Creating a guest LAN (not WLAN)

Thank you for your insight! Yes, that's indeed more secure. I have modified it as you suggested and it works:

guestzone: input -> reject

traffic rule: allow guestzone input at port 53 67 68

Oh, I see. Am I correct to assume that if someone has a sub-router or sub-switch that needs segregation of guest vs non-guest ports, i.e. two sub-switch ports on the guest LAN and two sub-switch ports on the non-guest LAN, then it is better to go with the VLAN tag method because it allows both guest and non-guest "stream" on the same cable?

Correct. VLANs allow you to carry multiple networks over a single cable to the next device. Then a VLAN-aware AP and/or a managed switch enables those networks to be accessed as needed via wifi (usually one SSID per network; it is possible to make a single SSID with unique passwords to direct to different VLANs) or per-port on an Ethernet switch.

I have been following this guide and it works great for me.
But I have this issue...

When I made a forwarding rule from guestzone to lan, I do not get the correct IP from the PC located on the guestzone, but the IP from my router.

Any way to solve this?

Thanks Michael,

That would happen if you have masquerade enabled on the lan zone. If you are adding a guest network to a basic lan->wan main router, masquerade should not be enabled on any guest or lan zone, only on wan. Then symmetric routing (source IP address preserved) will occur between the LANs.

Thanks, it works fine 🙂
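
As an added example (not posted by anyone in the thread), the two settings discussed above, guest zone input set to reject and masquerade enabled only on wan, can be checked with a small shell script over a UCI-style firewall config. The sample config is constructed, and the zone names `lan`, `guest` and `wan` and the rule name are assumptions.

```shell
# Added example, not from the thread. Sample config is constructed; the zone
# names (lan, guest, wan) and the rule name are assumptions.

# Print "name input masq" for each zone section of a firewall config on stdin.
zone_table() {
    awk -v q="'" '
        function emit() { if (inzone) print name, input, masq }
        $1 == "config" { emit(); inzone = ($2 == "zone"); name = input = "?"; masq = 0; next }
        inzone && $1 == "option" {
            val = $3; gsub(q, "", val); gsub(/"/, "", val)
            if ($2 == "name")  name = val
            if ($2 == "input") input = toupper(val)
            if ($2 == "masq")  masq = (val == "1")
        }
        END { emit() }'
}

# Report masquerade on any zone other than wan, and a guest zone that accepts
# input. $1 = guest zone name (default "guest").
audit_zones() {
    zone_table | awk -v g="${1:-guest}" '
        $1 != "wan" && $3 == 1 { print "masq on non-wan zone: " $1 }
        $1 == g && $2 == "ACCEPT" { print "guest zone input is ACCEPT" }'
}

# Constructed sample; $1 sets the lan zone masq value (1 = the problem case).
sample_config() {
    cat <<EOF
config zone
	option name 'lan'
	option input 'ACCEPT'
	option masq '$1'
config zone
	option name 'guest'
	option input 'REJECT'
config rule
	option name 'Guest-DNS-DHCP'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'
config zone
	option name 'wan'
	option input 'REJECT'
	option masq '1'
EOF
}

sample_config 1 | audit_zones   # masq on non-wan zone: lan
sample_config 0 | audit_zones   # no findings
```

On a router the same check can be run as `audit_zones < /etc/config/firewall`, passing the guest zone's name as the first argument if it is not `guest`.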