Guest Wi-Fi on a dumb AP... help me please!

I have a BT Home Hub 5.0 Type A running OpenWrt 21.02.0 as my main router. I have connected a TD-W8970 running OpenWrt 19.07.8 to it via Ethernet cable, and I would like to use it as a dumb AP for both the private and the guest network, as already works on the main router.

On the dumb AP I can connect to the guest Wi-Fi, but I get the message: "Connected, internet not available". No ping is possible.
I would like to solve this, if possible without using VLANs.

Note that I built the .bin images for both routers myself using Image Builder, so I'm not sure whether all the necessary packages are there.

I attach the TD-W8970's configuration files and some test output, hoping someone can help. Thanks.

# Loopback interface (127.0.0.1/8).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix (value redacted by the poster).
config globals 'globals'
	option ula_prefix 'xxxxxxxxxx'

# ATM bridge parameters: VPI 8 / VCI 35, LLC encapsulation, bridged payload.
config atm-bridge 'atm'
	option vpi '8'
	option vci '35'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

# DSL line settings: Annex B, VDSL line mode, PTM transfer mode.
# NOTE(review): the 'wan' interface that sits on the DSL device has auto '0' in this
# file, so these settings are presumably unused on the dumb AP - confirm.
config dsl 'dsl'
	option annex 'b'
	option line_mode 'vdsl'
	option ds_snr_offset '0'
	option xfer_mode 'ptm'

# Private LAN: bridge over eth0.1 with the static address 192.168.1.2/24.
# Default gateway and DNS both point at 192.168.1.1 (presumably the main router - confirm).
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'	

# MAC address set on eth0.1 (value redacted by the poster).
config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xxxxxxxxxx'

# PPPoE WAN on dsl0.835. 'auto' is '0', so the interface is not brought up at boot.
# Username, password and service name are redacted by the poster; keep them redacted
# whenever this file is shared.
config interface 'wan'
	option ifname 'dsl0.835'
	option proto 'pppoe'
	option username 'xxxxxxxxx'
	option password 'xxxxxxxxx'
	option ipv6 '0'
	option service 'xxxxxxxxx'
	option peerdns '0'
	option mtu '1492'
	option auto '0'

# MAC address set on dsl0.835 (value redacted by the poster).
config device 'wan_dev'
	option name 'dsl0.835'
	option macaddr 'xxxxxxxxxx'

# DHCPv6 client layered on 'wan' ('@wan'); also auto '0', so not started at boot.
config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option auto '0'
	option reqaddress 'none'

# Built-in switch 'switch0' with VLAN support enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Single VLAN (VID 1) spanning ports 5, 0, 2 and 4 untagged plus port 6 tagged
# (the 't' suffix). Port 6 is presumably the CPU port, matching eth0.1 - confirm.
# With only one VLAN, every wired port lands in the private LAN; guest traffic
# is not carried on the wire as its own segment.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 5 0 2 4'
	option vid '1'

# Guest network: static 192.168.3.2/24 bound directly to wlan0-1 (the guest SSID).
# This is a separate subnet that exists only on this AP, so the AP itself has to
# hand out leases and route guest traffic. In the posted dhcp config the 'guest'
# section has ignore '1', i.e. no DHCP is served here, which matches the
# "Connected, internet not available" symptom.
config interface 'guest'

	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.2'
	option ifname 'wlan0-1'

# MAC address set on wlan0-1 (value redacted by the poster).
config device 'guest_dev'
	option name 'wlan0-1'
	option macaddr 'xxxxxxxxxx'


package wireless

# Single radio: 802.11g/n HT20, automatic channel, 10 dBm TX power, country IT.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel 'auto'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option txpower '10'
	option country 'IT'
	option htmode 'HT20'

# Private SSID, attached to network 'lan'. WPA2-PSK with CCMP; key redacted.
config wifi-iface 'wifinet0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXX'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxxxx'

# Guest SSID, attached to network 'guest'. WPA2-PSK with CCMP; key redacted.
# isolate '1' stops stations on this SSID from talking to each other through the AP.
# It does not separate guests from the private LAN; that separation depends on the
# firewall zone and rules for 'guest'.
config wifi-iface 'wifinet1'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'XXX1'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxxxx'
	option isolate '1'
--------------------------------

# dnsmasq (DNS/DHCP) global options.
# rebind_protection '1' discards upstream answers that point into private address
# ranges; rebind_localhost '1' still allows 127.0.0.0/8 answers.
# localservice '1' restricts DNS service to clients on locally attached subnets.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

# DHCP is switched off on the private LAN (ignore '1'); leases for 192.168.1.0/24
# presumably come from the main router - confirm.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# No DHCP service on wan.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd is not the main DHCP server (maindhcp '0').
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# DHCP is also switched off on the guest network. Because 192.168.3.0/24 exists
# only on this AP, nothing else can hand guest clients a lease, gateway or DNS
# server while ignore '1' is set.
config dhcp 'guest'
	option interface 'guest'
	option ignore '1'

# Static host entry (MAC redacted by the poster).
config host
	option name 'RN7'
	option dns '1'
	option mac 'xxxxxxxxxx'


FIREWALL
--------------------------------
# Global policies: accept input and output, reject forwarding unless a zone,
# forwarding or rule below allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Private LAN zone: fully trusted. masq '1' source-NATs everything leaving through
# this zone, so guest traffic forwarded into 'lan' reaches the main router with the
# AP's own LAN address (192.168.1.2 in the posted 'ip -4 addr' output). The main
# router therefore cannot tell guest traffic apart from the AP's own traffic.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# WAN zone. NOTE(review): 'wan' and 'wan6' have auto '0' in the posted network
# config, so this zone presumably carries no traffic on the dumb AP - confirm.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Guest zone: input and forward are REJECT, so guests reach services on the AP only
# through explicit rules (Guest_DNS and Guest_DHCP further down).
config zone
	option name 'guest'
	list network 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# lan -> wan forwarding (stock rule).
config forwarding
	option src 'lan'
	option dest 'wan'

# guest -> lan forwarding: this is the guests' path to the Internet via the main
# router, but it also opens the whole lan zone to guests. Keeping guests off the
# private LAN depends on the 'Block guest to lan Network' rule in this file.
config forwarding
	option dest 'lan'
	option src 'guest'

# Custom iptables commands, run on every firewall (re)start.
config include
	option path '/etc/firewall.user'

# The rules in this block all have src 'wan'.
# NOTE(review): with 'wan' and 'wan6' set to auto '0' in the posted network config,
# they presumably match no traffic on this dumb AP - confirm before relying on them.

# Accept DHCP replies (UDP 68) arriving from wan, IPv4.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept ICMP echo requests from wan, IPv4.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IGMP from wan, IPv4.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 (UDP 546) from wan when source and destination are in fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept MLD messages (ICMPv6 types 130, 131, 132, 143) from link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router itself, limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'), limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward IPsec ESP from wan into lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward ISAKMP (UDP 500) from wan into lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guests may query DNS on the AP itself (no 'dest' option, so this is an input rule).
# Only UDP is listed; DNS over TCP from guests is left to the guest zone's input REJECT.
config rule
	option name 'Guest_DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'udp'

# Guests may reach the DHCP service on the AP (UDP 67-68, input rule).
config rule
	option name 'Guest_DHCP'
	option src 'guest'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

# Isolation rule: drop everything forwarded from guest to 192.168.1.0/24 in the lan zone.
# The guest -> lan forwarding allows all other destinations, so this single rule is
# what keeps guests off the private LAN (including the main router's own address).
# It covers 192.168.1.0/24 only. NOTE(review): any other private subnet reachable
# through the main router, such as its own guest network, would need its own rule.
config rule
	option name 'Block guest to lan Network'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	list proto 'all'
	option target 'DROP'

-----------------------------------


# Diagnostics: print /etc/firewall.user, then the IPv4 addresses, every IPv4 routing
# table and the IPv4 policy rules, then list and print the resolv.* files in /etc and /tmp.
# The output can include addresses and DNS servers; review it before posting publicly.
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*


root@OpenWRT_W8970:~# head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.2/24 brd 192.168.3.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-lan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.2
192.168.3.0/24 dev wlan0-1 proto kernel scope link src 192.168.3.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.2
local 192.168.1.2 dev br-lan table local proto kernel scope host src 192.168.1.2
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.2
broadcast 192.168.3.0 dev wlan0-1 table local proto kernel scope link src 192.168.3.2
local 192.168.3.2 dev wlan0-1 table local proto kernel scope host src 192.168.3.2
broadcast 192.168.3.255 dev wlan0-1 table local proto kernel scope link src 192.168.3.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Oct  9 08:54 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct 18 16:42 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct 18 16:42 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.auto <==

Thanks in advance!

# Turn DHCP on for the guest network: remove 'ignore' and define a pool.
# start 100 / limit 150 gives a pool of 150 addresses starting at .100 in the guest
# subnet (192.168.3.0/24 in the posted config), with one-hour leases.
uci -q delete dhcp.guest.ignore
uci set dhcp.guest.start="100"
uci set dhcp.guest.limit="150"
uci set dhcp.guest.leasetime="1h"
uci commit dhcp
# Make sure dnsmasq and the firewall start at boot and are running now.
# The firewall has to be active on this AP: with the posted firewall config it is
# the only thing separating guests from 192.168.1.0/24 ('Block guest to lan Network').
/etc/init.d/dnsmasq enable
/etc/init.d/dnsmasq restart
/etc/init.d/firewall enable
/etc/init.d/firewall restart
# Drop the explicit wlan0-1 binding (device section and ifname) and make 'guest' a
# bridge; the guest SSID is attached through 'option network' in the wireless config.
uci -q delete network.guest_dev
uci -q delete network.guest.ifname
uci set network.guest.type="bridge"
uci commit network
# Apply the network changes. This briefly interrupts connectivity to the AP.
/etc/init.d/network restart

vgaetera, Thanks, now it works !!!

From what I can see, DHCP for the guest network cannot come from the main router.
If it's not too much trouble, I have a few questions:

  • Should the DHCP start/limit range set on the dumb AP be the same as the one on the main router, different from it, or does it not matter?
  • Is it better to also enable DHCP on the dumb AP for the private LAN?

Thank you again


It doesn't matter as long as it fits the configured /24 subnet.

There should be one DHCP server/instance per subnet.

