OpenWrt Forum Archive

Topic: After adding Guest Wifi: "Wireless is disabled or not associated"

The content of this topic has been archived on 3 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

Today I followed the OpenWrt wiki entry "Configure a guest WLAN using the Luci web-Interface" (https://wiki.openwrt.org/doc/recipes/gu … binterface).

After I restarted the router, I see the following info on Luci's "Overview" page:

"Wireless is disabled or not associated"

This message is shown below both of my "Generic 802.11bg Wireless Controller (radio0)" wifi networks (the non-guest one still worked before adding the guest network).

My wifi network "Generic 802.11an Wireless Controller (radio1)" still works as expected.

There's no state change when I disable the guest network. As found here in the forum, setting a band channel from "Auto" to a manual one should help, but this is not possible. The "Operating frequency" dropdowns are all empty.

Do you have any idea or need any additional information from my config files? It would be very kind if you could help me, so my friends can use my wifi, too.

Thanks and kind regards,

Dirk

screenshots of the config page or the files under /etc/config/* are helpful

Thanks for your fast response!

Here are my settings:

network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd49:8e60:7962::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.0.1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6'

config interface 'vpn0'
    option _orig_ifname 'tun0'
    option _orig_bridge 'false'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

config interface 'vpn'
    option ifname 'tun0'
    option proto 'static'
    option delegate '0'
    option ipaddr '10.1.1.1'
    option netmask '255.255.255.0'

config interface 'guest'
    option _orig_ifname 'radio0.network2'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.0.155'
    option netmask '255.255.255.0'

firewall (guest is configured at the end)

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option dest_port '1194'
    option name 'Allow Inbound VPN0'

config include
    option path '/etc/firewall.user'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option network 'vpn0'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option src 'vpn'
    option dest 'wan'

config forwarding
    option dest 'vpn'
    option src 'lan'

config zone
    option name 'guest'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option dest 'wan'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'
    option enabled '1'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'
    option enabled '1'

wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'mbus/mbus:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
    option txpower '27'
    option country 'US'
    option noscan '1'
    option hwmode '11a'
    option channel 'auto'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option encryption 'psk2'
    option key '3$$617D7f174b8eeb555b75$A38848b0'
    option ssid 'MY_WLAN'

config wifi-device 'radio1'
    option type 'mac80211'
    option hwmode '11a'
    option path 'mbus/mbus:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
    option channel 'auto'
    option country 'US'
    option htmode 'HT40'
    option txpower '23'

config wifi-iface
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option encryption 'psk2'
    option key '3$$617D7f174b8eeb555b75$A38848b0'
    option ssid 'MY_WLAN_N'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option encryption 'none'
    option ssid 'MY_WLAN_GAST'
    option network 'guest'

Encryption is none for the guest network, because I initially wanted to test without needing to enter a password on several devices.

Thanks and kind regards,

Dirk

(Last edited by dirk1312 on 11 Jul 2017, 08:50)

dirk1312 wrote:

This message is shown below both of my "Generic 802.11bg Wireless Controller (radio0)" wifi networks (the non-guest one still worked before adding the guest network).

My wifi network "Generic 802.11an Wireless Controller (radio1)" still works as expected.

Do I understand correctly that you have one 2.4 GHz radio (radio0) and one 5 GHz radio (radio1)?

From your config:

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'mbus/mbus:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
    option txpower '27'
    option country 'US'
    option noscan '1'
    option hwmode '11a'  # <- Either this is wrong...
    option channel 'auto'

... omitted for brevity ...

config wifi-device 'radio1'
    option type 'mac80211'
    option hwmode '11a'   # <- ... or this is wrong. 
    option path 'mbus/mbus:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
    option channel 'auto'
    option country 'US'
    option htmode 'HT40'
    option txpower '23'

I believe you need to change one of these radios to work on '11g' hwmode. If both radios are 2.4 GHz, then both of them are wrong. But since you say one of the wireless radios is working correctly, then I believe you have one 2.4 GHz radio and one 5 GHz radio. The 5 GHz one is working, and the other one is not.

The 'hwmode' option selects the radio band (2.4 GHz or 5 GHz), not the 802.11 standard. Most likely your 2.4 GHz radio will refuse to work if it is requested to operate on the 5 GHz band. See http://w1.fi/cgit/hostap/tree/hostapd/hostapd.conf and search for 'operation mode' to find the explanation of what this option does.

You should be able to verify if this is the root cause by observing the kernel ring-buffer (dmesg) after restarting your router. Most likely you will see an error related to setting up the wireless device. Change the option, and the problem should go away.

You should also look at the 'htmode' option you supply to the second radio device. If this radio is the 5 GHz one, then you can get more throughput by using one of the 'VHT' options listed in https://wiki.openwrt.org/doc/uci/wirele … ce_options if your device supports them.

(Last edited by Antek on 10 Jul 2017, 07:50)

Antek wrote:

I believe you need to change one of these radios to work on '11g' hwmode. If both radios are 2.4 GHz, then both of them are wrong.

You are right, one is 2.4 GHz, the other one 5 GHz. Very strange, this seems to be a bug in Luci, because until I configured my guest wifi, both SSIDs (MY_WLAN and MY_WLAN_N) worked properly. I know this for sure, because the 5 GHz is the one I (daily) use with my laptop, but this one is not found by my iPhone. For my iPhone I (daily) use the 2.4 GHz connection.

As recommended by you, I changed the hwmode value for the radio0 connection to 11g, rebooted my router and now my MY_WLAN works again.

My guest wifi with SSID MY_WLAN_GUEST is the one I'm connected with right now. It took quite long until the connection was established. When I now want to connect to the internet, it doesn't work. A point that looks quite strange to me: I configured the guest wifi to use DHCP. My wifi has static IP 192.168.0.155. My DHCP range goes from 156 to 175. But when I check the IP given to my iPhone, both the iPhone itself and the router "Overview" page show 192.168.0.17 as the IP for my iPhone.

Could you perhaps help me once more with what is wrong? Are there still any firewall rules that block the connection from the guest wifi to the internet? That shall be the only thing guest wifi users are allowed to do. They shall not be able to connect to any local network device. Whether one guest WLAN client can connect to another is something I don't care about. I tried to check my firewall rules and as far as I understood that looks ok - but I don't have that much experience.

Antek wrote:

You should also look at the 'htmode' option you supply to the second radio device. If this radio is the 5 GHz one, then you can get more throughput by using one of the 'VHT' options listed in https://wiki.openwrt.org/doc/uci/wirele … ce_options if your device supports them.

Thanks for that hint. This is something I'll try immediately.
EDIT: Perhaps you can give me a hint. I tried VHT20, 40 and 80. With 80 I couldn't see my wifi in the Windows "connect to wifi" view. With VHT20 and VHT40 I ran a speed test on the internet (not sure if that makes any sense), and my speed was ~20 MBit (VHT20) and 24 MBit (VHT40), but with HT40 it was 34 MBit. Is there a way I can easily test my wifi speed, or do you know the recommended setting for the Linksys EA4500 router?

Thanks and kind regards,

Dirk

(Last edited by dirk1312 on 10 Jul 2017, 17:45)

dirk1312 wrote:

My guest wifi with SSID MY_WLAN_GUEST is the one I'm connected with right now. It took quite long until the connection was established. When I now want to connect to the internet, it doesn't work. A point that looks quite strange to me: I configured the guest wifi to use DHCP. My wifi has static IP 192.168.0.155. My DHCP range goes from 156 to 175. But when I check the IP given to my iPhone, both the iPhone itself and the router "Overview" page show 192.168.0.17 as the IP for my iPhone.

Could you perhaps help me once more with what is wrong? Are there still any firewall rules that block the connection from the guest wifi to the internet? That shall be the only thing guest wifi users are allowed to do. They shall not be able to connect to any local network device. Whether one guest WLAN client can connect to another is something I don't care about. I tried to check my firewall rules and as far as I understood that looks ok - but I don't have that much experience.

Looking at your firewall config, I see the following:

config zone
    option name 'guest'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option dest 'wan'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'
    option enabled '0'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'
    option enabled '0'

This configuration allows packets generated by the router to travel out to the "guest" network (OUTPUT). Traffic from the "guest" network to the router (INPUT) is rejected. Traffic forwarded from "guest" network to another network (FORWARD) is rejected.

You have then added an explicit forwarding rule, which allows packets to travel from "guest" to "wan" network. All fine and well here.

Then you have two firewall rules which open up ports 53 TCP & UDP and ports 67-68 UDP in the "guest" network. However, for both of these firewall rules, the "enabled" option is set to "0", which inherently disables the rules.

Conclusion: clients in your "guest" network cannot use DHCP or DNS services hosted by your router, since the INPUT direction is blocked, and the additional firewall rules are not enabled. Try setting the "enabled" option to "1", and see what happens then.

dirk1312 wrote:

EDIT: Perhaps you can give me a hint. I tried VHT20, 40 and 80. With 80 I couldn't see my wifi in the Windows "connect to wifi" view. With VHT20 and VHT40 I ran a speed test on the internet (not sure if that makes any sense), and my speed was ~20 MBit (VHT20) and 24 MBit (VHT40), but with HT40 it was 34 MBit. Is there a way I can easily test my wifi speed, or do you know the recommended setting for the Linksys EA4500 router?

Unfortunately I have not configured any 5 GHz radios so far, so I cannot help you with this one.

(Last edited by Antek on 11 Jul 2017, 07:43)

Hello Antek,

thanks for your response.

Antek wrote:

You have then added an explicit forwarding rule, which allows packets to travel from "guest" to "wan" network. All fine and well here.

Then you have two firewall rules which open up ports 53 TCP & UDP and ports 67-68 UDP in the "guest" network. However, for both of these firewall rules, the "enabled" option is set to "0", which inherently disables the rules.

Conclusion: clients in your "guest" network cannot use DHCP or DNS services hosted by your router, since the INPUT direction is blocked, and the additional firewall rules are not enabled. Try setting the "enabled" option to "1", and see what happens then.

I'm sorry for the "confusion". I made a mistake and added my config files, after I tried to make my MY_WLAN work again. One step trying to make it work again was disabling "everything" I set up / activated for my guest wifi. Therefore I also disabled both rules for port 53 and 67-68.

When I added your mentioned "hwmode" fix, I also enabled again both rules. I just checked my firewall config. For both rules there was no line "option enabled '1'" anymore (also no "option enabled '1'" which I added manually), but Luci showed both being enabled. I now restarted my router via vpn and will let you know, if it works.

EDIT: I edited my initial config file post, so that people who perhaps read here later won't be confused.

Thanks and kind regards,

Dirk

(Last edited by dirk1312 on 11 Jul 2017, 08:51)

dirk1312 wrote:

I now restarted my router via vpn and will let you know, if it works

If it doesn't work, then post the full and up-to-date content of the following files:

/etc/config/network
/etc/config/wireless
/etc/config/firewall
/etc/config/dhcp

Screen the files, and remove possible passwords or usernames if you have those.

Hi again,

This didn't work, what a pity. I found one additional thing in my dhcp config file: the ip ranges overlapped for guest and vpn. The one started with 156 to 175, the other one with 170 to 200. This is fixed now. The last one now starts with 176 to 200.

My ip setting connecting to the guest lan is 192.168.0.17, but the ip range for the dhcp is 156 to 175. As gateway I see 192.168.0.155, the static ip of my guest wlan interface. Is this correct, too? I cannot ping it.

Here's my config:

dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option localservice '1'
    list server '/surname.lan/192.168.0.1'
    list server '/pi.lan/192.168.0.2'
    list server '/hp-print.lan/192.168.0.3'
    list server '/home.lan/192.168.0.5'
    option nonwildcard '0'

config dhcp 'lan'
    option interface 'lan'
    option leasetime '12h'
    option start '10'
    option limit '50'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
    option interface 'guest'
    option limit '175'
    option leasetime '4h'
    option start '156'

config dhcp 'vpn0'
    option leasetime '12h'
    option interface 'vpn0'
    option start '176'
    option limit '200'

config domain
    option name 'hp-print.lan'
    option ip '192.168.0.3'

config domain
    option name 'pi.lan'
    option ip '192.168.0.2'

config domain
    option name 'home.lan'
    option ip '192.168.0.5'

config domain
    option name 'surname.lan'
    option ip '192.168.0.1'

firewall

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option family 'ipv4'
    option src '*'
    option dest_port '1194'
    option name 'Allow Inbound VPN0'

config include
    option path '/etc/firewall.user'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option network 'vpn0'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option src 'vpn'
    option dest 'wan'

config forwarding
    option dest 'vpn'
    option src 'lan'

config zone
    option name 'guest'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option dest 'wan'
    option src 'guest'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'
    option enabled '1'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'
    option enabled '1'

network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd49:8e60:7962::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.0.1'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth1'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6'

config interface 'vpn0'
    option _orig_ifname 'tun0'
    option _orig_bridge 'false'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

config interface 'vpn'
    option ifname 'tun0'
    option proto 'static'
    option delegate '0'
    option ipaddr '10.1.1.1'
    option netmask '255.255.255.0'

config interface 'guest'
    option _orig_ifname 'radio0.network2'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.0.155'
    option netmask '255.255.255.0'

wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option path 'mbus/mbus:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
    option txpower '27'
    option country 'US'
    option noscan '1'
    option hwmode '11g'
    option channel 'auto'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option encryption 'psk2'
    option key '3$$617D7f174b8eeb555b75$A38848b0'
    option ssid 'MY_WLAN'

config wifi-device 'radio1'
    option type 'mac80211'
    option hwmode '11a'
    option path 'mbus/mbus:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
    option channel 'auto'
    option country 'US'
    option htmode 'HT40 '
    option txpower '23'

config wifi-iface
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option encryption 'psk2'
    option key '3$$617D7f174b8eeb555b75$A38848b0'
    option ssid 'MY_WLAN_N'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option encryption 'none'
    option ssid 'MY_WLAN_GAST'
    option network 'guest'

Thanks and kind regards,

Dirk

dirk1312 wrote:

I found one additional thing in my dhcp config file: the ip ranges overlapped for guest and vpn. The one started with 156 to 175, the other one with 170 to 200. This is fixed now. The last one now starts with 176 to 200.

My ip setting connecting to the guest lan is 192.168.0.17, but the ip range for the dhcp is 156 to 175. As gateway I see 192.168.0.155, the static ip of my guest wlan interface. Is this correct, too? I cannot ping it.

Looking at your configuration files, you seem to have a serious conflict related to overlapping address ranges.

Your LAN network is defined as 192.168.0.0 / 24. These settings come from the static IP address and the netmask setting. This configuration states that addresses from 192.168.0.1 to 192.168.0.255 belong to the LAN network.

Similarly, your Guest network is also defined as 192.168.0.0 / 24. Again, this setting comes from the static IP address and the netmask. This configuration claims that addresses from 192.168.0.1 to 192.168.0.255 belong to the Guest network.

I'm sure you can see the problem emerging now. From the routing perspective, your router does not know which addresses belong to which networks because the address ranges of the networks are overlapping. The routing table of your device is completely messed up; the kernel does not know which physical interface it should use for sending and receiving traffic related to a specific network.

The easy fix is to change the static IP address of the router in the Guest network to "192.168.10.1" while keeping the netmask as is, and then adjust the DHCP settings of the Guest network to start from "10" and limit to "50" or "25" or however many addresses you want to deal out through DHCP. This will set the LAN network to 192.168.0.0 / 24 and the Guest network to 192.168.10.0 / 24. The networks are no longer in conflict, and everything should work as expected.

If you want to do things the harder way and split the single-octet network (192.168.0.X) in half, then you'll need to calculate netmasks and know exactly how you configure the "start" and "limit" variables so each network has enough addresses to operate correctly. The minimum number of addresses required by a network is usually 3: the network address, one address for a single host and one address for a multicast endpoint.

If you want to go the harder way, then begin by reading http://www.enterprisenetworkingplanet.c … d-CIDR.htm and then use the CIDR calculator at http://www.subnet-calculator.com/cidr.php to determine the correct static IP address and netmask values.
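
Added example, not part of the forum thread or of OpenWrt: a Python sketch that runs the two checks Antek walks through by hand in his replies above, namely overlapping interface subnets in /etc/config/network and router services (DNS, DHCP) blocked for a zone whose input policy is not ACCEPT in /etc/config/firewall. The sample input is constructed from trimmed copies of the configs posted in this thread; the function names are hypothetical, and the defaults assumed for omitted options (enabled '1', proto 'tcp udp') are marked in the comments.

```python
import ipaddress
import shlex
from itertools import combinations

# Constructed sample input: trimmed copies of the configs posted in the thread.
NETWORK = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
config interface 'vpn'
    option proto 'static'
    option ipaddr '10.1.1.1'
    option netmask '255.255.255.0'
config interface 'guest'
    option proto 'static'
    option ipaddr '192.168.0.155'
    option netmask '255.255.255.0'
"""
FIREWALL = """
config zone
    option name 'guest'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'
config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'
    option enabled '0'
config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'
    option enabled '0'
"""

def parse_uci(text):
    """Parse UCI text into a list of section dicts ('.type', '.name', options)."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quoting and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append({".type": tok[1], ".name": tok[2] if len(tok) > 2 else None})
        elif tok[0] == "option" and len(tok) == 3 and sections:
            sections[-1][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) == 3 and sections:
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def overlapping_subnets(network_cfg):
    """Return (iface_a, iface_b, net_a, net_b) for static interfaces whose subnets overlap."""
    nets = {}
    for s in parse_uci(network_cfg):
        if s[".type"] == "interface" and s.get("proto") == "static" \
                and "ipaddr" in s and "netmask" in s:
            nets[s[".name"]] = ipaddress.ip_interface(f"{s['ipaddr']}/{s['netmask']}").network
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]

def port_in(spec, port):
    """True if port is covered by a dest_port value such as '53' or '67-68'."""
    for part in spec.split():
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def blocked_router_services(firewall_cfg, zone):
    """List router services (DNS, DHCP) that clients in `zone` cannot reach."""
    secs = parse_uci(firewall_cfg)
    z = next((s for s in secs if s[".type"] == "zone" and s.get("name") == zone), None)
    if z is None:
        raise ValueError(f"no firewall zone named {zone!r}")
    # Simplification: a zone without an explicit 'input' is treated as not accepting.
    if z.get("input") == "ACCEPT":
        return []
    blocked = []
    for svc, port in (("DNS", 53), ("DHCP", 67)):
        allowed = any(
            r[".type"] == "rule" and r.get("src") == zone and "dest" not in r
            and r.get("target") == "ACCEPT"
            and r.get("enabled", "1") != "0"                # assumed default: enabled
            and "udp" in r.get("proto", "tcp udp").split()  # assumed default: tcp udp
            and ("dest_port" not in r or port_in(r["dest_port"], port))
            for r in secs)
        if not allowed:
            blocked.append(svc)
    return blocked

if __name__ == "__main__":
    for a, b, na, nb in overlapping_subnets(NETWORK):
        print(f"overlap: {a} ({na}) and {b} ({nb})")
    print("blocked for guest:", blocked_router_services(FIREWALL, "guest"))
```
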

Antek wrote:

Looking at your configuration files, you seem to have a serious conflict related to overlapping address ranges.

Your LAN network is defined as 192.168.0.0 / 24. These settings come from the static IP address and the netmask setting. This configuration states that addresses from 192.168.0.1 to 192.168.0.255 belong to the LAN network.

Similarly, your Guest network is also defined as 192.168.0.0 / 24. Again, this setting comes from the static IP address and the netmask. This configuration claims that addresses from 192.168.0.1 to 192.168.0.255 belong to the Guest network.

I'm sure you can see the problem emerging now.

Thanks for your detailed description. I now see the problem / conflicts. For me I defined a "lan" that has a static ip 192.168.0.1 and if anyone connects to "lan", the user gets an ip within the range of 192.168.0.10 and 192.168.0.50, depending on which is the first one available.
The same for "guest". The interface has the static 192.168.0.155 and the user connecting gets an ip in the range of 192.168.0.156 and 192.168.0.175. So there were - in my eyes - no conflicts.
That in the configuration in the "background" the whole 192.168.0.x network was already reserved for the "lan" network, I didn't know.

Antek wrote:

From the routing perspective, your router does not know which addresses belong to which networks because the address ranges of the networks are overlapping. The routing table of your device is completely messed up; the kernel does not know which physical interface it should use for sending and receiving traffic related to a specific network.

That sounds logical now, and is probably also the reason why I got an ip not within my defined "guest" network limits.

Antek wrote:

The easy fix is to change the static IP address of the router in the Guest network to "192.168.10.1" while keeping the netmask as is, and then adjust the DHCP settings of the Guest network to start from "10" and limit to "50" or "25" or however many addresses you want to deal out through DHCP. This will set the LAN network to 192.168.0.0 / 24 and the Guest network to 192.168.10.0 / 24. The networks are no longer in conflict, and everything should work as expected.

That's what I did (via vpn) now. I cannot test it, yet, because, but will do so when I'm at home.

Antek wrote:

If you want to do things the harder way and split the single-octet network (192.168.0.X) in half, then you'll need to calculate netmasks and know exactly how you configure the "start" and "limit" variables so each network has enough addresses to operate correctly. The minimum number of addresses required by a network is usually 3: the network address, one address for a single host and one address for a multicast endpoint.

If you want to go the harder way, then begin by reading http://www.enterprisenetworkingplanet.c … d-CIDR.htm and then use the CIDR calculator at http://www.subnet-calculator.com/cidr.php to determine the correct static IP address and netmask values.

I think it makes no sense for me to do it the harder way, because it's only a home network. Nevertheless I will start reading - if I come to a point where I don't understand anything anymore or I get too bored, I can skip reading. But I'm interested, even if, as I said, I don't think it makes sense for me to set up a "business network".

Thanks a lot once again and kind regards,

Dirk

dirk1312 wrote:

I think it makes no sense for me to do it the harder way, because it's only a home network. Nevertheless I will start reading - if I come to a point where I don't understand anything anymore or I get too bored, I can skip reading. But I'm interested, even if, as I said, I don't think it makes sense for me to set up a "business network".

There is one caveat to this that you might not've considered: the address pool size of a network is related to potential network load.

With that said, consider that your Guest network now has up to 255 addresses available. One is reserved for your router, and one is a broadcast address. A few from the remaining 253 addresses fall inside the DHCP address pool, and are managed by it.

The remaining addresses which are not reserved and fall outside the DHCP address pool are free for the taking; while you might've assigned only, say 25 or 20 addresses into the DHCP pool, then this does not limit the number of clients that your network can actually support. Since the wireless interface that is associated with your Guest network has no encryption or authentication requirements, anyone who is within range can hop on-board. If the DHCP pool is exhausted, then using DHCP on the client will not work, but that does not prevent the client from assigning a static address and then using your network.

Limiting the maximum size of the address pool by using a more restrictive netmask will effectively limit the maximum number of clients supported by your network, and thus reduce potential network load. A client can still assign itself a static address, but if the maximum limit has already been reached (i.e. all non-reserved addresses are assigned to a DHCP pool, and all of them are leased out at the moment), then traffic collisions are imminent and the "rogue" client could not communicate with the network.

(Last edited by Antek on 12 Jul 2017, 11:10)

Thanks. I got it - I guess.

Now my guest network is working, too, and I'll give it an authentication method.

Thanks and kind regards,

Dirk

The discussion might have continued from here.