It is a Linksys model and I have configured it in Bridged Mode.
The router has an option for Guest Wi-Fi, which created a new network 192.168.3.0/24.
My problem is that all the traffic is then aggregated onto the same wired LAN link and arrives using the same source IP address - i.e. the IP address of the Linksys device.
Apart from using two different Wi-Fi routers (one for internal and one for guest) is there any method for separating the traffic and preventing Guest devices from accessing my internal network?
I was hoping that the community, who I've found to be very helpful until now, might be able to offer some advice regarding how to, ideally, separate aggregated LAN traffic based upon originating MAC/IP or, if that's simply impossible, confirm it to be impossible so that I can decide whether I need to run a separate WAP for guest traffic.
On a theoretical basis, I do think so.
But we don't know (and I guess neither do you) what the firmware of your ISP allows you to change.
Especially in bridge mode, where on some models even WiFi is disabled.
But when you're using the ISP router in bridge mode I assume you've got another router that does the rest. If this hypothetical router runs OpenWrt, we might be able to help you.
For this we need further information.
I have a Raspberry Pi 4 running OpenWRT operating as a router on a stick.
The new Linksys 'router' is pretty locked down when running in bridged mode - i.e. no control over the IP addressing of the Guest network or any options to use VLAN tagging.
Unfortunately, the 192.168.3.0 Guest network is invisible to the OpenWRT router and all traffic arrives with the normal source IP of the Linksys device. I presume that it is performing some form of port based NATing.
The guest network on that device is clearly created using NAT Masquerading, just like this tutorial.
Because of this and the fact that it currently is not running OpenWrt (or if it is, is probably a variant that is not the same as the official OpenWrt), there isn't anything that can be done in these forums to resolve your issue, except for you to disable the guest network on that device and/or take other more significant actions (i.e. if supported, install OpenWrt, or just remove the device from your network).
You need to contact your ISP for questions about that device.
Apart from using two different Wi-Fi routers (one for internal and one for guest) is there any method for separating the traffic and preventing Guest devices from accessing my internal network?
Sorry... I missed this question earlier. This is a function of the firewall on the dumb AP + guest network device. So if the firewall on the Linksys device prevents access to RFC1918 addresses, you should be good. If not, no, there's nothing you can do unless you put the whole device on another network.
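One way to check the point in the last reply, that guests are only isolated if the Linksys firewall blocks RFC1918 destinations, is to probe your own internal addresses from a device joined to the guest Wi-Fi. This is an added example, not part of the original thread; the function names are hypothetical and the target addresses are constructed placeholders (only the 192.168.3.0/24 guest subnet comes from the thread).

```python
import ipaddress
import socket

# RFC 1918 private ranges that the guest firewall should keep guests out of.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def tcp_probe(addr, port, timeout=2.0):
    """Classify one TCP connect attempt made from the guest client."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"        # handshake completed: guest reached the host
    except ConnectionRefusedError:
        return "refused"         # a reset came back (from the host or a firewall)
    except OSError:
        return "no-reply"        # timeout or unreachable: consistent with a block

def audit_guest_isolation(targets, guest_net, probe=tcp_probe):
    """Return (addr, port, status) for every private target outside the
    guest subnet that gave any answer at all."""
    guest = ipaddress.ip_network(guest_net)
    findings = []
    for addr, port in targets:
        if not is_rfc1918(addr) or ipaddress.ip_address(addr) in guest:
            continue             # public address or the guest subnet itself
        status = probe(addr, port)
        if status != "no-reply":
            findings.append((addr, port, status))
    return findings

if __name__ == "__main__":
    # Constructed targets: replace with hosts on your own internal LAN.
    targets = [("192.168.1.1", 80), ("192.168.1.10", 22), ("192.168.3.1", 80)]
    findings = audit_guest_isolation(targets, "192.168.3.0/24")
    for addr, port, status in findings:
        print(f"{addr}:{port} {status}")
    print("no answers from internal addresses" if not findings
          else "review the findings above")
```

An `open` result means the guest firewall is not blocking that internal address; `refused` is inconclusive, because either the host or a rejecting firewall may have sent the reset.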