Completely isolate vulnerable WiFi clients from rest of LAN but allow internet access

We have 2 vulnerable WiFi devices (End of Life / Support). They connect 2 times per day via ssh or vpn to a service on the internet and perform some tasks.

Until now these devices have been in the 192.168.1.X network. I would like to protect these devices as much as possible (since they won't be getting any security updates). My thought was to put these 2 devices on an OpenWRT access point. Then I would like to isolate these clients from each other and from any other client from 192.168.1.X. I would like to allow them internet access, but deny any access from either the internet or the LAN to these clients.

Is it possible to do this using OpenWRT? Is this a sensible approach? How can I do this on OpenWRT?


In the wireless options, as far as I am aware, the advanced option "Isolate Clients" will accomplish this.

Not sure if anyone can advise if this prevents LAN devices on the same interface from communicating with wireless clients. I believe it does, but someone may have to correct me.


Set up a guest LAN?


I agree with both @frollic and @Eric12 in principle here.

The isolate clients option is an all-or-nothing approach to prevent wifi devices on the same SSID from talking to each other. It will not prevent wifi devices from making connections to/from the wired network, though.

Enabling this option on your main network is probably not desirable since it may break inter-device connections that you use regularly in your trusted LAN.

Therefore, the best option, IMO, is to set up a guest/IoT network and use the isolate clients option on that SSID.

Here's a guide (the interface "skin" has changed, but the principles are the same):

1 Like
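
An added configuration sketch of the guest/IoT approach recommended above (not posted by anyone in the thread). It assumes OpenWrt 21.02 or later with the default `lan` and `wan` firewall zones; the names `iot` and `br-iot`, the subnet 192.168.50.0/24, the radio `radio0`, the SSID and the key are placeholders to adapt.

```uci
# /etc/config/network: separate L3 segment for the two devices (assumed names/subnet)
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.50.1/24'
# /etc/config/wireless: dedicated SSID; isolate '1' blocks client-to-client traffic
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'iot-isolated'
	option encryption 'psk2'
	option key 'CHANGE_ME_PLACEHOLDER'
	option isolate '1'
# /etc/config/dhcp: hand out addresses on the new segment
config dhcp 'iot'
	option interface 'iot'
	option start '100'
# /etc/config/firewall
# input REJECT: clients cannot reach the router itself except where a rule allows it
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'IoT-DHCP-DNS'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Only needed if this box sits behind the main router, so 'wan' IS the 192.168.1.X LAN
config rule
	option name 'IoT-block-upstream-LAN'
	option src 'iot'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option target 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'
```

No forwarding from `lan` or `wan` into `iot` is defined, so neither the LAN nor the internet can open connections to the two devices, while their outbound ssh/vpn sessions still work through `iot` to `wan`.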