SOLVED Guest wlan not working

hi guys,

I wanted to configure a guest WLAN (with its own guest SSID) so that people can use my WLAN at home without getting access to my private network.

this is my config:

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0'
        option country 'AT'
        option txpower '20'
        option channel '36'
        option htmode 'VHT20'

config wifi-iface
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '5ghz31'
        option key 'secretprivate'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option htmode 'HT20'
        option country 'AT'
        option txpower '20'

config wifi-iface
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '2ghz31'
        option key 'secretprivate'
        option encryption 'psk2'

_config wifi-iface_
_        option device 'radio0'_
_        option mode 'ap'_
_        option network 'guest'_
_        option isolate '1'_
_        option ssid 'gast5ghz'_
_        option key 'secretguest'_
_        option encryption 'psk2'_

_config wifi-iface_
_        option device 'radio1'_
_        option mode 'ap'_
_        option network 'guest'_
_        option isolate '1'_
_        option ssid 'gast2ghz'_
_        option key 'secretguest'_
_        option encryption 'psk2'_

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb5:bb28:a52e::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.52.0.31'
        option gateway '10.52.0.254'
        option broadcast '10.52.0.255'
        option dns '8.8.8.8'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'

_config interface 'guest'_
_        option ifname 'wlan'_
_        option bridge 'false'_
_        option proto 'static'_
_        option ipaddr '172.23.10.1'_
_        option netmask '255.255.255.0'_
_        option dns '208.67.220.220 208.67.222.222'_

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ignore '1'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

_config dhcp 'guest'_
_        option start '100'_
_        option interface 'guest'_
_        option limit '10'_
_        option leasetime '1h'_

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

_config zone_
_        option forward 'REJECT'_
_        option output 'ACCEPT'_
_        option input 'ACCEPT'_
_        option network 'guest'_
_        option name 'guest'_
_        option masq '1'_

_config forwarding_
_        option dest 'lan'_
_        option src 'guest'_

_config redirect_
_        option target 'SNAT'_
_        option src 'guest'_
_        option dest 'lan'_
_        option proto 'all'_
_        option src_dip '10.52.0.31'_
_        option name 'Allow Guest Internet'_

_config rule_
_        option src 'guest'_
_        option dest 'lan'_
_        option name 'Disable Guest LAN Access'_
_        option proto 'all'_
_        option dest_ip '10.52.0.0/24'_
_        option target 'DROP'_

_config rule_
_        option src 'guest'_
_        option target 'DROP'_
_        option dest_port '80'_
_        option proto 'tcp udp'_
_        option name 'Disable Guest AP HTTP Access'_

_config rule_
_        option proto 'tcp udp'_
_        option name 'Disable Guest AP SSH Access'_
_        option src 'guest'_
_        option dest_port '22'_
_        option target 'DROP'_

The problem is: when I connect to SSID "2ghz31" or "5ghz31" I immediately receive a DHCP IP address from my Windows server... when I connect to "gast2ghz" or "gast5ghz" I do not receive a 172.23.10.x IP address; I just get an APIPA address.

Does somebody know a solution for this? The hardware is a TP-Link Archer C7 with LEDE Reboot 17.01.2 r3435-65eec8bd5f, which is part of the LAN (10.52.0.31/24). The device is not connected via its WAN port!

also in the webif I see:

 wlan0-1	gast	E4:A4:71:42:D7:18	?	 -30 / 0 dBm	173.3 Mbit/s, 20MHz, VHT-MCS 8, VHT-NSS 2, Short GI
6.0 Mbit/s, 20MHz

which is my laptop (Windows 10 Pro client) with the APIPA address...

thank you very much in advance! regards, Hubert

Why do you want to forward the guests to your LAN? That makes it way more complicated than necessary. I've done something similar, but my guest network only has forwarding to WAN; it never touches my private LAN.

hi mroek,

well, I think this is the problem - I don't have the WAN connected. My TP-Link is just a device in my LAN (10.52.0.0/24) which provides two WLANs (2.4 and 5 GHz). These WLAN clients receive their network config directly from the Windows server on that network.

but basically, if there is a way to configure the WAN so that the guest network works, that would be great too... I just don't want to set up different subnets or networks for my private (W)LAN...

does this make my config a bit clearer? :slight_smile:
thanks in advance, Hubert

This will create a standalone guest WLAN on the router. The router will get its IP from your Windows server for the main LAN and WLAN.

The guest WLAN (no LAN access) will have its own DHCP server.

https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/

If you have not seen it, there is the basic OpenWrt wiki.
https://wiki.openwrt.org/doc/recipes/dumbap

hi RangerZ,

thanks for your help. The funny thing about the whole story is that I had worked through this German manual before but never got it working. I just got lucky within the last 15 minutes and got it running... the problem was the firewall rules for DNS and DHCP... that was the reason I was getting APIPA addresses... unfortunately these two things are not mentioned in the manual.. :slight_smile:

anyway, it's working pretty well now... thanks everybody for helping!
regards

I had to run this twice, but if you think there are some fine points about the rules that you needed to change, please document them here.

hi RangerZ,

well, basically I needed two firewall rules to get DHCP / DNS running (the `src` value has to match the `name` of the guest zone - note the rules below use 'gastwlan', whereas the zone I posted above was named 'guest'):

config rule
option target 'ACCEPT'
option name 'Guest DNS'
option src 'gastwlan'
option dest_port '53'

config rule
option target 'ACCEPT'
option name 'Guest DHCP'
option src 'gastwlan'
option dest_port '67-68'

thanks, Hubert