Guest network config with/without "access to intranet" like on Asus router


Could anybody help me to configure a Guest network like on my existing Asus router (RT-N18U running stock firmware) with easy turning on/off the "access to Intranet" and using the same network range and DHCP like basic LAN?

I've been successfull to configure a Guest network, isolated from the basic LAN, using separate network range (also DHCP), different from the basic LAN. Going step-by-step thru the docummentation, I was required to avoid using the basic LAN network range, so I did. Thats OK for a standard Guest networks, but I would like to have some modification (or create new network for WiFi smart home devices):

I want to use that Guest network (lets call it SmartHomeDevices network) for cameras and other smart devices, which usually uses their own vendor specific cloud services, to use the connection to Internet via the same network range used for basic LAN (dedicated static IP leases - static leases for smart devices already ready), avoiding direct communication towards my devices running on basic LAN, with only ocassional need to turn that communication on => "access intranet" check button on existing Asus router (same network range for basic and guest network with only turning on/off the access to the intranet).

So normal status => WiFi Smart Devices cannot communicate to other devices on the basic network

Ocassional usage (e.g. debugging/pinging) => WiFi Smart Devices can communicate to other devices on the basic network

Could you please recommend if the Guest network is the right configuration for that purpose (and how to reach the goal if so - probably to configure and turn on/off some dedicated route ???) or if there is a better or easier configuration in OpenWrt by not using the Guest network as the same network range usage is required (and how to reach the goal if so - probably to configure somehow the isolation of specific WiFi devices from the rest of the network ???).


Some people do it like this - the "IoT Network" (or in your case, "Guest Network") cannot initiate any communications to the basic network, whereas devices on the basic network can see and initiate communications to anything in the IoT Network, i.e. one-way traffic.

Use case: You have a "Home Assistant" smart home system that sits in your LAN that talks to the IoT devices locally to control their setting, turns lights on/off, etc etc. It can because of this setup. The IoT devices (or guest devices / phones / PCs for that matter) however won't be able to scan and see what's in your basic network even if it wants to.

Then, no need to manually flip something on for "occasional usage"...

Of course, you may already know about this concept, but still want to do "occasional usage" instead because of whatever reason. Doable of course with firewall config changes.

1 Like

Mind the gap:

  • devices with Broadcom WiFi chipsets have limited OpenWrt supportability
  • WiFi does not work

(that note likely is still up to date)

You might need to consult an Asus discussion forum for guest config on vendor firmware or look for a more OpenWRT-capable device (and I doubt that you will be happy installing OpenWRT on your device considering that Wifi limitation)

Thats exactly what I need (as you wrote, then no need for ocassionals :grin: if the communication from sensors towards my LAN is blocked).

Preferably if I could have separate SSID for the IoT devices (not to use the same SSID used for mobile phones).

Could you help/hint how to configure?

I am actually running OpenWrt on similar router RT-N14U (single wan) => preparing the configs to switchover from Asus stock firmware (with no more security updates) to OpenWrt. WiFi is running OK so far...

Thanks I will check the OpenWrt compatibility/differences between RT-N14U and RT-N18U.

Oh, broadcom....

Yeah not much of a reason to be flashing Openwrt then. reason #1
...only 64 static leases on Asus stock fw #2

RT-N18U platform bcm53/generic

RT-N14U platform ramips/mt7620

Is the N14U more suitable for OpenWrt than N18U?

I can see releases for both of them and I expected N18U will be better as it has more features (e.g. dual wan)

the N18 will have no Wifi once OpenWRT is installed. „Suitable“ as in „yes, but will be a wired router only“

The N14 is old and its 64MB RAM are not much. Its Wifi will work, as Ramips/Mediatek is supported.
„suitable“ as in „yes, but the hardware will stay outdated and feel slow“. Confoguring it as pure access point might save some RAM.

Thanks for the info. I did not expected the N18U will not support WiFi. I will stay on OpenWrt with N14U, and probably I will use the N18U only as a wired switchower unit for two ISPs.

Any help with the N14U configuration?

BTW, is not it possible on N14U to configure one of its four LAN ports as a secondary WAN port? (I think no, but just asking)

Wifi: I have neither of the 2 devices, I am only alerting about what others have noted on that wiki page in the past.

multi WAN: I would say pretty much all of the supported devices can have as many ports used for WAN as there are RJ45 ports available on the device, as long as the device has multiple dedicated network interfacd cards or a builtin switch with VLAN and/or DSA support.
As OpenWRT gives you low level config access to all network ports, you are not limited to what certain config wizard click paths of the vendor have implemented.


Sorry for not coming back sooner.

Discussion went to the N18 with the Broadcom chip - forget it. I have also applicable newer TP-Link Archer C50 v4 for OpenWrt.

So how to use/configure the same network range (also DHCP server with static leases) for two separate SSID, where SSID for IoT can communicate to Internet and cannot scan internal network or do "bad/wrong things" :slight_smile: towards devices on LAN and MainSSID?

Any hints/example configs?


this is wrong approach
without deep networking talk
SSIDs are Layer2
IP are Layer3
so, if you wish to have both SSID serving same IP range, they need to be in same L2 segment
to separate them, you need L2 filtering, which wont work without days of trial&error

furthermore, what is a reason to have same IP range on IoT/LAN ?

best thing is to make GUEST network, assign different IP range (ex: and filter on Layer3 with standard, build in OpenWRT firewall

1 Like


Please see my first info in this topic - it is described there.

Later seemebreakthis user described the reason in the IoT usecase perfectly (if configured that way, no ocassional use would be needed).

The reason to have the IoT devices on separate SSID is simple - I do not want to share my primary SSID credentials (SSID&password) with IoT devices which communicates with their vendor cloud.

Can you help me to reach the goal by proper example configuration or step-by-step instructions?


that was my question, why do you want to IoT and LAN have same, for example, range ??

Because I would like to use the same single DHCP server (during ocassional situations I wanted to allow IoT devices the communication towards LAN), also because of preserving the same IP settings on my network (IoT and PC LAN) during "the migration" from existing Asus RT-N18U router running stock firmware (where all devices uses the same network and I can enable/disable "access Intranet") to Asus RT-N14U router.

The final stage after migration might be probably on different networks (later move from the same network to another) if the ocassional need to "access Intranet" could be simply done by turning on/off some prepared route (???).