TPLink OnHub 23.05.03 guest DHCP fails

I have a guest wifi network set up to use a different subnet block, but nothing connecting to that SSID is able to get an IP address. I can see the MAC address associating, but then it times out and disassociates without an IP address being issued. I've disabled the guest network on the two additional APs, so I know I'm connecting to the one that also functions as the router, with DHCP enabled, etc. My normal LAN and WiFi connections that are bridged to the LAN get addresses without any issues. I have firewall rules accepting DHCP and DNS on the guest zone. Any ideas on where I should look to figure out why it's not working?

Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses, and any public IP addresses the output may contain:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "BasementRouter",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "TP-Link OnHub",
        "board_name": "tplink,onhub",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq806x/chromium",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:6ca2:af56::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.70.1/24'
        option ipv6 '0'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth0.2'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2'
        option vid '2'
        option description 'WAN'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.71.1'
        option netmask '255.255.255.0'
        option device 'br-guest'
        list dns '192.168.71.1'
        option ipv6 '0'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option description 'GuestWiFi'
        option ports '6t 1t'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.3'
        option bridge_empty '1'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option channel '11'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'La Casa del Fuego'
        option encryption 'psk2'
        option key 'XXX'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel '40'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/1b900000.pci/pci0002:00/0002:00:00.0/0002:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Public La Casa del Fuego'
        option encryption 'psk2'
        option key 'XX'
        option network 'guest'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'La Casa del Fuego'
        option encryption 'psk2'
        option key 'XXX'
        option network 'lan'

config wifi-iface 'wifinet6'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Public La Casa del Fuego'
        option encryption 'psk2'
        option key 'XXX'
        option network 'guest'

config wifi-iface 'wifinet7'
        option device 'radio0'
        option mode 'ap'
        option ssid 'La Casa del Fuego Basement'
        option encryption 'psk2'
        option key 'XXX'
        option network 'lan'

config wifi-iface 'wifinet8'
        option device 'radio1'
        option mode 'ap'
        option ssid 'La Casa del Fuego Basement'
        option encryption 'psk2'
        option key 'XXX'
        option network 'lan'

config wifi-iface 'wifinet9'
        option device 'radio0'
        option mode 'ap'
        option ssid 'La Casa del Fuego IOT'
        option network 'lan'
        option wmm '0'
        option encryption 'psk2'
        option key 'XXX'

/etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list notinterface 'guest'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Tower'
        option dns '1'
        option mac 'X'
        option ip '192.168.70.2'

config host
        option name 'homeassistant'
        option mac 'X'
        option ip '192.168.70.3'

config host
        option name 'TickRedux'
        option dns '1'
        option mac 'X'
        option ip '192.168.70.6'

config dhcp 'guest'
        option interface 'guest'
        option start '64'
        option limit '150'
        option leasetime '1h'
        list dhcp_option '6,192.168.71.1'

config host
        option name 'rpidesktop'
        option mac 'X'
        option ip '192.168.70.7'

config host
        option name 'USL22-PW027ET7'
        option mac 'X'
        option ip '192.168.70.8'

config host
        option name 'AmericanMaid'
        option mac 'X'
        option ip '192.168.70.9'

config host
        option name 'ChairfaceChip2'
        option mac 'X'
        option ip '192.168.70.10'

config host
        option name 'diehardSlacker'
        option mac 'X'
        option ip '192.168.70.11'

config host
        option name 'Silas'
        option mac 'X'
        option ip '192.168.70.12'

config host
        option mac 'X'
        option ip '192.168.70.15'
        option name 'lower-bearded-dragon-tank'
        option dns '1'

config host
        option name 'HDHR-103D7678'
        option mac 'X'
        option ip '192.168.70.20'

config host
        option name 'HDHR-1045D213'
        option mac 'X'
        option ip '192.168.70.21'

config host
        option mac 'X'
        option ip '192.168.70.22'
        option name 'tr8520'
        option dns '1'

config host
        option name 'octopi'
        option mac 'X'
        option ip '192.168.70.24'

config host
        option name 'birdnetpi'
        option mac 'x'
        option ip '192.168.70.25'

config host
        option mac 'X'
        option name 'AmazonFirestick'
        option dns '1'
        option ip '192.168.70.30'

config tag 'adblock'
        list dhcp_option '6,192.168.70.4'

/etc/config/firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.70.2'
        option dest_port '51820'
        option name 'Wireguard'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        option input 'REJECT'
        option family 'ipv4'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '67-68'
        option family 'ipv4'

config rule
        option name 'Allow mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'guest'
        option src_dport '53'
        option dest_ip '192.168.71.1'
        option dest_port '53'
        option name 'Intercept Guest DNS'

config rule
        option name 'Drop Guest DNS over TLS'
        option src 'guest'
        option dest '*'
        option dest_port '853'
        option target 'REJECT'

The first thing to test is the firewall, to confirm or rule out a firewall issue.

Set the input policy on the guest zone to ACCEPT and then restart the device. If this fixes the problem, we'll review the firewall in more detail so that you can harden the router against the guest network again. If it doesn't fix it, we'll look elsewhere.

In this context, `list dns` on the guest interface is the list of DNS servers on that network that the router itself should use; it is not the list of DNS servers that clients on that network should use (that is what the `dhcp_option '6,…'` entry in the dhcp config does). Remove this option.

Changed the guest zone input policy to ACCEPT and restarted the firewall; no change in behavior.

Removed that `list dns` line and restarted the network. No change in the DHCP behavior.

You have explicitly disabled the DHCP server on that interface: the `list notinterface 'guest'` entry in the `config dnsmasq` section tells dnsmasq not to listen on the guest interface at all, so the `config dhcp 'guest'` section has no server to serve it, and I cannot see any other dnsmasq instance configured for it... why?


That line was not added intentionally. I removed it, and after a few rounds of restarting services I was able to get an IP address on the guest network. Thanks!

