Unable to successfully set up WLAN guest network with OpenWrt in dumb AP and LAN switch mode

Continuing the discussion from [SOLVED] Unable to setup WLAN guest network with OpenWrt in dumb AP and LAN switch mode via LuCI due to broken routing:

In my case the config of the LAN network is:
Interface: LAN
IP: 192.168.1.0/24
IP Gateway 192.168.1.1

And the Guest Network
Interface: Guest
IP: 10.0.0.0/24
IP Gateway 10.0.0.1

According to user lleachii, I should set the routing right via the following config:

config route
	option interface 'xxx'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway 'xxx.xxx.xxx.xxx'

This seems to be an example. What is the exact configuration in my case?

In dumb AP mode there is no routing. It just forwards packets based on MAC addresses.

  • Local networks normally don't have gateways.

  • In dumb AP mode, you really only need one Interface to possess a gateway. That's usually LAN (so no firewall reconfiguration is needed).

If you only set up one gateway, an additional route rule becomes unnecessary.

I believe you are misquoting my post as the solution to your problem.

Thank you for your quick response.

I think I didn't describe the configuration well enough. The OPENWRT router acts as a dumb access point for the non-guest hosts, and acts as router (DHCP server, gateway) for guest hosts, routing packets from the guest network (with interface: guest) to the LAN and vice versa, using firewall rules to prevent connectivity from guest hosts to LAN hosts. When I did this in the past, using https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/ I experienced comparable routing problems as described in post https://forum.openwrt.org/t/solved-unable-to-setup-wlan-guest-network-with-openwrt-in-dumb-ap-and-lan-switch-mode-via-luci-due-to-broken-routing/26329/5. I think I have to adjust the routing, but I don't know exactly how.

It seems the usual method for this is to use VLANs rather than routing your guests through the LAN. Is the device wired to upstream or is it wireless on both ends?

Please describe:

  • The subnets that you are using for your "guest" and "LAN" networks
  • The gateways that already exist on your "upstream"
  • What connectivity you want (if any) between your guest and LAN networks
  • What connectivity you want to prohibit (if any) between your guest and LAN networks

There are two basic approaches to this:

  1. Bridge the guests back to the main router on an isolated network using VLANs, GRE tunnels, etc. The main router issues DHCP addresses to the guests and independently NATs them to its Internet connection.
  2. Have the AP "locally route" and NAT the guests into the LAN network. The main router (seeing the traffic coming from the LAN port of the AP) then NATs them again to the Internet. Firewall rules are necessary on the AP to prevent the guests from reaching any LAN machines.

Lately I have been favoring method 2, because then the backhaul LAN links can be simple AP-STA connections, and nothing at all special is required of the main router.

So, to implement method 2 on an OpenWrt router that has a LAN-based connection to a main router and the Internet, you will need to set up:

  • A br-guest network with a DHCP server. The br-guest addresses are different from the LAN.
  • A Wifi AP and / or wired connections to guest network.
  • NAT / forwarding from guest to lan. Enable masq and mtu_fix on the lan zone.
  • Firewall rules to block the guests from any LAN IP addresses, other than the DHCP and DNS server in the AP.
  • Optionally, sqm rules on the guest network to prevent guests from using all the Internet bandwidth.

The firewall rules I use are below:

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Guest-DHCP'
	option family 'ipv4'
	option proto 'udp'
# DHCP requests are input to port 67
	option dest_port '67'

config rule
	option src 'guest'
	option proto 'tcp udp'
	option name 'Guest-DNS'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'

# This denies the guests any local ports of the router, other than the 
#  DHCP and DNS which are explicitly allowed above.
config rule
	option enabled '1'
	option name 'Deny-Guest-Local'
	option src 'guest'
	option target 'REJECT'

# This will deny guests every other machine in the LAN, assuming it has IPs in the 192.168.x.x range
config rule
	option src 'guest'
	option proto 'all'
	option dest_ip '192.168.0.0/16'
	option target 'REJECT'
	option name 'Deny-Guest-Upstream'
	option dest '*'

config forwarding
	option src 'guest'
	option dest 'wan'
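As an added example that is not part of mk24's post: a small POSIX sh audit that reads a UCI firewall config and checks whether the guest isolation the rules above are meant to provide is actually present (guest zone input/forward REJECT, a catch-all REJECT from guest to the router, and a REJECT from guest to 192.168.0.0/16, with DHCP/DNS as the only accepted services). The sample config embedded at the bottom is constructed from the post's rules.

```shell
# Added audit helper (not from the thread): reads a UCI firewall config on stdin and
# checks the guest isolation mk24's rules provide. Returns 1 if any FAIL is printed.
check_guest_fw() {
  findings=$(awk -v q="'" '
    function flush(   k) {
      if (type == "zone" && o["name"] == "guest") {
        guest = 1
        if (o["input"] != "REJECT")   print "FAIL: guest zone input must be REJECT"
        if (o["forward"] != "REJECT") print "FAIL: guest zone forward must be REJECT"
      }
      if (type == "rule" && o["src"] == "guest") {
        if (o["target"] == "REJECT" && o["dest"] == "*" && o["dest_ip"] == "192.168.0.0/16") lanblk = 1
        if (o["target"] == "REJECT" && o["dest"] == "" && o["dest_ip"] == "") rtrblk = 1
        if (o["target"] == "ACCEPT" && (o["dest_port"] == "67" || o["dest_port"] == "53")) svc++
      }
      for (k in o) delete o[k]; type = ""
    }
    /^config / { flush(); type = $2 }                      # new section: evaluate the previous one
    /^[ \t]*option / { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
                        gsub("^" q "|" q "$", "", v); o[$2] = v }   # strip the quotes
    END { flush()
      if (!guest)  print "FAIL: no guest zone defined"
      if (!lanblk) print "FAIL: no rule rejecting guest -> 192.168.0.0/16; LAN hosts stay reachable"
      if (!rtrblk) print "FAIL: no catch-all rule rejecting guest input to the router itself"
      if (svc < 2) print "WARN: DHCP (udp/67) and DNS (53) from guest are not both accepted"
    }')
  [ -n "$findings" ] && printf '%s\n' "$findings"
  case "$findings" in *FAIL*) return 1 ;; *) return 0 ;; esac
}
# Constructed sample: mk24's rules condensed to the options the checker inspects.
SAMPLE_OK="config zone
  option name 'guest'
  option input 'REJECT'
  option forward 'REJECT'
config rule
  option src 'guest'
  option dest_port '67'
  option target 'ACCEPT'
config rule
  option src 'guest'
  option dest_port '53'
  option target 'ACCEPT'
config rule
  option src 'guest'
  option target 'REJECT'
config rule
  option src 'guest'
  option dest '*'
  option dest_ip '192.168.0.0/16'
  option target 'REJECT'"
```

Run it on the live file with `check_guest_fw < /etc/config/firewall`; dropping the Deny-Guest-Upstream rule from the sample makes it report a FAIL, which is the case the thread's problem is about.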

In the past I used your second approach, with a comparable configuration. I stopped using guest networks because of strange routing behaviour in the OPENWRT router. When I performed a tracert I noticed that the traffic from WLAN hosts connected to the non-guest network (WLAN bridged with LAN) were routed via the guest interface. I don't know why, but when I read the earlier mentioned post I recognised the problem.

I also wonder if approach 2 is preferred when having multiple APs with guest networks.

This has lost me greatly.

If you are using the router as a dumb AP with non-guests on upstream:

  • Just make the SSID for non-guests - you will bridge this SSID to WAN
  • Open Port 80/tcp on WAN to access LuCI (for security - only permit the local IPs on that network)
  • Setup the downstream LAN on OpenWrt as the "guest" network - SSID the guests to this Interface

Unless I'm missing something, this is quite straightforward.

NAT should never be a substitute for a firewall, even if it limits some connections.

Once you understand the concepts of VLANs and how to get them from device to device, at least in my opinion, the greatly preferred approach is:

  • Subnets for each "class of client"
  • Separation of traffic from each subnet on a given link using VLANs
  • Static routing, if needed
  • Firewall rules to control the traffic between each subnet, to the Internet in general, and access to services

I understand the concept of VLANs very well, but that doesn't mean that I implement them at home, only if really necessary. In the end I think they are necessary, if I want to support 'seamless' roaming in the guest network to different access points. However, this is currently not the case.

In my current setup I have an ISP router as Internet gateway, which doesn't support VLANs on the LAN Interface. Therefore I am not able to separate the guest Network from the non-guest network on the Internet gateway. The workaround is to use the second approach as proposed by the user mk24 in the OPENWRT AP:

  • A br-guest network with a DHCP server. The br-guest addresses are different from the LAN.
  • A Wifi AP and / or wired connections to guest network.
  • NAT / forwarding from guest to lan. Enable masq and mtu_fix on the lan zone.
  • Firewall rules to block the guests from any LAN IP addresses, other than the DHCP and DNS server in the AP.
  • Optionally, sqm rules on the guest network to prevent guests from using all the Internet bandwidth.

As a result both the guest network and the LAN network traffic will be mixed together; the ISP router will not notice the difference, and handles it as LAN traffic. The firewall rules in the OPENWRT AP prevent guest clients from gaining access to non-guest clients.

I tried this workaround in the past, but I noticed very strange routing behaviour, as mentioned before. Then I saw the post about routing, and I thought that this could solve my problems. But perhaps I am mistaken.

I will configure my APs with the proposed configurations by mk24, and see what happens.