Since I have successfully configured WPA2 Enterprise, the next step is to try to configure both Personal and Enterprise on the same WiFi radio. That's where problems emerge.
Basically, it seems that WPA2 Enterprise and WPA2 Personal cannot reside within the same network range, which makes WPA2 Enterprise unable to get an IP address; logread showed:
```
Wed Apr 7 11:34:18 2021 daemon.warn dnsmasq-dhcp: DHCP packet received on wlan1-1 which has no address
Wed Apr 7 11:34:21 2021 daemon.warn dnsmasq-dhcp: DHCP packet received on wlan1-1 which has no address
Wed Apr 7 11:34:25 2021 daemon.warn dnsmasq-dhcp: DHCP packet received on wlan1-1 which has no address
```
Then I tried to use another guest network for WPA2 Enterprise; the corresponding configuration in /etc/config/firewall is as follows:
```
config zone
	option name 'guest2'
	option network 'guest2'
	option device 'wlan2'
	option input REJECT
	option output ACCEPT
	option forward REJECT

config forwarding
	option src 'guest2'
	option dest 'lan'
```
and allowing DHCP and DNS for 'guest2'. Now the WPA2 Enterprise client can get an IP address and successfully gets a WiFi connection, but the client somehow cannot access the internet.
I am not sure what went wrong; perhaps it's related to 'option device' being set to 'wlan2', which does not exist? I checked the routing table, and it shows:
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
172.16.1.0      *               255.255.255.0   U     0      0        0 wlan1-1
172.16.3.0      *               255.255.255.0   U     0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
```
in which 172.16.1.0/24 is the range of the newly established 'guest2' network, shown on interface wlan1-1; I don't know where that name came from.
Any ideas why the forwarding rule in /etc/config/firewall is not working as expected?
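A small consistency check, added here as an example and not part of the original post: it parses a UCI firewall fragment and a `route -n` listing (both samples below are constructed from the snippets in the post) and reports zone `device` values with no matching interface, plus forwardings that name zones not defined anywhere. The `known_zones` default is an assumption about zones defined elsewhere in the full config.

```python
"""Cross-check an OpenWrt /etc/config/firewall fragment against the
interfaces the kernel actually has. Added example, not from the post;
the two sample texts are constructed from the post's own snippets."""

FIREWALL_CFG = """
config zone
    option name 'guest2'
    option network 'guest2'
    option device 'wlan2'
    option input REJECT
    option output ACCEPT
    option forward REJECT
config forwarding
    option src 'guest2'
    option dest 'lan'
"""

ROUTE_N = """Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 br-lan
172.16.1.0 * 255.255.255.0 U 0 0 0 wlan1-1
172.16.3.0 * 255.255.255.0 U 0 0 0 wlan0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = " ".join(parts[2:]).strip("'\"")
    return sections

def route_ifaces(text):
    """Interface names from the last column of `route -n` output (skips
    the title and header lines)."""
    return {ln.split()[-1] for ln in text.splitlines()[2:] if ln.split()}

def check_firewall(cfg_text, route_text, known_zones=("lan", "wan")):
    """List zone devices absent from the routing table and forwardings
    whose src/dest zone is defined neither here nor in known_zones
    (known_zones is an assumption about the rest of the config)."""
    ifaces, secs = route_ifaces(route_text), parse_uci(cfg_text)
    zones = set(known_zones) | {o.get("name", "") for k, o in secs if k == "zone"}
    problems = []
    for kind, opts in secs:
        if kind == "zone" and opts.get("device") not in ifaces:
            problems.append(f"zone {opts.get('name')}: device {opts.get('device')!r} has no route/interface")
        if kind == "forwarding":
            for key in ("src", "dest"):
                if opts.get(key) not in zones:
                    problems.append(f"forwarding: {key} zone {opts.get(key)!r} is not defined")
    return problems
```

Run on the post's own snippets it flags only the `wlan2` device; paste the real `route -n` output and full firewall file to check a live box.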