Trouble setting up guest WLAN via web interface

Hey folks,

I'm new to OpenWrt and have the following trouble setting up a guest WLAN following the user guide here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

The system is a fresh install with defaults using OpenWrt 19.07.3 r11063-85e04e9f46. The "normal" networking is working fine, the problem I am having is only related to the guest network.

Symptoms:

  • Wireless network is joined OK
  • DHCP assigns the expected IP address and sets up DNS and default route
  • However the client is neither able to access the configured DNS nor the internet (tried from an iPhone and a MacBook)

What do the experts think? I suspect it might have something to do with how the defaults have changed since the user guide was written (the UI in the screenshots looks a bit different, but I was able to "map" everything to the current web interface). I also suspect it might have something to do with VLANs (used on the default "lan" interface), but I have not yet explored this topic deeply enough to understand what is going on.

Any help/opinions would be appreciated. Thanks!

uci export wireless

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'xxx'
	option encryption 'psk2'
	option ssid 'My Wifi'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'xxx'
	option ssid 'My Wifi'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option ssid 'My Wifi Guest'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option key 'xxx'
	option network 'guest'

uci export network

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:6fdf:3976::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth1_1_dev'
	option name 'eth1.1'
	option macaddr '8c:59:73:f9:d1:9e'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '8c:59:73:f9:d1:9f'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'guest'
	option proto 'static'
	list ipaddr '192.168.2.1'

uci export firewall

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'guest'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Guest DNS '
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'guest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

On the client (macOS):

ifconfig

[...]
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 4c:32:75:98:41:e7 
	inet6 fe80::1824:132b:71a4:6393%en0 prefixlen 64 secured scopeid 0x6 
	inet 192.168.2.179 netmask 0xffffff00 broadcast 192.168.2.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGScI           3        0     en0       
[...]

dig google.com @192.168.2.1

; <<>> DiG 9.10.6 <<>> google.com @192.168.2.1
;; global options: +cmd
;; connection timed out; no servers could be reached

ping 172.217.19.78

PING 172.217.19.78 (172.217.19.78): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

Hi,

Is there a dhcp assigned for interface “guest” in /etc/config/dhcp?

Yes and DHCP seems to be working fine!

uci export dhcp

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'
	option netmask '255.255.255.0'

This might also be useful:

ls -l /sys/class/net

lrwxrwxrwx    1 root     root             0 May 16 18:32 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth0 -> ../../devices/platform/soc/37200000.ethernet/net/eth0
lrwxrwxrwx    1 root     root             0 May 16 18:32 eth0.2 -> ../../devices/virtual/net/eth0.2
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth1 -> ../../devices/platform/soc/37400000.ethernet/net/eth1
lrwxrwxrwx    1 root     root             0 May 16 18:32 eth1.1 -> ../../devices/virtual/net/eth1.1
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Jun  6 11:23 wlan0 -> ../../devices/platform/soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
lrwxrwxrwx    1 root     root             0 Jun  6 11:23 wlan0-1 -> ../../devices/platform/soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0-1
lrwxrwxrwx    1 root     root             0 Jun  5 08:37 wlan1 -> ../../devices/platform/soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0/net/wlan1

In /etc/config/firewall, did you specify the option network for the ‘wan’ zone?

Although I did not set up this zone myself, I believe this was the default.

The guest interface doesn't have a netmask. I guess it defaults to /32, thus making it unusable.

And indeed, setting the netmask solved the problem. Thanks a lot for spotting the problem @trendy and for offering help everyone else!

I re-read the user guide to see how I could have skipped this, and it does actually remind you to set the netmask. The reason I skipped over it is that, unlike the screenshots in the guide, the new user interface does not have a separate input for the netmask and one has to use the 192.168.2.1/24 notation.

I edited the user guide to clarify setting the netmask and also added a troubleshooting section: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface#configure_the_new_interface

Then maybe at some point you clicked the button to switch to CIDR notation, because I have the latest LuCI too and it initially appears with the mask as a separate field.

That might indeed have happened, I probably did not even notice :slight_smile: This is a bit of confusing UX, by the way: on one hand the "..." on the button suggests you will get to choose from further options after clicking it, which is not true; on the other hand there seems to be no way to switch back. Anyway, I'm glad we solved the mystery.

I agree it can be confusing if you don't hover over the button and read what it does. And there should be a way to revert it to the previous state, although I prefer CIDR notation to typing masks.
