OpenWrt Forum Archive

Topic: How to keep users of guest wlan out of lan ?

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I am trying to set up two WLANs in parallel:
a) one regular for accessing wan and lan
b) one guest-wlan for accessing wan only

Both are set up and working fine,
but it is still possible to access the lan from the guest-wlan.

I would like to prevent this kind of access that. Any ideas ?

Thanks !
Itymoneus

Configuration for my guest-WLAN (TP-Link WS1043ND with Backfire (r24038)):

/etc/config/network:

config 'interface' 'guest'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'
    option 'ifname' 'wlan1'

/etc/config/wireless:

config 'wifi-iface'
    option 'device' 'radio0'
    option 'ssid' 'GUEST'
    option 'mode' 'ap'
    option 'key' 'xxxxxxxxxxxxxxxxxxxxx'
    option 'network' 'guest'
    option 'encryption' 'psk2'
    option 'eap_type' 'TLS'

/etc/config/firewall:

config 'zone'
    option 'name' 'guest'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'
    option 'input' 'ACCEPT'

config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'wan'

Use the following firewall rules to completely lock down the router itself too:

config 'zone'
    option 'name' 'guest'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'
    option 'input' 'REJECT'

config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'guest'
    option 'proto' 'tcpudp'
    option 'dest_port' '53'
    option 'target' 'ACCEPT'

Note that the input policy on "guest" is now reject too. The final udp/tcp 53 accept rule is to ensure that DNS is working for the guest clients.

Thanks, works like a charm....

One problem remains, I keep getting messages like:
05/03/11 19.00.57    Firewall[148]    Stealth Mode connection attempt to UDP 10.0.0.229:58995 from 10.0.0.1:53
when using my guest-wlan and
05/03/11 19.08.51    Firewall[148]    Stealth Mode connection attempt to UDP 192.168.77.229:64715 from 192.168.77.1:53
when using my regular wlan on the console konsole of my wlan-client (macos).
(where 10.0.0.229 is my client when using guest-wlan and 192.168.77.229 is my client when using regular wlan)

Seems to be DNS related. Any ideas ?

By the way, is there any material anywhere detailing the concept behind OpenWrt-Networks and the resulting zone_<network>_ACCEPT/REJECT etc. iptables-rules ?

Thanks
ity

(Last edited by itymoneus on 5 Mar 2011, 19:15)

Hm, I have to correct myself.

Guest-WLAN is working for my macos-client (but is using much longer for establishing link to gust-WLAN than to the regular one),
but not for my winxp-client.

While trying to connect to the guest-WLAN the winxp-client states 'Limited or no connectivity ' (after a long period of 'getting network settings'),
the regular WLAN works fine for the win-xp client.

Using the CLI  ipconfig /renew says "Could not establish connection to DHCP-server".
Does my /etc/config/ need any changes ?

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'localise_queries' '1'
    option 'rebind_protection' '1'
    option 'rebind_localhost' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'
    option 'logqueries' '1'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'
    option 'dynamicdhcp' '0'

config 'dhcp' 'guest'
    option 'interface' 'guest'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

Show us your output from:
- uci export network
- uci export wireless
- uci export dhcp
- uci export firewall
- ifconfig
- route -n
- iptables -nvL

Blease use BBCode for format your pastes.

Thanks a lot. Attached is my config.

Remarks:
- The stated network 'vpn' is an (working) tcp-based openvpn-setup for accessing the internal network.
  vpn is enabled by knockd (therefore no fw-rules are in uci).

Ity

1. uci export network
 

package 'network'

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'ipaddr' '192.168.77.1'

config 'interface' 'wan'
    option 'ifname' 'eth0.2'
    option 'proto' 'pppoe'
    option 'username' 'xxxxxxxxxxxx'
    option 'password' 'xxxxxxxxxxxx'

config 'switch'
    option 'name' 'rtl8366rb'
    option 'reset' '1'
    option 'enable_vlan' '1'

config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '1'
    option 'ports' '1 2 3 4 5t'

config 'switch_vlan'
    option 'device' 'rtl8366rb'
    option 'vlan' '2'
    option 'ports' '0 5t'

config 'interface' 'vpn'
    option 'proto' 'none'
    option 'ifname' 'tun0'
    option 'defaultroute' '0'
    option 'peerdns' '0'

config 'interface' 'guest'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'
    option 'ifname' 'wlan1'

2. uci export wireless
 

package 'wireless'

config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'channel' '11'
    option 'macaddr' 'xxxxxxxxxxxx'
    option 'hwmode' '11ng'
    option 'htmode' 'HT20'
    list 'ht_capab' 'SHORT-GI-40'
    list 'ht_capab' 'DSSS_CCK-40'
    option 'disabled' '0'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'network' 'lan'
    option 'mode' 'ap'
    option 'ssid' 'R1'
    option 'encryption' 'psk2'
    option 'key' 'xxxxxxxxxxxx'
    option 'eap_type' 'TLS'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'ssid' 'R1G'
    option 'mode' 'ap'
    option 'key' 'xxxxxxxxxxxx'
    option 'network' 'guest'
    option 'encryption' 'psk2'
    option 'eap_type' 'TLS'

3.  uci export dhcp
 

package 'dhcp'

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'localise_queries' '1'
    option 'rebind_protection' '1'
    option 'rebind_localhost' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'
    option 'logqueries' '1'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'
    option 'dynamicdhcp' '0'

config 'host'
    option 'name' 'mbp15'
    option 'mac' 'xxxxxxxxxxxx'
    option 'ip' '192.168.77.229'

config 'domain'
    option 'name' 'mbp15'
    option 'ip' '192.168.77.229'

config 'dhcp' 'guest'
    option 'interface' 'guest'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'

config 'host'
    option 'name' 'fta'
    option 'mac' 'xxxxxxxxxxxx'
    option 'ip' '192.168.77.100'

config 'domain'
    option 'name' 'Mango'
    option 'ip' '192.168.77.202'

config 'host'
    option 'name' 'Mango'
    option 'mac' 'xxxxxxxxxxxx'
    option 'ip' '192.168.77.202'

config 'domain'
    option 'name' 'R1'
    option 'ip' '192.168.77.1'

config 'domain'
    option 'name' 'fta'
    option 'ip' '192.168.77.100'

4.  uci export firewall
 

package 'firewall'

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'
    option '_name' 'enable_ping_for_wan-zone'

config 'include'
    option 'path' '/etc/firewall.user'

config 'zone'
    option 'name' 'vpn'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'forwarding'
    option 'src' 'vpn'
    option 'dest' 'lan'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'vpn'

config 'zone'
    option 'name' 'guest'
    option 'forward' 'REJECT'
    option 'output' 'ACCEPT'
    option 'input' 'REJECT'

config 'forwarding'
    option 'src' 'guest'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'guest'
    option 'proto' 'tcpudp'
    option 'dest_port' '53'
    option 'target' 'ACCEPT'
    option '_name' 'enable_dns_for_guest-zone'

5. fconfig
 

br-lan    Link encap:Ethernet  HWaddr 54:E6:FC:A7:C2:4E  
          inet addr:192.168.77.1  Bcast:192.168.77.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4631822 (4.4 MiB)  TX bytes:165345424 (157.6 MiB)

eth0      Link encap:Ethernet  HWaddr 54:E6:FC:A7:C2:4E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122864 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54435 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:170023854 (162.1 MiB)  TX bytes:6394480 (6.0 MiB)
          Interrupt:4 

eth0.1    Link encap:Ethernet  HWaddr 54:E6:FC:A7:C2:4E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:55788 (54.4 KiB)

eth0.2    Link encap:Ethernet  HWaddr 54:E6:FC:A7:C2:4E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122864 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54068 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:168303758 (160.5 MiB)  TX bytes:6337649 (6.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:661 (661.0 B)  TX bytes:661 (661.0 B)

mon.wlan0 Link encap:UNSPEC  HWaddr 54-E6-FC-A7-C2-4E-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:127327 (124.3 KiB)  TX bytes:0 (0.0 B)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:xxxxxxxxxxxx  P-t-P:xxxxxxxxxxxx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:119944 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:166718362 (158.9 MiB)  TX bytes:4908452 (4.6 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 54:E6:FC:A7:C2:4E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117338 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5324330 (5.0 MiB)  TX bytes:167744194 (159.9 MiB)

wlan1     Link encap:Ethernet  HWaddr 5A:E6:FC:A7:C2:4E  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3243 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3962 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:468812 (457.8 KiB)  TX bytes:3240334 (3.0 MiB)

6. route -n
 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
<provider>    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan1
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.77.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
0.0.0.0         <provider>    0.0.0.0         UG    0      0        0 pppoe-wan

7. iptables -nvL
 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1702  160K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    4   252 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   21  1232 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
 1390  107K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1390  107K input      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 169K  171M zone_wan_MSSFIX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 168K  171M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 1051 70934 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1051 70934 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1742  194K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    4   252 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  989 70188 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  989 70188 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  893 60822 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0           
  158 10112 zone_guest_forward  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_guest (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1051 70934 nat_reflection_fwd  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  705 50265 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
   14  1142 zone_wan   all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0           
  670 54860 zone_guest  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn   all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain input_guest (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain nat_reflection_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  989 70188 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  980 67504 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_guest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (9 references)
 pkts bytes target     prot opt in     out     source               destination         
   13   720 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
  119 18042 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   21  1232 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_guest (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  552 37240 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
  118 17620 input_guest  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  118 17620 zone_guest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_guest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      wlan1   0.0.0.0/0            0.0.0.0/0           

Chain zone_guest_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      wlan1   0.0.0.0/0            0.0.0.0/0           

Chain zone_guest_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      wlan1   0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 

Chain zone_guest_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  118 17620 reject     all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      wlan1   0.0.0.0/0            0.0.0.0/0           

Chain zone_guest_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  158 10112 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_guest  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_guest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  705 50265 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  705 50265 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
  705 50265 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    9  2684 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  893 60822 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  893 60822 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_vpn  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn_MSSFIX (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 

Chain zone_vpn_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 forwarding_vpn  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_vpn_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   14  1142 input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   14  1142 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0           
 2031  138K ACCEPT     all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_MSSFIX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1013 64832 TCPMSS     tcp  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   14  1142 reject     all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Well, you only have a rule that allows DNS queries, not DHCP traffic for the wlan guest, and your winxp box says "Could not establish connection to DHCP-server".
Sounds like a good hint to me:) Add a rule for DHCP traffic just like your DNS rule...

(Last edited by Ritmo2k on 6 Mar 2011, 13:52)

works (and the wiki-entry was already updated too). Thanks a lot!

The discussion might have continued from here.