VLANs for beginners and Guest Wifi DHCP problem

I think I'm getting really old and tired, but the fact is I can't learn VLANs. It just doesn't get into my head. I set up a mesh network and wanted to separate guest and IoT devices into VLANs. I've looked at several tutorials on YouTube and I can't get it to work. But I won't give up until I learn. Does anyone have any recommendations for study material on the subject? Thanks.


https://www.youtube.com/@OneMarcFifty, search for VLAN.


Thank you.

For a very basic VLAN setup example you can have a look at my setup.


I'll try again this weekend with your approach and return with feedback. Thank you very much.

I realized that the real problem is the assignment of IPs to clients, which should be done by the guest network via DHCP. I checked all the settings several times, including the firewall rules for DHCP and DNS. I set up the guest network via LuCI and then redid it via UCI, following the guidance of several people and also the official OpenWrt documentation. And I absolutely cannot get the guest interface to assign IPs to my clients. I'm on the latest version (23.05.2), running fine on an old TP-Link Google OnHub. The LAN and everything else works perfectly. But I'm already feeling extremely stupid for not being able to set up a simple guest wifi.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OnHub:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OnHub",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "TP-Link OnHub",
        "board_name": "tplink,onhub",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq806x/chromium",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OnHub:~# cat /etc/config/network

# /etc/config/network as first posted (OpenWrt 23.05.2 on tplink,onhub; legacy swconfig
# switch layout, see the 'switch' sections below).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:9b6b:b969::/48'
        option packet_steering '1'

# NOTE(review): br-lan bridges both eth1 (the untagged parent) and eth1.1 (its VLAN 1
# sub-interface). The reply further down says to keep only eth1.1, and the re-posted
# config does exactly that.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): the same parent + sub-interface pattern on the WAN side (eth0 and eth0.2).
# The reply further down drops br-wan and puts wan/wan6 directly on eth0.2.
config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth0.2'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: switch port 1 untagged, port 6 tagged (the 't' suffix) -- presumably the CPU
# port behind eth1.1; confirm against the board's port map.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'
        option vid '1'

# VLAN 2: port 2 untagged, port 0 tagged -- presumably the CPU port behind eth0.2.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2'
        option vid '2'

# Wireless-only guest bridge: no wired ports, kept up by bridge_empty. The guest
# wifi-iface joins it through "option network 'guest'" in /etc/config/wireless.
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        # NOTE(review): a default gateway on a LAN-side static interface, and one that is not
        # even inside 192.168.3.0/24. The reply further down says to delete this line, and the
        # re-posted config no longer has it.
        option gateway '192.168.10.254'

root@OnHub:~# cat /etc/config/wireless

# /etc/config/wireless as first posted. Keys are redacted ('XXXXXX') as the helper asked.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '44'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '3'
        option country 'BR'

# 802.11s mesh backhaul to the other access points, bridged into lan and SAE-protected.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id 'my-mesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key 'XXXXXX'
        option dtim_period '3'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/1b900000.pci/pci0002:00/0002:00:00.0/0002:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

# Main 5 GHz SSID on lan: WPA2/WPA3 mixed mode, with 802.11r (ieee80211r, nasid, ft_*)
# and 802.11k (ieee80211k) enabled.
config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'FKU_nomap_optout_nosniff_nospoof'
        option encryption 'sae-mixed'
        option key 'XXXXXX'
        option dtim_period '3'
        option ieee80211r '1'
        option nasid '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'

# Third radio sits on USB (see the path); also a lan SSID in mixed mode.
config wifi-device 'radio3'
        option type 'mac80211'
        option path 'platform/soc/110f8800.usb3/11000000.dwc3/xhci-hcd.1.auto/usb4/4-1/4-1:1.3'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio3'
        option device 'radio3'
        option network 'lan'
        option mode 'ap'
        option ssid 'FKT_nomap_optout_nosniff_nospoof'
        option encryption 'sae-mixed'
        option dtim_period '3'
        option key 'XXXXXX'

# Guest SSID on the 2.4 GHz radio, attached to the 'guest' interface (br-guest in
# /etc/config/network). isolate '1' is client isolation -- stations on this BSS cannot
# reach each other -- and is worth keeping on a guest network regardless of the DHCP
# issue. The reply further down asks for plain WPA2 or WPA3 instead of sae-mixed.
config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'noslen_convidados'
        option encryption 'sae-mixed'
        option isolate '1'
        option key 'XXXXXX'
        option dtim_period '1'

root@OnHub:~# cat /etc/config/dhcp

# /etc/config/dhcp as first posted.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        # port 0 turns dnsmasq's DNS listener off entirely. DNS is presumably served by
        # unbound (see the odhcpd leasetrigger below) -- confirm that it also listens on
        # br-guest, or the guest_dns firewall rule has nothing to reach.
        option port '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # odhcpd is the main DHCP server here (maindhcp '1' below), so DHCPv4 on lan is
        # switched on explicitly with this line.
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

# maindhcp '1': odhcpd, not dnsmasq, answers DHCPv4 as well as DHCPv6/RA.
config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
        option loglevel '4'

# NOTE(review): this section has no "option dhcpv4 'server'", unlike 'lan' above. With
# maindhcp '1' odhcpd is the DHCPv4 server and has to be enabled per interface, so guest
# clients would likely get no IPv4 lease -- the exact symptom reported in this thread.
# Add "option dhcpv4 'server'" here and check the system log for odhcpd on br-guest.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        # IPv6 RA/DHCPv6 on guest; the reply further down suggests dropping these for now.
        option ra 'server'
        option dhcpv6 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

There are numerous significant issues in your network config file. So much so that it is going to be hard to untangle.

I’d recommend starting over - reset to defaults and then you can add your guest network fresh. We just need to know if your guest network uses Ethernet or is WiFi only. After your reset, post your network config file again.

Edit: actually, I think we might be able to fix some of the issues. But let’s actually see the firewall file (which was not provided) before you reset.

# /etc/config/firewall, posted after the helper asked for it.
# Default policy: drop unsolicited input and forwarding, let the router itself talk out.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

# Trusted zone: full access to the router and unrestricted forwarding.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream zone: NAT (masq) and MSS clamping (mtu_fix); only the explicit Allow-* rules
# below get in.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here down to Allow-ISAKMP match the stock OpenWrt wan-facing defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: no access to the router (input REJECT) beyond the two rules below, and no
# forwarding to lan -- only the guest -> wan forwarding at the end of the file.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# Lets guest clients reach the router's resolver (53 tcp+udp).
config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

# Lets guest clients send DHCPv4 requests (udp/67) to the router. It is IPv4-only
# (family ipv4); as long as RA/DHCPv6 stays enabled on guest in /etc/config/dhcp,
# DHCPv6 (udp/547) would presumably need its own rule.
config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# Guest traffic may leave to the internet only.
config forwarding
        option src 'guest'
        option dest 'wan'

I need the guest just for wifi.

In fact, I need to make it work first on my router and then I will extend the guest wifi to the access points via vlan. I'm not able to make even the first step work, because the 'guest' interface doesn't provide IPs to clients.

In addition to the router, I have three more access points connected via mesh WiFi.

OK... let's see if we can fix some of the issues... we'll be touching several parts:

Remove eth1 from the br-lan device's port list, leaving only eth1.1:

Change the device of the wan and wan6 interfaces to eth0.2 (instead of br-wan):

Delete the br-wan device section entirely:

Delete the gateway line from the guest interface:

Use WPA2 or WPA3, not mixed mode... this can be an issue for many client devices that just won't connect properly to a mixed mode SSID:

I'd recommend making your guest network IPv4 only, for now anyway. In the guest DHCP section, remove everything below the leasetime line.

Finally, for now, let's change the guest firewall zone to accept input -- we can tighten this down later, but we want to reduce the variables:

Then restart your router and try again.

OK. I'll do it and then get back to you with feedback. Thank you in advance.

root@OnHub:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OnHub",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "TP-Link OnHub",
        "board_name": "tplink,onhub",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq806x/chromium",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OnHub:~# cat /etc/config/network

# /etc/config/network re-posted after the suggested edits: br-lan now holds only eth1.1,
# wan/wan6 sit directly on eth0.2, and the br-wan device and the guest gateway line are gone.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:9b6b:b969::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: port 1 untagged, port 6 tagged (presumably the CPU port behind eth1.1).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'
        option vid '1'

# VLAN 2: port 2 untagged, port 0 tagged (presumably the CPU port behind eth0.2).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2'
        option vid '2'

# Wireless-only guest bridge; the guest wifi-iface attaches through "option network 'guest'".
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

# Guest interface is now a plain static /24 with no gateway, as advised.
config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

root@OnHub:~# cat /etc/config/wireless

# /etc/config/wireless re-posted: the guest SSID is now plain WPA2 (psk2) as advised;
# keys are redacted to ''. The lan SSIDs are unchanged and still in sae-mixed mode.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '44'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '3'
        option country 'BR'

# 802.11s mesh backhaul, bridged into lan, SAE-protected.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id 'my-mesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key ''
        option dtim_period '3'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/1b900000.pci/pci0002:00/0002:00:00.0/0002:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'FKU_nomap_optout_nosniff_nospoof'
        option encryption 'sae-mixed'
        option key ''
        option dtim_period '3'
        option ieee80211r '1'
        option nasid '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'

config wifi-device 'radio3'
        option type 'mac80211'
        option path 'platform/soc/110f8800.usb3/11000000.dwc3/xhci-hcd.1.auto/usb4/4-1/4-1:1.3'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio3'
        option device 'radio3'
        option network 'lan'
        option mode 'ap'
        option ssid 'FKT_nomap_optout_nosniff_nospoof'
        option encryption 'sae-mixed'
        option dtim_period '3'
        option key ''

# Guest SSID: WPA2 only now; client isolation (isolate '1') still in place, which is the
# right default for a guest network.
config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'noslen_convidados'
        option encryption 'psk2'
        option isolate '1'
        option key ''
        option dtim_period '1'

root@OnHub:~# cat /etc/config/dhcp

# /etc/config/dhcp re-posted: the guest pool is IPv4-only now (RA/DHCPv6 lines removed).
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        # port 0: dnsmasq's DNS listener is off; DNS presumably comes from unbound (see the
        # odhcpd leasetrigger below).
        option port '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # lan enables odhcpd's DHCPv4 explicitly -- this is what the guest section lacks.
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

# maindhcp '1': odhcpd handles DHCPv4 as well as DHCPv6/RA, so per-interface dhcpv4
# settings in this file are what decide whether a pool is served.
config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
        option loglevel '4'

# NOTE(review): still no "option dhcpv4 'server'" on guest while maindhcp is '1'. That is
# consistent with the "DHCP still doesn't work" report that follows this dump, since the
# firewall and wireless changes made so far don't touch which interfaces odhcpd serves.
# Adding "option dhcpv4 'server'" here is the change to try next.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
root@OnHub:~# cat /etc/config/firewall

# /etc/config/firewall re-posted. The only change from the first version is the guest
# zone's input policy (ACCEPT instead of REJECT), done as a troubleshooting step.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt wan-facing rules, unchanged, down to Allow-ISAKMP.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): input ACCEPT means every service the router listens on (ssh and LuCI
# included) is reachable from the guest SSID. It was opened "to reduce the variables";
# since DHCP failed both before and after this change, the zone policy does not look like
# the cause, and it should go back to REJECT -- the guest_dns/guest_dhcp rules below
# already admit what DNS and DHCPv4 need.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# Guest clients may only be forwarded to wan; no guest -> lan forwarding exists.
config forwarding
        option src 'guest'
        option dest 'wan'

Unfortunately, DHCP still doesn't work

Try removing the isolate and DTIM parameters.

root@OnHub:~# cat /etc/config/wireless

# /etc/config/wireless re-posted after "try removing the isolate and DTIM parameters":
# the guest wifi-iface has lost its isolate and dtim_period lines; nothing else changed.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '44'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '3'
        option country 'BR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id 'my-mesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key ''
        option dtim_period '3'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/1b900000.pci/pci0002:00/0002:00:00.0/0002:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'FKU_nomap_optout_nosniff_nospoof'
        option encryption 'sae-mixed'
        option key ''
        option dtim_period '3'
        option ieee80211r '1'
        option nasid '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'

config wifi-device 'radio3'
        option type 'mac80211'
        option path 'platform/soc/110f8800.usb3/11000000.dwc3/xhci-hcd.1.auto/usb4/4-1/4-1:1.3'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio3'
        option device 'radio3'
        option network 'lan'
        option mode 'ap'
        option ssid 'FKT_nomap_optout_nosniff_nospoof'
        option encryption 'sae-mixed'
        option dtim_period '3'
        option key ''

# NOTE(review): client isolation (isolate '1') was dropped here as a troubleshooting
# step. It only governs station-to-station traffic on this BSS, not a client's exchange
# with the AP itself, so it is not expected to affect DHCP -- and "DHCP still dead" below
# bears that out. Put it back once leases work; a guest SSID without it lets guests
# reach each other.
config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'noslen_convidados'
        option encryption 'psk2'
        option key ''

DHCP still dead

just to confirm, you have restarted the router since making the changes, right?


Yes. Always