This documentation is written to help you set up a guest WLAN on a dumb AP. For more information on setting up a dumb AP see Dumb AP / Access Point Only.
This writeup is a documentation of the following forum post: Guest Wlan on dumb AP It also contains a picture of the desired setup.
We assume that you have a private WLAN set on 192.168.1.xxx and want a guest WLAN on 192.168.2.xxx.
The changes below assume an OpenWrt default configuration, the relevant files are:
config interface 'guest' option proto 'static' option ipaddr '192.168.2.1' option netmask '255.255.255.0'
In /etc/config/wireless, define a new wifi-iface section by copying the existing one and changing its network option to point to the newly created interface section.
config wifi-iface option device '???' option network 'guest' option ssid 'guestwifi' option mode 'ap' option encryption 'none'
option 'device' '???' you should put the device listed in your 'wifi-device' section. For example, if your 'wifi-device' says
config 'wifi-device' 'wifi0' then the wifi-iface section should be
option 'device' 'wifi0'
To prevent connections between clients of the guest network, add the following line at the end of the configuration block
option isolate 1
Some hardware or drivers might not support this option.
In order to support DHCP on 'guestwifi' wireless, a new
dhcp pool must be defined in
[..] config dhcp 'guest' option interface 'guest' option start '50' option limit '200' option leasetime '1h' [..]
/etc/config/firewall and add new zone section covering the 'guest' interface.
Enable masquarade in the lan zone
[..] config zone option name 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' option network 'lan' option masq '1' [..]
Add a new guest zone
config zone option name 'guest' option network 'guest' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT'
Forward the guest zone to lan zone
config forwarding option src 'guest' option dest 'lan'
To wall off your guest network from your private network add the following.
Because we set the input on the guest zone to `REJECT` we have to set the ports which we will allow.
In this case we block access to the 192.168.1.xxx range and only allow DHCP and DNS.
[..] # Disable guests to access devices in the 192.168.1.xxx range config rule option name 'Diable Guest LAN Access' option dest 'lan' option dest_ip '192.168.1.0/24' option target 'DROP' option proto 'all' option src 'guest' # Allow DHCP for guests config rule option dest_port '67-68' option src 'guest' option name 'Guest DHCP' option target 'ACCEPT' option proto 'udp' # Allow DNS for guests config rule option dest_port '53' option src 'guest' option name 'Guest DNS' option target 'ACCEPT' option proto 'tcp udp' [..]
Below are the same steps described above but in the web interface.
At the interfaces, edit the `guest` interface that you just created.
Switch the protocol to a static address.
Fill in the static IP, subnet mask and enable DHCP.
Make sure the static IP is on a different subnet.
At firewall settings, create a new guest firewall zone.
At the firewall settings, edit the newly created guest zone.
Set Input to REJECT, Output to ACCEPT and Foward to REJECT. Allow forward to destination zone: `lan`.
It should look as follows
Also enable masquarading for lan