[SOLVED] Switched the AP from swconfig to DSA: unable to create a working Guest WLAN

Hi,
I just switched from an R7800 (swconfig) to a WAX206 (swconfig); everything is fine, but I'm unable to create a working guest WLAN. I configured it as always, but the connected clients are unable to get DHCP from my main router, and even if I set their address manually, they are unable to go online.

Here are my configs:

Interfaces:

root@WAX206:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
	option ipaddr '192.168.1.3'
	list dns '192.168.1.4'

config interface 'guest'
	option proto 'static'
	option device 'wl1-ap2'
	list ipaddr '192.168.3.1/24'
	list dns '192.168.1.4'
	option gateway '192.168.1.2'

wireless

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Magnifico Guest'
	option key 'xxx'
	option encryption 'sae-mixed'
	option network 'guest'

Then I created a firewall zone and forwarded DNS and DHCP from the router:

root@WAX206:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'guest'

config rule
	option name 'guest-DNS'
	option src 'guest'
	option src_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Block-guest-LAN'
	option src 'guest'
	option dest 'lan'
	option target 'REJECT'
	list dest_ip '192.168.1.1/24'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option name 'Guest-DHCP'
	option src 'lan'
	option dest 'guest'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'udp'
	option src_port '67-68'

What am I doing wrong?

Thanks

Edit: corrected the firewall-DHCP rule.

You cannot have a gateway outside of the subnet's address space. In addition, I assume you won't want to have it: you have set a default route on your lan interface already. If I did not misread your post, that's the config of an AP and not the router?


Thanks, I deleted it

config interface 'guest'
	option proto 'static'
	list ipaddr '192.168.3.1/24'
	list dns '192.168.1.4'
	option device 'wl1-ap2'

Yes, correct, this is the AP config, but I don't understand well: on the router I haven't changed anything from the old AP, and the IP of the new AP is the same as the old one. On the router I have only the LAN config.

router config

config device
	option name 'br-LAN'
	option type 'bridge'
	list ports 'eth1'

config interface 'LAN'
	option device 'br-LAN'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.4'

Is the WAX206 supported yet?

(OpenWrt support for WAX206 - I see you've made a few posts there.)

Oops, I wrote swconfig, but the WAX206 has DSA. Anyway, it's not officially supported, but you can make a build and it runs quite well; the merge process for the snapshot branch is ongoing. There is the official thread.

Maybe this could also be my issue, because to me my configuration looks correct; I can't understand why the guest WLAN clients are unable to receive DHCP or to go online with a static address. Also because it's the same configuration as my old AP.

I tried lots of times; maybe it is something related to the LAN switch/bridging.


You're building a locally routed guest network, and that is not how those work. In a locally routed scenario, the guests will obtain DHCP addresses locally from the AP. The AP will NAT their subnet into the upstream LAN so they have Internet access. The firewall will prevent them from reaching private IPs on that LAN, so they can only use the Internet.

  • For guest DHCP and DNS to work, dnsmasq must be running. Some instructions for building a dumb AP tell you to disable it.
  • For NAT to work, set masquerade on the destination zone, which is lan. Do not set it on the guest zone.
  • Also for NAT to work, the firewall must be enabled. Some instructions for building a dumb AP tell you to disable it.
  • Build a br-guest bridge and make that the device of the guest network. In /etc/config/network, this bridge starts out empty. Wifi AP(s) will be added to it from the wireless config. Do not refer to wireless devices in /etc/config/network. If you don't have a guest bridge, only one device can be in the guest network, such as a wifi AP on one band only.
  • The guest network interface only needs device 'br-guest' and ipaddr '192.168.3.1/24'. Do not add any dns or gateway options there.

DSA has nothing to do with this, since you're not running VLANs on the Ethernet cable. The Ethernet link to the main router in the locally routed guest use case carries only the 192.168.1.0 network. Guests will have their .3.0 IPs NATed into 1.2 before leaving the AP.


Thanks for the reply. I started from scratch again, and now some progress has been made: the clients are able to retrieve DHCP and DNS, but they can't browse the internet.

I'm not understanding this:

  • Build a br-guest bridge and make that the device of the guest network. In /etc/config/network, this bridge starts out empty. Wifi AP(s) will be added to it from the wireless config. Do not refer to wireless devices in /etc/config/network. If you don't have a guest bridge, only one device can be in the guest network, such as a wifi AP on one band only.
  • The guest network interface only needs device 'br-guest' and ipaddr '192.168.3.1/24'. Do not add any dns or gateway options there.

If I manually add br-guest, the interface is not present; how do I have to assign the WLAN to this interface?

Now my configs are:

root@WAX206:~# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd96:6d81:03e4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'
        option ipaddr '192.168.1.3'
        list dns '192.168.1.4'

config interface 'guest'
        option proto 'static'
        list ipaddr '192.168.3.1/24'
        option device 'wl1-ap2'

root@WAX206:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option masq '1'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block guest LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	option target 'DROP'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Magnifico Guest'
	option network 'guest'
	option encryption 'sae-mixed'
	option key ''

dnsmasq is active and running; the firewall is running too, but with "no instances", and I don't know what that actually means:

root@WAX206:~# service firewall status
active with no instances

I'm following these steps: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start

About this:

  • For NAT to work, set masquerade on the destination zone, which is lan. Do not set it on the guest zone.

You mean to set this?

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

Instead of

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option masq '1'

(I tried both, but it's not working anyway.)

Typically, the radio-based devices should not be defined in the network interface definition... instead, the SSID is tied to the network in the wireless config file. I'd recommend removing the device line below.

Masquerading needs to be enabled on the lan zone and disabled on the guest zone.

This rule will not do what you want -- it currently will stop all access. Instead, you want to add the specific subnet that should be blocked in the destination address field (192.168.1.0/24).


But if the uplink is on the lan doesn't the user need a forward rule to lan?

If this setup is about routing from the guest AP to/via the main router... then why not use the defaults as lan and wan, and just assign a different subnet to the guest AP's lan than the one the main router has?

Yes, and they have one already:

If the user intends for this to be a dumb AP (for their main lan), the standard routed method would not achieve that goal. The setup as described in the guest wifi on a dumb AP guide is what we're aiming for here (although it is true that the OP hasn't explicitly stated that they want to use this as a dumb AP for their main LAN).


Oh, thank you! Now it works, but I only deleted the option device 'wl1-ap2'. I've always thought it was not possible to create an interface without a zone of assignment (I don't know how to say it better); now I've understood a new thing!

But is this related to the DSA config? Because I'm 100% sure that on the swconfig switch of the R7800 my config is/was

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'wlan0-1'
	list dns '192.168.1.4'

And this was working perfectly; now instead my /etc/config/network can/must be without lots of lines or "specifications":

config interface 'guest'
	option proto 'static'
	list ipaddr '192.168.3.1/24'

Yes, sorry, my forgetfulness: I was trying for so long to configure the guest network that I forgot to add the address, and I didn't even realize it. Corrected, and all is working as expected.

No, it's not a DSA thing. IIRC, it is possible via LuCI to add wireless as a device to the network, but it is actually not recommended. I'm not sure why it is possible in the first place. For both swconfig and DSA based devices (i.e. all devices), it is best to leave the radio <-> network connections in the wireless config file and never include them in the network config file.

Glad your config is working now!


Using option type bridge inside a config interface is deprecated. The new syntax is to declare bridges separately.
A bridge with only one port (e.g. a single wifi AP) is not necessary, but if you start out with a bridge you can easily add an AP on the other band, or an Ethernet port.

That is just plain wrong. Use option network in the wireless config to attach an AP to an interface (or bridge, if the interface has a bridge it will be automatically added to that bridge instead).

That does nothing in an interface that is not WAN.

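The rules spread across the replies above (no wireless device names in /etc/config/network, bind the SSID with option network in the wireless config, no dns or gateway on the guest interface, masquerade on the uplink lan zone only, a guest-to-lan forwarding, and no deprecated option type bridge inside an interface) can be checked mechanically before reloading the firewall. The following is an added example written for this page, not code from the thread or from OpenWrt: a minimal parser for the single-quoted UCI syntax shown in the posts, and a linter that applies those rules to constructed configs trimmed from the ones posted above, the first broken attempt and a corrected set. The interface and zone names (lan, guest), the wireless-device prefixes wl and phy, and the trimmed sample contents are assumptions taken from the thread.

```python
# Added example (not the thread's or OpenWrt's code): parse UCI text and check
# the locally routed guest-WLAN rules that the replies above lay out.
import re

UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' keys collect into lists."""
    sections = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed UCI line: {line!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": {}})
        elif kind == "option":
            sections[-1]["opts"][key] = value
        else:
            sections[-1]["opts"].setdefault(key, []).append(value)
    return sections

def lint_guest_wlan(network_txt, wireless_txt, firewall_txt, uplink="lan"):
    """Return findings as strings; an empty list means the config follows the rules."""
    out = []
    ifaces = {s["name"]: s["opts"] for s in parse_uci(network_txt) if s["type"] == "interface"}
    for name, o in ifaces.items():
        dev = o.get("device", "")
        if dev.startswith(("wl", "phy")):  # hostapd-created names such as wl1-ap2, wlan0-1, phy0-ap0 (assumed prefixes)
            out.append(f"interface '{name}' names wireless device '{dev}'; bind the SSID with 'option network' in wireless instead")
        if o.get("type") == "bridge":
            out.append(f"interface '{name}' uses deprecated 'option type bridge'; declare a 'config device' bridge instead")
    # Which interfaces carry an AP SSID is decided in /etc/config/wireless, not in network.
    guests = {s["opts"].get("network") for s in parse_uci(wireless_txt)
              if s["type"] == "wifi-iface" and s["opts"].get("mode") == "ap"} - {uplink}
    for name in guests:
        if name not in ifaces:
            out.append(f"an AP wifi-iface has no 'option network' naming a defined interface (got {name!r})")
            continue
        out += [f"guest interface '{name}' must not set '{k}'" for k in ("gateway", "dns") if k in ifaces[name]]
    fw = [(s["type"], s["opts"]) for s in parse_uci(firewall_txt)]
    zone_of = {n: o.get("name") for t, o in fw if t == "zone" for n in o.get("network", [])}
    masq = {o.get("name"): o.get("masq") for t, o in fw if t == "zone"}
    fwd = {(o.get("src"), o.get("dest")) for t, o in fw if t == "forwarding"}
    up = zone_of.get(uplink)
    if masq.get(up) != "1":
        out.append(f"masquerade must be enabled on the uplink zone '{up}'")
    for gz in {zone_of.get(n) for n in guests} - {None}:
        if masq.get(gz) == "1":
            out.append(f"masquerade must be disabled on guest zone '{gz}'; NAT belongs on the uplink zone")
        if (gz, up) not in fwd:
            out.append(f"missing forwarding from zone '{gz}' to '{up}'")
    return out

# Constructed samples trimmed from the thread's posts (the unchanged 'lan' interface is omitted).
BROKEN_NETWORK = """
config interface 'guest'
	option device 'wl1-ap2'
	list ipaddr '192.168.3.1/24'
	list dns '192.168.1.4'
	option gateway '192.168.1.2'
"""
FIXED_NETWORK = """
config device
	option name 'br-guest'
	option type 'bridge'
config interface 'guest'
	option device 'br-guest'
	list ipaddr '192.168.3.1/24'
"""
WIRELESS = """
config wifi-iface 'wifinet3'
	option mode 'ap'
	option network 'guest'
"""
BROKEN_FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'guest'
	list network 'guest'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'guest'
"""
FIXED_FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'
	option masq '1'
config zone
	option name 'guest'
	list network 'guest'
config forwarding
	option src 'guest'
	option dest 'lan'
"""
```

Calling lint_guest_wlan(BROKEN_NETWORK, WIRELESS, BROKEN_FIREWALL) yields six findings (wireless device in network, gateway and dns on the guest interface, masquerade on the wrong zone, and the missing guest-to-lan forwarding); the corrected set yields none, and the old R7800 interface with option type 'bridge' and option device 'wlan0-1' trips both interface checks. The parser handles only the single-quoted form shown in this thread; uci export also emits unquoted and double-quoted values, so extend UCI_LINE before pointing it at a real /etc/config tree.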

Oh, thanks, and yes, I had configured the R7800 via LuCI; weird that it was working fine! Anyway, it is more "natural" to avoid adding a wireless network to the network config, but I've always seen in LuCI that a network interface is assigned to a wireless network, and to be honest, also now in my LuCI it is assigned to the Guest WLAN.

BUT now, if I open the details, it is "not assigned" to it. Maybe it should be corrected, I don't know; it's weird, but I lost one day over this behavior :sweat_smile:

Hope at least this will help someone else!

Yes, now I know it, see my post above; but anyway it was working on the R7800, which is why I thought that it is/was different between DSA and the swconfig switch, my error!

True, I don't know why it was there; maybe it was some test with the Pi-hole (my Unbound DNS). I leave it there because "if it works, don't fix it" :smiley:

If the interface is not a bridge, at the end of startup the kernel will place the IP address directly onto the AP. That does show up in the LuCI summary. But when you go to configure the interface, it doesn't have a device at that point.
