Wi-Fi Guest Network : no internet access

Hello everybody !

I'm looking for some help regarding an issue I have with the Wifi guest network on my Synology router.

My Setup

  • 1x RT2600ac running the latest SRM 1.3.x
  • 2x MR2200ac Wifi mesh points connected to the main router

The problem

Clients connected through the guest network cannot reach the internet network, while the rest works fine ( see summary table below ).


Code:
            Wifi connection | IP acquisition | DNS queries | Internet access

Primary     OK                OK               OK            OK
Guest       OK                OK               OK            TIMEOUT

It really looks like all the packets sent via the clients connected through the guest network are discarded :unsure: ( ex : ping requests to public addresses will timeout, HTTP requests will timeout etc. )

If someone is using a similar setup or has an idea about the possible root cause of the problem I'm facing, I'd gladly have their thoughts on the subject :)
 
On the router, go to Local Network, choose Network 2 (Guest Network), go to IP4 DHCP. Presumably the start IP address is 192.168.2.2, and the gateway is 192.168.2.1. Is it?

There are 3 subnets managed via the router :

Code:
primary : 10.1.1.1/24
guest   : 176.16.1.1/24
OpenVPN : 172.22.0.0/24
 
Here's the screenshot
 

As stated in the original post, DNS queries do work : clients connected to the guest network are able to resolve any given host.

It's when a client attempts to reach a public/internet address that the timeout occurs.
 
What's in your firewall rules?

Only inbound rules for the VPN ports/subnet.

The firewall isn't the issue ( SRM fw only blocks traffic coming in from the WAN. Outbound traffic is allowed by default unless you add rules to block traffic between subnets and/or specific ports )
 
Yes, I'm well aware, but I have no way of knowing what you might have changed from the defaults, which is why I was asking.

As an experiment, I added a fw rule allowing all traffic from the guest subnet to the internet : although useless, I do see all the hits registering every time I try to reach a public address, but the requests still timeout on the guest client ....
 
Just out of interest, why isn’t the guest subnet set to a reserved subnet (search for RFC 1918)? Currently you are using 176.16.1.0 which is publicly routable and assigned.

This shouldn’t be an issue if you are NATing at the router and you don’t want to access the same subnet. But it’s not usual practice to use IP ranges that you don’t own or aren’t in the reserved ranges. Even with reserved ranges it is quite normal for ISPs to use them in their infrastructure paths between home connections to their Internet breakouts, often they use the 10.0.0.0 and 172.16-31. ranges for this. So a 192.168.0.0 assignment at home is what people most often use, and defaulted in ISP routers.
 
Well spotted ! This was indeed supposed to be a private, class B network range ( 172.16.1.x )

Seeing your post, I really thought that it finally was the root cause of the connection timeouts for the guest clients........ unfortunately, it appears we're still missing something :confused:

Ranges

I did try to set the guest network to the following ranges :

  • 172.16.1.0/24
  • 172.18.1.0/24
  • 10.250.250.0/24
Behavior

In all the cases, the behavior remained the same as the one described in the original post for the guest network clients :

  • Wifi connection / IP acquisition / DNS queries : OK ✓
  • Internet access : TIMEOUT ✗
Attempting a traceroute on a guest network client shows that the timeout starts after reaching the guest network gateway ( ex : 172.16.1.1 )

Are there any command-line tests I could run to try to understand what's happening ? :unsure: ( because I feel I'm running out of options from the SRM-ui )
 
You can try traceroute or tracert depending on the OS you use.

Have you got Safe Access enabled? That may be set to block access. The other thing is the SRM firewall, which you’ve looked at, but maybe try a specific rule that allows the source as the internal guest LAN.

DNS probably works if you have set the DNS server to be the router. The router would resolve the request.
 
I did try traceroute ( see post above )

Safe access is not enabled, so that's ruled out.

As for the firewall, I tried to put a rule at the top, allowing any network to any destination : the rule catches the guest network hits, but the client's requests still time out ....
 
I didn’t re-read all the thread and it’s a busy day for us. There is the curl command but I don’t hold any hope for it.

The nuclear option would be to backup the router and packages and do a factory restore.

Before that you can try configuring one of the extra three internal networks. See if that works or similarly fails.
 
I don't have a Synology router so am not familiar with their UIs...is it possible to view the routing table on the router? I'd look there to ensure that the guest subnet has the appropriate entry(s) there.

Similarly, presuming you are using NAT I'd check for an appropriate NAT / masquerade rule in the firewall for the subnet in question, if such a thing is possible on this router.
 
I'd prefer to understand why the guest network internet connection isn't working before going for the nuclear approach.

As for a third network test, I have configured a dedicated OpenVPN subnet, which does allow clients to connect and even route all their traffic using the gateway internet connection.
Here's the routing table :

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 lbr0
172.16.1.0      *               255.255.255.0   U     0      0        0 gbr0
172.21.0.0      *               255.255.255.0   U     0      0        0 vbr3
172.22.0.0      172.22.0.2      255.255.255.0   UG    0      0        0 tun0
172.22.0.2      *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0

As for the masquerade rule, I'm not sure how to check it via the Synology shell :unsure:
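
Added example, not part of the thread: a Python check that combines the two suggestions made above, the RFC 1918 point and the NAT / masquerade point, by cross-referencing the posted routing table against a NAT rule listing. It assumes the router shell exposes `iptables`, so that `iptables -t nat -S POSTROUTING` prints the rules; the `NAT_RULES` text is a constructed sample, not output from this router.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Routing table rows as posted in the thread (the two header lines dropped).
ROUTES = """\
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 lbr0
172.16.1.0      *               255.255.255.0   U     0      0        0 gbr0
172.21.0.0      *               255.255.255.0   U     0      0        0 vbr3
172.22.0.0      172.22.0.2      255.255.255.0   UG    0      0        0 tun0
172.22.0.2      *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0
"""

# CONSTRUCTED sample of `iptables -t nat -S POSTROUTING` output, not from the
# thread; it leaves out the guest subnet on purpose to show what a gap looks like.
NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/24 -o eth0 -j MASQUERADE
"""

def parse_routes(text):
    """Return (wan_iface, {iface: subnet}), skipping /32 host routes."""
    wan, lans = None, {}
    for line in text.splitlines():
        dest, _gw, mask, *_, iface = line.split()
        if dest == "default":
            wan = iface
        elif mask != "255.255.255.255":
            lans.setdefault(iface, ipaddress.ip_network(f"{dest}/{mask}"))
    return wan, lans

def masq_sources(text, wan):
    """Source networks with a MASQUERADE rule that leaves via the WAN interface."""
    opts = [dict(zip(t, t[1:])) for t in map(str.split, text.splitlines())]
    return [ipaddress.ip_network(o.get("-s", "0.0.0.0/0")) for o in opts
            if o.get("-j") == "MASQUERADE" and o.get("-o", wan) == wan]

def audit(routes=ROUTES, nat=NAT_RULES):
    """Map each LAN interface to (subnet, is RFC 1918, has a masquerade rule)."""
    wan, lans = parse_routes(routes)
    nat_src = masq_sources(nat, wan)
    return {i: (str(n), any(map(n.subnet_of, RFC1918)), any(map(n.subnet_of, nat_src)))
            for i, n in lans.items() if i != wan}

if __name__ == "__main__":
    print(audit())
```

A subnet that appears in the routing table but reports `False` in the last column has a route on the router but no source NAT towards the WAN, which would match replies never coming back past the gateway hop.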
 
