TOS 6 - guest wifi cannot reach internet

Hi all with TOS 6 (for now still in HBD)!

My AX cards have arrived, so I had to switch to TOS 6 (Omnia from Indiegogo). I was using it for about one week before mounting the new cards, and except for one update, which screwed up wifi, it was quite stable (at least for my use case: samba, adblock).
I had used guest wifi successfully before the update. I noticed that it is not working properly only after installing the new cards, while testing whether everything is OK.

  1. I have tried many guides for setting up guest wifi in OpenWrt LuCI - no luck.
  2. I have reinstalled the whole router.
    2a. I have tried the HBD medkit, which is actually TOS 5 and updates itself to TOS 6, but during the update it destroys something in the network and it is impossible to connect to the router (tried 3x).
    2b. After reinstallation from the TOS 5 HBS medkit, updating to TOS 6 and setting everything up from zero - no luck.

Based on 2b, I suppose there is a bug in TOS 6 or OpenWrt 21.02.

My actual wifi settings are:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option cell_density '0'
	option band '2g'
	option htmode 'HT20'
	option channel '9'
	option country 'SK'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key '*****************'
	option ssid 'Michalkove!!!'
	option encryption 'sae-mixed'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option cell_density '0'
	option htmode 'HE160'
	option country 'SK'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key '************'
	option ssid 'MichalkoveAX_160'
	option encryption 'sae-mixed'

config wifi-iface 'guest_iface_0'
	option disabled '0'
	option device 'radio0'
	option mode 'ap'
	option network 'guest_turris'
	option encryption 'sae-mixed'
	option key '********'
	option ifname 'guest_turris_0'
	option isolate '1'
	option ssid 'Michalkove!!!-guest'

Network settings - the option bridge_empty '1' is strange to me, but I really don't know what to add there; in LuCI, the guest wifi is associated with the guest_turris network interface…

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd42:fa36:1286::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option bridge_empty '1'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option device 'eth2'

config interface 'guest_turris'
	option enabled '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option bridge_empty '1'
	option ip6assign '64'

config interface 'wan6'
	option proto 'none'
	option device '@wan'

config device
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option type 'bridge'
	option name 'br-lan'

Firewall settings - the option input 'REJECT' doesn't change anything; ACCEPT/REJECT - no change.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option sentinel_dynfw '1'
	option sentinel_fwlogs '1'
	option haas_proxy '1'
	option sentinel_minipot '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone 'guest_turris'
	option enabled '1'
	option name 'guest_turris'
	list network 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option name 'guest to wan forward'
	option src 'guest_turris'
	option dest 'wan'

config rule 'guest_turris_dns_rule'
	option enabled '1'
	option name 'guest dns rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
	option enabled '1'
	option name 'guest dhcp rule'
	option src 'guest_turris'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule 'guest_turris_Allow_DHCPv6'
	option src 'guest_turris'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '546-547'
	option dest_ip 'fe80::/10'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'guest_turris_Allow_MLD'
	option src 'guest_turris'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

config rule 'guest_turris_Allow_ICMPv6_Input'
	option src 'guest_turris'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'

config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

config rule 'turris_wan_6to4_rule'
	option enabled '0'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config include 'sentinel_firewall'
	option type 'script'
	option path '/usr/libexec/sentinel/firewall.sh'
	option family 'any'
	option reload '1'

Everyone running TOS 6, could you please try to create a guest wifi and check whether it is working?
Everyone else, do you have any idea how to make guest wifi work?

Turris support: It would be great if this were fixed before TOS 6 reaches the HBL branch :wink:

Thanks for any advice.
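Added example (not part of the original post, and not Turris or OpenWrt code): a small Python reader for UCI firewall sections like the ones posted above, reporting what the guest_turris zone is allowed to do. The embedded config is condensed from the post; `parse_uci` and `audit_guest` are hypothetical helper names.

```python
import shlex

# Condensed from the firewall config posted above (blank lines and unrelated options dropped).
FIREWALL = """
config zone
	option name 'wan'
	option masq '1'
config zone 'guest_turris'
	option name 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option src 'guest_turris'
	option dest 'wan'
config rule 'guest_turris_dns_rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'
"""

def parse_uci(text):  # hypothetical helper: [(section_type, {option: value})]
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append((tok[1], {}))
        elif tok and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif tok and tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_guest(sections, guest="guest_turris"):  # hypothetical helper
    # Sections with option enabled '0' are ignored, as the firewall ignores them.
    live = [(t, o) for t, o in sections if o.get("enabled", "1") != "0"]
    zones = {o["name"]: o for t, o in live if t == "zone"}
    dests = {o["dest"] for t, o in live
             if t == "forwarding" and o.get("src") == guest}
    # A rule with src but no dest applies to traffic addressed to the router itself.
    ports = sorted(o["dest_port"] for t, o in live
                   if t == "rule" and o.get("src") == guest and "dest" not in o
                   and o.get("target") == "ACCEPT" and "dest_port" in o)
    return {"forwards_to": sorted(dests),  # zones guest clients may reach
            "wan_masq": zones.get("wan", {}).get("masq") == "1",  # NAT on wan
            "router_input": zones[guest].get("input"),  # default towards router
            "router_ports_open": ports}  # exceptions to that default

if __name__ == "__main__":
    print(audit_guest(parse_uci(FIREWALL)))
```

On the router, the same text can be read from /etc/config/firewall.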

We discovered this in internal testing as well. I created an issue for this here: Guest network does not work correctly on TOS 6.0 (#224) · Issues · Turris / Foris Controller / foris-controller · GitLab. Thank you for reporting this.

Ok, thank you.

Another problem/bug I have found is that one notebook (Windows 10 21H2) with an Intel 7260 wifi card (supports up to AC wave 1) cannot see any wifi network set to AX mode. It doesn't matter if it is 2,4 or 5 GHz.
At the same time, cellphones and other devices can see it and connect to it without any problem, even though they do not support wifi 6.

Maybe the bug is in the old Intel drivers (that card is discontinued), maybe in OpenWrt 21.02.

It is necessary to set the network to N mode; then the notebook is able to discover the network and connect to it.

This would have to be tested with the card itself. We do not know of any issues with wifi… rather the opposite. For some of the cards we have, we were finally able to get them working with OpenWrt 21.02 thanks to the newer kernel. I can pass this to our testers to see if they can reproduce it somehow.

Ok, that problem with the Intel 7260 wifi card was caused by an old driver. Now it is able to connect to 2,4 and 5 GHz AX networks. :slight_smile:
