Help needed with isolated guest network setup

I have two routers: TP-Link Archer C6 (main) = router-1 & TP-Link Archer C20 (secondary) = router-2. (Both are running the latest OpenWrt stable release.)

  1. I want to have a private network with router-1, containing only my devices: PC, phones, etc.
  2. I want to have a guest network with router-2 containing any random devices from relatives, etc.
  3. router-1 and router-2 should be connected via Ethernet, AND router-2 should NOT be a dumb AP. I want to apply restrictions and bandwidth control on router-2 (Guest Network). Also, DoH will be enabled on router-1.
  4. I want to isolate the two networks as much as possible; only the bare minimum internet should work, and no client-to-client connection (although if I can access router-2 from the private network, then it'd be nice).

What guide/steps should I follow? Both devices are completely at stock settings. I have attached a picture for reference of the network structure. Any advice is appreciated :slight_smile:

I would usually suggest making all policy decisions on one device (router 1), keeping the rest of the network relatively dumb - VLAN aware, enforcing the policies you've configured, but not really making decisions on their own. This usually eases (long-term-) maintenance and avoids potentially dangerous misconfigurations.

(Rapidly changing lab environments could be another topic, warranting doing policy decisions on the second router - there are good reasons for either approach, this would be just my advice for 'common' (enthusiast's-)home environments).


Sure, I'll try that! I even asked on Reddit, and there too I was advised to make a VLAN and separate interface for the second router, then set static from DHCP for the 2nd router and also set a static route.
I don't quite understand all of it yet, I'm still learning. Will set it up ASAP :slight_smile:
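
An added example, not from any post in this thread: what "all policy decisions on router-1" can look like in OpenWrt's firewall configuration for the isolation goals listed in the question. It assumes a network interface named `guest` already exists on router-1 for the guest VLAN; the zone and rule names are illustrative.

```uci
# /etc/config/firewall on router-1 (added example; assumes an interface
# named 'guest' already exists for the guest VLAN)

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'      # guests cannot reach router-1 services (LuCI, SSH)
	option output 'ACCEPT'
	option forward 'REJECT'    # no forwarding between networks in this zone

# Guests may reach the internet, and nothing else
config forwarding
	option src 'guest'
	option dest 'wan'

# Optional: private LAN may initiate connections into the guest network
# (replies are allowed by connection tracking); there is deliberately no
# guest -> lan forwarding section
config forwarding
	option src 'lan'
	option dest 'guest'

# input is REJECT, so DHCP and DNS to router-1 need explicit exceptions
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# /etc/config/wireless on the device broadcasting the guest SSID:
# add to the guest wifi-iface section to block client-to-client traffic
#	option isolate '1'
```

Zone rules only govern traffic that passes through router-1; traffic between two guests on the same Wi-Fi never reaches the firewall, which is why client-to-client blocking is set on the access point itself.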