Confused when to use VLANs

I want to have a guest wifi SSID which will have no need for physical ethernet cables to be on it. I am confused about whether or not I need to set up bridge VLAN configuration. My setup is simple with just one OpenWrt device that will be the router/firewall/wifi transmitter. Do I need to use VLANs or can I just make a guest interface and give it its own firewall zone and IP range for isolation from the main lan zone?

If you have no "high security" requirements you can just create a guest wifi, and enable client isolation and you could even attach it to the default lan bridge...

If you however want to restrict guests from connecting to other lan devices then you should create a guest VLAN, a guest firewall zone and a DHCP config for this guest network....

Edit: yes you can run multiple layer 3 networks on a layer 2 but running multiple DHCP subnets on the same layer 2 will create a lot of mess, so yes, set up a VLAN for guests...

Strictly speaking, VLANs are ethernet-only: you use VLANs when you want to use the same ethernet wire for several independent networks, by tagging the packets; however, the term "VLAN" is usually abused (especially in this forum) to refer to "separate networks".

If you do not have wired devices on your guest zone, then you definitely do not need to worry about VLANs.


But don't you still need a VLAN for guest if you want to achieve layer 3 isolation? Or does the wifi option for client isolation also give you separation on layer 3?
Curious question: how would you set up a dedicated DHCP pool for the guest wifi?

I went back to the Guest Wi-Fi basics, Guest Wi-Fi extras, Guest Wi-Fi using CLI, and Guest Wi-Fi using LuCI guides. All four of them create an isolated network, with a dedicated DHCP pool; I think all the guides meet OP's and your criteria, but none of them makes use of VLANs.


Face palm. Yeah alright they create another bridge and of course attach only the guest network to it... Fair enough.

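The layout the thread converges on (a separate bridge, a dedicated DHCP pool and a guest firewall zone, with no VLAN), written out as an added example that is not from any poster or from the OpenWrt guides. The section name `guest`, `radio0`, the 192.168.3.1/24 address, the upstream zone name `wan` and the placeholder passphrase are assumptions; the function only prints `uci batch` input so it can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: print `uci batch` input for a guest SSID isolated by its own
# bridge, DHCP pool and firewall zone. All default values are assumptions.
guest_uci_batch() {
    id="${1:-guest}"; radio="${2:-radio0}"
    addr="${3:-192.168.3.1/24}"; key="${4:-CHANGE-ME-passphrase}"
    cat <<EOF
set network.${id}_dev=device
set network.${id}_dev.type='bridge'
set network.${id}_dev.name='br-${id}'
set network.${id}=interface
set network.${id}.proto='static'
set network.${id}.device='br-${id}'
set network.${id}.ipaddr='${addr}'
set wireless.${id}=wifi-iface
set wireless.${id}.device='${radio}'
set wireless.${id}.mode='ap'
set wireless.${id}.network='${id}'
set wireless.${id}.ssid='${id}'
set wireless.${id}.encryption='psk2'
set wireless.${id}.key='${key}'
set wireless.${id}.isolate='1'
set dhcp.${id}=dhcp
set dhcp.${id}.interface='${id}'
set dhcp.${id}.start='100'
set dhcp.${id}.limit='150'
set firewall.${id}=zone
set firewall.${id}.name='${id}'
set firewall.${id}.network='${id}'
set firewall.${id}.input='REJECT'
set firewall.${id}.output='ACCEPT'
set firewall.${id}.forward='REJECT'
set firewall.${id}_wan=forwarding
set firewall.${id}_wan.src='${id}'
set firewall.${id}_wan.dest='wan'
set firewall.${id}_dns=rule
set firewall.${id}_dns.src='${id}'
set firewall.${id}_dns.dest_port='53'
set firewall.${id}_dns.proto='tcp udp'
set firewall.${id}_dns.target='ACCEPT'
set firewall.${id}_dhcp=rule
set firewall.${id}_dhcp.src='${id}'
set firewall.${id}_dhcp.dest_port='67'
set firewall.${id}_dhcp.proto='udp'
set firewall.${id}_dhcp.target='ACCEPT'
EOF
}
guest_uci_batch "$@"   # print for review; nothing is applied here
```

On the router, pipe the reviewed output into `uci batch`, run `uci commit`, then reload network, wifi, dnsmasq and the firewall. Guests are kept off LAN devices because the only forwarding defined for the guest zone points to `wan`, and the zone's `input='REJECT'` leaves only DNS and DHCP reachable on the router itself.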
