Hi,
I just switched from an R7800 (swconfig) to a WAX206 (swconfig). Everything is fine, but I'm unable to create a working guest WLAN. I configured it as always, but the connected clients are unable to get DHCP from my main router, and even if I set their address manually, they are unable to go online.
Here are my configs:
Interfaces:
root@WAX206:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
	option ipaddr '192.168.1.3'
	list dns '192.168.1.4'

config interface 'guest'
	option proto 'static'
	option device 'wl1-ap2'
	list ipaddr '192.168.3.1/24'
	list dns '192.168.1.4'
	option gateway '192.168.1.2'
You cannot have a gateway outside of the subnet's address space. In addition, I assume you won't want to have one; you have set a default route on your lan interface already. If I did not misread your post, that's the config of an AP and not the router?
config interface 'guest'
	option proto 'static'
	list ipaddr '192.168.3.1/24'
	list dns '192.168.1.4'
	option device 'wl1-ap2'
Yes, correct, this is the AP config, but I don't understand it well. On the router I haven't changed anything from the old AP; the IP of the new AP is the same as the old one. On the router I have only the LAN config.
Router config:
config device
	option name 'br-LAN'
	option type 'bridge'
	list ports 'eth1'

config interface 'LAN'
	option device 'br-LAN'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.4'
Oops, I wrote swconfig but the WAX206 has DSA. Anyway, it's not officially supported, but you can make a build and it runs quite well; the merge process for the snapshot branch is ongoing. Here is the official thread.
Maybe this could also be my issue, because to me my configuration looks correct; I can't understand why the guest WLAN clients are unable to receive DHCP or to go online with a static address, especially since it's the same configuration as my old AP.
I tried lots of times; maybe it is something related to the LAN switch/bridging.
You're building a locally routed guest network, and that is not how those work. In a locally routed scenario, the guests will obtain DHCP addresses locally from the AP. The AP will NAT their subnet into the upstream LAN so they have Internet access. The firewall will prevent them from reaching private IPs on that LAN, so they can only use the Internet.
For guest DHCP and DNS to work, dnsmasq must be running. Some instructions for building a dumb AP tell you to disable it.
For NAT to work, set masquerade on the destination zone, which is lan. Do not set it on the guest zone.
Also for NAT to work, the firewall must be enabled. Some instructions for building a dumb AP tell you to disable it.
Build a br-guest bridge and make that the device of the guest network. In /etc/config/network, this bridge starts out empty. Wifi AP(s) will be added to it from the wireless config. Do not refer to wireless devices in /etc/config/network. If you don't have a guest bridge, only one device can be in the guest network, such as a wifi AP on one band only.
The guest network interface only needs device 'br-guest' and ipaddr '192.168.3.1/24'. Do not add any dns or gateway options there.
DSA has nothing to do with this since you're not running VLANs on the Ethernet cable. The Ethernet link to the main router in the locally routed guest use case carries only the 192.168.1.0 network. Guests will have their .3.0 IPs NATed into 1.2 before leaving the AP.
Thanks for the reply. I started from scratch again and now some progress has been made: the clients are able to retrieve DHCP and DNS, but they can't browse the Internet.
I'm not understanding this:
Build a br-guest bridge and make that the device of the guest network. In /etc/config/network, this bridge starts out empty. Wifi AP(s) will be added to it from the wireless config. Do not refer to wireless devices in /etc/config/network. If you don't have a guest bridge, only one device can be in the guest network, such as a wifi AP on one band only.
The guest network interface only needs device 'br-guest' and ipaddr '192.168.3.1/24'. Do not add any dns or gateway options there.
If I manually add br-guest, the interface is not present; how do I have to assign the WLAN to this interface?
Now my configs are:
root@WAX206:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd96:6d81:03e4::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
	option ipaddr '192.168.1.3'
	list dns '192.168.1.4'

config interface 'guest'
	option proto 'static'
	list ipaddr '192.168.3.1/24'
	option device 'wl1-ap2'
root@WAX206:~# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option masq '1'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block guest LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	option target 'DROP'
Typically, the radio-based devices should not be defined in the network interface definition... instead, the SSID is tied to the network in the wireless config file. I'd recommend removing the device line below.
Masquerading needs to be enabled on the lan zone and disabled on the guest zone.
This rule will not do what you want -- it currently will stop all access. Instead, you want to add the specific subnet that should be blocked in the destination address field (192.168.1.0/24).
But if the uplink is on the lan doesn't the user need a forward rule to lan?
If this setup is about routing from the guest ap to/via the main router... Then why not use the defaults as lan and wan and just assign an other subnet to the guest ap lan then the main router has?
If the user intends for this to be a dumb AP (for their main lan), the standard routed method would not achieve that goal. The setup as described in the guest wifi on a dumb AP is what we're aiming for here. (although, it is true that the OP hasn't explicitly stated that they want to use this as a dumb AP for their main LAN).
Oh, thank you! Now it works, but I only deleted the option device 'wl1-ap2'. I'd always thought it was not possible to create an interface without a zone of assignment (I don't know how to say it better); now I've understood a new thing!
But is this related to the DSA config? Because I'm 100% sure that on the swconfig switch of the R7800 my config is/was:
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'wlan0-1'
	list dns '192.168.1.4'
And this was working perfectly; now instead my /etc/config/network can/must be without lots of lines or "specifications":
config interface 'guest'
	option proto 'static'
	list ipaddr '192.168.3.1/24'
Yes, sorry, my forgetfulness: I spent so long trying to configure the guest network that I forgot to add the address. I didn't even realize it; corrected, and all is working as expected.
No, it's not a DSA thing. IIRC, it is possible via LuCI to add wireless as a device to the network, but it is actually not recommended. I'm not sure why it is possible in the first place. For both swconfig and DSA based devices (i.e. all devices), it is best to leave the radio <-> network connections in the wireless config file and never include it in the network config file.
Using option type bridge inside a config interface is deprecated. The new syntax is to declare bridges separately.
A bridge with only one port (e.g. a single wifi AP) is not necessary, but if you start out with a bridge you can easily add an AP on the other band, or an Ethernet port.
That is just plain wrong. Use option network in the wireless config to attach an AP to an interface (or bridge, if the interface has a bridge it will be automatically added to that bridge instead).
That does nothing in an interface that is not WAN.
Oh, thanks, and yes, I had configured the R7800 via LuCI; weird that it was working fine! Anyway, it is more "natural" to avoid adding a wireless network to the network config, but I've always seen in LuCI a network interface assigned to a wireless network, and to be honest, also now in my LuCI it is assigned to the guest WLAN.
BUT now, if I open the details, it is "not assigned" to it. Maybe it should be corrected, I don't know; it's weird, but I lost one day to this behavior.
Yes, now I know it, see my post above; but anyway it was working on the R7800, which is why I thought it was different between DSA and the swconfig switch. My error!
True, I don't know why it was there; maybe it is some test with the Pi-hole (my Unbound DNS). I leave it there because "if it works, don't fix it".
If the interface is not a bridge, at the end of startup the kernel will place the IP address directly onto the AP. That does show up in the LuCI summary. But when you go to configure the interface, it doesn't have a device at that point.