OpenWrt Forum Archive

Topic: Access Point with a second SSID for Guest Access to Internet only

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello

I have set up a TP-Link TL-WR1043ND with 10.03.1-rc4 as an internal access point that is connected via a cable to my existing gateway.

I want the access point to serve two WLANs: MAIN (fully bridged to internal lan) and GUEST (with access to internet via gateway only).

           AP (LAN IP 10.0.0.7)    --------------------------------------- ethernet ------------------------------------- Gateway (LAN IP 10.0.0.1)
                (WLAN MAIN bridges to LAN)
                (WLAN GUEST IP 192.168.100.1 - DHCP Range 100 - 150)


The first WLAN with SSID MAIN is working as expected. Clients are fully integrated into the LAN and can access the internet.

The second WLAN with SSID GUEST is working only halfway. Clients can connect, get an IP in the range 192.168.100.x, GW and DNS are set to 192.168.100.1, but the traffic is not routed from the access point to the gateway: "no route to...".

Is there a howto for this case?
How can I enable routing of packets from WLAN GUEST to the gateway? Should I add custom iptables rules?

Tnx
Tom

iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
zone_wan_MSSFIX  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forward    all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
output     all  --  anywhere             anywhere

Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere
zone_guest_wlan_forward  all  --  anywhere             anywhere

Chain forwarding_guest_wlan (1 references)
target     prot opt source               destination

Chain forwarding_lan (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination

Chain input (1 references)
target     prot opt source               destination
zone_lan   all  --  anywhere             anywhere
zone_guest_wlan  all  --  anywhere             anywhere

Chain input_guest_wlan (1 references)
target     prot opt source               destination

Chain input_lan (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination

Chain output (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere
zone_guest_wlan_ACCEPT  all  --  anywhere             anywhere

Chain output_rule (1 references)
target     prot opt source               destination

Chain reject (5 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_guest_wlan (1 references)
target     prot opt source               destination
input_guest_wlan  all  --  anywhere             anywhere
zone_guest_wlan_ACCEPT  all  --  anywhere             anywhere

Chain zone_guest_wlan_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_guest_wlan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_guest_wlan_MSSFIX (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_guest_wlan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_guest_wlan_forward (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  udp  --  anywhere             10.0.0.2
zone_lan_ACCEPT  udp  --  anywhere             10.0.0.1
zone_lan_ACCEPT  tcp  --  anywhere             10.0.0.1
zone_lan_ACCEPT  tcp  --  anywhere             10.0.0.2
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_guest_wlan  all  --  anywhere             anywhere
zone_guest_wlan_REJECT  all  --  anywhere             anywhere

Chain zone_lan (1 references)
target     prot opt source               destination
input_lan  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_ACCEPT (6 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_lan  all  --  anywhere             anywhere
zone_lan_REJECT  all  --  anywhere             anywhere

Chain zone_wan (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:68
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
input_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

Chain zone_wan_ACCEPT (3 references)
target     prot opt source               destination

Chain zone_wan_DROP (0 references)
target     prot opt source               destination

Chain zone_wan_MSSFIX (1 references)
target     prot opt source               destination

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination

Chain zone_wan_forward (0 references)
target     prot opt source               destination
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

Edit: Sorry for having opened a new thread here, as I have found another one with quite the same scenario and problem. (https://forum.openwrt.org/viewtopic.php?id=28306)

(Last edited by swiss_tom on 25 Jan 2011, 21:17)
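An added diagnostic, not code from the thread, that parses an `iptables -L` dump like the one above and reports which jumps in a zone's FORWARD chain can actually reach an ACCEPT verdict. On the posted dump it shows that `zone_wan_ACCEPT` holds no rules (this AP has no wan interface, so the firewall never populated it), leaving only the udp/tcp exceptions towards 10.0.0.1 as accepting paths before the packet falls through to `zone_guest_wlan_REJECT`. The embedded `DUMP` is a constructed excerpt of the output above, and the function names are mine.

```python
import re

# Constructed excerpt of the `iptables -L` output posted above (guest FORWARD chain
# plus the two *_ACCEPT chains it jumps into); not a full dump.
DUMP = """\
Chain zone_guest_wlan_forward (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  udp  --  anywhere             10.0.0.1
zone_lan_ACCEPT  tcp  --  anywhere             10.0.0.1
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_guest_wlan  all  --  anywhere             anywhere
zone_guest_wlan_REJECT  all  --  anywhere             anywhere

Chain zone_lan_ACCEPT (6 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_ACCEPT (3 references)
target     prot opt source               destination
"""

def parse_chains(text):
    """Map chain name -> list of (target, proto, destination) from `iptables -L`."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur = m.group(1)
            chains[cur] = []
        elif cur and line.strip() and not line.startswith("target"):
            cols = line.split()
            chains[cur].append((cols[0], cols[1], cols[4]))
    return chains

def audit_forward(text, chain):
    """Return (live, empty): jumps from `chain` that reach an ACCEPT verdict, and
    *_ACCEPT jumps whose target chain holds no rules. An empty chain just returns,
    so the packet keeps falling through until it hits the zone's REJECT jump."""
    chains = parse_chains(text)
    live, empty = [], []
    for target, proto, dst in chains.get(chain, []):
        rules = chains.get(target, [])
        if any(t == "ACCEPT" for t, _, _ in rules):
            live.append((target, proto, dst))
        elif target.endswith("_ACCEPT") and not rules:
            empty.append(target)
    return live, empty
```

Feed it the full output of `iptables -L` on the AP to check any zone's forward chain the same way, e.g. after adding a `forwarding` section for `dest lan`.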

/etc/config/firewall:

config 'zone'
    option 'name' 'wlan1'
    option 'network' 'wlan1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config forwarding
    option src     wlan1
    option dest    wan

Thank you fyi.

As the Access Point is connected through LAN and not WAN (AP is fully internal, no direct link to Internet), did you mean lan instead of wan:

config forwarding
    option src    wlan1
    option dest   lan

I tried that now, still no routing.

Maybe I have to reset and start with a fresh configuration...

You should look at dhcp, wireless, network and firewall all together at the same time.

/etc/config/network:

config interface wlan1
    option proto      static
    option ipaddr     192.168.100.1
    option netmask    255.255.255.0

/etc/config/wireless:

config wifi-iface
    option device     radio0
    option network    wlan1
    option mode       ap
    option ssid       GUEST

Hi,

I have the same problem on a Nanostation2 loco, but I can't find any solution.
Could somebody help me to fix it?

My configuration is a server running ClearOs with 2 network cards.
The first eth0 for internet.
The second with a Vlan.
I have eth1 for the LAN
and eth1.99 for the client VLAN.

In My access point I only have 1 ethernet port eth1
I would like Two SSID, Private and Guest.
The Private works perfectly, IP address given by the ClearOS server, internet access etc...

But for the second SSID Guest, I get nothing.

I have a guest WLAN called "Hotspot" that only gives internet access:

network:

config 'interface' 'HotSpot'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'
    option 'dns' '208.67.222.222 208.67.220.220'

wireless:

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'RSPro'
    option encryption 'psk2'
    option key 'xxxxxxxx'

config wifi-iface
    option device 'radio0'
    option network 'HotSpot'
    option mode 'ap'
    option ssid 'HotSpot'
    option encryption 'psk2'
    option key 'xxxxxxxxx'

firewall:

config 'zone'
    option 'name' 'HotSpot'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'

config 'forwarding'
    option 'src' 'HotSpot'
    option 'dest' 'wan'

config 'rule'
    option '_name' 'HotSpotDNS'
    option 'src' 'HotSpot'
    option 'dest_port' '53'
    option 'proto' 'tcpudp'
    option 'target' 'ACCEPT'

(Last edited by robrob on 3 Apr 2012, 18:56)

For future reference: you need a separate VLAN for the guest WLAN if you have multiple network devices.

I have included the instructions in the wiki entry for a guest WLAN.

I read that wiki entry, but is the creation of a VLAN necessary for an isolated SSID even when an AP has no existing VLANs?  I have one that has only an uplink port. /etc/config/network has no VLANs defined, and Network/Switch doesn't exist in the UI. The article seems to be in the context of switched ports existing.

There is also a main router, so that's technically "multiple network devices," but I'm unclear whether the "Configure a guest WLAN using the Luci web-interface" article would be sufficient for the AP or not.
