Configure a guest WLAN on a dumb AP

This documentation is written to help you set up a guest WLAN on a dumb AP.

The changes below assume an OpenWrt default configuration.

For more information on setting up only a dumb AP see Dumb AP / Access Point Only.

This writeup documents the following forum post: Guest Wlan on dumb AP. It also contains a picture of the desired setup.

We assume that you have a private WLAN set on and want a guest WLAN on

Manual configuration

The changes below assume an OpenWrt default configuration. The relevant files are:

Step 1: Define a new network

Edit /etc/config/network and define a new interface section:

config interface 'guest'
        option proto 'static'
        option ipaddr ''
        option netmask ''

Step 2: Copy the existing wireless network

In /etc/config/wireless, define a new wifi-iface section by copying the existing one and changing its network option to point to the newly created interface section.

config wifi-iface
        option device '???'
        option network 'guest'
        option ssid 'guestwifi'
        option mode 'ap'
        option encryption 'none'

For option device '???', use the device named in your wifi-device section. For example, if that section reads config wifi-device 'wifi0', the wifi-iface section should contain option device 'wifi0'.

To prevent connections between clients of the guest network, add the following line at the end of the configuration block:

        option isolate 1

Some hardware or drivers might not support this option.

Step 3: Define a new DHCP pool

To support DHCP on the 'guestwifi' wireless network, a new DHCP pool must be defined in /etc/config/dhcp:

config dhcp 'guest'
  option interface 'guest'
  option start '50'
  option limit '200'
  option leasetime '1h'

Step 4a: Adjust firewall settings

Edit /etc/config/firewall and add a new zone section covering the 'guest' interface.

Enable masquerading in the lan zone


config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option masq '1'

Add a new guest zone

config zone
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

Forward the guest zone to lan zone

config forwarding
        option src 'guest'
        option dest 'lan'

Step 4b: Additional firewall settings

To wall off your guest network from your private network, add the following.
Because we set the input on the guest zone to `REJECT`, we have to explicitly allow the ports guests need.
In this case we block access to the range and only allow DHCP and DNS.


# Prevent guests from accessing devices in the range
config rule
        option name 'Disable Guest LAN Access'
        option dest 'lan'
        option dest_ip ''
        option target 'DROP'
        option proto 'all'
        option src 'guest'

# Allow DHCP for guests
config rule
        option dest_port '67-68'
        option src 'guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        option proto 'udp'

# Allow DNS for guests
config rule
        option dest_port '53'
        option src 'guest'
        option name 'Guest DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'
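
One way to check the result of Steps 4a and 4b, as an added example that is not part of the original page: the function reads a UCI firewall file (or stdin) and reports whether the guest zone rejects input and forward, whether a DROP rule from guest to lan with a dest_ip exists, and whether DHCP and DNS are accepted. The function names, the reduced sample config and the 192.0.2.0/24 range are constructed for illustration.

```shell
# Added example: check a UCI firewall file for the guest settings of Steps 4a/4b.
# Prints one FAIL line per missing setting; returns 0 only when none is missing.
audit_guest_fw() {
    cat "${1:--}" | tr -d "\"'" | awk '
    function bad(msg) { print "FAIL: " msg; n++ }
    function flush() {   # evaluate the section that was just read
        if (type == "zone" && o["name"] == "guest") {
            zone = 1
            if (o["input"] != "REJECT" || o["forward"] != "REJECT") bad("guest zone input or forward is not REJECT")
        }
        if (type == "rule" && o["src"] == "guest") {
            if (o["dest"] == "lan" && o["dest_ip"] != "" && o["target"] == "DROP") drop = 1
            if (o["dest"] == "" && o["target"] == "ACCEPT") svc[o["dest_port"]] = 1  # no dest: input rule
        }
        split("", o)     # reset the options for the next section
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" { k = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); o[k] = $0 }
    END { flush()
        if (!zone) bad("no guest zone")
        if (!drop) bad("no DROP rule from guest to lan with a dest_ip")
        if (!("67-68" in svc)) bad("no input ACCEPT rule for guest DHCP (ports 67-68)")
        if (!("53" in svc)) bad("no input ACCEPT rule for guest DNS (port 53)")
        exit (n > 0)
    }'
}
# Constructed sample, reduced to the checked options; 192.0.2.0/24 is a placeholder range.
sample_fw() {
    cat <<'EOF'
config zone
        option name 'guest'
        option input 'REJECT'
        option forward 'REJECT'
config rule
        option src 'guest'
        option dest 'lan'
        option dest_ip '192.0.2.0/24'
        option target 'DROP'
config rule
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'
config rule
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
EOF
}
sample_fw | audit_guest_fw && echo "guest firewall settings present"
```

On the access point itself, run it as `audit_guest_fw /etc/config/firewall`.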


Web interface configuration

Below are the same steps described above but in the web interface.

Step 1: Define a new network

Add a new wireless radio

Give it an SSID and add it to the `guest` network.

Step 2: Edit the newly created interface

At the interfaces, edit the `guest` interface that you just created.

Switch the protocol to a static address.

Fill in the static IP, subnet mask and enable DHCP.
Make sure the static IP is on a different subnet.

Step 3a: Set up the firewall zone

At firewall settings, create a new guest firewall zone.

At the firewall settings, edit the newly created guest zone.

Set Input to REJECT, Output to ACCEPT and Forward to REJECT. Allow forward to destination zone: `lan`.

Also enable masquerading for lan.

Step 3b: Set up the firewall traffic rules

Now go to the traffic rules tab inside firewall and add the following three rules:

