[Solved]Wifi without internet access

Hi!

I've been messing with this issue for some days now trying to find out how I should configure it, if at all possible in the first place.

I've included a rough schematic of how my home network is connected at the moment.
What I basically want to achieve is to have a second wifi network with only access to the LAN, preferably in the same subnet. So no internet access at all. I was thinking to have a separate interface for the "no-internet" wifi and use firewall rules to reject traffic outside of the 192.168.0.x range. I'm however not so sure if this is at all possible. The WAN port is not used, hence the interface has been removed from OpenWRT.

Any help is much appreciated!
Thanks!

Network_schematic1011×579 48.4 KB

What you want to achieve is possible. Based on your schematic with unmanaged switches, the new network must be created on the Flint 2 where there will be appropriate firewall rules to realize the restrictions. If you can either directly connect the Flint 2 to the NanoPi R4S, or replace your unmanaged switch with a managed one, you could do this on your main router.

Since the Flint 2 is the only Wifi "access point" I wanted to achieve my goal using only the Flint if possible. I'm however not able to configure it properly it seems. Any hints on how this can be done is much appreciated. Should I assign a different subnet and hence a DHCP server on the "non-internet" wifi? Or is it possible to remain in the subnet of the rest of the network? The latter definitely has my preference since this already worked. Blocking the internet access though was so far unsuccessful.

yes.

No, that won't work.

Let's make sure that we have a clear description of the desired behavior of this second network:

• No access to the internet from this new subnet
• Do you want unrestricted access from the main network to the new network?
  • Or do you want it partially or totally restricted?
• Do you want unrestricted access from the new network to the main network?
  • Or do you want it partially or totally restricted?

Your assumptions are correct:

• No internet access from the new subnet
• Unrestricted access between the main and new network, all devices should be able to communicate with each other.

Ok... this means that you will need to also make a change on the main router.

What address does the AP hold on the network now?

Let's see your current config files for the AP and main router:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

This is the output from the NanoPi:

{
        "kernel": "5.15.162",
        "hostname": "OpenWrt_Main",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}






config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddd:ada5:31e7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option ipv6 '1'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'







config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '3,192.168.0.1'
        list dhcp_option '6,192.168.0.1'
        list dhcp_option '15,lan'
        option dhcpv6 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'







config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

This is the output from the Flint2:

{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}





config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:4ebd:c8ec::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option ipv6 '0'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan4'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option name 'lan5'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device
        option type 'bridge'
        option name 'br-lan-noinet'
        option ipv6 '0'
        option bridge_empty '1'

config interface 'lan_noinet'
        option proto 'static'
        option device 'br-lan-noinet'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'








config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option dns_service '0'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan_noinet'
        option interface 'lan_noinet'
        option start '100'
        option limit '150'
        option leasetime '12h'






config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'lan_noinet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan_noinet'

I just noticed that the Flint2 doesn't have any connection to the internet. When I try "opkg update" I get "opkg_download: Check your network settings and connectivity."
Also ping requests from Luci seem to fail. All devices connected(wired and wireless) seem to have internet connection just fine. I did notice in Luci status that the default gateway is missing, it is however setup in the "br-lan" interface. Maybe this is part of the problem why I can't get this to work?

I don't see any reason for this issue based on the config... how is your flint2 connected? Is it using one of the lan ports? Maybe you disabled dnsmasq and the firewall (they need to be enabled)?

meanwhile, we can get started on the changes for the non-internet lan...

Your network and dhcp files look good on the Flint2. Let's make a few additions to the firewall:

First, we'll add a forward that allows the lan to reach the lan_noinet:

config forwarding
	option src 'lan'
	option dest 'lan_noinet'

Next, we'll add these two rules to define what is accepted vs rejected for the noinet network to initiate:

config rule
	option name 'Allow-main-lan'
	option src 'lan_noinet'
	list src_ip '192.168.1.0/24'
	option dest 'lan'
	list dest_ip '192.168.0.0/24'
	option target 'ACCEPT'

config rule
	option name 'BlockInternet'
	list proto 'all'
	option src 'lan_noinet'
	list src_ip '192.168.1.0/24'
	option dest 'lan'
	option target 'REJECT'

The firewall and dnsmasq must be active for this to work (sometimes people disable them on bridged APs). Issue these commands to enable them:

/etc/init.d/firewall enable
/etc/init.d/firewall start
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq start

And, on the main router (NanoPi) add the following to the network file:

config route
	option target '192.168.1.0/24'
	option gateway '192.168.0.2'

Restart both devices and test the following:

• general connectivity from the Flint 2 to the internet
• connect to the SSID for the noinet network and make sure it gets an IP
• connectivity from the noinet network to a host in the main lan
• connectivity from the noinet network to the internet (should fail)
• connectivity from the main lan to the noinet network

Report back, and if things aren't working, post the updated files for review.

The problem with the router not being able to connect vanished after a reboot, so that's solved.

I've inserted everything you provided and got it to work partially.

This is the updated network file of the NanoPi:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddd:ada5:31e7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option ipv6 '1'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config route
        option target '192.168.1.0/24'
        option gateway '192.168.0.2'
        option interface 'lan'

This is the updated firewall file of the Flint2:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'lan_noinet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan_noinet'

config rule
        option name 'Allow-main-lan'
        option src 'lan_noinet'
        list src_ip '192.168.1.0/24'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.0.0/24'

config rule
        option name 'BlockInternet'
        list proto 'all'
        option src 'lan_noinet'
        list src_ip '192.168.1.0/24'
        option dest 'lan'
        option target 'REJECT'
        option enabled '0'

config forwarding
        option src 'lan'
        option dest 'lan_noinet'

I've disabled the "BlockInternet" rule for now as the passthrough seems to be only going in 1 direction. I'm able to ping a computer in the "lan_noinet" from the "lan" but not the other way around. Also trying to access the internet doesn't work from inside the "lan_noinet".
When I add the following everything works:

config forwarding
        option src 'lan_noinet'
        option dest 'lan'

Of course this just means that the first firewall rule is not doing it's job properly as this should have the same result in the end. I tried changing the "option dest" to "*" but that didn't work either. I also tried removing the destination network address but that didn't do anything.
If you have any more ideas I'm all ears

Try removing the src_ip from these:

Then reboot and test again. (Note that the second rule is currently disabled)

In fact, the second rule should not be necessary.

I deleted the second rule. This is now my firewall file on the Flint2:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'lan_noinet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan_noinet'

config rule
        option name 'Allow-main-lan'
        option src 'lan_noinet'
        option dest 'lan'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'lan_noinet'

I tried first removing only the src address but that didn't work so I removed both. Still not working... When I modify the "config defaults" "option forward" to "accept" then I have access both ways but of course not restricted to LAN only. I have absolutely no idea why it behaves like this...

Let's start over...

delete these:

Add this:

config rule
	option name 'inter-network-allow'
	list proto 'all'
	option src 'lan_noinet'
	option dest 'lan'
	list dest_ip '192.168.0.0/24'
	option target 'ACCEPT'

Reboot.

In theory, this should allow traffic to traverse between the two networks, but nowhere else.

IT WORKS!

I had to insert the "config forwarding" again for it to work though, this is what I added in the firewall file:

config rule
        option name 'inter-network-allow'
        option src 'lan_noinet'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'ACCEPT'
        list proto 'all'
        list src_ip '192.168.1.0/24'

config forwarding
        option src 'lan'
        option dest 'lan_noinet'

Comparing the "original" version with this one I see that "list proto 'all' " is the only difference. When I look in the Luci UI and compare the two versions I see that with "all" it shows "any" in the protocols list while it only shows "TCP" and "UDP" when it's not mentioned in the config file. The ICMP protocol is then unchecked.

Thank you very much for helping me out with this issue! You saved me a ton of frustration and I learned a lot again

You're welcome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.