Block access from wifi to LAN except gateway?

Hi There!
I have an OpenWrt router that I use as a dumb wifi AP + ethernet switch (I do not use any WAN);
my internet access is managed by another device (opnsense).

I have created a guest wifi AP and now I would like to block any access from this AP to my LAN.

I have created a dedicated AP, interface and firewall zone, following this howto:

So the configuration looks like this:

[Guest]------wifi----[ guest ap (openwrt)]----RJ45----[ opnsense]----the internet

What I would like to do is to block any access from to except, of course, the internet gateway.
I assume a couple of firewall rules could do the job, but I was not able to find which ones :frowning:

That wording was somewhat confusing. It seems you do have a WAN somewhere.

Since you placed the AP on the LAN, there is no firewall involved, you will have to use WAN and then firewall what you desire.

Also, if you're not using WAN, I'm unclear on how you have 2 different numbered subnets - as there's no router for the subnet to reach network (and hence, no firewall either).

Hello @lleachii
Maybe I was confusing, sorry for that!
Regarding WAN: I mean I do not use the WAN port or anything related to WAN on my OpenWrt device.
I do not use it as a router, but as an ethernet switch + dumb AP.

I have made this little drawing to try to show how all this is connected, but maybe it's not so clear.

[Guest]------wifi----[ guest ap (openwrt)]----RJ45----[ opnsense]----the internet

To be honest, I'm not sure I understand how the connection is made internally in OpenWrt between my guest subnet (on guest wifi) and the LAN.
I assume it's done by the inter-firewall-zone parameters.
I mean this step of the howto:

In case you'd like to check the howto, I have a similar setup, only with a couple of IPs adapted:
"", which is the OpenWrt IP on the LAN in the "Howto", is on my side.
"", which is the internet gateway IP on the LAN in the "Howto", is on my side.

Everything's 100% clear...but if you are not routing on your AP, how do you expect traffic between and to pass?

Also, how do you expect to firewall it?

I hope you see the issue now.

But in your LAN AP config, you are not passing a router or firewall zone. Again, one suggestion is to configure your AP as a normal router with default OpenWrt configs, then you can firewall traffic as you desire between the 2 subnets.

Well, I cannot tell exactly how, but the connection is made between both subnets: I can reach the internet from my guest AP.

Isn't it done by the Zone forwarding section in firewall/general settings in LuCI?

Because it seems to be kind of similar to the lan-to-wan connection in normal router use, no?

You are forwarding from the .4.x guest network to the .1.x LAN, which acts as a WAN in this case. It's exactly the same as a typical default setup except the names and numbers have changed.

You can block guests from any dest_ip of IP. Make holes for DNS and DHCP. This still works even though the gateway is in there somewhere, because it is the final destination that is checked. (Guest to guest links may be possible, though if they are all wifi, the wifi driver's isolation feature will isolate them).

The order of firewall rules is important. Put the DNS and DHCP exceptions first in the list, before the catch-all that blocks all of 192.168.

1 Like
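As an added illustration of the answer above (example config, not from the thread or the linked howto), here is what the relevant part of `/etc/config/firewall` would look like with the exceptions listed before the catch-all. It assumes the guest interface is named `guest` on 192.168.4.0/24, the LAN interface is `lan` on 192.168.1.0/24 with the opnsense gateway in it, and that OpenWrt itself serves DHCP and DNS to guest clients; adjust names and subnets to your own setup.

```uci
# /etc/config/firewall (excerpt) - added example, not the howto's config.
# Assumed names: zone/interface 'guest' (192.168.4.0/24), zone/interface 'lan'
# (192.168.1.0/24, where the opnsense gateway lives). OpenWrt runs DHCP/DNS for guests.

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# guest -> lan forwarding: this is what lets guests reach the gateway, and so the internet.
config forwarding
	option src 'guest'
	option dest 'lan'

# Exceptions first. These are input rules (no 'dest'), so they only open the
# router's own DHCP and DNS services to guests, nothing on the LAN.
config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Catch-all after the exceptions: reject anything forwarded from guest whose
# final destination is a private 192.168.x.x address. Internet-bound packets
# carry a public dest_ip, so they still pass through the gateway even though
# the gateway's own address is inside this range.
config rule
	option name 'Block-Guest-to-LAN'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.0.0/16'
	option target 'REJECT'
```

Apply it with `/etc/init.d/firewall restart` and check the generated ruleset with `fw3 print` (fw3-based releases) or `fw4 print` (fw4-based releases). From a guest client, a ping or SSH attempt to a 192.168.1.x host should be refused while name resolution and a ping to a public address still work. Client-to-client traffic on the guest SSID is a separate matter handled by the wifi `isolate` option, as the answer notes.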

Bingo !!

Just added a rule like this:

The rules for DNS & DHCP were already set following the "howto" mentioned in the 1st post, as well as the isolate function on wifi.

It seems to work perfectly: I cannot access LAN devices, nor ping them, but internet is working.


PS: I also learnt something about the gateway/final destination :slight_smile:

1 Like