Configure a guest WLAN using mainly command line (with sample shell script)

This page provides a script that creates an additional, separated guest network and a new guest firewall zone for your OpenWrt device. That is, it creates a guest WiFi network that only has Internet access but cannot access your existing LAN.

The script does not need any manual customization for your device (!), as its only hard-coded reference is to the obvious “fwd.dest=wan” zone (which already exists on your OpenWrt router by default).

The script does not perform the last (simple) step, creating the actual WiFi radio config, as this is a simple step that also requires some custom parameters better suited to manual setup in the web GUI than to a script. That final manual step is also part of this description.

Step by step

  1. Take your time to read this whole page before starting any configuration. Get at least a rough idea of what the code below is configuring.
  2. Copy the whole following code block (from “NET_ID=guest…” up to and including the final “…commit”) without any changes or customization into an SSH command prompt of your OpenWrt device and press enter. (Alternatively, if you prefer: create it as a shell script on your OpenWrt device and run it.)
  3. When done, open the Web GUI of your OpenWrt router, go to the Wireless section, and manually create an additional WiFi network on one of your device's WiFi radios:
    1. on the “General Setup” tab, enter a reasonable ESSID for your guest WiFi
    2. then (special attention please) checkmark the new “guest” network directly below it and do not checkmark your “LAN” network. “guest” is the new network that the script below has created, and the checkmark links your guest WiFi to the new guest firewall zone.
    3. on the Wireless Security tab, preferably choose encryption WPA2-PSK
    4. preferably use cipher “CCMP (AES)” and
    5. finally enter a good secret for your guest network in the Key field
    6. and you are good to go with “Save & Apply”. (It could take 1-2 minutes for your WiFi to restart on slow devices.)

Note: Create the WiFi network as an additional config on either your 2.4 or 5 GHz radio. You can even create two additional guest WiFi networks to cover both frequencies. The new guest networks will share the channel/frequency with your probably already existing LAN WiFi networks.

The code has been created and successfully tested with OpenWrt 17.01.xx.

# Names used by the script: the new network interface and the new firewall zone
NET_ID=guest
FW_ZONE=guest
# Router address on the guest network. 192.168.3.1/24 is a sample value:
# choose any private range that is not already used on your network.
NET_IP=192.168.3.1
NET_MASK=255.255.255.0

uci batch << EOF
set network.${NET_ID}=interface
set network.${NET_ID}.proto=static
set network.${NET_ID}.ipaddr=${NET_IP}
set network.${NET_ID}.netmask=${NET_MASK}
set dhcp.${NET_ID}=dhcp
set dhcp.${NET_ID}.interface=${NET_ID}
set dhcp.${NET_ID}.start=100
set dhcp.${NET_ID}.leasetime=12h
set dhcp.${NET_ID}.limit=150
set firewall.${FW_ZONE}=zone
set firewall.${FW_ZONE}.name=${FW_ZONE}
set firewall.${FW_ZONE}.network=${NET_ID}
set firewall.${FW_ZONE}.forward=REJECT
set firewall.${FW_ZONE}.output=ACCEPT
set firewall.${FW_ZONE}.input=REJECT
set firewall.${FW_ZONE}_fwd=forwarding
set firewall.${FW_ZONE}_fwd.src=${FW_ZONE}
set firewall.${FW_ZONE}_fwd.dest=wan
set firewall.${FW_ZONE}_dhcp=rule
set firewall.${FW_ZONE}_dhcp.name=${FW_ZONE}_DHCP
set firewall.${FW_ZONE}_dhcp.src=${FW_ZONE}
set firewall.${FW_ZONE}_dhcp.target=ACCEPT
set firewall.${FW_ZONE}_dhcp.proto=udp
set firewall.${FW_ZONE}_dhcp.dest_port=67-68
set firewall.${FW_ZONE}_dns=rule
set firewall.${FW_ZONE}_dns.name=${FW_ZONE}_DNS
set firewall.${FW_ZONE}_dns.src=${FW_ZONE}
set firewall.${FW_ZONE}_dns.target=ACCEPT
add_list firewall.${FW_ZONE}_dns.proto=tcp
add_list firewall.${FW_ZONE}_dns.proto=udp
set firewall.${FW_ZONE}_dns.dest_port=53
EOF
# Write the three changed config files and apply them
uci commit network
uci commit dhcp
uci commit firewall
service network reload
service dnsmasq restart
service firewall restart

Explanation of this config code

  • a guest network called “guest” is created
  • a DHCP configuration is created for the “guest” network (assuming its address range does not conflict with something else on your home network)
  • a firewall zone called “guest” is created for the “guest” network
  • a firewall zone forwarding from the “guest” zone to the “wan” zone is created (not the other direction)
  • a firewall rule allowing your guests to access your OpenWrt DHCP service is created
  • a firewall rule allowing your guests to access your OpenWrt DNS service is created

(all of the customizations will be visible in the web GUI afterwards)
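The script above leaves three properties that make the guest zone "Internet only": the zone's input and forward policies reject by default, the only forwarding out of the zone goes to wan, and the only ACCEPT rules towards the router are limited to the DHCP and DNS ports. The following audit is an added example (not part of the wiki page or of OpenWrt) that checks exactly those properties in a `uci show firewall` dump, so you can confirm nobody later added a guest-to-lan forwarding or an unrestricted accept rule. The function names and the sample dump are constructed for this example; on a router you would pipe the real output of `uci show firewall` into it.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit a `uci show firewall` dump for
# the guest-isolation properties the guest script is meant to produce.
# On a router run:  uci show firewall | check_guest_isolation guest
# Here it runs offline against a constructed sample dump.

# Constructed sample of what `uci show firewall` prints after the script ran
# (only the guest-related sections; a real dump also contains the lan/wan zones).
sample_firewall() {
cat <<'EOF'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.forward='REJECT'
firewall.guest.output='ACCEPT'
firewall.guest.input='REJECT'
firewall.guest_fwd=forwarding
firewall.guest_fwd.src='guest'
firewall.guest_fwd.dest='wan'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='guest_DHCP'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.target='ACCEPT'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.dest_port='67-68'
firewall.guest_dns=rule
firewall.guest_dns.name='guest_DNS'
firewall.guest_dns.src='guest'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dns.proto='tcp' 'udp'
firewall.guest_dns.dest_port='53'
EOF
}

# check_guest_isolation ZONE   (reads a `uci show firewall` dump on stdin)
# Prints one FAIL line per problem and exits 1, or prints OK and exits 0.
check_guest_isolation() {
  awk -v zone="$1" '
    /=/ {
      key = $0; sub(/=.*/, "", key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^'\''|'\''$/, "", val)
      n = split(key, p, ".")
      if (n == 2) type[p[2]] = val               # firewall.<section>=<type>
      else if (n == 3) opt[p[2] "." p[3]] = val  # firewall.<section>.<option>=<value>
    }
    END {
      fail = 0
      if (type[zone] != "zone") { print "FAIL: no zone named " zone; fail = 1 }
      # Guests must not reach the router itself or any other zone by default.
      if (opt[zone ".input"] !~ /^(REJECT|DROP)$/) { print "FAIL: zone input policy is " opt[zone ".input"]; fail = 1 }
      if (opt[zone ".forward"] !~ /^(REJECT|DROP)$/) { print "FAIL: zone forward policy is " opt[zone ".forward"]; fail = 1 }
      for (s in type) {
        # The only forwarding out of the guest zone may go to wan (no guest -> lan).
        if (type[s] == "forwarding" && opt[s ".src"] == zone && opt[s ".dest"] != "wan") {
          print "FAIL: forwarding " s " lets " zone " reach zone " opt[s ".dest"]; fail = 1 }
        # Accept rules from the guest zone to the router must be port-limited (DHCP, DNS).
        if (type[s] == "rule" && opt[s ".src"] == zone && opt[s ".target"] == "ACCEPT" && opt[s ".dest"] == "" && opt[s ".dest_port"] == "") {
          print "FAIL: rule " s " accepts all traffic from " zone " to the router"; fail = 1 }
      }
      if (!fail) print "OK: zone " zone " only reaches wan, plus DHCP/DNS on the router"
      exit fail
    }'
}

# Demonstration: the sample passes; a variant with a guest -> lan forwarding does not.
sample_firewall | check_guest_isolation guest
if sample_firewall | sed "s/guest_fwd.dest='wan'/guest_fwd.dest='lan'/" | check_guest_isolation guest; then
  echo "unexpected: guest -> lan forwarding was not detected"
fi
```

The check deliberately treats DROP as acceptable alongside REJECT for the zone policies, and it only inspects the firewall config: it cannot tell whether the WiFi interface was attached to the right network, which is still the manual GUI step described above.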

user Saturn: The forward rule for the guest firewall zone in the above configuration wasn't working for me. After following the above guide, I made the following change in /etc/config/firewall: original line: ”config forwarding 'guest_fwd'“ changed line: ”config forwarding


There are endless personal customization options.

  • Be aware that there are no special Internet firewall restrictions active for your guests in this default config. If you want to restrict your guests to the http(s) protocol, block UDP, or apply whatever other restriction, you have to add some additional customized firewall rules yourself.
  • Also, you may have to find individual rules/network setups for your personal situation, e.g. if your guests would like access to your printer or need to stream from their smartphones to your Smart TV. Unfortunately there is no single one-size-fits-all solution for that.
  • You could go even further and split off a LAN jack using a custom VLAN configuration and link that split-off LAN jack to the guest network as well, if your guests prefer a wired connection.
  • If your cable modem has a web interface reachable through the WAN port, block guest access to it (fill in the modem's address as dest_ip):
uci -q delete firewall.guest_modem
uci set firewall.guest_modem="rule"
uci set firewall.guest_modem.name="Guest-Block-Cable-Modem"
uci set firewall.guest_modem.src="guest"
uci set firewall.guest_modem.dest="wan"
uci set firewall.guest_modem.dest_ip=""   # the modem's IPv4 address goes here
uci set firewall.guest_modem.family="ipv4"
uci set firewall.guest_modem.proto="all"
uci set firewall.guest_modem.target="REJECT"
uci commit firewall
service firewall restart


To enable IPv6 on the guest network:

uci set dhcp.guest.dhcpv6="server"
uci set dhcp.guest.ra="server"
uci commit dhcp
service odhcpd restart
uci set network.lan.ip6assign="64"
uci set network.guest.ip6assign="64"
uci commit network
service network reload

Add these firewall rules.

Manual Rollback

If you ever want to get rid of the customization created by this script, simply open your OpenWrt web admin GUI:

  • Delete the network interface “guest” in the interface tab
  • Delete the firewall zone “guest” in the firewall tab
  • (All firewall rules will be deleted automatically, once the firewall zone has been deleted. The DHCP config will be autodeleted, once the guest interface is gone)
  • Then click “Save & Apply”.
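The GUI rollback works because LuCI removes the forwarding and rules that reference a zone when the zone is deleted; the `uci` command line does not cascade like that, so a plain `uci delete firewall.guest` would leave `guest_fwd`, `guest_dhcp` and `guest_dns` behind, referencing a zone that no longer exists. The following added example (not from the wiki page or OpenWrt) is the command-line counterpart: it reads a `uci show firewall` dump and prints the delete commands in a safe order, referencing sections first, so the plan can be reviewed before it is piped into `sh`. The function names and the sample dump are constructed for the example; it assumes the network and dhcp sections carry the same name as NET_ID in the script above.

```shell
#!/bin/sh
# Added example, not part of the wiki page: command-line rollback of the guest
# configuration. Prints the commands instead of running them, so you can review
# them first:   uci show firewall | guest_rollback_plan guest guest | sh

# Constructed sample dump: the sections the guest script creates, plus an extra
# modem-block rule and a lan->guest forwarding that someone added later.
sample_rollback_dump() {
cat <<'EOF'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest_fwd=forwarding
firewall.guest_fwd.src='guest'
firewall.guest_fwd.dest='wan'
firewall.guest_dhcp=rule
firewall.guest_dhcp.src='guest'
firewall.guest_dns=rule
firewall.guest_dns.src='guest'
firewall.guest_modem=rule
firewall.guest_modem.src='guest'
firewall.guest_modem.dest='wan'
firewall.lan_guest=forwarding
firewall.lan_guest.src='lan'
firewall.lan_guest.dest='guest'
EOF
}

# guest_rollback_plan ZONE NET_ID   (reads a `uci show firewall` dump on stdin)
guest_rollback_plan() {
  zone="$1"
  net="$2"
  # Every section whose src or dest names the zone (forwardings and rules) must
  # go before the zone itself, because `uci delete` does not remove them for you.
  sed -n -e "s/^firewall\.\([^.]*\)\.src='$zone'$/\1/p" \
         -e "s/^firewall\.\([^.]*\)\.dest='$zone'$/\1/p" \
  | sort -u | while read -r section; do
      echo "uci -q delete firewall.$section"
    done
  echo "uci -q delete firewall.$zone"
  echo "uci -q delete dhcp.$net"
  echo "uci -q delete network.$net"
  echo "uci commit firewall"
  echo "uci commit dhcp"
  echo "uci commit network"
  echo "service network reload"
  echo "service dnsmasq restart"
  echo "service firewall restart"
}

# Demonstration on the constructed dump (prints the plan, executes nothing)
sample_rollback_dump | guest_rollback_plan guest guest
```

The WiFi interface that was attached to the guest network in the GUI is not touched by this plan; it keeps referencing a network that no longer exists until you delete or re-point it in the Wireless section.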

On demand usage

You may not have guests hanging out in your house all week long.
You do not have to delete the whole config, when your guests are leaving. You can just enter the OpenWrt web GUI and simply enable or disable the guest WiFi at will.

docs/guide-user/network/wifi/guestwifi/configuration.txt · Last modified: 2020/04/18 16:30 by lucenera