Complete Isolate vulnerable WiFi clients from rest of LAN but allow internet access

We have 2 vulnerable WiFi devices (End of Life / Support). The connect 2 times per day via ssh or vpn to a service on the internet and perform some tasks.

Until now these devices are in the 192.168.1.X network. I would like to protect these devices as much as possible (since they won't be getting and security updates). My thought was to put these 2 devices on a OpwnWRT access point. Then I would like to isolate these clients from each other and from any other client from 192.168.1.X. I would like to allow them internet access, but deny any access from either the internet or the LAN to these clients.

Is this possible to do this using OpenWRT? Is this a sensible approach? How can I do this on Open WRT?


In the wireless options, as far as I am aware, the advanced option "Isolate Clients" will accomplish this.

Not sure if anyone can advise if this prevents LAN devices on the same interface from communicating with wireless clients- I believe it does, but someone may have to correct me.


Set up a guest lan?


I agree with both @frollic and @Eric12 in principle here.

The isolate clients option is an all-or-nothing approach to prevent wifi devices on the same SSID from talking to each other. It will not prevent wifi devices from connections to/from the wired network, though.

Enabling this option on your main network is probably not desirable since it may break inter-device connections that you use regularly in your trusted LAN.

Therefore, the best option, IMO, is to setup a guest/IoT network and use the isolate clients option on that SSID.

Here's a guide (the interface "skin" has changed, but the principles are the same):

1 Like

Hi @psherman,

In my quest to find a device that suit my need of isolating devices, I had started by thinking that what I needed was different VLANs, then I discovered that it is possible to isolate devices on the same wifi network ... and now I am wondering what your sentence means:

If devices are connected to the wifi and isolated, they can still see and connect to the whole wired network (and vice versa) ?
In such a case, VLANs would totally isolate devices connected to wifi?

Long explanation:
The reason for my question is that initially, I wanted to fully isolate some IoT device from the rest of the home network (it only needed internet connection). Then I started thining that it would be nice to isolate other devices (example: work / home PCs, mobile devices ... since they only need internet connection too), so if there is an issue, the rest of the network is safe.
On the market, I saw some routers (example: Synology RT6600ax) that supported different VLANs (5), several SSID (15), and can isolate devices on the same SSID. I was wondering what is the best (and easiest) option to just allow devices to be connected to the internet without seeing each other: a specific VLAN / a specific SSID / isolated devices on the same SSID (what what about the wired part of the network?)
Thank you in advance