Guest Wi-Fi on an AP couldn't reach the internet

I have an openwrt router and a separate openwrt dumb access point.

I'd like to create a guest Wi-Fi on the AP.

I followed the official tutorial, but it doesn't work for me because it seems to assume that the router and the AP are on the same device.

On the AP, the guest network interface ( is allowed to forward to the lan, and the guest Wi-Fi uses that interface. After a client (192.168.2.X) connects to that Wi-Fi, it couldn't reach the router ( or the internet.

From tcpdump it seems the issue stems from ARP: on the router, keeps broadcasting who is at 192.168.2.X, but never gets any answer, and on the client, it only answers to ARP broadcast from

On the router, I have firewall rules that allow lan/wan to forward to and from, so I don't think the packets are filtered.

Should I somehow employ a proxy ARP or something?

Is there only supposed to be a guest wifi on the AP, or is there also a non-guest WLAN ?
and if you allow guest WLAN users on the LAN, why even bother setting one up ?

There will be both guest and non-guest WiFis. Eventually guest WiFi shouldn’t be able to talk to LAN, but I’m taking baby steps, I’d like to make guest WiFi be able to access the internet first.

Since the AP is connected to the router wired, I figure guest WiFi has to go through router’s LAN and then be forwarded to WAN. Leaving ARP unanswered doesn’t seem right to me.

If I ping on the WiFi client, LAN on the router will send the echo request to with client IP (, then WAN on the router will send the echo request to with WAN IP and receive the echo reply, but it then sends a destination unreachable ICMP to WAN has masquerading enabled. I wonder if masquerading is unable to deal with IP range not bound to an interface ( on the router?

I did add a route on the router:

ip route add dev br-lan

but it doesn't help.

You need to setup vlans.
See this tutorial:

1 Like