Guest Network for Guest WiFi

I updated my router to the latest LEDE version. That worked pretty well.
After I got our local network up and running I wanted to configure a WLAN for guests.
I found the article on the WIKI and followed it. it works partly, I can connect via WLAN, get an IP with the right network range but could not reach the Internet.
I have a separate DSL router, ethernet switch and several access points (LEDE routers). My guess is that I need a separate IP range for my guests, e.g. with seperate DHCP server providing IPs. So far I think I understand.

Now things get confusing. Why do I need a WAN interface, I have only one plug/cable, router to switch. I assume that both IP ranges 192.168.1.x and 192.168.3.x use that cable. What do I need to configure on the DSL router? Shouldn't IP be enough? Sorry, I'm confused. Thanks for help

The WAN interface is what gets you on the Internet.

Take a look at this section of the LEDE User Guide...

Get an understanding of the basics before moving on to Guest WiFi.

1 Like

It may help if you diagram your LAN, but if your DSL "Box" is both a modem and router and it is doing the DHCP for your LAN all the other boxes behind it should be set as "Dumb APs" and have an IP in the same subnet as the main router. (HINT: set a static IP on the actual dumb ap or you may not be able to access it if it is not on the LAN)

This recipe covers building the "Dumb AP" as part of a Guest AP on the Dumb AP. The dumb AP will use the primary router (your DSL box) for non-guest clients, but will have ON IT it's own DHCP server for the Guest LAN. You can also find the "Dumb AP" recipe on the OpenWrt wiki.
It's in German, but there are plenty of translation tools and the pictures may be good enough.

A few thoughts about guest networking...

  1. Make sure your LEDE boxes have radios that support multiple simultaneous SSIDs (wifi networks) if you plan to run a guest and trusted network on the same physical hardware.

  2. It is possible to run guest networks using double-NAT, but you need to make sure you properly isolate the network from the trusted LAN using either firewall rules and/or wifi guest isolation. Ironically, the default state of a double-NAT guest network is that the guest network would be inaccessible from the trusted LAN, but the trusted LAN may be accessible by the guest network.

  3. If you can replace the main network router with a LEDE device, you can setup VLANs (virtual LANs) which give you much better control over the level of isolation and/or inter-VLAN routing, in addition to a generally more efficient network design.