WiFi access point | DHCP failing for guest network

I am trying to configure a WHW03 V2 router as a wireless access point.

I've successfully

  • Installed OpenWRT.
  • Assigned a static IP address.
  • Installed LuCI.
  • Created a VLAN on my main OpenWrt router for the Guest WiFi
  • Created the same VLAN on the OpenWrt WAP router.
  • Both the VLAN interfaces are configured as static IP addresses. The Main Router's interface is configured as a DHCP server and the WAP's interface is configured to use the Main Router's IP as the Default Gateway.

The VLANs appear to be working, but DHCP isn't working for the Guest WiFi.

I've created some firewall zones, but everything is currently set to 'allow'.

Main router

WAP router

Firewall zone for VLAN interface.

Firewall zone for Guest WiFi adaptor.

The two routers can ping each other's VLAN IPs.

Main Router pings WAP

WAP pings Main Router

Despite the firewall zone on the WAP being set to 'allow', I can't access LuCI via the Guest WiFi subnet.

When I try to connect to the Guest WiFi, it fails to obtain an IP address via DHCP.

If I assign a static IP address to the Guest device, it connects to the network, but lacks internet connectivity.

Any ideas? Am I going about this all wrong?

It sounds like you're trying to set up the scenario described by the dumb AP with Guest WiFi wiki article... is that correct? Or does your main router already have the guest network configured such that the one you're working on here should just be truly a dumb AP?

Does VLAN50 represent the guest network?

Let's see your complete text config.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for taking the time to reply. I got things working by creating a bridge interface.

WAP Configuration

This was added to the same firewall zone as the VLAN interface.


The Guest Wi-Fi was associated with the bridged interface.

The WAP firewall is set to drop, but I don't think these rules do anything because no forwarding zone is configured.


Main Router Configuration

Firewall is configured to only allow output.

There are individual rules to allow DHCP and DNS queries.


Guest Wi-Fi devices now have full internet access, but can't connect to any IPs on my internal network.

Please let me know if you think I've configured anything incorrectly.

You may have some things incorrectly configured (in fact, it's very likely based on the screenshots).
Please post the text configs (the screenshots are harder to use for verification/debug, and they don't always tell the whole story).

WAP Config

 -----------------------------------------------------
 OpenWrt SNAPSHOT, r22256-14334c222e
 -----------------------------------------------------

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:48ae:65f2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        list ports 'wan.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.20'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config device
        option name 'wan'
        option ipv6 '1'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '1'
        option name 'wan.1'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '50'
        option name 'wan.50'
        option ipv6 '0'

config interface 'V1_LAN'
        option proto 'static'
        option device 'wan.1'
        option ipaddr '192.168.0.21'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'V50_WiFi_Guest'
        option proto 'static'
        option device 'wan.50'
        option ipaddr '192.168.50.2'
        option netmask '255.255.255.0'
        option gateway '192.168.50.1'
        option type 'bridge'

config device
        option name 'phy2-ap0'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'Guest_WiFi'
        list ports 'wan.50'

config interface 'BR_Guest_WiFi'
        option proto 'static'
        option device 'Guest_WiFi'
        option ipaddr '192.168.50.3'
        option netmask '255.255.255.0'
        option gateway '192.168.50.1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '149'
        option band '5g'
        option htmode 'VHT80'
        option country 'GB'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Home_Network'
        option encryption 'psk2'
        option key ' '

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'wifinet3'
        option device 'radio2'
        option mode 'ap'
        option ssid 'Home_Network_Guest'
        option encryption 'psk2'
        option key ' '
        option network 'BR_Guest_WiFi'

config wifi-iface 'wifinet4'
        option device 'radio2'
        option mode 'ap'
        option ssid 'Home_Network_5G2'
        option encryption 'psk2'
        option key ' '
        option network 'lan'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Home_Network_5G2'
        option encryption 'psk2'
        option key ' '
        option network 'lan'

root@OpenWrt:~# cat /etc/config/dhcp


config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config relay

config dhcp 'BR_Guest_WiFi'
        option interface 'BR_Guest_WiFi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

config dhcp 'V50_WiFi_Guest'
        option interface 'V50_WiFi_Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'V1_LAN'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'


config zone
        option name 'Guest_WiFi'
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        list network 'V50_WiFi_Guest'
        list network 'BR_Guest_WiFi'

Main Router Config

 -----------------------------------------------------
 OpenWrt 21.02.3, r16554-1d4dea6d4f
 -----------------------------------------------------
root@RP4-OpenWrt:~# cat /etc/config/network

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'wlan0'

config interface 'V50_Guest_WiFi'
        option proto 'static'
        option device 'eth0.50'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'

root@RP4-OpenWrt:~# cat /etc/config/wireless



root@RP4-OpenWrt:~# cat /etc/config/dhcp


config dhcp 'V50_Guest_WiFi'
        option interface 'V50_Guest_WiFi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

root@RP4-OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'


config zone
        option name 'V50_Guest'
        option output 'ACCEPT'
        list network 'V50_Guest_WiFi'
        list device 'eth0.50'
        option family 'ipv4'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'V50_Guest'
        option dest 'wan'

config rule
        option src 'V50_Guest'
        option target 'ACCEPT'
        option name 'Guest WiFi | VLAN50 | DHCP 67'
        option dest_port '67'

config rule
        option src 'V50_Guest'
        option dest_port '853'
        option target 'ACCEPT'
        option name 'Guest WiFi | VLAN50 | DNS 853'

config rule
        option name 'Guest WiFi | VLAN50 | DNS 53'
        option src 'V50_Guest'
        option dest_port '53'
        option target 'ACCEPT'


root@RP4-OpenWrt:~#

Thanks. I do see some issues.

wan.1 is being used here as well as in another interface (V1_LAN) - it should only be in one place...

This is where you're using wan.1 outside the bridge... You already have the lan defined as 192.168.0.20 and using br-lan for wan.1, you don't need to have this. I'd recommend deleting it.

the bridge must be defined outside the interface stanza. Further, the guest network does not need an address. Instead, it should look like this:

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'wan.50'

config interface 'V50_WiFi_Guest'
        option proto 'none'
        option device 'br-guest'

Delete this entirely.. the AP/radio/WLAN devices should not be referenced in the network config (only in the wireless config).

These should also be deleted... your guest wifi will now be on br-guest.

Replace the network here -- instead of BR_Guest_WiFi it will now be V50_WiFi_Guest

You can delete this. It has no purpose.

the V1_LAN can be deleted from the firewall. It also has no purpose.

I've made the suggested changes but it's killed the internet for the Guest network.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        list ports 'wan.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.20'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config device
        option name 'wan'
        option ipv6 '1'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '1'
        option name 'wan.1'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '50'
        option name 'wan.50'
        option ipv6 '0'

config interface 'V50_WiFi_Guest'
        option proto 'none'
        option device 'br-guest'
        option type 'bridge'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'wan.50'

config wifi-iface 'wifinet3'
        option device 'radio2'
        option mode 'ap'
        option ssid 'Home_Network_Guest'
        option encryption 'psk2'
        option key 'password'
        option network 'V50_WiFi_Guest'

Are you sure about deleting this configuration?

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'V1_LAN'

If I delete the rules for LAN 'input', won't that immediately lock me out of the device and necessitate a hard reset?

I can no longer ping the Guest VLAN IP 192.168.50.2 that was previously assigned to an interface. With the new configuration, none of the interfaces have an IP address on VLAN 50. Is this correct?

You must remove the bridge line here. That is very likely the reason the guest wifi isn't working.

I was only saying to remove the V1_LAN from the lan zone (since that network no longer exists).
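
The three problems called out in the review above (a device attached in two places, `option type 'bridge'` left in an interface stanza, and a wireless device listed in the network config) can be checked mechanically before a reboot. This is an added example, not part of the original thread or of OpenWrt; `parse_uci`, `lint_network` and the sample text are hypothetical names and constructed input.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the WAP config posted in this thread.
SAMPLE = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'wan.1'
config interface 'V1_LAN'
        option device 'wan.1'
config interface 'V50_WiFi_Guest'
        option device 'wan.50'
        option type 'bridge'
config device
        option name 'phy2-ap0'
"""

def parse_uci(text):
    """Parse UCI text into a list of (type, name, options) sections."""
    sections = []
    for raw in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", raw)]
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", defaultdict(list)))
        elif len(parts) >= 3 and parts[0] in ("option", "list") and sections:
            sections[-1][2][parts[1]].append(parts[2])
    return sections

def lint_network(text):
    """Flag the three mistakes pointed out in the thread (hypothetical helper)."""
    findings, users = [], defaultdict(list)  # users: device -> where it is attached
    for stype, name, opts in parse_uci(text):
        dev_name = (opts["name"] or ["?"])[0]
        if stype == "device" and "bridge" in opts["type"]:
            for port in opts["ports"]:
                users[port].append(f"bridge {dev_name}")
        if stype == "device" and re.fullmatch(r"phy\d+-ap\d+|wlan\d+", dev_name):
            findings.append(f"wireless device {dev_name} listed in network config")
        if stype == "interface":
            for dev in opts["device"]:
                users[dev].append(f"interface {name}")
            if "bridge" in opts["type"]:
                findings.append(f"interface {name}: bridge type set in interface stanza")
    findings += [f"{dev} attached twice: {', '.join(where)}"
                 for dev, where in users.items() if len(where) > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_network(SAMPLE)))
```

On the AP itself the same text can be fed in from `cat /etc/config/network`; an empty result means none of the three patterns is present.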

Thanks. I had actually already deleted that line of config via the CLI.

It's a bit embarrassing, but my laptop's connection dropped when I rebooted the WAP and it wasn't set to 'automatically connect' to the Guest WiFi.

Everything is now working and it's certainly a lot cleaner config than I was using before.

One last question, there are two 5G radios on my device. What is the purpose of this - e.g. MIMO Wi-Fi / higher bandwidth?

One 5 GHz for mesh uplink and the other one as a local AP. This avoids the problem of usable bandwidth being reduced to half when a single radio is shared for both functions.

I presume, because the end device can only connect to one hotspot at a time, that they can't be combined into a single higher bandwidth service?
