Guest Wi-Fi using LuCI
Guest Wi-Fi provides internet access to your network members. It also provides firewall rules that isolate your guest network from the rest of your network. This recipe is based on the more comprehensive Guest Wi-Fi basics, providing a more user-friendly approach through the LuCI web interface.
Note that all MAC addresses have been redacted from the screenshots.
Create and configure a new wireless controller
After logging into the web interface, navigate to the Wireless page under Network. Click Add on the wireless controller (e.g., the 2.4 GHz radio) you want to have your guest network on. A new interface will be added as shown here:
As you can see, our new wireless controller has been created, and we named it guest. Next, configure it: choose the Edit option for the controller. You will need to create a new network; as you can see, we named our new network guest here:
Also, be sure to set up wireless security if you want to protect the connection.
Configure the new interface
Now, if you navigate to the Interfaces page under Network, you should see your new interface, looking similar to this:
You will need to configure your interface before it is useful. Choose Edit, pick the protocol Static address, and fill out your chosen IPv4 address. We chose 192.168.3.1 here, but you may have different preferences. However, avoid using 192.168.1.1 or 10.0.0.1, as they may already be in use and prevent your guests from acquiring IP addresses. Remember to set the netmask. If you are using a newer version of the web interface, the netmask must be entered together with the IPv4 address, for example 192.168.3.1/24. You will also need to enable DHCP. We chose to go with the default options here, except for the Leasetime, which is only one hour, suitable for environments where a large number of guests connect and leave throughout the day.
Notice that there is a Firewall Settings tab to the far right of the General Setup tab. Make sure you visit this tab and create a new zone for your guest network, as we have done here:
Configure the firewall
Now you are just about done. The last thing we need to do is allow traffic between your guest network and WAN in the firewall. Go to the Firewall page under Network and choose Edit for your guest zone. Set Input to REJECT and tick wan under Allow forward to destination zones. Correctly configured, it should look like this:
Remember to click Save & Apply. Finally, we need to give our guests access to the Internet.
Because Input is set to REJECT for the guest zone, neither DNS nor DHCP traffic will be accepted right now. We need to create two rules, which we can do from the Traffic rules tab under the Firewall tab. Both rules can be added under Open ports on router:. We name the first one Guest DNS here (you can name it whatever you want), selecting both TCP and UDP as protocols and port 53:
We need to configure the rule, so choose to edit it. Set Source zone to guest and Destination zone to Device (input), as shown here:
Similarly, create a new rule to allow DHCP for guests. We name this rule Guest DHCP, choose UDP as the protocol, and set 67 as the port. Again, edit the rule, setting Source zone to guest and Destination zone to Device (input). When you are done, it should look like this:
If you had firewall rules to implement Parental Control, you might have to review them now. If the Reject rules were defined with LAN as Source Zone, they will not apply to the Guest network.
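To check the result of the firewall steps in this section without relying on screenshots, here is an added example (not part of the original recipe or of OpenWrt's tooling): a small Python audit that reads text in the /etc/config/firewall format and reports where the guest zone deviates from the policy described above. The sample configuration and the function names `parse` and `audit` are constructed for illustration; the zone name `guest` and the rule names follow this recipe.

```python
import shlex
# Constructed /etc/config/firewall excerpt (not from the page) matching the steps above.
SAMPLE = """
config zone
    option name 'guest'
    option input 'REJECT'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option name 'Guest DNS'
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option name 'Guest DHCP'
    option src 'guest'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
"""

def parse(text):  # UCI text -> [(section_type, options)]; 'list' values are space-joined
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            opts = sections[-1][1]
            opts[tok[1]] = tok[2] if tok[0] == "option" else f"{opts.get(tok[1], '')} {tok[2]}".strip()
    return sections

def audit(text, zone="guest"):  # returns a list of deviations from the recipe's policy
    secs, found, opened = parse(text), [], set()
    zones = [o for t, o in secs if t == "zone" and o.get("name") == zone]
    if not zones or zones[0].get("input", "").upper() != "REJECT":
        found.append(f"zone {zone!r} missing or input is not REJECT")
    for t, o in secs:
        if t == "forwarding" and o.get("src") == zone and o.get("dest") != "wan":
            found.append(f"forwarding {zone} -> {o.get('dest')} breaks isolation")
        # A rule with a source zone and no 'dest' is an input rule ("Device (input)" in LuCI).
        if t == "rule" and o.get("src") == zone and "dest" not in o and o.get("target") == "ACCEPT":
            for port in o.get("dest_port", "any").split():
                opened |= {(port, p) for p in o.get("proto", "tcp udp").split()}
    expected = {("53", "tcp"), ("53", "udp"), ("67", "udp")}
    found += [f"unexpected open port {p}/{pr}" for p, pr in sorted(opened - expected)]
    found += [f"missing rule for {p}/{pr}" for p, pr in sorted(expected - opened)]
    return found
```

Run `audit()` on a copy of the router's firewall configuration; an empty list means the guest zone rejects input, forwards only to wan, and opens only DNS and DHCP on the router.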
Troubleshooting
If you are able to connect to the guest wireless network and do get an IP address from the DHCP server but cannot access the internet, make sure the guest interface has a netmask configured. If you forget to set this, the default /32 netmask will not work.