Creating a guest wifi fails

Dear experts

I’m a proud owner of a brand new TP-Link C2600 that got instantly improved with latest LEDE; brilliant software on powerful hardware, but to both I’m new Installation and setup worked flawlessly as I’ve followed the given instructions, but now I face a problem: the instructions regarding setting up a guest wifi don’t work as expected.

Symptoms are:
· When I run the unaltered script from https://lede-project.org/docs/user-guide/guestwifi_configuration, the new guest interface is created and instantly populated with a new „Ethernet adapter (guest)“;
· when I add a new wifi device in the guest network, the wifi is added to the network and instantly bridged with the new ethernet adapter using a newly created „bridge (guest)“;
· when I connect my client to the new guest wifi network, I can access the internet - as well as all my clients in the lan; not what I expected;
· as the corresponding OpenWRT recipe shows in its screenshots, the guest network should only contain the guest wifi device and nothing else; so I remove its physical devices „Ethernet adapter (guest)“ and „bridge (guest)“;
· still, I can acces any lan device from the guest network.

So I wonder whether the cited instructions are correct? I also realized that when creating the new guest wifi following these instructions, weird things will happen:

· I add the new wifi device and enter the new SSID (replacing the default „OpenWRT“);
· I add the new device to the „guest“ network, while not checking „lan“
· When I switch to the security tab and back to general, I can see a newly created network „root“ with an active checkmark, so I uncheck this and only keep „guest“ checked;
· I switch back to security, choose WPA2-PSK and find the passphrase field is filled with the root user’s LUCI password (!);
· I replace this with the chosen password for the guest wifi;
· Save & apply leads me to acces to wan as well as to lan again.

What am I doing wrong? What instructions do work and lead to a guest wifi network that will be completely isolated from my lan?
Please note: I'm writing this post from memory, as I'm on the road right now. So maybe the terminology used is not quite correct.

Thank you for any input.

I think you need the isolate option, ssh in, navigate to /etc/config/wireless and add -

option isolate '1'

to the guest network iface.

Thank you mike, I'm gonna try this.
May I ask you to tell me what physical devices should be contained in a correct guest network?
Thanks a bunch

I'm not sure if this is what you mean, but you should have a new wifi network and interface, along with a few new firewall rules. Regarding the weird things you mentioned, if you're using chrome or chromium and have saved your router password (root), it will insert it into a lot of fields it shouldn't when you're using Luci, it may happen in other browsers too, I don't know, but that sounds like what you're describing.

This is a relatively new wiki and the first I am hearing about this You may want to track down the author.

The old OpenWrt pages for configuring a guest lan work, at least the Luci one does. You will also better understand the concepts by configuring it your self.
https://wiki.openwrt.org/doc/recipes/guest-wlan?s[]=guest&s[]=lan
https://wiki.openwrt.org/doc/recipes/guest-wlan-webinterface

If you need to have the guest LAN on a separate wired (dumb) AP this also works.
https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/
You will need to translate, but the pictures are almost enough.

Thank you @mike and @RangerZ. I guess I'll add some screenshots later to better explain my findings and concerns. I know the cited blog post allready as I'm of german mothertongue
I'll let you know about my proceeding as soon as there is something to report.
Thank you again for this awesome forum.