I'm trying to setup a Guest network with separate Guest Wireless SSID's.
Currently I'm running a local dns server in my LAN network. And I'd like to connect the Guest network over that same dns device without the Guest network having access to the other LAN devices.
How should I tackle this?
I was thinking of creating 2 separate VLAN's one for LAN devices and one for the DNS device (the DNS device is connected on port 1 of my router). The Guest network doesn't really need a VLAN as those devices will all be connected over the wireless guest interface (no physical connection).
But in doing so I lose connectivity with the DNS device.
Additional info: (subnet mask 255.255.255.0)
Router at 192.168.0.3
DNS at 192.168.0.4
Other LAN devices start from 192.168.0.10 and onwards
Guest IP range is still to be determined (probably a different subnet).
Will I need to setup the DNS device to be in another subnet for this to work?
Put your wireless guest network on one subnet (and firewall zone).
Put your wired LAN network on a different subnet (and different firewall zone).
Optionally, put your DNS server in a third subnet (and a third firewall zone). This is not absolutely necessary, but you may choose to do so depending on the firewall policies you decide to implement.
Configure your firewall to permit only the traffic you want in the directions you want.
The interception shouldn't be needed if you use DHCP to configure the correct DNS server.
And the firewall traffic rule is only needed if you explicitly configure a DNS server for the guest network in the DHCP options.
If you configure OpenWrt with the custom DNS server instead of the ISP's DNS server then you can use the default which is for DHCP clients to use the OpenWrt router as DNS server (powered by dnsmasq). In this case you the firewall traffic rule needs to allow DNS traffic (port 53) from the guest network to the router itself, unless you allow all input from the guest zone.