Create 2 separate networks on LAN interface

Hello everyone,

I have the following situation and setup.

  • Router with OpenWRT 19.07.3 connected to internet.
  • A lan port of the router connected to a 24 port switch.
  • Several wired devices connected to the switch.
  • A mesh wifi network (3 devices) connected by Ethernet cables to the switch (wired backhaul).
    • The wifi network is in access point mode.
    • The wifi devices are configured with a guest network.

My problem is that the wifi devices (access points) offer a guest network (in access point mode), but devices connected to either the normal wifi network or the guest wifi network are treated equally. DHCP offers are handled by my OpenWRT router.
I want to achieve that guests cannot access devices on my network. I want my own devices to be able to access other devices on the network.
My wifi devices do not offer VLANs or other settings to separate the networks.

I was thinking of separating them by creating 2 IP ranges. I know it is not very secure, but better than nothing....

I was thinking in the following direction to achieve this:

  • Create a second fixed IP address on the LAN interface of the router.
  • Normal LAN would be 192.168.1.1, guest LAN would be 192.168.11.1
  • Configure DHCP to offer IP addresses in the range 192.168.1.0 for 'known' devices / MAC addresses. Offer IP addresses in the range 192.168.11.0 when not known.

I do not know how to set this up. Is this possible? If so, how can it be configured? Preferably via the GUI / LuCI?

I am open to other suggestions and/or better solutions. But 'buying other wifi devices' is not one of them :) I want to 'solve' it with the hardware I have.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start

That only works when using the wifi of the router. I am using separate access points. From the router's perspective, there is no difference between wired devices, my wireless devices and guest wireless devices.


That works. Only, however, if I do not set the subnets on the firewall zones.
I used 192.168.1.0/24 for the lan zone and 192.168.11.0/24 for the guest zone. When only one of these is set, it (still) works. However, if both are set, devices cannot reach the DHCP server. Renewals are fine, new IPs are not.

Instead of the "Covered subnets" I set the "Covered devices" option to:

  • br-lan and tun0 for lan zone
  • br-guest for guest zone

I am not sure if this actually adds any security.


Probably an additional rule is required for DHCPDISCOVER/DHCPREQUEST:

# Resolve the device name (e.g. br-lan) behind the "lan" interface
NET_IF="lan"
. /lib/functions/network.sh
network_flush_cache
network_get_device NET_DEV "${NET_IF}"
# Replace any earlier attempt with a single rule
uci -q delete firewall.guest_dhcp
uci -q delete firewall.dhcp
uci set firewall.dhcp="rule"
uci set firewall.dhcp.name="Allow-DHCP-LAN/Guest"
# src "*" puts the rule before zone dispatch; match on the ingress device instead
uci set firewall.dhcp.src="*"
uci set firewall.dhcp.extra="-i ${NET_DEV}"
uci set firewall.dhcp.dest_port="67"
uci set firewall.dhcp.family="ipv4"
uci set firewall.dhcp.proto="udp"
uci set firewall.dhcp.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
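To show how the device-based zones from the earlier reply and the DHCP rule above fit together, here is an added /etc/config/firewall fragment written for this page; it was not posted by anyone in the thread. The device names br-lan, tun0 and br-guest come from the thread; the zone policies, the forwardings to the default wan zone and the DNS rule are assumptions modelled on the OpenWrt guest Wi-Fi guide linked above. The point it illustrates: a DHCPDISCOVER arrives with source address 0.0.0.0, so it never falls inside a zone's "Covered subnets" and instead drops through to the global input policy. Matching the zone by device, or matching the rule on the ingress interface with src '*' as the script above does, sidesteps that.

```uci
# Added example (not from the thread). Zones are matched by device, not
# by subnet. Device names come from the thread; policies are assumptions.

config zone
	option name 'lan'
	list device 'br-lan'
	list device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'guest'
	list device 'br-guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Both zones may reach the internet (assumes the default 'wan' zone).
# There is deliberately no guest -> lan forwarding; that absence is
# what keeps guest clients away from the LAN.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

# DHCP: src '*' with an ingress-interface match, as in the script above,
# so the 0.0.0.0-sourced DHCPDISCOVER is accepted before zone dispatch
# even if subnets are later added to the zones.
config rule
	option name 'Allow-DHCP-LAN'
	option src '*'
	option extra '-i br-lan'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	option src '*'
	option extra '-i br-guest'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# Guests still need name resolution from the router (assumption:
# dnsmasq also listens on the guest bridge).
config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing the file, run /etc/init.d/firewall restart and confirm the rules were generated with `iptables-save | grep -i dhcp` (fw3 tags each named rule with a comment). A quick functional check is a DHCP release/renew from a client on the guest bridge followed by a failed ping to a LAN host: the lease should succeed while the LAN stays unreachable.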

Hi,
Unfortunately that did not make a difference. When both interfaces have a subnet filter set, the only rule that seems to open the port for DHCP discover and request is a rule that allows ALL traffic (no proto filter, no port filter, no interface filter, etc.). That basically disables the firewall. So that is not an option.
I think I will have to leave it where it is now. It is already better, a bit more secure, than it was before.
Thanks for the support.


I have updated and tested the DHCP rule, and now it works for me.

Actually, it also works with the default permissive global input policy.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.