Add guest network to Access Point

I have a wifi router that has a private network (192.168.0.x) and a guest network used for IoT devices and family/friends (192.168.1.x). I have additional wifi access points "Dumb APs" connected around my house by ethernet to give good wifi coverage to the private network. The router is the only device that has wifi for the guest network but now I'd like to add that to the APs due to wifi coverage issues with some IoT devices. I've looked but I can't figure out how. Can anyone give any tips?

  • All access points are connected to the router via ethernet. They have addressed in
  • Devices on the guest network should never have access to devices on other than the router because the traffic has to travel over this network to get to the internet. The router is the DNS and DHCP servers for the guest network. I don't want to run two ethernet cables per AP.
  • Ideally devices on should be able to speak to each other even if connected to different APs. Some IoT devices require my phone to be on the same local network to work. I want to be able to use my phone from anywhere in the house (so any access point) by just switching to the guest/IoT network. This is a nice to have. Each AP's guest network could be isolated if needed but it wouldn't be ideal.
  • I really don't trust some of the IoT devices so I want to keep separate networks from the servers and PCs that are trusted.

Here's a picture showing that I want to add (red line) the guest network on the AP(s).

A point in the right direction would be appreciated. I searched and found a ton of posts that looked similar but not exactly what I wanted to do. Maybe I'm using the wrong search terms.

  • I'm confused at what the lines actually mean
  • Are you saying the two networks have not yet been created; or just that you haven't created the guest SSID yet?

Follow this guide. Do all the steps one more time for the IoT.

Thanks, but does that work for putting two networks on a dumb AP? I saw that guide when searching but didn't think it would work for what I wanted to do. Specifically, how does the part where it says block guest access to the private network work in this setup when all of the traffic flows over the private network? The router and the AP connected via ethernet are communicating via the private network. If I create a new guest network on the AP and set up a firewall on the AP to block traffic to the private network then I don't see how traffic passes from the guest network on the AP to the router to get out to the internet or the other devices on the existing guest network on the router. Can you explain a little more so I see what I'm missing?

Thinking about this a bit more, I need the guest network to be accessible over ethernet. Right now all of the switch ports on the router are for the private/trusted network's VLAN. The guest/IoT's network VLAN is only accessible from wifi from the router. I don't want anything on the guest/IoT's network to be able to reach the private/trusted device network that the router and AP(s) currently have.

I did almost exactly what you want. I wrote down what I did here

Basically use VLAN tagging to separate the traffic.


At the very bottom there is a rule to block traffic from guest to the lan hosts.
If the router supports VLANs, then you can create a guest VLAN and an IoT VLAN to expand the broadcast domain of the guest and IoT networks from the access points to the router. Then the router will be handling all the traffic and serving DHCP and DNS. I don't think we have such a guide in the wiki, so you could try @Ramon's tutorial.
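
An added example, not posted by anyone in this thread: the VLAN tagging approach from the replies above, written as the dumb AP's configuration. It assumes the AP runs OpenWrt 21.02 or later with DSA; the port name `lan1`, VLAN ID 3, radio name, AP address, SSID and key are placeholders.

```uci
# /etc/config/network on the dumb AP (constructed example)
# Assumptions: uplink port is 'lan1', private LAN is untagged VLAN 1,
# guest/IoT traffic is carried tagged as VLAN 3 on the same cable.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

# Private network: untagged on the uplink, also the port's PVID
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'

# Guest/IoT network: tagged on the uplink, so one cable carries both
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

# The AP is managed only from the private network
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'

# Unmanaged: the AP has no IP address, DHCP or DNS on the guest VLAN
config interface 'guest'
	option device 'br-lan.3'
	option proto 'none'

# /etc/config/wireless on the dumb AP (guest SSID only shown)
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest-IoT'
	option network 'guest'
	option encryption 'psk2'
	option key 'CHANGE_ME'
```

The router port facing the AP has to carry VLAN 3 tagged as well, with the router's existing guest interface attached to that VLAN so it keeps serving DHCP and DNS. Because the AP has no address on `guest` and the two VLANs are separate layer 2 segments, guest clients on any AP share one broadcast domain and reach the private network only if the router's firewall allows it.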