I'm trying to create a fully separated guest wifi with a dedicated DHCP/DNS on my wifi router while the switch ports and the normal wifi are fully integrated into my normal network. Maybe the following diagram describes it better. Sorry for the large image, but as a new user I'm not allowed to post multiple images in one post.
I've created a separate guest wifi interface with a static IP + local DHCP and in the firewall settings I enabled "masquerading":
After connecting to the "guest24" wifi I get an address from DHCP and I'm able to resolve DNS queries, but I can't ping anything outside the 192.168.128.0/24 network except the wifi router's LAN IP.
Is there some setting I'm missing that prevents masquerading from working?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
It looks like you set up a guest wifi on a bridged AP.
You need to masquerade on the LAN interface as brada4 already said.
All other connected clients will only pass the router on their way to the main router, so they will not be subjected to the masquerading.
Edit: masquerading is not necessary per se, you can also set a route for return traffic on the main router, however you must make sure you will not fall into the "invalid" traffic trap.
Now I need to set up some firewall rules, as I can currently also ping devices from my local network from the guest wifi, but that shouldn't be an issue.
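As an added example (not posted in this thread), the firewall side of what the reply above describes: masquerading enabled on the lan zone of the bridged AP rather than on the guest zone, plus, for the follow-up about still being able to ping LAN devices, a forward rule that rejects guest traffic to private ranges. It assumes the guest interface is named `guest`, keeps the 192.168.128.0/24 range from the question, and omits the network and dhcp sections that already exist on the device.

```uci
# /etc/config/firewall (fragment, added example)
# The AP forwards guest traffic out through its lan interface; masquerading on the
# lan zone (not the guest zone) rewrites the source to the AP's LAN IP so the main
# router can route replies back without a static route for 192.168.128.0/24.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list masq_src '192.168.128.0/24'   # only NAT the guest range, not LAN-originated flows

config zone 'guest'
	option name 'guest'
	list network 'guest'            # assumed interface name from /etc/config/network
	option input 'REJECT'           # guests may not reach the AP except via the rules below
	option output 'ACCEPT'
	option forward 'REJECT'         # no forwarding between guest clients

config forwarding
	option src 'guest'
	option dest 'lan'

# Allow only DHCP and DNS from guests to the AP itself (input chain).
config rule 'guest_dhcp'
	option name 'Allow-Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule 'guest_dns'
	option name 'Allow-Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Guests reach the internet through lan, but not private hosts behind the main router.
config rule 'guest_block_private'
	option name 'Block-Guest-to-RFC1918'
	option src 'guest'
	option dest 'lan'
	list dest_ip '10.0.0.0/8'
	list dest_ip '172.16.0.0/12'
	list dest_ip '192.168.0.0/16'
	option target 'REJECT'
```

After editing, apply with `/etc/init.d/firewall restart` and confirm from a guest client that the main router's LAN address is unreachable while a public address still answers.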