SSH between subnets

I'm having issues trying to SSH (or even ping) devices on a guest network from my main network.

I've set up a guest network with the subnet 192.168.2 using the guide here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface. 192.168.1 is on "lan" and 192.168.2 is on "guest".

All seems to be working OK and I can access the internet, etc.

However, I'd like to SSH into a device on 192.168.2 from my main PC on 192.168.1.
From my understanding, I need to allow forwarding from the destination zone "lan" to "guest" in Network -> Firewall -> Zones. I've tried enabling that but still cannot SSH or ping to any device on 192.168.2 from 192.168.1. There is no issue pinging or SSHing into devices on the same subnet.

Is there anything else I'm missing in OpenWrt, specifically the LuCI interface?

Thanks.

Do the devices on the 192.168.2.0/24 network accept requests originating outside their own IP subnet? Temporarily enable masquerading on the guest zone to check if this is the case.


I tried enabling masquerading and no device accepted requests originating outside their subnet. I also tried setting every "reject" to "accept" and this didn't make a difference (although I wouldn't have expected this to). From what I can see, the firewall on the devices shouldn't be stopping this either.

Let's take a look at the config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Here's the output of the commands, and hopefully sufficiently redacted as to not dox myself!

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddf:3f94:b87::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username ********************
        option password ********************
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# ^C

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config rule
        option src 'guest'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

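The firewall dump above is exactly what the thread is asking about: does it actually permit forwarding from zone lan to zone guest, and what does guest get back? As an added example (not the thread's own code and not OpenWrt's), here is a small Python checker that parses UCI `config`/`option`/`list` syntax and answers that offline; the embedded sample is constructed to mirror the shape of the posted firewall file, not copied from it.

```python
"""Offline check of an OpenWrt UCI firewall file for inter-zone forwarding."""
import shlex
from collections import defaultdict

# Constructed sample, shaped like a lan/guest firewall file (not the thread's file).
SAMPLE_FIREWALL = """
config defaults
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'lan'
        option dest 'guest'
"""

def parse_uci(text):
    """Return a list of (section_type, options); 'list' keys accumulate values."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # handles 'quoted' and bare values
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], defaultdict(list)))
        elif parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1][1][parts[1]].append(parts[2])
    return sections

def zone_option(sections, zone, key, fallback="REJECT"):
    """Policy 'key' (input/output/forward/masq) of the named zone."""
    for typ, opts in sections:
        if typ == "zone" and opts.get("name") == zone:
            return opts.get(key, fallback)
    return fallback

def forwarding_allowed(sections, src, dst):
    """True if a 'forwarding' section permits src -> dst; otherwise the
    'defaults' forward policy decides (REJECT unless the file says ACCEPT)."""
    for typ, opts in sections:
        if typ == "forwarding" and opts.get("src") == src and opts.get("dest") == dst:
            return True
    default = next((o.get("forward", "REJECT") for t, o in sections if t == "defaults"), "REJECT")
    return default == "ACCEPT"
```

Note that lan→guest being allowed says nothing about the reverse: with no guest→lan forwarding and guest input set to REJECT, guest clients can neither reach lan hosts nor the router's own services beyond the explicit DNS/DHCP rules, which is the intended isolation.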
Everything looks fine here.

What operating system(s) are in use on the guest network (for a device to which you want to connect via ssh)?

Do you have a Linux box or a Mac that you can put on the guest network (even a Raspberry Pi would be fine)?

Funnily enough this is to SSH into a Raspberry Pi. I have checked that SSH is enabled on it, and can SSH from devices on the same subnet to the Pi, but not outside. I've tested putting a phone and tablet on there and cannot ping those. I should've said that this is all over Wi-Fi.

Since we haven't checked it, let's also see what's happening in the /etc/config/wireless file.

Also, please confirm that there are no VPNs or other special things running on the Pi -- we're looking for a pretty vanilla installation.

Please run these commands and check if it makes a difference.

uci set firewall.@zone[2].masq='1'
/etc/init.d/firewall restart

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option disabled '1'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '********_2.4G'
        option encryption 'psk2'
        option key '********'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '********main_5G'
        option encryption 'psk2'
        option key '*********************'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid '******guest'
        option encryption 'psk2'
        option network 'guest'
        option key '*************'

Yes, the Pi is near-stock. No VPN or any other network configuration beyond connecting to Wi-Fi and enabling SSH.

Unfortunately no visible impact after running this command. I also tried restarting my router fully to no avail.

Wifi looks fine, too.

What OS is the Pi running? Does it have a firewall enabled? (if so, please disable it).

Can you ssh to the Pi from the router itself?

I can ssh from the router to the Pi. It's running RetroPie, and the image is from ~2022 but I didn't think this would be an issue considering ssh from the router itself works fine. No firewall is enabled on the Pi.

Does the Pi have a default route / gateway configured? Is it set up static or DHCP?

OK this was a huge oversight. It turns out that it was the VPN on my main PC that was causing the issue. I had local network sharing turned on so I assumed that would extend to the other subnets, but clearly it didn't. Turning it off allows me to ssh from my main PC on 192.168.1 into the Pi on 192.168.2. I'll mark this as closed and get working on if it's possible for my VPN to allow access to other subnets. Thanks for the help anyway!

Thought I'd finish up by confirming it was my VPN client that was blocking connections to other subnets. The solution for the moment is to either disconnect from the VPN or define a static route, both of which are working. Thanks again for the help everyone.