Firewalling guest network with 2nd OpenWrt

Hi,

I'm using an OpenWrt router (router 1, 192.168.2.x) to manage my network behind the dumb router supplied by my provider.

Now I need a guest network out of the Wi-Fi range of router 1, so I set up a second router (router 2, 192.168.3.x) with OpenWrt. I connected the router 2 WAN port to a router 1 LAN port. On router 2 I want to be able to deny some predefined IoT clients internet access and access to my clients connected on router 1. Random clients at router 2 shall not be able to connect to my clients at router 1, except for 2 predefined clients. Every client on router 1 shall be able to connect to any client on router 2.

My idea was that I allow everything incoming at the router 2 WAN port, because it is basically my router 1 LAN and router 1 is doing the firewalling to the real WAN. Then I created a firewall rule at router 2 (allow all to 192.168.2.2, 192.168.2.3) to allow everything outbound to my predefined IP addresses of router 1 clients. The next rule drops everything else (drop all to 192.168.2.0).

It turns out that clients at router 2 are still able to connect to every client on router 1.

Can someone help me to achieve what I'm trying to do?

From your description, I assume that you have a wired Ethernet connection directly between these routers (without an unmanaged switch in between)?

If so, I would usually recommend making all the policy decisions on your main router, using the second one merely to execute them in the form of a slightly smarter 'dumb AP' and managed switch, with VLANs and port trunking between them. This would mean you'd set up the guest/IoT VLAN and its firewall zone on the main router and then merely pass it through the second device.

This approach usually makes management a lot simpler (unless you need a campus-style network for multiple departments, each with their own independent policies).

Thank you for your help.

You assume right. Router 2 is a direct Ethernet link to router 1.

If I make the LAN port at router 1 a VLAN and try to manage everything there, how can I treat different clients from router 2 differently? My guess was that router 1 cannot distinguish between different clients connected to router 2.

Can I use the MAC address filter for firewalling on router 1 if the client is connected to router 2?

Shouldn't the firewall work as expected with an allow rule for 2 IPs followed by a drop rule for the whole subnet?
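The policy of the original design (router 2 firewalls its own guest clients towards router 1's LAN), written out as traffic rules for /etc/config/firewall on router 2. This is an added example, not configuration from the thread; the zone names lan and wan are the OpenWrt defaults and the IoT MAC address is a placeholder. Two details are worth checking against such a rule set: fw3/fw4 evaluate `config rule` entries in file order before the zone's default forwarding policy, so the accept entries must precede the subnet-wide drop, and a rule's `proto` defaults to tcp and udp, so a drop without `option proto 'all'` still lets ICMP (ping) and other protocols through. A destination written as a bare 192.168.2.0 matches only that single host; the whole subnet needs the prefix length.

```uci
# /etc/config/firewall on router 2 (192.168.3.1), which NATs its guest
# clients (zone lan) towards its WAN port plugged into router 1's LAN.
# Rules are matched in file order; the first match wins.

# Predefined IoT devices (placeholder MAC) get neither internet nor any
# host in router 1's LAN: listed first so it beats the accept below.
config rule
	option name 'Reject-IoT-forwarding'
	option src 'lan'
	option src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# Two hosts in router 1's LAN that every other guest client may reach.
config rule
	option name 'Allow-guest-to-permitted-hosts'
	option src 'lan'
	option dest 'wan'
	list dest_ip '192.168.2.2'
	list dest_ip '192.168.2.3'
	option proto 'all'
	option target 'ACCEPT'

# The rest of router 1's LAN is unreachable from guest clients.
# Prefix length matters: a bare '192.168.2.0' matches only that one host,
# and without proto 'all' only tcp/udp would be dropped.
config rule
	option name 'Drop-guest-to-router1-lan'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.168.2.0/24'
	option proto 'all'
	option target 'DROP'

# Anything not matched above falls through to the default lan -> wan
# forwarding of the OpenWrt template, i.e. plain internet access.
```

After editing, `/etc/init.d/firewall restart` applies the rules; a ping from a guest client to an address in 192.168.2.0/24 other than .2 and .3 is the quickest check that the drop actually covers non-tcp/udp traffic.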

The trick would be to set up the guest/IoT network on the main router and then pass the desired VLANs via port trunking to the second router. There you merely decide which VLANs go to which Ethernet (access) ports and which AP interfaces to bridge with which VLAN (most wireless hardware allows at least 4 concurrent AP interfaces per radio, but the interface combinations reported by iw list will tell you).

Router 2 needs to be set up as a dumb AP for this.

There are some good videos on this topic:

Thanks for the input.

On my first try I was hooking up a direct Ethernet cable for testing purposes. That's when I created the first posts. While watching the videos I realized that I actually will not have a direct connection later. Sorry about that.

I will have a managed switch between router 1 and router 2 and will not be able to connect them directly. I only have 2 Ethernet cables to router 1. The first is connected to the WAN and the second to the managed switch where most of the cable-bound clients are connected. At the point where I would have to single out a port for the VLAN I would fail, because all traffic except outbound is on the same port on router 1. ;(

Is my goal still achievable?

Yes

You need to trunk the VLANs.

This means placing more than one VLAN on the LAN port going to the managed switch. This is done by adding each VLAN to that LAN port and ensuring it is TAGGED.

The tags identify the VLAN at the managed switch end, where you do a similar setup to split the VLANs to different ports on the managed switch.
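The trunked setup described above, as an added example that is not from the thread: router 1 keeps its existing LAN untagged on the single cable to the managed switch and adds the guest/IoT network as a tagged VLAN on the same port, so the switch and the dumb AP only need to carry VLAN 3 through to the guest SSID. It assumes a DSA-based OpenWrt (21.02 or newer) and a port named lan1; VLAN id 3, the guest subnet 192.168.3.0/24 and the MAC address are placeholders. Because the switch and the AP bridge frames unchanged, a client behind router 2 still arrives at router 1 with its own source MAC, which is what lets a `src_mac` rule on router 1 single it out.

```uci
# /etc/config/network on router 1. 'lan1' (assumed name, check 'ip link')
# is the one cable to the managed switch: VLAN 1 untagged as PVID (u*),
# VLAN 3 tagged (t), i.e. a trunk port.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp on router 1: router 1 now serves the guest leases.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '100'
	option leasetime '12h'

# /etc/config/firewall on router 1: the policy now lives here.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guest clients get internet ...
config forwarding
	option src 'guest'
	option dest 'wan'

# ... and router 1 clients may reach every guest client; the reverse
# direction has no forwarding entry, so random guests cannot reach the LAN.
config forwarding
	option src 'lan'
	option dest 'guest'

# Guests still need DHCP and DNS from router 1 itself (zone input is REJECT).
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	option dest_port '53 67'
	option proto 'tcp udp'
	option target 'ACCEPT'

# One of the predefined clients, allowed into the LAN by MAC (placeholder).
config rule
	option name 'Allow-predefined-guest-to-lan'
	option src 'guest'
	option src_mac '00:11:22:33:44:66'
	option dest 'lan'
	option proto 'all'
	option target 'ACCEPT'
```

On the managed switch, the port towards router 1 and the port towards router 2 both carry VLAN 3 tagged (VLAN 1 untagged as before); on router 2, acting as a dumb AP, a bridge over the tagged VLAN 3 sub-interface is attached to the guest SSID and no firewall or DHCP runs there. Denying the IoT devices internet is the same kind of `src_mac` rule with dest 'wan' and target 'REJECT', placed on router 1 before the forwarding entries take effect.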

Is the second video wrong then when it states at 4:40 that every port can only serve one interface?

However, I'll read into trunking; thank you for the hint.