Guest WiFi how to block WAN IP subnet

Hi there.

  1. Sorry for the confusing topic name.
  2. I successfully create a "dump" Wifi Access-Point.

My question is:

WAN port the IP is assigned automatically from my "router
Router IP range:
Guest IP range

If I connect to the Guest Wifi I get an IP e.g.

If I open any browser on a device in the Guest Wifi and enter I can access to the router. is this behavior normal? I dont want to let clients access to my "private" network. The should only stay in the network. btw. they can see each other. I dont care about this matter.

Thanks for help.

simply unplug the WAN cable ?

or is this device providing private wifi, and a guest wifi ?

Router: connected by LAN Cable (Router LAN to OpenWRT WAN port)

If I unplug LAN cable the OpenWRT would be without connection to internet.

correct, you wrote ...

The should only stay in the network.

unplugging the cable will solve this for you.

I want to let the guest access to the internet but not access to the private network.

disallow access to the 192.168.18 subnet in the guest wifi router's firewall.
you need to permit access to the 192.168.18's router IP though.

Disallow I understand. But what do you mean with permit access ? Could you explain this in detail?
Thank you.

if you block the whole upstream subnet, including the router's IP, you won't get an IP, DNS, and internet.

Write a traffic rule: source zone guest, Destination IP, action REJECT or DROP.

Actually you do not, unless guests are using it directly for DNS or another service (which they should not). A gateway IP is not part of the destination IP.

Guests running a traceroute can discover that there is a router at, but the firewall rule disallowing will prevent any attempt to log into it.

1 Like