Guest Wireless net


I have the ISP router connected to LAN port 1 in my OpenwWrt router (For the moment I cannot connect it to the WAN port as I still haven't been able to set the bridge mode in the ISP router, and I need them because it don't have access to the whole configuration).
I want to create 3 wireless networks in 3 different vlans and 1 wired network in a 4 vlan (the idea is to avoid each of them to reach the others).
I have created the wireless networks without issues, with the following configuration (this is only for the guest, but I have done the same for the other wireless):

ISP router:
OpenWrt router:
Guest wifi net:

I have also set DHCPs and created a firewall zone for each of them, but I'm not sure how should I create the firewall rules.
As it is configured now, I can connect to my guest network and the connected devices have 192.168.1.x IPs, which are assigned by the ISP router, and they can certainly browse the web. But when I stop the DHCP in the router ISP, no 192.168.2.x IP address is assigned. What am I doing wrong here?

You could renumber either LAN - then you can plug into the OpenWrt's WAN port (e.g.

I'm not sure if I have understood you. This is only to make a use of the WAN port of the OpenWrt, right? I should be able to set the ISP router in bridge mode soon. The thing is that I want to set the guest wireless and I haven't been able to do it

  • Did you add guest to a firewall zone?
  • Did you permit guest to WAN firewall traffic?

On the main firewall page.

You can plug the WAN into the ISP router but you need to be sure your LAN is not conflicting with it. So change LAN to something outside of 192.168.1.X that the ISP modem / router makes you use.

Then if / when you do bridge the ISP you will have a public IP instead of 192.168.1.X as the WAN, but since neither one conflicts with your LAN or guests it will continue to work. Having the public IP coming in means that you can accept incoming connections and run servers if you want to.

Get this working first so you have a clear path to the future. Then start with the guest networks.

Guest networks need their own IP range that does not overlap your LAN or WAN. They have a DHCP server which serves the guests with IPs in that network's range. They need a separate firewall zone and a firewall rule to forward from guest to WAN. The rules are much like how LAN forwards to WAN only a new separate set.

1 Like

Yes, I have already added firewall rules. I said I was unsure how to do it because, in this case, there is no wan port in use (because I'm using the LAN port to connect to the ISP router) so I am not sure how to treat "wan" as zone. Perhaps, I should use LAN as forwarding zone in my last rule here.

If you're in the same zone, there is no firewall to pass. If different zones, traffic must go from zone x to zone y.

So if I understand, you want guest to LAN...and you'll have to setup masquerade for SRC - since you're choosing to use LAN.

(It would be so much easier if you just setup the router for future bridging.)

It is a good idea to have it all set up in order to easily switch to bridge mode when the time comes. Thanks for that @mk24.
Here is my current LAN interface set up. So what you are suggesting is moving LAN to anything else like How would I reach the default gateway (ISP router) in that case?

1 Like

I don't understand thoroughly, write only simple consideration.

  1. In you case LAN 'becomes' WAN, so you should disable DHCP for LAN, and set GW.
  2. For guest wireless you should create additional network, and forward packages to LAN with masquerading. Try to find discussion, it was about month ago.

As recommended, I plugged the ISP router to the WAN port of the OpenWrt router (and changed the LAN).

I have also configured the WAN interface using the network that is set in the ISP router (I can change it later to the public net, after the bridge is set). I have set the WAN interface IP by DHCP, should I better put a static IP, and disable DHCP of net 192.168.1.x in ISP router?
Now I am able to set the guest network without issues.

I'm willing to use OpenWrt as a means to better understand networking. What would you recommend me to do ? I'm starting with the documentation in the OpenWrt website and forum.

It doesn't matter. In your configuration your router makes NAT in any case (in discussion there was option to NAT only one network).

I recommend you to remove accept input from guest zone (guests should not connect to your OpenWRT device)
I would also remove forwarding on guest zone, I generally don't want guests to be able to connect each other
Also I personally like more block (drop) than reject (reject will send a packet back revealing there's a firewall, drop will just ignore the packet and the sender will timeout)

Why masquerading on guest zone?

It takes place when router is connected to another router lan-to-lan.

Set masquerading on the destination zone, which is lan in this case. Don't set masquerading on the guest zone.

Guests will need to make incoming connections to the router OS for DHCP and (by default, but you can change this) DNS services. Rules should be made to allow that but block all other input.