Wireless not working on guest network

Hi all,

I'm trying to create a guest network on my TP-Link Archer C7 using VLANs.

What I've done:

  • Created vlan3 where I assigned port 2 and 3 to be untagged
  • Configured the guest firewall rules
  • Configured the guest interface (assigned vlan3 (eth0.3) as the device)

The guest VLAN seems to be working correctly when I connect via UTP cable. However, assigning a wireless interface does not work. When I try to connect with my mobile phone to the wireless network, I see it appearing in the OpenWrt user interface for a few seconds. After this, it disconnects. When I connect my computer to the wireless network, it seems to get an IP out of the normal LAN range.

I've been looking for a few hours now, did a full reset of the settings, but I cannot figure out what I'm doing wrong. I expect that for some reason I cannot assign a wireless interface and a VLAN at the same time to the "guest interface".

Here are my configuration files:

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde6:c147:1cb7::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '40:3f:8c:99:9c:ef'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2 3'
	option vid '3'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.44.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'eth0.3'

Wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option channel 'auto'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt2'
	option encryption 'psk2'
	option key 'secret'
	option network 'guest'

Firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'gust DHCP and DNS'
	option src 'guest'
	option target 'ACCEPT'
	option src_port '53 67 68'

Use the new syntax when creating a bridge.

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.3'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.44.1'
	option netmask '255.255.255.0'
	option device 'br-guest'

Check the bridge status using brctl show br-guest
You should see two bridge members - eth0.3 and the guest wifi interface.

Hi @pavelgl,

Thank you very much for the reply. This seems to solve the problem.

However, one strange thing is left. When I connect to the router with an Ethernet cable, it seems like I do not have DNS. I can go for instance to 1.1.1.1 without any problem, but going to google.com does not work. On the wireless network, this problem does not exist. I don't see how this can be the case as we are both connecting to the same interface.

Matthias

It looks like a problem of that specific wired machine.

What OS does it run? Is there a possibility that some old static DNS settings are still active?

Good point. I'm connecting with an Ubuntu machine. I can connect to the wired LAN network without any problems.

Just tried it with a MacBook and the guest network is working fine, so it must have something to do with my machine ... strange.

Explicitly setting the DNS server on my Ubuntu seems to work:

image

Strange that I need to do this for the guest network and not for the lan network.

Switch the DNS mode to Automatic and run the following command to check what is set as DNS server IP address.

nmcli dev show eth0 #or whatever the interface name is

Hi, about this: https://forum.openwrt.org/t/using-precompiled-toolchain
Did you resolve it?

Change src_port to dest_port.

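The src_port fix above, as an added example that is not part of the thread or of OpenWrt: a shell/awk check that lists ACCEPT rules matching on src_port with no dest_port. Such a rule keys on the port the client sends from rather than on the router service being reached (DNS on destination port 53, DHCP on destination port 67). The helper name, the rule names 'Guest-DNS' and 'Guest-DHCP', and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not an OpenWrt tool): list ACCEPT rules
# in the UCI firewall file $1 that match on src_port with no dest_port.
audit_src_port_rules() {
    awk '
    function report() {
        if (in_rule && target == "ACCEPT" && sport != "" && dport == "")
            printf "%s: ACCEPT on src_port %s without dest_port\n", name, sport
        in_rule = 0; name = "(unnamed)"; target = ""; sport = ""; dport = ""
    }
    # A new "config" line closes the previous section and opens the next one.
    $1 == "config" { report(); in_rule = ($2 == "rule"); next }
    in_rule && $1 == "option" {
        # Value is the text between the single quotes, else the third field.
        n = split($0, part, "\047")
        v = (n >= 3) ? part[2] : $3
        if ($2 == "name") name = v
        else if ($2 == "target") target = v
        else if ($2 == "src_port") sport = v
        else if ($2 == "dest_port") dport = v
    }
    END { report() }
    ' "$1"
}
# Constructed sample: the rule posted in the thread, then corrected rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config rule
    option name 'gust DHCP and DNS'
    option src 'guest'
    option target 'ACCEPT'
    option src_port '53 67 68'

config rule
    option name 'Guest-DNS'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

config rule
    option name 'Guest-DHCP'
    option src 'guest'
    option dest_port '67'
    option proto 'udp'
    option target 'ACCEPT'
EOF
audit_src_port_rules "$sample"
```

On a router the same function can be pointed at /etc/config/firewall; only the first sample rule is reported.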

Hi @pavelgl, thanks again, for some reason it fixed itself. Now my computer gets the correct DNS server.

@vgaetera Well seen, this was indeed wrong. Did already fix it, but did not yet reply to the forum.

Yes. The solution is in that topic as well.