than welcome. I can learn two new things in one shot.

OK, I'm going to analyse the neighbouring networks again and select 1, 6, 11.

Yes, that's true. I've just followed the "how to" published in the OpenWrt User Guide (OWrt User Guide). Actually I'm using the device as a dumb AP, as a second AP for seamless roaming. My main AP is another one, on which I'll make the same changes as soon as I'm able to get this Guest Network working. Only since yesterday have I understood that with my old TD-W8970, thanks to OpenWrt, I can create more than one SSID... I'm going to save money.

uci set firewall.@zone[2].network='guest'
uci set firewall.@zone[0].network='lan'
uci commit firewall
/etc/init.d/firewall restart

1 Like

IMO, it is not generally advisable to have multiple independent dumb APs that have their own guest network configuration. You may want to look at putting the guest network on the main router and then using VLANs to distribute them to the dumb APs.

2 Likes

Thanks for this additional suggestion. I'm going to delete this Guest network. For the time being it is just to test whether it works before setting up the final one on my main AP.

I did it but....

me@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option txpower '4'
        option channel '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ft_over_ds '0'
        option ssid 'MAIN-WIFI'
        option ft_psk_generate_local '1'
        option mobility_domain '4f57'
        option key 'MAIN-WIFI-PWD'
        option ieee80211r '1'
        option network 'lan'
        option encryption 'psk2'

config wifi-iface 'wifinet1'
        option ssid 'OpenWrt_GUEST_Test'
        option device 'radio0'
        option mode 'ap'
        option isolate '1'
        option key 'GUEST-WIFI-PWD'
        option encryption 'psk2+ccmp'
        option network 'GUEST guest'

GUEST is still there
and

me@OpenWrt:~# /etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @rule[10] (guest DNS) does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[0] (lan) has no device, network, subnet or extra options
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest DHCP'
   * Rule 'guest DNS'
   * Rule 'Block guest access to Private Zone'
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest DHCP'
   * Rule 'guest DNS'
   * Rule 'Block guest access to Private Zone'
     ! Skipping due to different family of ip address
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

Did anything go wrong?

My bad! I got my wires crossed and was thinking that the GUEST network was in the firewall...
Please provide the output of this:
uci show wireless

I'm asking for that so I am able to give you the correct UCI syntax to fix the network definition issue on the SSID.

1 Like

me@OpenWrt:~# uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11g'
wireless.radio0.path='pci0000:00/0000:00:0e.0'
wireless.radio0.htmode='HT20'
wireless.radio0.txpower='4'
wireless.radio0.channel='1'
wireless.wifinet0=wifi-iface
wireless.wifinet0.device='radio0'
wireless.wifinet0.mode='ap'
wireless.wifinet0.ft_over_ds='0'
wireless.wifinet0.ssid='MAIN_WIFI'
wireless.wifinet0.ft_psk_generate_local='1'
wireless.wifinet0.mobility_domain='4f57'
wireless.wifinet0.key='MAIN-WIFI-PWD'
wireless.wifinet0.ieee80211r='1'
wireless.wifinet0.network='lan'
wireless.wifinet0.encryption='psk2'
wireless.wifinet1=wifi-iface
wireless.wifinet1.ssid='OpenWrt_GUEST_Test'
wireless.wifinet1.device='radio0'
wireless.wifinet1.mode='ap'
wireless.wifinet1.isolate='1'
wireless.wifinet1.key='GUEST-WIFI-PWD'
wireless.wifinet1.encryption='psk2+ccmp'
wireless.wifinet1.network='GUEST guest'

uci set wireless.wifinet1.network='guest'
uci commit wireless
/etc/init.d/network restart

1 Like
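
The mismatch fixed above (an SSID bound to 'GUEST guest' while only the interface 'guest' exists) can be caught mechanically. The following is an added example, not part of the original thread: a shell function that lints saved `uci show` dumps. The names `check_wifi_networks` and `demo` and the sample dump lines are constructed for illustration from values in the posts.

```shell
# Added example (not from the thread): lint saved `uci show` dumps for SSIDs
# bound to networks that are undefined or outside every firewall zone.
# Usage: check_wifi_networks NETWORK_DUMP FIREWALL_DUMP WIRELESS_DUMP
# Prints one finding per line; returns 1 if anything was found.
check_wifi_networks() {
    awk -v q="'" '
    FNR == 1 { file++ }                     # 1=network 2=firewall 3=wireless
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        is_type = (substr(val, 1, 1) != q)  # section-type lines are unquoted
        gsub(q, "", val)                    # a list value becomes: a b c
    }
    file == 1 && is_type && val == "interface" {
        sub(/^network\./, "", key); defined[key] = 1
    }
    file == 2 && is_type && val == "zone" { zone[key] = 1 }
    file == 2 && key ~ /\.network$/ {
        sec = key; sub(/\.network$/, "", sec); n = split(val, a, " ")
        if (sec in zone) for (i = 1; i <= n; i++) zoned[a[i]] = 1
    }
    file == 3 && key ~ /\.network$/ {
        split(key, p, "."); n = split(val, a, " ")
        for (i = 1; i <= n; i++)
            if (!(a[i] in defined)) {
                print p[2] ": " a[i] " is not an interface in /etc/config/network"; bad = 1
            } else if (!(a[i] in zoned)) {
                print p[2] ": " a[i] " is not covered by any firewall zone"; bad = 1
            }
    }
    END { exit bad + 0 }' "$1" "$2" "$3"
}

# Constructed sample built from the thread's values: the final network and
# firewall state with the pre-fix wireless binding (override it with $1).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' "network.loopback=interface" "network.lan=interface" \
        "network.guest=interface" "network.guest.ipaddr='192.168.3.1'" > "$d/net"
    printf '%s\n' "firewall.@zone[0]=zone" "firewall.@zone[0].network='lan'" \
        "firewall.@zone[2]=zone" "firewall.@zone[2].network='guest'" > "$d/fw"
    printf '%s\n' "wireless.wifinet0=wifi-iface" "wireless.wifinet0.network='lan'" \
        "wireless.wifinet1=wifi-iface" \
        "wireless.wifinet1.network='${1:-GUEST guest}'" > "$d/wl"
    rc=0; check_wifi_networks "$d/net" "$d/fw" "$d/wl" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "wireless binding needs fixing"
```

To lint a live device, save the output of `uci show network`, `uci show firewall` and `uci show wireless` to three files and pass them to `check_wifi_networks` in that order.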

Done. It works!

Awesome!!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like

Sorry Peter... I solved the problem of the network's name... I'm still not able to have internet access on the guest network even though I succeeded in obtaining the correct IP on the dedicated subnet after having followed pavelgl's suggestion.

Maybe here is the issue?

Let's look at an updated set of config files.

1 Like

me@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '----:----:-deb::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option firmware '/lib/firmware/adsl.bin'
        option annex 'b'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option ipaddr '192.168.1.142'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'
        option auto '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

me@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option txpower '4'
        option channel '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ft_over_ds '0'
        option ssid 'MAIN-WIFI'
        option ft_psk_generate_local '1'
        option mobility_domain '4f57'
        option key 'MAIN-WIFI-PWD'
        option ieee80211r '1'
        option network 'lan'
        option encryption 'psk2'

config wifi-iface 'wifinet1'
        option ssid 'OpenWrt_GUEST_Test'
        option device 'radio0'
        option mode 'ap'
        option isolate '1'
        option key 'GUEST-WIFI-PWD'
        option encryption 'psk2+ccmp'
        option network 'guest'

me@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option start '100'
        option leasetime '12h'
        option interface 'guest'
        option limit '110'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'MyMobile'
        option dns '1'
        option ip '192.168.3.100'

me@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option network 'guest'

config forwarding
        option dest 'lan'
        option src 'guest'

config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'guest DHCP'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option dest_port '53'
        option src 'guest'
        option name 'guest DNS'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Block guest access to Private Zone'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'DROP'
        list proto 'all'

Everything looks fine from those config files.

What happens when you try to connect a device to the guest wifi network -- does it obtain an IP via DHCP? What does it have for the IP, subnet mask, DNS, and gateway?

1 Like

Now it seems to be working. The IP obtained is on the correct subnet and internet access is running.
Now, which post do I have to mark to highlight the solution?

Thanks to all of you. psherman, pavelgl, trendy!

2 Likes

These were the two most important posts.

1 Like