[UNSOLVED] Guest WiFi SSID on 23.05.2 -- gets valid ip - no internet

Hi, I have genuinely tried to figure this out on my own for a few days, scoured all forums... followed several openWRT tutorials from the docs and on YouTube. The furthest I got this working is having clients connect with valid IPs but not getting access to the internet.

exactly as stated at the bottom of this tutorial: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface#troubleshooting

make sure the Guest interface has a netmask configured

which I have set according to the instructions but clients connected to the SSID simply cannot access anything on the local network or outside to the internet.

I have tried all of the following tutorials with the same issue

Here is my current setup

OpenWrt 23.05.2, r23630-842932a63d
Model: Dynalink DL-WRX36

state:
clients connect, get an IP in the right range but no access.

Here is the usual config dump:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Dynalink DL-WRX36",
	"board_name": "dynalink,dl-wrx36",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq807x/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:44c0:46b2::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '1.1.1.1'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option channel 'auto'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '<SSID-24G>'
	option encryption 'psk2'
	option key '****'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid '<SSID-5G>'
	option encryption 'psk2'
	option key '****'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '<SSID-GUEST>'
	option encryption 'psk2'
	option isolate '1'
	option key '****'
	option network 'guest'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option noresolv '0'
	option port '54'
	list server '192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns 'fd09:44c0:46b2::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'HOSTNAME1'
	option ip '192.168.1.121'
	option mac 'XX:XX:XX:AF:CD:0B'

config host
	option name 'HOSTNAME2'
	option ip '192.168.1.126'
	option mac 'XX:XX:XX:43:8A:72'

config host
	option name 'HOSTNAME3'
	option ip '192.168.1.100'
	option mac 'XX:XX:XX:6D:5B:A3'

config host
	option name 'HOSTNAME4'
	option ip '192.168.1.194'
	option mac 'XX:XX:XX:5E:A5:A6'

config host
	option name 'HOSTNAME5'
	option ip '192.168.1.176'
	option mac 'XX:XX:XX:10:FC:7A'

config host
	option name 'HOSTNAME6'
	option ip '192.168.1.248'
	option mac 'XX:XX:XX:EA:21:E3'

config host
	option name 'HOSTNAME6'
	option ip '192.168.1.246'
	option Mac 'XX:XX:XX:EA:21:E2'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guest-DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

Thank you kindly for your help!

I don't see any obvious errors.

Please confirm that the OpenVPN config is a server... if it is a client, that could explain the issues.

What address does your computer get when it joins the guest wifi? What is the subnet mask, dns, and router/gateway address that is provided via DHCP?

From a computer on the guest network, what are the results of:

thanks for the quick reply!

  • openVPN is a server, has been working great
  • IP received from 2 clients on the guest ssid
client A: 192.168.8.122
client B: 102.168.8.129

router: 192.168.8.1
  • the other SSIDs listed SSID-24G, SSID-5G, are working fine
  • pings:
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping openwrt.org
ping: cannot resolve openwrt.org: Unknown host
  • ifconfig for en0
inet 192.168.8.122 netmask 0xffffff00 broadcast 192.168.8.255
cat /etc/resolv.conf
search lan
nameserver 192.168.1.1
ping openwrt.org
ping: cannot resolve openwrt.org: Unknown host

What is upstream of this router? Do you happen to have another router and is it at all possible that it is also using the same subnet as the guest network (192.168.8.0/24)?

the setup

<ISP>--\
        \
         \__<modem>--\
                      \
                       \__<dynalink (this)>

this subnet 192.168.8.X is unique to this guest network. It's not used anywhere else on this network.

Ok... thanks for confirming.

I assume your main network is working properly?

Have you restarted the router since making the changes to setup the guest network?

I assume your main network is working properly?

yes, SSID-24G and SSID-5G (from the prior post) are working fine

Have you restarted the router since making the changes to setup the guest network?

yes, several times.

Although it should not matter, can you stop and disable the OpenVPN service, reboot, and then see if that fixes anything on the guest network?

disable the OpenVPN service, reboot

sure, ill report back in the following post after everything is up.

in the meantime hoping some screenshots can shed some light

disable the OpenVPN service, reboot

  • I ran:
service openvpn stop
service openvpn disable
reboot
  • experienced the same issue on SSID-GUEST, same ips same pings
ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1): 56 data bytes
92 bytes from 192.168.8.1: Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 257d   0 0000  40  01 c360 192.168.8.122  192.168.8.1
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
Request timeout for icmp_seq 0

I'm stumped at the moment.... I see that you have some non-default DNS related items, but that wouldn't affect the ability to ping 8.8.8.8.

Let me keep thinking about this... and maybe someone will spot what I am missing.

hopefully so, but thank you kindly for your time.

in the meantime, for my guests I'm cloning SSID-5G, which is working, and checking [isolate clients], although ssh and other services are still allowed... at least I can have some guest control

Are there any other packages installed on your router that could affect routing like PBR or similar? I don't see anything in the firewall or network configs that would suggest it, but just want to check.

(for that matter, maybe the better question to ask is: what non-default packages are installed on your router -- just to be sure we cover all the bases).

hi,

root@OpenWrt:~# cat /etc/config/dhcp


config dnsmasq
[..]
	option port '54'
	list server '192.168.1.1'

Port 54 indicates you are not using the default config; what is your real DNS server?
The server option sets your upstream DNS (if it is not the auto-detected one coming from the wan config), but your lan interface's IP is 192.168.1.1 too, so this is a loop.

im not familiar enough with PBR type packages... but maybe AdGuard might be related?

packages installed:
root@OpenWrt:~# opkg list-installed

adguardhome - 0.107.36-1
ath11k-firmware-ipq8074 - 2023-03-31-a039049a-1
attr - 2.5.1-1
avahi-dbus-daemon - 0.8-8
base-files - 1550-r23630-842932a63d
block-mount - 2023-02-28-bfe882d5-1
bmon - 4.0-1
btop - 1.3.0-1
busybox - 1.36.1-1
ca-bundle - 20230311-1
ca-certificates - 20230311-1
cgi-io - 2022-08-10-901b0f04-21
confuse - 3.3-1
curl - 8.5.0-1
dbus - 1.13.18-12
ddns-scripts - 2.8.2-42
ddns-scripts-noip - 2.8.2-42
ddns-scripts-services - 2.8.2-42
dnsmasq - 2.89-4
dropbear - 2022.82-5
e2fsprogs - 1.47.0-2
firewall4 - 2023-09-01-598d9fbb-1
fstools - 2023-02-28-bfe882d5-1
fwtool - 2019-11-12-8f7fe925-1
getrandom - 2022-08-13-4c7b720b-2
hostapd-common - 2023-09-08-e5ccbfc6-6
hostapd-utils - 2023-09-08-e5ccbfc6-6
htop - 3.3.0-1
ipq-wifi-dynalink_dl-wrx36 - 2023-11-10-0c2e810e-1
iw - 5.19-1
iwinfo - 2023-07-01-ca79f641-1
jansson4 - 2.14-3
jshn - 2023-05-23-75a3b870-1
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 5.15.137-1-c0be4d8060b09729c42faeda72adef10
kmod-ath - 5.15.137+6.1.24-3
kmod-ath11k - 5.15.137+6.1.24-3
kmod-ath11k-ahb - 5.15.137+6.1.24-3
kmod-cfg80211 - 5.15.137+6.1.24-3
kmod-crypto-acompress - 5.15.137-1
kmod-crypto-aead - 5.15.137-1
kmod-crypto-ccm - 5.15.137-1
kmod-crypto-cmac - 5.15.137-1
kmod-crypto-crc32c - 5.15.137-1
kmod-crypto-ctr - 5.15.137-1
kmod-crypto-gcm - 5.15.137-1
kmod-crypto-gf128 - 5.15.137-1
kmod-crypto-ghash - 5.15.137-1
kmod-crypto-hash - 5.15.137-1
kmod-crypto-hmac - 5.15.137-1
kmod-crypto-manager - 5.15.137-1
kmod-crypto-michael-mic - 5.15.137-1
kmod-crypto-null - 5.15.137-1
kmod-crypto-rng - 5.15.137-1
kmod-crypto-seqiv - 5.15.137-1
kmod-crypto-sha512 - 5.15.137-1
kmod-fs-exfat - 5.15.137-1
kmod-fs-ext4 - 5.15.137-1
kmod-fuse - 5.15.137-1
kmod-gpio-button-hotplug - 5.15.137-3
kmod-hwmon-core - 5.15.137-1
kmod-leds-gpio - 5.15.137-1
kmod-lib-crc-ccitt - 5.15.137-1
kmod-lib-crc16 - 5.15.137-1
kmod-lib-crc32c - 5.15.137-1
kmod-lib-lzo - 5.15.137-1
kmod-libphy - 5.15.137-1
kmod-mac80211 - 5.15.137+6.1.24-3
kmod-nf-conntrack - 5.15.137-1
kmod-nf-conntrack6 - 5.15.137-1
kmod-nf-flow - 5.15.137-1
kmod-nf-log - 5.15.137-1
kmod-nf-log6 - 5.15.137-1
kmod-nf-nat - 5.15.137-1
kmod-nf-reject - 5.15.137-1
kmod-nf-reject6 - 5.15.137-1
kmod-nfnetlink - 5.15.137-1
kmod-nft-core - 5.15.137-1
kmod-nft-fib - 5.15.137-1
kmod-nft-nat - 5.15.137-1
kmod-nft-offload - 5.15.137-1
kmod-nls-base - 5.15.137-1
kmod-phy-aquantia - 5.15.137-1
kmod-ppp - 5.15.137-1
kmod-pppoe - 5.15.137-1
kmod-pppox - 5.15.137-1
kmod-qca-nss-dp - 5.15.137+2022-04-30-72e9ec41-1
kmod-qca-ssdk - 5.15.137+2022-09-12-628b22bc-2
kmod-qrtr - 5.15.137-1
kmod-qrtr-smd - 5.15.137-1
kmod-scsi-core - 5.15.137-1
kmod-slhc - 5.15.137-1
kmod-thermal - 5.15.137-1
kmod-tun - 5.15.137-1
kmod-usb-core - 5.15.137-1
kmod-usb-dwc3 - 5.15.137-1
kmod-usb-dwc3-qcom - 5.15.137-1
kmod-usb-ehci - 5.15.137-1
kmod-usb-storage - 5.15.137-1
kmod-usb-storage-extras - 5.15.137-1
kmod-usb-storage-uas - 5.15.137-1
kmod-usb-xhci-hcd - 5.15.137-1
kmod-usb2 - 5.15.137-1
kmod-usb3 - 5.15.137-1
libatomic1 - 12.3.0-4
libattr - 2.5.1-1
libavahi-client - 0.8-8
libavahi-dbus-support - 0.8-8
libblkid1 - 2.39-2
libblobmsg-json20230523 - 2023-05-23-75a3b870-1
libc - 1.2.4-4
libcap - 2.69-1
libcomerr0 - 1.47.0-2
libcurl4 - 8.5.0-1
libdaemon - 0.14-5
libdbus - 1.13.18-12
libevdev - 1.13.0-1
libevent2-core7 - 2.1.12-1
libexpat - 2.5.0-1
libext2fs2 - 1.47.0-2
libgcc1 - 12.3.0-4
libgmp10 - 6.2.1-1
libgnutls - 3.8.0-3
libiwinfo-data - 2023-07-01-ca79f641-1
libiwinfo20230701 - 2023-07-01-ca79f641-1
libjson-c5 - 0.16-3
libjson-script20230523 - 2023-05-23-75a3b870-1
liblua5.1.5 - 5.1.5-10
liblucihttp-lua - 2023-03-15-9b5b683f-1
liblucihttp-ucode - 2023-03-15-9b5b683f-1
liblucihttp0 - 2023-03-15-9b5b683f-1
liblzo2 - 2.10-4
libmbedtls12 - 2.28.5-2
libmnl0 - 1.0.5-1
libncurses6 - 6.4-2
libnettle8 - 3.9.1-1
libnftnl11 - 1.2.6-1
libnghttp2-14 - 1.57.0-1
libnl-core200 - 3.7.0-1
libnl-route200 - 3.7.0-1
libnl-tiny1 - 2023-07-27-bc92a280-1
libopenssl-conf - 3.0.12-1
libopenssl3 - 3.0.12-1
libpam - 1.5.2-1
libpcre2 - 10.42-1
libpopt0 - 1.19-1
libpthread - 1.2.4-4
libreadline8 - 8.2-1
librt - 1.2.4-4
libsmartcols1 - 2.39-2
libss2 - 1.47.0-2
libstdcpp6 - 12.3.0-4
libtasn1 - 4.19.0-2
libtirpc - 1.3.3-1
libubox20230523 - 2023-05-23-75a3b870-1
libubus-lua - 2023-06-05-f787c97b-1
libubus20230605 - 2023-06-05-f787c97b-1
libuci20130104 - 2023-08-10-5781664d-1
libuclient20201210 - 2023-04-13-007d9454-1
libucode20230711 - 2023-11-07-a6e75e02-1
libudev-zero - 1.0.1-1
liburing - 2.3-1
libusb-1.0-0 - 1.0.26-3
libustream-mbedtls20201210 - 2023-02-25-498f6e26-1
libuuid1 - 2.39-2
libuv1 - 1.45.0-1
logd - 2022-08-13-4c7b720b-2
losetup - 2.39-2
lua - 5.1.5-10
luci - git-23.051.66410-a505bb1
luci-app-ddns - git-23.346.52990-28c4a65
luci-app-firewall - git-23.306.38853-a0466cd
luci-app-opkg - git-23.311.75635-769b30c
luci-app-samba4 - git-23.142.65904-c0478f0
luci-base - git-23.306.39416-c86c256
luci-lib-base - git-22.308.54612-9118452
luci-lib-ip - git-23.311.79290-c2a887e
luci-lib-jsonc - git-23.298.74571-62eb535
luci-lib-nixio - git-23.338.82551-ea30bd9
luci-light - git-23.024.33244-34dee82
luci-lua-runtime - git-23.233.52805-dae2684
luci-mod-admin-full - git-19.253.48496-3f93650
luci-mod-network - git-23.313.56166-6da284d
luci-mod-status - git-23.306.52197-bdcd3e0
luci-mod-system - git-23.306.39416-7d3abf8
luci-proto-ipv6 - git-21.148.48881-79947af
luci-proto-ppp - git-21.158.38888-88b9d84
luci-ssl - git-23.035.26083-7550ad6
luci-theme-bootstrap - git-23.306.39416-c86c256
mtd - 26
netdata - 1.33.1-4
netifd - 2023-11-10-35facc83-1.1
nftables-json - 1.0.8-1
ntfs-3g - 2022.5.17-1-fuseint
odhcp6c - 2023-05-12-bcd28363-20
odhcpd-ipv6only - 2023-10-24-d8118f6e-1
openssl-util - 3.0.12-1
openvpn-easy-rsa - 3.0.8-4
openvpn-openssl - 2.5.8-3
openwrt-keyring - 2022-03-25-62471e69-2
opkg - 2022-02-24-d038e5b6-2
ppp - 2.4.9.git-2021-01-04-4
ppp-mod-pppoe - 2.4.9.git-2021-01-04-4
procd - 2023-06-25-2db83655-2
procd-seccomp - 2023-06-25-2db83655-2
procd-ujail - 2023-06-25-2db83655-2
px5g-mbedtls - 10
rpcd - 2023-07-01-c07ab2f9-1
rpcd-mod-file - 2023-07-01-c07ab2f9-1
rpcd-mod-iwinfo - 2023-07-01-c07ab2f9-1
rpcd-mod-luci - 20230123-1
rpcd-mod-rrdns - 20170710
rpcd-mod-ucode - 2023-07-01-c07ab2f9-1
samba4-libs - 4.18.8-1
samba4-server - 4.18.8-1
terminfo - 6.4-2
tmux - 3.3a-1
ubi-utils - 2.1.5-1
uboot-envtools - 2023.04-1
ubox - 2022-08-13-4c7b720b-2
ubus - 2023-06-05-f787c97b-1
ubusd - 2023-06-05-f787c97b-1
uci - 2023-08-10-5781664d-1
uclient-fetch - 2023-04-13-007d9454-1
ucode - 2023-11-07-a6e75e02-1
ucode-mod-fs - 2023-11-07-a6e75e02-1
ucode-mod-html - 1
ucode-mod-lua - 1
ucode-mod-math - 2023-11-07-a6e75e02-1
ucode-mod-nl80211 - 2023-11-07-a6e75e02-1
ucode-mod-rtnl - 2023-11-07-a6e75e02-1
ucode-mod-ubus - 2023-11-07-a6e75e02-1
ucode-mod-uci - 2023-11-07-a6e75e02-1
ucode-mod-uloop - 2023-11-07-a6e75e02-1
uhttpd - 2023-06-25-34a8a74d-1
uhttpd-mod-ubus - 2023-06-25-34a8a74d-1
urandom-seed - 3
urngd - 2023-11-01-44365eb1-1
usbutils - 014-1
usign - 2020-05-23-f1f65026-1
wget-ssl - 1.21.4-1
wireless-regdb - 2023.09.01-1
wpad-basic-mbedtls - 2023-09-08-e5ccbfc6-6
zlib - 1.2.13-1

54 indicates you are not using default config, what is your real DNS server?

Im sorry but Im not sure how to get that information. What can I log to indicate the real DNS server?

Possibly AdGuard is related?

I see the following in AdGuard's settings page

Bootstrap DNS servers Bootstrap DNS servers are used to resolve IP addresses of the DoH/DoT resolvers you specify as upstreams.

9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10

you know your infra we don't. from the things you share we can make guesses only.

so, let's go back to square one: pls make a simple drawing about your infra and add all components, such as: OpenWrt physical connections to other peers and relevant IP addressing, and describe what non-default setup you have.

e.g. you seem to have some kind of dns and potentially routing issue based on

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
Request timeout for icmp_seq 0

this can be firewall related, e.g. your guest zone doesn't have access to AdGuard (which you only mentioned in your previous comment). According to the firewall settings, the guest zone has a REJECT input policy and an input exception rule for port 53, which might be insufficient if your AdGuard server has a different IP address and/or is not listening on the guest interface's IP address.

I don't believe this is entirely adguard related because the ping to 8.8.8.8 failed, too. There are no firewall rules that would otherwise block any traffic from the guest network, so a direct IP address ping operation (that does not require DNS resolution) would be expected to succeed.

With that said, it might make the most sense to make a backup and then reset the router to defaults. From there you can either restore the backup and see if it works, or start fresh (either using the backup as a reference or just simply stored safely so that it is available if you need it). You'll obviously need to reinstall your user-installed packages like OpenVPN and AGH, but that is pretty easy to do.

the things you share we can make guesses only

Yes, and I'm very grateful for the community and the help. If there's anything I left out earlier (AdGuard), it's because I really didn't think of it, or due to my inexperience. I'm completely stumped at this point, as I've tried for a few days to find a solution. I'm certain we'll come to a resolution and post it here to help others in the future.

pls make a simple drawing

hardware and software this is all I have that's not a client. All of the clients can be moved to any router with the same wifi since they just consume and not manipulate the "pipe"

<isp>----<modem>----<openwrt router>----<clients>

all relevant packages I can think of running on the router directly, no other hardware like raspberry pi router etc.

- adguard
- openVPN server
- DDNS (just reporting IP to online server)
- netdata
- misc services (samba/ssh)

This is the guide I used to setup adguard which mentions a reverse dns rDNS using port 54 as you found as well: https://openwrt.org/docs/guide-user/services/dns/adguard-home.
but under AdGuard > settings > Private reverse DNS servers > entry is empty

Could it be related to the IPTables prerouting mentioned here: https://openwrt.org/docs/guide-user/services/dns/adguard-home#iptables_firewall3 .... altho I don't see a /etc/firewall.user file and I don't see a config redirect entry in /etc/config/firewall either.

Copy and paste these iptables rules in Network → Firewall → Custom Rules Tab or directly to /etc/firewall.user.

iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1:53

I looked through the logs for anything on port 54 and found nothing; only this showed up for 53
root@OpenWrt:~# logread -e 53

Fri Feb  9 17:08:21 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 17:08:21 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 17:08:21 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Feb  9 17:08:21 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Feb  9 17:08:21 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 17:08:21 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 17:10:49 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 17:10:49 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 17:10:49 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Feb  9 17:10:49 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Feb  9 17:10:49 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 17:10:49 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:07:21 2024 kern.info kernel: [32716.724535] br-lan: port 7(phy0-ap2) entered disabled state
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:07:22 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:07:23 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:13:07 2024 kern.info kernel: [33062.748353] br-lan: port 7(phy0-ap2) entered disabled state
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 192.168.1.1#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 9.9.9.9#53
Fri Feb  9 18:13:07 2024 daemon.info dnsmasq[1]: using nameserver 149.112.112.112#53

more searching around seemingly aimlessly but maybe there's a clue:
please note: clients connected to the LAN, SSID5G, SSID24G work fine, as they are running on network=lan
2024-02-09_10-09-46

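I know the problem is deeper, but as a starting point: if I change the wireless network SSID-GUEST from network=guest to network=lan it starts working, though that puts the guest clients on the lan network and its firewall zone rather than the separate guest one.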

# /etc/config/wireless

## change from:
uci set wireless.wifinet3.network='guest'

## change to:
uci set wireless.wifinet3.network='lan'

2024-02-09_10-10-35

thus im figuring there's an interface config issue between lan and guest interfaces.
here are some screenshots to help. Only reason I have these setup is based on the guides. Ive never had guest working. This is a new interface based on the guides and tutorials I found.
here's the 2 interfaces compared where im pointing out the differences. Ive tried copying settings from lan interface to guest interface but haven't found the issue yet.