Guest WLAN on dumb AP without firewall/DHCP

Hi, I want to create a guest Wi-Fi interface on a R7800 that I’m using only as AP without firewall/DHCP/etc..

No problem in create it but I also want to put it on a different subnet to avoid the the guest clients can browse my main LAN but they should be able to get the DNS from a Unbound server that’s inside my main LAN.
I created all but if I disable the access to LAN zone via firewall, the clients inside can’t browse the web, if I enable the LAN, they’re also able to access to my other devices inside the LAN.

This tutorial is good only if you are using firewall and DHCP on the dumb AP. But I don’t. Both of them are managed from my router.

So, probably a stupid question, but what are the steps to enable a guest/isolated LAN from my main router that’s bridged to the guest WLAN on the dumb AP?

I have to create a new interface on both the devices called “Guest”, then bridge it to a new WLAN on the AP and on the router assign it to a new zone and allow it all the rules for DNS/DHCP? This is at least what I did. So my issue is: when I create a new interface on the main router, if the the bounded device is eth0, then the guest clients are still able to browse my main LAN.

Thanks

I have previously implemented my guest networks on the wireless access point. Create a "Guest" zone+interface with a unique IPV4 range, run DHCP on it and configure the firewall to prohibit packets going Guest->private IP spaces. I believe OpenWRT will magically NAT it for you by default IIRC.

Advantages: simple & portable. Only needs config on the WAP. No VLAN tagging needed.

Disadvantages: might cause issues when roaming between APs. Does require thinking about edge cases around the guest networking (ICMP, IPV6 etc) that might be unique to your setup. I have not considered IPV6, the places where I set it up don't have IPV6 available on the WAN so I add a firewall rule to the guest network blocking it completely.

General warning: packets always want to be free of your firewall rules (TM). Always test your setup after creating it -- try to access and ping stuff on the non-guest lan from a laptop connected to the guest wifi.

1 Like

If you are sending both "Guest" and normal "Non-guest" data over the same physical ethernet cable: you will need to use VLAN tagging. Otherwise the receiving end will have no idea whether the traffic is guest or non-guest.

(The solution I suggest above doesn't have this issue as it sanitises the messages before sending them over the ethernet cable, but you may prefer the VLAN tagged + central authority approach)

2 Likes

Thanks for the reply, as I was expecting, it’s impossibile to do directly on my router, it’s a R4S and has only one LAN port, but I can use my managed switch to make a VLAN. I would have preferred to do it on the router…

Yes but to use this solution I have to enable DHCP and firewall on the AP. Maybe is the easier way as it was when I was using the R7800 as a router and not only AP!

You can't enable VLAN tagging on the R4S?

Yes it’s possible but I prefer to use a real LAN port as a separate VLAN.

EDIT: Splitting this into a separate reply

Only for the "Guest" zone+interface. The normal LAN zone+interface still has DHCP disabled (and probably the firewall "disabled", depending on how you think about it, although technically it's still on unless you go to extra effort).