VLAN + Guest WIFI configuration

Hello, I am trying to configure a VLAN and set up a guest Wi-Fi network, but I'm having some trouble with its configuration and hoping someone could shed some light on what I am doing wrong.

Currently, I can get my phone to connect to the guest network and it is assigned the IP address 192.168.3.221, so DHCP seems to work. But DNS does not seem to work: I can't ping google.com, but I can ping 8.8.8.8.
The other issue is that the guest network still seems to have access to the devices on the other VLAN, and vice versa.

Router: Netgear R7800
OpenWrt version: hnyman build 23.05 (swconfig)
New VLAN id/tag = 3
I used the web GUI (LuCI) for the configuration, following https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

/etc/config/network, which should show my changes to the bridge and VLAN config:

# Router's own loopback interface (stock default).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:5792:44ec::/48'

# LAN bridge: only the switch's VLAN 1 sub-interface (eth1.1) is a member.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (LAN): switch ports 1-3 untagged, CPU port 6 tagged -> eth1.1.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 6t'
	option vid '1'

# VLAN 2 (WAN): port 5 untagged, CPU port 0 tagged -> eth0.2.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# WireGuard server interface; private key redacted by the poster.
config interface 'wg'
	option proto 'wireguard'
// snip private key
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg
	option description 'phone'
// snip keys
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.3/32'

# Guest VLAN 3: switch port 4 untagged only here (not in VLAN 1), plus the
# tagged CPU port 6, so it surfaces as eth1.3.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '4 6t'
	option vid '3'

# Guest interface. NOTE: the `list dns` entries below feed the router's own
# resolver configuration for this interface; they are not what DHCP clients
# receive, which is why the thread reports them having no effect on guests.
config interface 'vlan3'
	option proto 'static'
	option device 'vlan3-br'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '192.168.1.1'

# Bridge for the guest VLAN; the guest AP joins it through
# `option network 'vlan3'` in /etc/config/wireless.
config device
	option type 'bridge'
	option name 'vlan3-br'
	list ports 'eth1.3'

/etc/config/firewall (with my changes):

# Defaults: anything not explicitly allowed by a zone or rule is rejected,
# both into the router (input) and between zones (forward).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The WireGuard interface sits in the 'lan' zone, so VPN peers are treated
# exactly like wired/wireless LAN clients.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# --- stock WAN input rules, unchanged from the default firewall ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

# DNAT of WAN port 51820 to the router's own LAN address. WireGuard runs on
# the router itself, so a plain ACCEPT input rule (the 'Allow-WireGuard' rule
# suggested later in the thread) is the usual form; this redirect also lacks
# `option proto 'udp'`.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Allow-Wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.1.1'
	option dest_port '51820'

# Guest zone. input REJECT: guests reach the router only on the ports opened
# by the two rules below (53 and 67-68), which is why the router's web UI at
# 192.168.3.1 does not load from the guest VLAN. forward REJECT with the single
# forwarding to 'wan' below means no guest -> 'lan' forwarding is configured.
config zone
	option name 'vlan3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan3'

config forwarding
	option src 'vlan3'
	option dest 'wan'

# No `option dest`, so this is router input. No `option proto`, so it applies
# to both tcp and udp (fw4 default). It only opens port 53; dnsmasq here
# listens on 54 (see /etc/config/dhcp), so whatever is bound to 53 on
# 192.168.3.1 must answer guest queries for guest DNS to work.
config rule
	option name 'vlan3-dns'
	option src 'vlan3'
	option target 'ACCEPT'
	option dest_port '53'

# DHCP from guests to the router's DHCP server.
config rule
	option name 'vlan3-dhcp'
	option src 'vlan3'
	option dest_port '67-68'
	option target 'ACCEPT'

/etc/config/wireless (with my changes):

# 5 GHz radio.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# 2.4 GHz radio.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# Guest AP, attached to the 'vlan3' interface (192.168.3.0/24). The key is
# presumably redacted by the poster. NOTE(review): no `option isolate '1'` is
# set, so guest clients on this SSID can still talk to each other over Wi-Fi
# even though the firewall keeps them off the LAN; consider enabling it if
# guest-to-guest traffic is not wanted.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'vlan3'
	option mode 'ap'
	option ssid 'GUESTWIFI'
	option encryption 'psk2'
	option key 'key'

# Regular (non-guest) AP on the 'lan' interface; key presumably redacted.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'not-guest-wifi'
	option encryption 'psk2'
	option key 'key'
	option network 'lan'

The `list dns` entries above have no effect; they can be removed.

Please post your dhcp file.

I added those to see if they would change anything about DNS, but yes, they had no effect. I will remove them.

Here is dhcp:

# dnsmasq is moved off port 53 to 54 (AdGuard Home occupies 53, per the
# thread). rebind_protection '0' disables DNS-rebinding protection, i.e.
# upstream answers that point at private addresses are accepted. localservice
# '1' keeps dnsmasq answering DNS only for hosts on directly attached subnets.
# The `list server '192.168.1.1'` upstream is presumably the AdGuard Home
# instance on port 53 — verify that AdGuard Home does not in turn forward
# back to dnsmasq on 54 (a loop).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	list server '192.168.1.1'

# LAN pool: hands out 192.168.1.1 as DNS (option 6) and gateway (option 3).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns '2600:4040:77d1:6e00::1'
	list dns 'fd7b:5792:44ec::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Guest pool. No dhcp_option 6 here, so clients get the interface address
# (192.168.3.1) as DNS server by default and query it on port 53 — the
# service bound to 53 must therefore listen on this interface as well.
# NOTE(review): the `uci add_list dhcp.lan.dhcp_option='6,1.1.1.1'` command
# later in the thread targets the 'lan' pool, not this one; verify which
# pool was actually changed.
config dhcp 'vlan3'
	option interface 'vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'

And now for something completely different :wink:
This rule (the Allow-Wireguard redirect) is not optimal and might not work depending on circumstances.

The better rule:

# Plain ACCEPT for inbound WireGuard on the WAN zone (no `option dest`, so
# this is router input) — replaces the DNAT redirect. No `option family`, so
# it applies to both IPv4 and IPv6.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Now on to your problem:

This (`option port '54'`) is not the default dnsmasq setting.
dnsmasq normally listens on port 53, and your guest Wi-Fi clients are sending their DNS requests to port 53; I'm not sure what is listening there, but it probably does not respond to them.


Re: WireGuard: thanks! I will try that once I figure out the VLANs, but that rule was just what the LuCI config produced :see_no_evil:

And Re: port 53:

I run AdGuard Home on port 53 based on this guide, which moves the default dnsmasq port to 54. It does respond to my other devices on the regular Wi-Fi network and VLAN, both over Wi-Fi and Ethernet:

$ nslookup google.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	google.com
Address: 142.250.80.78
Name:	google.com
Address: 2607:f8b0:4006:821::200e

So I more or less worked around the DNS connectivity issue by handing out Cloudflare as the DNS server:

uci add_list dhcp.lan.dhcp_option='6,1.1.1.1'

So I am assuming that this VLAN can't reach 192.168.1.1, since my phone can no longer connect to the router.

However, what's strange to me now is that:

  1. `ssh 192.168.1.200` (my laptop) reports "connection refused" — does that mean the guest VLAN can reach the other subnet?
  2. I can't load 192.168.3.1 either (that should be the router on the VLAN; I guess I'm fine with guests not reaching the router).

I would love some help or clarification on either. Thanks!