OpenWrt Forum Archive

Topic: no internet for guest network

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I followed the OpenWrt CLI guide for setting up a guest network (have a big bday party this weekend and I expect multiple simultaneous requests for internet access). I can connect to the guest network but I cannot access the internet.

I am trying to add config file details for network, wireless and firewall hoping someone might see an obvious or glaring error or omission preventing this network zone from working as intended, but I keep getting this warning message:

Warning! The following errors must be corrected before your message can be posted:

    Too more links in message. Allowed 0 links. Reduce number of links and post it again.

What does that mean? I am not trying to add anything other than config file details, none of which contain any links. How can I get past this?

(Last edited by naphelge on 18 Jan 2018, 07:05)

New users cannot post links, to avoid spam; look for "http" strings inside your config files, and change it to something else.

Ok let's see if this works, I took out all comment references including h t t p or h t t p s, forward slashes [/] and arrows [->] that might misleadingly be misinterpreted as embedded links.

/etc/config/network:

config interface 'guest'
                option proto 'static'
                option ipaddr '192.168.1.50'
                option netmask '255.255.255.0'

/etc/config/wireless:

config wifi-iface
                option device 'radio0'
                option network 'guest'
                option mode 'ap'
                option encryption 'psk2'
                option key 'happyBd@y'
                option ssid 'guest'
                option isolate 1

/etc/config/firewall

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'guest'
        option input 'REJECT'

# Allow guest INET access
config forwarding
        option src 'guest'
        option dst 'wan'

# Allow DNS for guest
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
        option name 'Allow DNS Queries'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

# Allow DHCP for guest
# DHCP communication uses UDP ports 67-68
config rule
        option name 'Allow DHCP request'
        option src 'guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'guest'

# Prevent guest from accessing lan
config rule
        option src 'guest'
        option dest 'lan'
        option name 'Deny LAN access to guest'
        option proto 'all'
        option target 'DROP'

# Allow guest access to internet port 80
config rule
        option target 'ACCEPT'
        option src 'guest'
        option dest 'wan'
        option name 'Allow guest WAN port 80 access'
        option proto 'tcp'
        option dest_port '80'

# Allow guest access to secure internet port 443
config rule
        option target 'ACCEPT'
        option src 'guest'
        option dest 'wan'
        option name 'Allow guest WAN port 443 access'
        option proto 'tcp'
        option dest_port '443'

# DROP all other traffic for guest
config rule
        option src 'guest'
        option dest 'wan'
        option name 'DENY guest access to all but internet port 80 and 443 '
        option proto 'all'
        option target 'DROP'

(Last edited by naphelge on 18 Jan 2018, 15:56)

Looking a little closer I saw that I had "dst" instead of "dest" in one of my rules, which I corrected, but after reloading /etc/init.d/firewall, guest network still cannot access the inet (wan port 80).

I also had another typo that the firewall reload flagged: I spelled "atrget" instead of "target". But again, after correction and reloading the firewall no inet access for guest zone.

I would revert back to the basic configuration for a guest network, and when that works, add the rules to allow only HTTP/HTTPS.

Is your guest IP range (192.168.1.50) inside your home IP range?

Post the complete files, not just parts of them.

/etc/config/network:
config interface 'guest'
                option proto 'static'
                option ipaddr '192.168.1.50'
                option netmask '255.255.255.0'


If you have the standard OpenWrt ip of 192.168.1.1, I think your guest interface should be something like 192.168.*.1 (ex - 192.168.2.1) instead of 192.168.1.*
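
An added example, not part of the original thread: a small Python check that parses /etc/config/network style text and reports interfaces whose static subnets overlap, which is the condition the last two replies ask about. The 'lan' section in the sample is an assumption (the OpenWrt default address), and the function names are hypothetical.

```python
import ipaddress
import shlex
from itertools import combinations

# Constructed sample: 'guest' is the section posted in this thread; 'lan' is an
# assumption (the OpenWrt default of 192.168.1.1/24 mentioned in the last reply).
SAMPLE_NETWORK = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.1.50'
        option netmask '255.255.255.0'
"""

def parse_interfaces(text):
    """Return {name: {option: value}} for each named 'config interface' section."""
    sections, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments and quotes
        if tokens[:1] == ["config"]:
            is_iface = len(tokens) == 3 and tokens[1] == "interface"
            current = sections.setdefault(tokens[2], {}) if is_iface else None
        elif tokens[:1] == ["option"] and len(tokens) == 3 and current is not None:
            current[tokens[1]] = tokens[2]
    return sections

def static_subnets(sections):
    """Map interface name to its IPv4 network, for static interfaces only."""
    nets = {}
    for name, opts in sections.items():
        if opts.get("proto") == "static" and "ipaddr" in opts:
            addr = opts["ipaddr"]
            if "/" not in addr:  # netmask given separately, as in the thread
                addr += "/" + opts.get("netmask", "32")
            nets[name] = ipaddress.IPv4Interface(addr).network
    return nets

def find_overlaps(text):
    """Return sorted (iface_a, iface_b) pairs whose subnets share addresses."""
    nets = static_subnets(parse_interfaces(text))
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_NETWORK):
        print(f"overlap: '{a}' and '{b}' are in the same address range")
```

With the sample above it reports guest and lan as overlapping; changing the guest address to 192.168.2.1, as suggested in the reply, clears the finding.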

The discussion might have continued from here.