OpenWrt Forum Archive

Topic: Configure a guest WLAN using the Luci web-interface

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

Configure a guest WLAN using the Luci web-interface

Router: Linksys WRT1900AC v1
Firmware Version: ExpressVPN v1.4.1 (OpenWrt Chaos Calmer 15.05.1 r49389 / LuCI for-15.05 branch (git-16.206.66468-6f5c466))
Kernel Version: 3.18.44

I found this article which is basically exactly what I want to achieve:

OpenWrt website (I can't post links yet):

doc/recipes/guest-wlan-webinterface

I have followed everything exactly - with the only exception being I have the following SSIDs:

Marvell 88W8864 802.11bgn (radio0)
SSID: Bifrost | Mode: Master

Marvell 88W8864 802.11nac (radio1)
SSID: Bifrost | Mode: Master
SSID: Bifrost-Guest | Mode: Master

As per the article, 'guest' is the name of the new Interface and Firewall Zone, and I added the Traffic Rules for DNS and DHCP. The Zone has: guest => wan

What happens:

I can connect to 'Bifrost-Guest' on an iPhone, and then I can't get out to the Internet. I am assuming the Firewall is blocking this somehow, although I followed the steps as described.

I saw some other articles suggesting there could be issues with multiple SSIDs across the two radios?

Anyone got any ideas/suggestions?

Thanks,

Michael Taylor

(Last edited by michaeldtaylor on 4 Jan 2018, 17:30)

I have a guest network configured from the same instructions and it's working fine. If you didn't do anything "custom" and followed the instructions exactly, the only suggestion I can think of would be to try a reboot. I also remember that there was an issue with configs getting messed up when adding a guest network in CC 15.05.1 on the new WRT devices; I think it was option hwmode that would get changed somehow when adding a guest network on my wrt1200, possibly something else, but I can't remember unfortunately, so you might check your wifi configs (/etc/config/wireless) to make sure they're still ok. If everything looks fine and it still doesn't work you might try switching to a LEDE stable build.

edit - should point out I'm currently using LEDE 17.01.4, not OpenWrt

(Last edited by beachbum on 4 Jan 2018, 17:56)

Thanks for the response. No, nothing custom. The only thing I did wrong on the first pass was to add Google DNS servers to the 'guest' interface, when they should only be set on 'wan'. I removed them when I realized.

I tried a full reboot, but no joy, so I assume the config has a problem somewhere. I'm using an ExpressVPN build just to make life easier, so I want to try and get it working with their cut of 15.05 before doing anything drastic. I'll take a look at what /etc/config/wireless says.

Thanks

Wireless config doesn't look unreasonable?

config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11g'
    option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
    option htmode 'HT20'
    option disabled '0'
    option channel 'auto'
    option txpower '20'
    option country 'GB'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option encryption 'psk2'
    option ssid 'Bifrost'
    option key '<redacted>'
    option network 'lan'

config wifi-device 'radio1'
    option type 'mac80211'
    option hwmode '11a'
    option path 'soc/soc:pcie-controller/pci0000:00/0000:00:03.0/0000:03:00.0'
    option htmode 'VHT80'
    option disabled '0'
    option channel 'auto'
    option txpower '20'
    option country 'GB'

config wifi-iface
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option encryption 'psk2'
    option ssid 'Bifrost'
    option key '<redacted>'

config wifi-iface
    option device 'radio1'
    option mode 'ap'
    option ssid 'Bifrost-Guest'
    option network 'guest'
    option encryption 'psk2'
    option key '<redacted>'

michaeldtaylor wrote:

Wireless config doesn't look unreasonable?

Sorry, I somehow completely missed that you're using ExpressVPN. In that case you're probably right that one of their firewall settings may be interfering; I'm not familiar with their firmware so can't be much help unfortunately, but maybe someone who is will be able to help.

The only odd thing about your config that I see is that there are no MAC addresses in your ifaces. The guest iface doesn't need one as it uses the addy of the radio it's added to, I believe, but the other two should both have addys. I'm guessing you just removed them before posting for security reasons though.

The wireless configuration is correct if your iPhone can connect.
What I can think of is the DNS and DHCP firewall rules for the guest network. You can try the same configuration with vanilla CC 15.05.1 to rule out any impact introduced by ExpressVPN.

I will give that a go if all else fails.

My firewall settings look like this:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option disable_ipv6 '1'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
    option forward 'REJECT'
    option network 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config zone
    option mtu_fix '1'
    option name 'vpn0'
    option masq '1'
    option input 'REJECT'
    option forward 'REJECT'
    option network 'vpn0'
    option output 'ACCEPT'

config include 'xvpndns'
    option type 'script'
    option path '/usr/lib/expressvpn/firewall.include'
    option family 'any'
    option reload '1'

config forwarding
    option dest 'vpn0'
    option src 'lan'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '8080'
    option dest_ip '192.168.42.1'
    option dest_port '80'
    option name 'Router'

config forwarding
    option dest 'wan'
    option src 'lan'

config zone
    option name 'guest'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Guest DNS'
    option src 'guest'

config rule
    option enabled '1'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'Guest DHCP'
    option src 'guest'

config forwarding
    option dest 'vpn0'
    option src 'guest'

config forwarding
    option dest 'wan'
    option src 'guest'
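As an added example (not from the thread or the OpenWrt recipe), here is a POSIX shell checker that flattens a UCI firewall file and verifies the guest-zone requirements the recipe implies: the zone rejects input and forwarding, a guest->wan forwarding exists, no guest->lan forwarding exists, and the DNS and DHCP rules for src 'guest' are present. The embedded sample config is constructed; on the router you would pass /etc/config/firewall to check_guest_fw instead.

```shell
#!/bin/sh
# Constructed sample (not the poster's file): the guest-related sections of an /etc/config/firewall.
SAMPLE=$(mktemp); cat > "$SAMPLE" <<'EOF'
config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'
    option network 'guest'
config rule
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option src 'guest'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'
config forwarding
    option src 'guest'
    option dest 'wan'
EOF
# Flatten each UCI section to one line "type key=value ..." (quotes stripped, value spaces -> commas) for grep.
uci_flatten() {
    awk -v q="'" '
        function flush() { if (t != "") print t rec; t = ""; rec = "" }
        $1 == "config" { flush(); t = $2 }
        $1 == "option" { v = $0; sub("^[ \t]*option[ \t]+[^ \t]+[ \t]+", "", v); sub(/[ \t]+$/, "", v)
                         gsub(q, "", v); gsub(/ /, ",", v); rec = rec " " $2 "=" v }
        END { flush() }' "$1"
}
# require <1=present|0=absent> <desc> <type> <key=value>...: PASS/FAIL on whether a <type> section has all pairs.
require() {
    want=$1; desc=$2; lines=$(printf '%s\n' "$FLAT" | grep -E "^$3( |\$)" || true); shift 3
    for tok in "$@"; do lines=$(printf '%s\n' "$lines" | grep -E " $tok( |\$)" || true); done
    if [ -n "$lines" ]; then got=1; else got=0; fi
    if [ "$got" -eq "$want" ]; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
}
# The requirements the guest-WLAN recipe sets out; returns the number of failures.
check_guest_fw() {
    FLAT=$(uci_flatten "$1"); fails=0
    require 1 "guest zone with input=REJECT and forward=REJECT" zone name=guest input=REJECT forward=REJECT
    require 1 "guest->wan forwarding (internet access)" forwarding src=guest dest=wan
    require 0 "no guest->lan forwarding (guest stays isolated from lan)" forwarding src=guest dest=lan
    require 1 "guest may reach the router's DNS (port 53)" rule src=guest dest_port=53 target=ACCEPT
    require 1 "guest may reach the router's DHCP (udp 67-68)" rule src=guest dest_port=67-68 target=ACCEPT
    return "$fails"
}
check_guest_fw "$SAMPLE" || echo "$? requirement(s) failed"
```

Run over the firewall config posted above, all five checks pass, so the guest zone itself matches the recipe and the ExpressVPN include script (/usr/lib/expressvpn/firewall.include) is the remaining place to look for rules that affect the guest zone.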

The discussion might have continued from here.