Wireless guest network - no internet - using other router as gateway

As the subject says, I'm trying to get my access point to host a guest network. My configuration is slightly different because the openwrt unit isn't directly connected to the internet (192.168.1.3) and uses my ISP router as a gateway (192.168.1.1). This works fine for the regular wifi networks but not for the guest network when I follow the wiki.

By the way, the command WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)" gives the error uci: Entry not found, so I used uci set wireless.guest.device="radio0"

Things I've checked:

  • IP address - works, the client gets the IP address 192.168.3.182, gateway 192.168.3.1
  • DNS lookup - works (checked with an Android tool)

Next, I enabled logging and I noticed a lot of rejects like:

Wed Aug 30 10:29:06 2023 kern.warn kernel: [ 917.818097] reject guest forward: IN=br-guest OUT=br-lan MAC=52:eb:f6:87:6d:c0:fe:a1:69:9e:0b:db:08:00 SRC=192.168.3.182 DST=142.250.179.170 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16504 DF PROTO=TCP SPT=39788 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

I assume that the client is trying to reach the gateway which, in my case, is located in the LAN and not the WAN. So as a test I added LAN to the forward zone (which entirely defeats the purpose of a guest network) and the firewall errors are gone, but I still don't get internet access from my phone.

Other things I've tried: add the DHCP option 3,192.168.1.1, create firewall rules to allow all traffic.


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd08:4dee:e8c8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<snip>'
        list addresses '10.14.0.1/24'
        option listen_port '51820'

config wireguard_wg0
        option description 'S23 Ultra'
        option public_key 'mpsl5tJ5yvCgUmV5JuCkNrfSiC4jJze0Ai+JnyWQYCQ='
        list allowed_ips '10.14.0.3/32'
        option route_allowed_ips '1'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Firewall config:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51280'
        option dest_ip '192.168.1.3'
        option dest_port '51280'

config forwarding
        option src 'guest'
        option dest 'lan'

config forwarding
        option src 'guest'
        option dest 'wan'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'



Any help to get my setup to work is much appreciated, thanks!

Then it's not an AP, but a router?
Or are those IPs for the guest LAN, specifically?

My ISP unit is just a router which makes the network 192.168.1.0/24 available. My openwrt unit is connected to the same LAN network on one of the LAN interfaces and has 192.168.1.3 set as its IP address.

The 192.168.3.0/24 network is only used for the guest network.

If it really is a dumb Switch/AP you have to enable FORWARD to the LAN as that is your way out.

To isolate your LAN from the Guest you have to add a traffic rule denying access to your main network

Furthermore you have to enable MASQUERADING on the LAN zone as your main router has no return to the guest subnet (alternatively set a static route on the main router)

But your config is a bit messy


Enabling masquerading for the LAN zone finally made the internet work on the guest network, thanks! :+1:

I've created a firewall rule which denies guest traffic from 192.168.3.0/24 to LAN but then the internet connection stops working again as the gateway is situated in the same network. It's not possible to add a range there to exclude 192.168.1.1 from being blocked.

You have to allow some traffic see:

Scroll down to the traffic rules :slight_smile:

Going for lunch, can take a while but when you still have problems @frollic will certainly help (he is the one we turn to if we are clueless :slight_smile: )

I used the same traffic rule, the problem is, that the gateway is situated in the private network. If it was possible I would use a cable connected to a specific port on the openwrt unit to the ISP router but the ISP router is placed in a specific location for optimal wifi coverage and laying a new cable isn't an option.

Thanks for the help, I hope there will be a solution to block all addresses. :slight_smile:

I'm thinking of using an IP set containing all addresses except 192.168.1.1, but that would be really messy if I start adding several networks and IP addresses to a set like: 192.168.1.128/25 and 192.168.1.2 etc. :upside_down_face:

So hopefully there are some better alternatives possible. Maybe a separate zone or VLANs? I'd like to keep the setup as simple as possible of course.

I have to take a closer look but it should not be a problem.
The gateway of your guest clients should be 192.168.3.1.

You should be blocking access to 192.168.1.0/24 on the FORWARD chain so your clients cannot reach anything with a destination in that net.

The guest router itself can reach your main router as the router is subject to INPUT/OUTPUT.

Now your guests should be isolated from the main subnet.

The next step is to isolate your guests from the guest router.
This is done on the INPUT chain. But you have to make an exception for DNS and DHCP as described.
The order of the rules is important.
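The firewall changes the reply above describes, written out as a reviewable uci batch; this is an added example, not something posted in the thread. It assumes the poster's config: the first zone section is 'lan', the 'guest' zone and its guest_dns/guest_dhcp INPUT rules already exist, guests use 192.168.3.0/24 and the main subnet is 192.168.1.0/24. It goes one step beyond the reply by using the zone option masq_src so that NAT is limited to the guest subnet and other networks in the lan zone (the thread's wg0) are not rewritten.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the uci batch by default so it
# can be reviewed; run with --apply on the OpenWrt box to commit it.
GUEST_NET="192.168.3.0/24"   # guest subnet from the posted network config
MAIN_NET="192.168.1.0/24"    # main subnet holding the ISP router 192.168.1.1

guest_fw_batch() {
    cat <<EOF
# 1. Guests leave through the LAN zone (the ISP router is on the LAN, not on
#    'wan'), and that router has no route back to $GUEST_NET, so the LAN zone
#    must NAT guest traffic. masq_src keeps the NAT off the other lan networks.
#    Assumes @zone[0] is the 'lan' zone, as in the posted firewall config.
set firewall.@zone[0].masq='1'
add_list firewall.@zone[0].masq_src='$GUEST_NET'
# 2. A single guest -> lan forwarding (the posted guest -> wan entries lead
#    nowhere here because the 'wan' port is unused).
set firewall.guest_lan=forwarding
set firewall.guest_lan.src='guest'
set firewall.guest_lan.dest='lan'
# 3. FORWARD chain: reject anything from guest addressed to the main subnet.
#    fw4 evaluates rules before zone forwardings, so this wins over step 2.
#    The AP itself still reaches 192.168.1.1 via its own OUTPUT chain, so the
#    NAT from step 1 keeps guests on the internet. The existing guest_dns and
#    guest_dhcp ACCEPT rules sit earlier in the file, as the reply requires.
set firewall.guest_block_main=rule
set firewall.guest_block_main.name='Block-Guest-To-Main-Subnet'
set firewall.guest_block_main.src='guest'
set firewall.guest_block_main.dest='lan'
set firewall.guest_block_main.dest_ip='$MAIN_NET'
set firewall.guest_block_main.proto='all'
set firewall.guest_block_main.target='REJECT'
EOF
}

# The batch without its comment lines, which is what gets fed to 'uci batch'.
guest_fw_commands() { guest_fw_batch | grep -v '^#'; }

if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    guest_fw_commands | uci batch && uci commit firewall && /etc/init.d/firewall restart
else
    guest_fw_batch
fi
```

After applying, a guest client should still get DNS and an address from 192.168.3.1 and reach the internet, while a connection attempt to any 192.168.1.x host is rejected in the FORWARD chain.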

Thanks for looking into this, so the guest clients will still have access to the ISP router on 192.168.1.1 because the openwrt unit will handle the traffic?

However, it seems that I've run into another issue with the guest network: when masquerading is enabled and I enable my WireGuard client, I can only access the LAN clients and internet sites have become unreachable. Now one of my purposes, securing my internet access when on a public hotspot, isn't usable anymore. Sadly, the Cisco ISP router doesn't have an option to configure a static route to the guest network. As the VPN option is more important to me than a guest network, I have to turn masquerading off for now and I'm back to square one... :thinking: