VLAN setup help

Yeah I'll need a new one for it, it'd be 192.168.4.0/24

Ok... start with the process of creating a guest WiFi network, but skip over the parts where you actually create an SSID. What we need is the network interface definition, the DHCP server, and the firewall configurations to be complete. Then we'll make the modifications to assign this network to the appropriate Ethernet port using VLANs.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

When you're done, post your complete config for review and then we'll make the necessary modifications.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, WireGuard private and preshared keys, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
BusyBox v1.36.1 (2024-12-23 00:55:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0-rc4, r28211-d55754ce0d
 -----------------------------------------------------
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd38:7784:d57b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth2'

config device
        option name 'wan'
        option macaddr 'Redacted'

config device
        option name 'eth2'
        option macaddr 'Redacted'

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username 'Redacted'
        option password 'Redacted'
        option ipv6 'auto'
        option keepalive '0 1'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'cctv'
        list ports 'eth1'

config interface 'cctv'
        option proto 'static'
        option device 'cctv'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'Redacted'
        option listen_port '51820'
        list addresses '10.0.0.1/24'
        option force_link '1'
        option defaultroute '0'
        option mtu '8940'

config wireguard_wg0
        option description 'Redacted'
        option public_key 'Redacted'
        option private_key 'Redacted'
        option preshared_key 'Redacted'
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'Redacted'
        option public_key 'Redacted'
        option private_key 'Redacted'
        option preshared_key 'Redacted'
        list allowed_ips '10.0.0.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'Redacted'
        option public_key 'Redacted'
        option private_key 'Redacted'
        option preshared_key 'Redacted'
        list allowed_ips '10.0.0.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config device
        option type 'bridge'
        option name 'br-alarm'
        option bridge_empty '1'

config interface 'alarm'
        option proto 'static'
        option device 'br-alarm'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'cctv'
        option interface 'cctv'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option ip '192.168.3.174'
        list mac 'Redacted'

config dhcp 'alarm'
        option interface 'alarm'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config zone
        option name 'cctv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cctv'
        list device 'cctv'

config forwarding
        option src 'lan'
        option dest 'cctv'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src '*'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-cctv'
        option src 'cctv'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP-cctv'
        list proto 'udp'
        option src 'cctv'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP-Guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-alarm'
        option src 'alarm'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP-alarm'
        list proto 'udp'
        option src 'alarm'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'alarm'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'alarm'

config forwarding
        option src 'alarm'
        option dest 'wan'

root@OpenWrt:~#

Hmm, my WireGuard setup is still acting weird: it can't complete a handshake after a reboot unless the QR code is scanned again, even though none of the keys have changed at all.

Maybe something is wrong with your mobile device. If the QR codes are the same every time (as would be expected), scanning the code only updates the device that does the scan (i.e. the phone) - and if there is no practical update, maybe something is wrong with the phone.

Please try another device.

I've tried 3 phones; I guess I'll try a laptop.

What do I do from here

What happened with the laptop?

I need to try, just got a bit busy for a second

same issue

Please look at every parameter of the QR code before and after a reboot to see if anything at all is changing. There must be something changing, otherwise this would not be necessary. The QR code scanning does nothing to the router, but it could be refreshing some element of the phone's config. Also check the endpoint host that is being set in the QR code -- are you using a dynamic DNS domain name or a raw IP address? If you're using an IP address, is it changing from reboot to reboot?

Another thing you can check... (don't post the actual values here, though):
run the following command:

ifstatus wan | grep address

make note of that address and then restart the router. Run the command again. Is the address the same?

ok will do

Yep you're correct it's the endpoint IP address that changes

Any way to make it static possibly

The IP address comes from your ISP, so no, you cannot make it static. But you can use a dynamic DNS service so you always use a domain name, which will be updated whenever your IP address changes.

https://openwrt.org/docs/guide-user/services/ddns/client


ok, I'll sort that out. How do we continue with the VLAN for my home alarm?

got wireguard working properly

Great. Now back to the alarm network...

We first need to create bridge-vlans and edit the interfaces accordingly.

On the main router, add these:

config bridge_vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:u*'

config bridge_vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan2:t'

Now, edit the lan interface to use br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Delete the alarm bridge (the `config device` section named 'br-alarm'), since the alarm interface will now use the VLAN on br-lan instead.

And edit the alarm interface to use br-lan.4:

config interface 'alarm'
        option proto 'static'
        option device 'br-lan.4'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

From there, restart your main router and post the network config here for review. We should then be ready to move on to the MX4200 -- post the network config from that device and we'll finish that up.

I've lost internet connection but it's done

Managed to SSH in via VPN

BusyBox v1.36.1 (2024-12-23 00:55:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0-rc4, r28211-d55754ce0d
 -----------------------------------------------------
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd38:7784:d57b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth2'

config device
        option name 'wan'
        option macaddr ''

config device
        option name 'eth2'
        option macaddr ''

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 'auto'
        option keepalive '0 1'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'cctv'
        list ports 'eth1'

config interface 'cctv'
        option proto 'static'
        option device 'cctv'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option description ''
        option public_key ''
        option private_key ''
        option preshared_key ''
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description ''
        option public_key ''
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '10.0.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description ''
        option public_key 'redacted'
        option private_key 'redacted'
        option preshared_key 'redacted'
        list allowed_ips '10.0.0.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config interface 'alarm'
        option proto 'static'
        option device 'br-lan.4'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config bridge_vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:u*'

config bridge_vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan2:t'
root@OpenWrt:~#

Linksys configuration

BusyBox v1.37.0 (2024-12-08 23:38:13 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r0-fda78df
 -----------------------------------------------------

 OpenWrt recently switched to the "apk" package manager!

 OPKG Command           APK Equivalent      Description
 ------------------------------------------------------------------
 opkg install <pkg>     apk add <pkg>       Install a package
 opkg remove <pkg>      apk del <pkg>       Remove a package
 opkg upgrade           apk upgrade         Upgrade all packages
 opkg files <pkg>       apk info -L <pkg>   List package contents
 opkg list-installed    apk info            List installed packages
 opkg update            apk update          Update package lists
 opkg search <pkg>      apk search <pkg>    Search for packages
 ------------------------------------------------------------------

For more https://openwrt.org/docs/guide-user/additional-software/opkg-to-apk-cheatsheet

root@linksys:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd66:3172:ecea::/48'
        option packet_steering '2'
        option steering_flows '256'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'
        option mtu '9200'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

root@linksys:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@linksys:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option synflood_protect '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'

root@linksys:~#