Creating a guest LAN (not WLAN)

Hi all 🙂

I'm not really experienced with configuring OpenWRT, and alas, I didn't find any howto for what I want to do. Maybe, someone can point me in the right direction.

What I'd like to achieve is similar to the "Guest LAN" feature of the AVM Fritz-Box. An isolated LAN (not WLAN – for a guest WLAN, there are plenty instructions) which has access to the internet, in which all clients can communicate – but not reach the "real" LAN.

I have an Ubiquiti EdgeRouter X, with 5 LAN ports (that are accessible as different devices eth0 to eth4 if I see this correctly; no switch).

The default preset behavior is almost what I want:

The router fetches an IP address from the real router ( when I plug a cable in the first (eth0) port. A device connected to one of the other ones (eth1 to eth4) gets an IP address of OpenWRT's default subnet ( and is able to reach the internet.

What I would like to change (and don't know how) is:

  • The clients in this LAN should be isolated from the "real" LAN. At the moment, not only the internet is reachable, but e.g. also my "real" router ( Only the internet should be accessible.
  • The "sub"-router should be accessible from the "real" LAN (, but not from the internet, and not from the isolated sub-LAN (

What's the most elegant/easy way to do this? Thanks for all help!

This is very similar to a guest wlan.

  1. Split the switch using a separate vlan for the guest network.
  2. Create a separate interface for it.
  3. Setup firewall for forwarding according to your plan.

I think such a split is already the default setup: The WAN interface refers to the first (eth0) port, and the LAN interface is a bridge for the other ports (eth1–eth4).

Thus I wonder if I need a VLAN? Can I use the default setup (by only tweaking the firewall settings)?

As far as I can tell, you already have separate cabling for your LANs. A VLAN would not offer further separation advantages. A firewall rule blocking the guest from accessing the main LAN should suffice. Depending on how it's configured you may want to leave the dhcp and dns protocols open…

Maybe lan1-lan4? Is it a DSA driver? Then it is a bit easier.

This model has a switch, but it is configured by DSA. The DSA system for the most part hides that there actually is a switch, and for a simple use case like this one you can treat it as separate Ethernet ports.

If you want exactly one Ethernet port to be guest, you could put an interface directly on it, but it would be better to make the guest network a bridge. Additional ports can then be added.

config device
   option name 'br-guest'
   option type 'bridge'
   list ports 'eth4'

config interface 'guest'
   option device 'br-guest'
   option proto 'static'
   option ipaddr ''

Remove eth4 from the lan bridge.
The DHCP and firewall setup for guest is the same as for a wireless guest network.

Actually, I want all ports but one to be the guest LAN (one has of course to be the uplink to the actual LAN).

So can I leave the default bridge as-is?

Then guest definitely needs to be a bridge. Leave lan as it is in case you want to go back to it. There's no noticeable performance loss from having an empty unused bridge left around.

The typical guest firewall blocks guests from attempting to log into the router. If you detach all ports from the regular LAN that leaves no way to log into the router (other than serial). You would need to either leave one port as LAN or open the firewall on the WAN side and log in from WAN. Since WAN is your upstream LAN, it is trusted and there's no issue with opening the firewall.

So if I open the firewall so that the router will be accessible from the WAN side (which is my upstream LAN), the router still can't be accessed from "outside", as the real router won't route port 80 requests to the "guest" router, right?

So … if I get this correctly, I simply have to change the firewall settings for the existing WAN (eth0) and the existing LAN (eth1–eth4 bridge) and I'm done?!

It is unclear what you got. But I wouldn't suggest anything to change for lan.

Okay, for now, I added the following to /etc/config/firewall to allow access to ssh and http(s) from the actual LAN:

config rule
        option name             Allow-WAN-ssh
        option src              wan
        option src_ip 
        option dest_port        22
        option target           ACCEPT
        option proto            tcp

config rule
        option name             Allow-WAN-http
        option src              wan
        option src_ip 
        option dest_port        80
        option target           ACCEPT
        option proto            tcp

config rule
        option name             Allow-WAN-https
        option src              wan
        option src_ip 
        option dest_port        443
        option target           ACCEPT
        option proto            tcp

That seems to work (is it okay this way?!).

Blocking everything but the internet from LAN is still to do …

Okay, with this here:

config rule
        option name     isolate-LAN-from-real-LAN
        option src      lan
        option dest     *
        list dest_ip
        list proto      all
        option target   DROP

I can prevent a LAN client to access my real LAN.

With this:

config rule
        option name         reject-LAN-ssh
        option src          lan
        list proto          tcp
        option dest_port    22
        option target       DROP

I can prevent a LAN client to access the router via SSH.

But despite having those:

config rule
        option name         reject-LAN-http
        option src          lan
        list proto          tcp
        option dest_port    80
        option target       DROP

config rule
        option name         reject-LAN-https
        option src          lan
        list proto          tcp
        option dest_port    443
        option target       DROP

a LAN client still can access luci. How do I prevent that?

You didn't create a guest interface. It is hard to explain when you don't have any knowledge.

You need to create a separate interface, then play with firewall.

Sorry, but I don't get that:

I want to use all non-WAN-ports for the guest LAN, which are eth1–eth4. The LAN interface already is a bridge for those ports.

So I have to create another "guest" bridge, using the same ports?

As was mentioned before, you need to use 3 ports for a guest network. Create an interface for them and a firewall zone. Leave one port as a regular lan, etc. It is how I see what you want.
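The setup the replies above describe (a br-guest bridge on DSA ports, a separate guest interface with DHCP, a guest firewall zone that forwards only to wan, and router admin allowed on the wan side only from the upstream LAN), as one added example written as a script of uci commands. It is not code from this thread or from OpenWrt. The port list, the guest subnet and the upstream LAN range are constructed placeholders; the script assumes the stock DSA configuration in which the first `device` section is br-lan, and the `UCI` variable exists only so the generated commands can be inspected off-router. Because the guest zone's input policy is REJECT, guests get neither ssh nor LuCI without any per-port DROP rules; DHCP and DNS to the router are the two explicit exceptions. Setting `GUEST_PORTS="eth1 eth2 eth3 eth4"` gives the all-ports variant, in which the admin rule from the upstream LAN is the only remaining way in.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: build the guest LAN the
# replies describe on a DSA-based EdgeRouter X. Everything goes through uci, so the
# result can be reviewed with 'uci changes' before it is committed.
# Addresses and the port list are constructed placeholders; set them for your network.
# Usage on the router:  sh guest-lan.sh apply

GUEST_PORTS="${GUEST_PORTS:-eth2 eth3 eth4}"      # eth1 stays in br-lan for local admin
GUEST_ADDR="${GUEST_ADDR:-192.168.3.1}"           # router address in the guest subnet (constructed)
GUEST_MASK="${GUEST_MASK:-255.255.255.0}"
UPSTREAM_LAN="${UPSTREAM_LAN:-192.168.178.0/24}"  # the "real" LAN behind eth0/wan (assumed; set yours)
UCI="${UCI:-uci}"                                 # overridable so the commands can be recorded off-router

# add_rule <section> <name> <src zone> <proto> <dest_port>: an ACCEPT rule for
# traffic addressed to the router itself (no dest zone = input chain).
add_rule() {
    "$UCI" set "firewall.$1=rule"
    "$UCI" set "firewall.$1.name=$2"
    "$UCI" set "firewall.$1.src=$3"
    "$UCI" set "firewall.$1.proto=$4"
    "$UCI" set "firewall.$1.dest_port=$5"
    "$UCI" set "firewall.$1.target=ACCEPT"
}

configure_guest_lan() {
    # 1. Bridge device over the guest ports; remove the same ports from br-lan.
    #    Assumes the stock DSA config, where the first 'device' section is br-lan.
    "$UCI" set network.br_guest=device
    "$UCI" set network.br_guest.name='br-guest'
    "$UCI" set network.br_guest.type='bridge'
    for port in $GUEST_PORTS; do
        "$UCI" add_list "network.br_guest.ports=$port"
        "$UCI" del_list "network.@device[0].ports=$port"
    done

    # 2. Interface on the bridge with a static address and a DHCP pool for guests.
    "$UCI" set network.guest=interface
    "$UCI" set network.guest.device='br-guest'
    "$UCI" set network.guest.proto='static'
    "$UCI" set network.guest.ipaddr="$GUEST_ADDR"
    "$UCI" set network.guest.netmask="$GUEST_MASK"
    "$UCI" set dhcp.guest=dhcp
    "$UCI" set dhcp.guest.interface='guest'
    "$UCI" set dhcp.guest.start='100'
    "$UCI" set dhcp.guest.limit='150'
    "$UCI" set dhcp.guest.leasetime='12h'

    # 3. Zone policy: guests may not talk to the router (input) nor to any other
    #    zone (forward); the only forwarding is guest -> wan.
    "$UCI" set firewall.guest_zone=zone
    "$UCI" set firewall.guest_zone.name='guest'
    "$UCI" add_list firewall.guest_zone.network='guest'
    "$UCI" set firewall.guest_zone.input='REJECT'
    "$UCI" set firewall.guest_zone.output='ACCEPT'
    "$UCI" set firewall.guest_zone.forward='REJECT'
    "$UCI" set firewall.guest_fwd=forwarding
    "$UCI" set firewall.guest_fwd.src='guest'
    "$UCI" set firewall.guest_fwd.dest='wan'

    # 4. The two router services guests still need: DHCP and DNS.
    add_rule guest_dhcp 'Allow-DHCP-Guest' guest udp 67
    add_rule guest_dns  'Allow-DNS-Guest'  guest 'tcp udp' 53

    # 5. Internet yes, upstream LAN no: the forwarding above would also reach the
    #    real LAN through wan, so that address range is rejected by destination.
    "$UCI" set firewall.guest_block_upstream=rule
    "$UCI" set firewall.guest_block_upstream.name='Block-Guest-to-Upstream-LAN'
    "$UCI" set firewall.guest_block_upstream.src='guest'
    "$UCI" set firewall.guest_block_upstream.dest='wan'
    "$UCI" set firewall.guest_block_upstream.dest_ip="$UPSTREAM_LAN"
    "$UCI" set firewall.guest_block_upstream.proto='all'
    "$UCI" set firewall.guest_block_upstream.target='REJECT'

    # 6. Admin from the upstream LAN only (one rule instead of three): the router
    #    answers on its wan address for that range, not for the internet.
    add_rule admin_from_upstream 'Allow-Admin-from-Upstream-LAN' wan tcp '22 80 443'
    "$UCI" set firewall.admin_from_upstream.src_ip="$UPSTREAM_LAN"

    "$UCI" commit network
    "$UCI" commit dhcp
    "$UCI" commit firewall
}

case "${1:-}" in
    apply) configure_guest_lan && /etc/init.d/network restart \
           && /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart ;;
esac
```

Run it with `apply` on the router, or set `UCI=echo` first to see the exact uci commands it would issue. The admin rule restricts by `src_ip`, so a port forward on the upstream router is still needed before anything on the internet could reach ssh or LuCI, which matches the reasoning earlier in the thread.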

So it's not possible to use all 4 remaining ports for this setup? I do have to keep one for the normal LAN interface?

It seems to work with the firewall changes I posted above, I'd only like to additionally block luci access for the LAN interface and only allow it from the WAN … with this firewall settings, I almost have what I want: A LAN client can access the internet, but not my real LAN. Also, ssh access to the router is rejected. Only luci is still accessible …

It is possible, but usually one needs normal interface to control the device.

Sure, but if I allow this through the WAN interface (as posted above), I can access the router through its "external" IP in my "real" LAN. This way, I thought I could simply make the whole LAN the "guest" LAN.

So is the firewall setting posted above okay for this (maybe a bit special) setup? If so, why do the DROP rules prevent LAN access to the router's SSH server, but not to its HTTP server?