Both Guest and Lan over same local DNS


I'm trying to set up a Guest network with separate Guest wireless SSIDs.
Currently I'm running a local DNS server in my LAN network, and I'd like to connect the Guest network over that same DNS device without the Guest network having access to the other LAN devices.

How should I tackle this?

I was thinking of creating 2 separate VLANs, one for LAN devices and one for the DNS device (the DNS device is connected on port 1 of my router). The Guest network doesn't really need a VLAN as those devices will all be connected over the wireless guest interface (no physical connection).

But in doing so I lose connectivity with the DNS device.

Additional info: (subnet mask
Router at
DNS at
Other LAN devices start from and onwards

Guest IP range is still to be determined (probably a different subnet).
Will I need to set up the DNS device to be in another subnet for this to work?

Put your wireless guest network on one subnet (and firewall zone).

Put your wired LAN network on a different subnet (and different firewall zone).

Optionally, put your DNS server in a third subnet (and a third firewall zone). This is not absolutely necessary, but you may choose to do so depending on the firewall policies you decide to implement.

Configure your firewall to permit only the traffic you want in the directions you want.


The interception shouldn't be needed if you use DHCP to configure the correct DNS server.

And the firewall traffic rule is only needed if you explicitly configure a DNS server for the guest network in the DHCP options.

If you configure OpenWrt with the custom DNS server instead of the ISP's DNS server then you can use the default, which is for DHCP clients to use the OpenWrt router as DNS server (powered by dnsmasq). In this case the firewall traffic rule needs to allow DNS traffic (port 53) from the guest network to the router itself, unless you allow all input from the guest zone.


Why not run the NS on the OpenWrt router and forward everything to the NS in LAN? This way you don't allow anything from GUEST to LAN.

My current DNS is a Raspberry Pi running Pi-Hole. My router doesn't have the hardware to run Pi-Hole as far as I know.

It is running dnsmasq though, which can do this simple forwarding.

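The arrangement the last two replies describe, written out as OpenWrt UCI config: the guest zone may only reach the router itself for DNS and DHCP, has no forwarding to the LAN, and the router's dnsmasq forwards queries to the Pi-hole in the LAN. This is an added example, not config from the thread; the guest subnet 192.168.3.0/24 and the Pi-hole address 192.168.1.2 are assumed, since the post's real addresses are not given.

```conf
# /etc/config/network  (constructed example: guest subnet 192.168.3.0/24)
config device
    option name 'br-guest'
    option type 'bridge'          # empty bridge; the guest SSID attaches to it

config interface 'guest'
    option proto 'static'
    option device 'br-guest'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp
config dnsmasq
    # add to the existing dnsmasq section: the router resolves via the
    # Pi-hole (assumed LAN address 192.168.1.2) instead of the ISP resolvers
    option noresolv '1'
    list server '192.168.1.2'

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '150'
    # no "list dhcp_option '6,192.168.1.2'": clients get 192.168.3.1 as DNS,
    # so nothing in the guest zone ever needs to reach the LAN directly

# /etc/config/firewall
config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'         # router itself reachable only via rules below
    option output 'ACCEPT'
    option forward 'REJECT'       # no guest -> lan; forwarding to wan only

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'Guest-DNS'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'        # DNS to the router's dnsmasq (port 53)

config rule
    option name 'Guest-DHCP'
    option src 'guest'
    option dest_port '67'
    option proto 'udp'
    option target 'ACCEPT'
```

The guest SSID is attached in /etc/config/wireless with `option network 'guest'`; after editing, apply with `service network reload`, `service dnsmasq restart` and `service firewall restart`.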