Question about Guest Network in Turris OS

Hello,
I don’t understand something in reForis because of the guest network.
I came to Turris from a pure OpenWRT router. Just as I had done in OpenWRT with my guest network, I also did it in Turris for the time being.
So I have created my own firewall zone, interface etc. for “guest” in the Luci interface.
Everything works perfectly, but I have been wondering something for a while.
I probably just don’t understand it properly.
When I look in the reForis interface, I have activated the guest network in the “Network Settings” - “Wi-fi” settings and assigned my own SID, everything is fine but the “guest network” itself is deactivated.

So I shouldn’t have had to create my own “Guest” interface, or? Because there was already one?
However, I have this configuration with VLAN tagging, so it probably won’t work with the standard guest network…
https://fabianlee.org/2023/01/22/openwrt-bridge-vlan-filtering-for-openwrt-21-x-with-dsa-isolated-guest-wi-fi/

How come great Reforis should know which “Guest” network you created? What if you named it “Visitors” or “Intruders” and still it would be a simple guest network. It doesn’t matter if you’ve created it using the nice Reforis GUI or manually as in OpenWRT. What I did was something in between. First created it in Reforis and then just changed interface br-guest-turris to my br-lan.VLANNUMBER and added it to the tr_guest firewall zone. So it’s kinda done OpenWRT style but still visible in Reforis.

Ok, I understand that reForis cannot know my self-created guest network. I don’t know yet whether it is important to me that I can also see the guest network in reForis.
What I wonder is how you renamed the Turris Guest (br-lan.VLANNUMBER) so that you could use it for VLAN tagging?
Could it simply be enough to change the device in the “br-guest-turris” interface to “br-lan.22”?

Yup exactly. Like that. Just to note that if you use dev-detect there is also config to change in /etc/config/dev-detect to your own interfaces.

That sounds easy :blush:
So first activate the guest network in reForis and then change the device in Luci. I am curious. Can only test this in the new year :slight_smile:

Good point with that dev-detect. Maybe it is obvious, but perhaps dev-detect service should be restarted after modification?

What is still not clear - a long time ago I did exactly what was mentioned here - created the guest network via reForis and then, after I created VLANs, reassigned the guest-turris interface to br-lan.102 (which corresponds to my guest VLAN). But reForis does not see it and displays Guest Network as not enabled. It also seems to me that reForis does not understand VLANs at all, since it displays ports in the Interfaces section as Unassigned.
Or maybe there is something else that ‘links’ the reForis GUI with config files?

Well, the only VLAN compatibility in reforis is VLAN tagging on the WAN interface. The rest is not implemented yet.

Happy new year,
For me, it now works as discussed above. I activated the guest network in reForis and connected my VLAN br-lan.22 to the guest_turris interface in Luci. After this I changed WLANs and firewall rules and now it actually works as before and I can now see the connected clients via reForis.

When I set the option “bring up on boot” at guest_turris I had to configure it again but otherwise it worked as expected.

It would be nice if something would just work immediately without problems…
I have now noticed the following.

I have noticed that I can surf in the guest network but e.g. my DAV sync to Nextcloud no longer works when I am connected to the guest net. In my opinion, this is also about 80/443; why this does not work now is a mystery to me.

I thought I had overlooked something in the firewall. I noticed that this standard rule has a problem.
[Screenshot from 2025-01-01 14-20-07]
I’m trying to change the tcpudp, wherever that came from. But then the guest network is deactivated in the reForis interface.


If I then activate it again, all my settings on the guest_turris interface are reset.

Does this also mean that these settings will not survive a reboot? Because when the network is restarted during activation, the settings are reset.

Yup, I also noticed the tcpudp vs tcp and udp bug. Fixed it a long time ago and forgot.

What exactly do you mean by that? Did you fix it yourself and how exactly? Will this whole configuration as I have it now survive a reboot?

EDIT:
This is terrible, it seems that as soon as I press “save” in the “Firewall” in Luci, the guest network in reForis is deactivated again. Reactivating it then resets all settings on the guest_turris interface.

Hi @AreYouLoco, how do you fix the problem? It is really annoying, every time when I edit any firewall rule or add a new one the “Guest Network” in reForis will be deactivated. After activation again all settings on the “guest_turris” interface are reset…
Is there any hope that this bug will be fixed? Are we the only ones who have this guest network configuration?
I could not boot the Turris yet but I think everything will be reset after a reboot.

Isn’t that the point of a guest network? Guests can surf the internet, but can’t connect to anything on the internal LAN. If not, I can’t see the point of an additional network.

I don’t understand why you insist on working with both.
reForis is for consumers. You can drop the router at your grandmothers house and she will get along with it. She could even setup a guest-network, without calling you for help. But what happens in the system is not important.

I wouldn’t classify standard OpenWRT/Luci as a consumer device; it’s made by and made for tinkerers and power users where you can implement things like VLANs and complex Firewall rules and what not, which a normal consumer device won’t.

reForis should retain its simplicity and ease of use.

There are a few exceptions, like the auto-updates, installing Turris package bundles and setting up mail notification, but other than that, I don’t touch reForis anymore, once I started working with Luci on a device.

Then there are other use cases or packages which don’t come with a Luci interface. They work in SSH terminals and edit the config files directly.

I edit most configs manually for various reasons and some devices are set up by Ansible. If I would start editing those in Luci, I’m sure it would make a mess of them.

Would I consider these as bugs? On the contrary, it’s with reForis that Turris made it possible for non-technical people to use OpenWrt devices, while at the same time retaining the full power and functionality of OpenWrt.

That is also why I don’t consider the recently launched OpenWrt One a competitor for Turris. And also why I turned away from the big professional router vendors, more complicated but less powerful, and don’t even start talking about prices and recurring licensing fees.

I manage Omnias in all of these scenarios in various private and professional use cases, without any problems. But I would not try to mix them.

Yes, that is correct. I think I made a mistake in my thinking. I access my Nextcloud and my other services via the external URL, but in the end it is still like when I access via the LAN :slightly_smiling_face: That will be the reason why it does not work, I think.

To your point about reForis, you are right about everything.
For me, I just thought I would do everything I can do via reForis which is possible and only what I can’t do there via “Advanced Administration” (Luci).
I think someone here in the forum recommended this procedure to me at some point.
I like the simplicity of reForis and just wanted to use everything that is possible there.
Everything works for me, except for the point with the guest network now.
If there’s no other solution with this guest_turris interface which I describe above, I’m really thinking about doing the same as you and just doing everything via Luci or SSH like on my previous OpenWRT router.

EDIT: In the end I think this point with the guest_turris interface should be a bug. Because I do the same configuration with the “lan” interface and on this change there is no reset when the network or the firewall is saved again.
Unfortunately @AreYouLoco no longer answers, I would have been really interested in how he solved this.

It was a long time since I logged into Reforis actually, and yup, it seems like now the Guest network is indeed deactivated. So I guess one or the other way to set up the Guest network.

I use Reforis only to change DNS from time to time and once a long time ago to generate a CA for OpenVPN because it’s a simple one click. And the rest I do via CLI or LuCi. Same as @milkandhoney. After all I am thinking more and more to switch to vanilla OpenWRT.

Ok, thank you very much for your feedback. I’m wondering if I want to set up the guest_turris again after every change to the firewall, it takes seconds, or if I do it again with my own guest interface as in the past and just do everything again via Luci or Cli…