Guest wireless on seperate LAN, LEDE device is not network router

I have been scouring the internet for some general information on how to do this, but haven't come up with enough information to verify if what I want to do is correct.

My goal is to put my Guest wireless access on a different network segment from the rest of my LAN.

The basic reasoning for this is to improve the security of my LAN from guests. I believe this is possible based on my limited networking knowledge, but am trying to understand how to implement it with the existing network hardware that I have. A secondary goal that I have is to use this issue to improve my understanding of networking, so a mentor's guidance is appreciated.

Note that I am constrained to solve this using my existing hardware (described below). So if it is possible, I want to learn how to do it. Only tell me to go buy other hardware if it is not possible with what I have. Yes, I understand that using other hardware may make it easier for me to do this, but that option isn't available.

Existing hardware and network diagram:

Incoming DSL line ---> TP-Link DSL Modem (bridged to gateway) ---> PC Engines APU2C4 (gateway/firewall/router) ---> Trendnet 8-port Switch (unmanaged) ---> Buffalo WZR-600DHP (dumb WAP).

Of course, I have other PCs and printers connected to the switch, but not mentioned, and should be irrelevant to the issue.

The APU2 has three interfaces; igb0 is WAN, igb1 is LAN, igb2 is currently not used.

The Buffalo WZR is running the current LEDE 17 firmware. The Buffalo WZR has a WAN interface and 5 LAN interfaces. Since it is setup as a dumb access point, just a single network cable is connected to one of the LAN interfaces.

My LAN is setup on 192.168.123.x/24 and I have wireless access working on both radio signals of the Buffalo WZR. I would like to setup the Guest wireless access on the network 192.168.234.x/24.

I think I need to configure some type of VLAN setup within the Buffalo WZR to use a second LAN interface on a separate network, then configure a new wireless access point on one of the radios to use this separate network. But I am not familiar with VLANs at all and I think that is where I can use the guidance.

Once that is configured on the Buffalo WZR, then I think if I connect this second network point on the Buffalo directly to the un-used interface on the APU2 (once it is properly configured for the second network) and bypassing the switch (since it is dumb I don't want to confuse it with packets from another network), it should provide a completely separate network for the Guest wireless access. So the diagram for the Guest network would be:

Incoming DSL line ---> TP-Link DSL Modem ---> PC Engines APU2 (igb2) ---> Buffalo WZR Guest (192.168.234.x/24).

Would this work to meet my goal? If so, can someone give me some guidance on how to setup the LAN interfaces on the Buffalo WZR? I think I can figure out the rest of it after that.

If this would not work, please explain to me why and where my network knowledge is lacking so that I can identify where I need to do more reading. Thanks.


You could make a dumb AP connected to one vlan (wlan bridged to vlan)
and another vlan for connecting to the AP for management.
Both vlans need to be tagged on the port connected to the APU2 (and the APU2 needs the same vlans configured on it's interface)
Or a simpler version - untag the management vlan on one of the unused ports (or all) and manage your AP from them, and untag the wlan's vlan on the port connected to the APU2 (in this case the APU2 will see only the clients connected to wifi).

I use this

Your idea might work, but I don't understand it enough to even begin to implement it. I appreciate your reply, but I can't even figure out how to ask for further clarification.

Once I had Google translate your blog reference from German to English, this looks like an option that I might be able to pursue. The one thing that caught my attention in that setup, that maybe you can comment on, is that I am not sure that you have complete separation between the two networks (the normal LAN network of 192.168.10.x/24 and the Guest network of 10.0.0.x/24) because in the end the packets get snat'ed and masqueraded back to the 192.168.10.x24 network. But that part of my networking knowledge is not that good, so maybe someone can clarify this for me.

I am going to look into this in a little more detail and see if I might be able to work something out, but it is going to be a few days before I have the opportunity to work on it.

In the mean time if anyone else has a different option that I should consider, please let me know. Thanks.


One text that might help a bit

Another question, whats installed on your APU2? You need to configure your 'gateway' with vlans for it to work.

I have not seen that OpenWRT how-to that you reference. On an initial scan it looks similar to others I have been reading to learn about vlans. I will take a more detailed look at it.

The APU2 is running pfSense. With 3 ethernet ports on the APU2, one is WAN, one is LAN, the third is currently un-used.

I am not sure about needing to (or how to) configure the gateway with vlans. This is where I don't understand the big picture of how to use vlans yet. But my concern is that I don't have a managed switch (and my constraint is that I am not getting one anytime soon), so that is why I was thinking the guest network would be connected directly to the APU2 third ethernet port, bypassing the switch. I would have to configure the APU2's third port to match the guest network, and have it be the guest network gateway.


@jeffboyce - the easy way to think about VLANs is essentially to consider them separate networks. There are probably limitless ways to configure and use VLANs, but usually for home type applications, they are really just two or more independent (and typically isolated) networks that share some of the same hardware.

Some of this you'll already know, but I'll start simple and build up... I hope this is useful...

Start with your internet connection (WAN) -- this is usually a singular physical connection out out of your home, and is also likely to be a single IP address (at least when using IPv4). In order to use multiple devices on that connection (and to offer some level of security), we use a router. Your router is the network controller -- it hands out IP addresses to the devices on the LAN and serves at the gateway to the internet. It uses NAT to keep track of the data coming from and going to each of the devices on the inside of the network (LAN) and masquerades it over that single WAN connection (i.e. all of your traffic is effectively going through one device from the perspective of your internet provider). We can do this over wired or wireless connections, of course.

So far, an analogy could be mail being delivered to a central mail room in an office -- the postal service doesn't have to know the location of each recipient -- they just drop everything to one location and the mail room figures it out. Anyone in the building can send or receive mail via the mail room. For the sake of this analogy, let's imagine that it is an open office where the employees can walk anywhere within the building -- they can see who is around and easily talk to any other people normally.

Now, let's add a VLAN. We are creating an independent network. Each network has it's own VLAN ID, just like floors in a building. So let's now say that each floor of the building is occupied by a different company and for security, they have physical access controls to make sure that employees can only get into their own company space. The mail room can still be the same singular location in the building, but now it handles stuff to and from multiple companies. Employees of different companies can no longer roam the halls of the other companies, so they can only talk to fellow employees. But they can still send and receive mail through the mail room.

Likewise, devices on one VLAN are (often) isolated from communicating with those on another VLAN, as long as any 2 devices are on the same VLAN, they can talk.

Why do you want this isolation? Well, guest networks where your guests are assumed to be untrusted (from a data integrity perspective), or IoT devices that may have security flaws, or any number of other reasons including network efficiency as your network grows.

Usually your router that will handle all of the major network control and traffic management functions. So in order to setup a new VLAN, you setup a new network subnet (say you had already, you could setup for the new one), along with a DHCP server to provide internal IP addresses to the new VLAN. Firewall rules will govern what is allowed in terms of traffic. For a normal LAN + guest/untrusted network, you might set up rules like these:

  • traffic may pass within each network (floor) unfiltered, but may not pass between the two networks (floors) unless specifically and explicitly authorized to do so.
  • traffic may pass for both networks to and from the internet.

You could add other rules like (just an example):

  • traffic on the LAN is higher priority (bandwidth) than the Guest network, so the guest network only gets 25% of the total available bandwidth/speed (static limit), or maybe it is dynamic and de-prioritized relative to the LAN such that it can go fast when there is little demand from the LAN, but gets progressively slower as the LAN needs more speed.

Hopefully the descriptions all made sense...

Now, adding a VLAN to your existing router should be covered in the PFSense documentation. Since your switch is unmanaged, it will not know what to do with multiple VLANs, so the best option is to set the new VLAN to operate on a spare port of your router. Once configured and isolated, anything plugged into that port will then be running on the guest network with a different address space than the LAN, and it should not be able to access devices on the LAN, but should have access to the internet.

With 2 VLANs setup on different ports, you'll then want to connect them both to your WZR. To do this, you'll set up VLANs within LEDE -- isolating the two ports (each port gets a unique VLAN, untagged to the physical port, tagged on the CPU). Now you have 2 VLANs from your router and connected to and available on your WZR. Set up a second wifi interface with a unique name (Guest), and bridge it to the appropriate VLAN.

Report back once you have your primary router setup and working with 2 VLANs and then the community can help you with the details of the LEDE config.

Thanks for the very good description, I was able to follow it.

I may be having some misunderstanding of the proper definition of some terms. Here is where I seem to be getting a little lost.

I am not sure what the fine detailed difference is here between creating VLANs on the router, and just creating another LAN subnet using the spare ethernet port of the APU2. Maybe a diagram will help describe what I am thinking in my head.

What I was thinking:
APU2 box (pfsense gateway router)
eth0 - WAN
eth1 - LAN 192.168.123.x/24 - private LAN, goes to unmanaged switch, then to WZR
eth2 - LAN 192.168.234.x/24 - guest LAN, goes directly to WZR

How I am interpreting your description:
eth0 - WAN
eth1 - VLAN1 - private LAN, but unmanaged switch doesn't understand VLAN ID or tagging.
eth2 - VLAN2 - guest LAN, goes directly to WZR, which understands VLAN ID and tagging.

Or possibly this interpretation:
eth0 - WAN
eth1 - VLAN1 - private LAN, goes directly to WZR, then goes to back to unmanaged switch?
eth2 - VLAN2 - guest LAN, goes directly to WZR, which understands VLAN ID and tagging.

Note that I am referencing LAN, while you are referencing VLAN. I am beginning to understand some of the subtle differences between them, but not completely clear yet. With either of my two interpretations above I am struggling to figure out how I would be able to communicate with the other printers and computers on my private network because they are all connected to the unmanaged switch.

At the WZR, if I setup two VLANs there (which I think I have to do in any scenario), does the one that bridges back to the APU2 directly (the guest network) have to also be defined as a VLAN at the APU2, or can it just be another LAN (following what I was thinking). So that the communication that goes back to the APU2 from the WZR is accepted, and not discarded as unknown packets. I know either way the network numbering has to match.

I hope my description gives you a better idea of what I am unclear about in the definition of VLAN vs. LAN, and trying to figure out where it is appropriate to use either one or the other.

Thanks, I appreciate the education, and I think I am getting much closer to understanding this.


I honestly have not read this in it's entirety, but I know the APU2 and it does not have a switch in it, so I do not think you can use VLANs, but not positive.

I have not stress tested the traffic rules, but know I can not get from the Guest network to anyplace but the internet, which is good enough for the few guests I have on it. I am not qualified to discuss the rules more.

The big plus for this is that it is all on a single device, no config on the main router.

the graphics were almost self explanatory. I google translated the document. If you mess up, reset the device, do not try to fix it.

@jeffboyce -

VLAN is literally just "Virtual LAN" (and LAN is "Local Area Network" or your internal network; WAN is "Wide Area Network" i.e. the internet in many cases).

The "virtual" part of a VLAN is that you can have multiple LANs in the same space, sharing some equipment (especially infrastructure such as routers, smart/managed switches, and APs), and even sometimes multiple VLANs may share one physical cable (often known as a "trunk" line).

I will concede that I may not have been careful to be precise with my terms in my previous post, so I can't promise that everything will line up to what I say now...

When I refer to LAN, I usually mean your main home network. In a non-VLAN environment, it would be your only network. When operating with 2 or more VLANs, I still call your 'trusted' home network your LAN, and then often call other networks sometimes by name ("Guest") other times by a VLAN ID, and still other times by just "the other VLAN" or whatever. Sorry if this is confusing...

Each VLAN should have a unique human readable name and must also have a unique VLAN ID (an integer between 1 and 4096, but may be smaller range depending on hardware support). Each VLAN may be mapped to 1 or more physical ports, and it is possible for multiple VLANs to share a single port where supported (i.e. VLAN aware routers/switches/APs, smart/managed switches, ethernet ports on some, but not all computers).

We can define the VLAN to physical port mapping in two major categories:

  1. Untagged/PVID (Port VLAN ID) -- this is essentially a default mapping of traffic through that port. Unless the incoming data is tagged (next category), it is automatically assigned to the PVID specified for that physical port. Outbound data for that PVID is left untagged. A physical port may only have one untagged VLAN associated. A single VLAN may be untagged (or tagged) on any number of ports.
  2. Tagged/VID (VLAN ID) -- this is data that carries a 'tag' to identify the appropriate VLAN. Standard unmanaged switches and other hardware not VLAN aware will not know what to do with this data (although I'm not sure if there is a general rule about what happens when such hardware has tagged data going through it). Any physical port(s) may have an untagged + 1 or more tagged VLANs associated, and a VLAN can be tagged on multiple physical ports.

Another analogy:
You're going to an event that has a general admission (GA) and VIP guests. Since VIP is a 'special class' of guest, you will generally assume that people are not VIP unless they have the identification type to prove they are (say a badge, ticket, wristband, etc.).
GA --> VLAN2

Now, everyone going to the event is welcome to enter through gate 1. The default assumption is GA, so everyone coming through gate 1 is untagged and assigned GA status (PVID = 2). A VIP guest comes through the same gate and shows the ID -- they are 'tagged' and are then given whatever special treatment their status gets them. (VID = 1)

Gate 2 is only for VIPs and requires the ID to get through. This port has a VID = 1 but no PVID because we are only allowing people who show their credentials to get through (in practice, I'm not certain if you can have an empty PVID or not, never tried).

Gate 3 is only for VIPs, but it is already assumed that they have already passed through a check of their credentials (maybe this gate is just to limit the number of people in a specific area, but only VIPs were allowed this far to begin with). This has a PVID of 1 and doesn't need to specify any VID's.

Gate 4 leads to an area where the is no VIP special treatment -- everyone is treated equally but all are welcome to enter. This is PVID = 2, no VID's specified. You could also view this like an unmanaged switch -- anything coming through has equal treatment as it isn't aware of the GA/VIP distinction.

Your ethernet ports work the same way as these gates.

So back to your topology:

The above is generally fine and correct in human terms. However, the pfsense router needs to know that these should be independent networks and therefore not bridged together. So we need to specify the VLAN IDs (these are example values):

eth1 = VLAN1 "Private LAN" --> eth1 PVID = 1
eth2 = VLAN2 "Guest LAN" --> eth2 PVID = 2

If what @RangerZ says is correct about the APU2 not having an ethernet switch, it may still have VLAN support in the ethernet controllers. If not, maybe you won't be using VLAN IDs after all. However, there will still be some mechanism in pfsense to make it clear that each network is independent.

When you get to the LEDE router, you will be creating VLANs so that the system knows that the traffic through each port is on one network or the other -- you have 2 different networks after all. This can actually be done via LuCI if you want -- in the "Switch" configuration page, you'll add another VLAN with a VLAN ID, name, and then port selection. The GUI will prevent you from having more than one untagged VLAN on a physical port, and will allow you to specify tagged/untagged/off for each VLAN on each port. Since you're probably going to use 2 ethernet ports on your router with untagged data, and then 2 cables to connect it to your AP, you'll want to set each respective VLAN/port to untagged (maybe Private LAN on VLAN1 untagged on port 1, on port 2 off; Guest LAN on VLAN2 untagged on port 2, port 1 off; be sure to have both tagged at the CPU).

Mechanically, you can set this up as you had already planned (private LAN @ eth1 > unmanaged switch > WZR; guest LAN @ eth2 > directly connected to WZR).

Thanks for the tagged/untagged description, that is a little clearer and more comprehensive than what I was seeing elsewhere. Also the gate descriptions you provided in the analogy are good and making me think more about how I understand this.

I think this is the problem that I was having with my thoughts:

My thinking was assuming that the pfsense router already knew that these were independent networks because of the net masking, so I didn't understand why they would need to be specified as VLANs.

I am going to go back and re-read the LEDE switch configuration page now that I have a better understanding of how it all works together.

Nice to hear that mechanically the cable routing between everything will work. I now have to find a few hours to sit down and put this all in place on the APU2 and the WZR. If the picture in my head is correct now, I should be able to get the details worked out. If not, I will come back with some detailed implementation questions.

Thanks for all your assistance.


@jeffboyce - glad the descriptions helped. I haven't used pfsense, so I'm not sure how it treats separate networks -- it might not need VLAN definitions, maybe just interfaces or something. But fundamentally, you will be creating 2 networks one way or another and then you'll treat them as VLANs in the LEDE device.

Once you get the APU2 configured for the 2nd network, try your hand at VLANs on the WZR. As @RangerZ said about pfsense is also often true about LEDE... if you mess up, it is frequently easier to just start fresh again (firstboot) so that you're not digging a deeper hole for troubleshooting.