Generally, no. But the strategy you use depends entirely on the physical topology of your network. Can you draw a diagram that shows the network topology, including the brand+model of each of the infrastructure devices (routers, switches, APs) and if they are running OpenWrt or another firmware?
Just coming back to this part... is there a reason you want (or feel you need) to have multiple different guest network subnets? This is not recommended in most situations... a single guest network is usually the best approach.
There are still some devices out there which only support the so-called swconfig. On these chips you have to create one bridge per VLAN.
For a few years now, most devices support the so-called DSA abstraction. Most importantly, it supports the native Linux kernel feature of VLAN-aware bridges.
So in 99.9 % of cases you only need a single bridge device, where you simply give each network its VLAN ID and an IP network and address, if needed.
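The "one bridge, one VLAN id per network" layout described above, written out as an added example (this is not code from the thread or from the OpenWrt project). It assumes a DSA target whose switch ports are named lan1..lan4, VLAN 1 for lan and VLAN 5 for guest, and lan4 as a tagged trunk to a second access point; these names are assumptions. A guest wifi-iface then simply uses network 'guest' and netifd puts it into br-lan as a VLAN 5 member. The script runs `uci` when it exists and otherwise only prints the commands, so it can be read on any machine:

```shell
#!/bin/sh
# Added example: a single VLAN-aware bridge (DSA, OpenWrt 21.02 and later).
# Assumptions: ports lan1..lan4 exist, VLAN 1 = lan, VLAN 5 = guest,
# lan4 is a trunk. On a stock config, edit the existing br-lan device
# section instead of creating the named 'br_lan' section used below.
if command -v uci >/dev/null 2>&1; then UCI_CMD=uci; else UCI_CMD=echo; fi

# Declare one VLAN on br-lan: $1 = section name, $2 = VLAN id, rest = ports
# with DSA flags (u* = untagged + PVID for access ports, t = tagged trunk).
add_bridge_vlan() {
    sec=$1; vid=$2; shift 2
    $UCI_CMD set network.$sec=bridge-vlan
    $UCI_CMD set network.$sec.device=br-lan
    $UCI_CMD set network.$sec.vlan=$vid
    for p in "$@"; do
        $UCI_CMD add_list network.$sec.ports="$p"
    done
}

# Attach a network to one VLAN of the bridge: its device is br-lan.<vid>.
add_vlan_network() {
    net=$1; vid=$2; addr=$3
    $UCI_CMD set network.$net=interface
    $UCI_CMD set network.$net.proto=static
    $UCI_CMD set network.$net.device=br-lan.$vid
    $UCI_CMD set network.$net.ipaddr=$addr
    $UCI_CMD set network.$net.netmask=255.255.255.0
}

apply_vlan_bridge() {
    # the one bridge that every wired port belongs to
    $UCI_CMD set network.br_lan=device
    $UCI_CMD set network.br_lan.name=br-lan
    $UCI_CMD set network.br_lan.type=bridge
    for p in lan1 lan2 lan3 lan4; do
        $UCI_CMD add_list network.br_lan.ports=$p
    done
    # VLAN 1: lan1-lan3 are untagged access ports, lan4 carries it tagged
    add_bridge_vlan lan_vlan 1 'lan1:u*' 'lan2:u*' 'lan3:u*' 'lan4:t'
    # VLAN 5: only the trunk carries it; guest SSIDs join via network 'guest'
    add_bridge_vlan guest_vlan 5 'lan4:t'
    # each network is just bridge + VLAN id + its own address
    add_vlan_network lan 1 192.168.1.1
    add_vlan_network guest 5 192.168.5.1
    $UCI_CMD commit network
}

apply_vlan_bridge
if [ "$UCI_CMD" = uci ]; then /etc/init.d/network reload; fi
```

Run it on the router to apply, or anywhere else to see the exact uci commands it would issue. The swconfig case the post mentions (one bridge per VLAN) is deliberately not shown.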
It's just a single router (Linksys E8450/Belkin RT3200).
Just upgrading to OpenWrt 25.12.4 from OpenWrt 23.05.0.
I have it that way as it lets me turn the different guest APs on and off as and when I need.
As an example, if I have Bob on guest_bob, Alice on guest_alice and family on guest_family, I can toggle Bob's AP off if he deserves having his wifi cut for whatever reason, while the other two aren't impacted. And various other permutations.
(Edit: Rereading it, that sounds vindictive, but it's just an example. Bob won't lose his wifi!).
I do it like this as it's just the way I always did it. (Been using OpenWrt for 10+ years, but I am not an OpenWrt expert.)
I'm open to other solutions.
How would I substitute for turning AP on/off with vlans?
Back to my initial question, what is the guest bridge doing in that situation?
In layman's terms, is it acting like a pipe to the WAN that prevents leaks to any other interface or device?
And if so, if all guest APs were on the same guest bridge (but different subnets) might they, theoretically, be able to jump the subnets?
And if on individual guest bridges would they be locked in their subnets?
Maybe confusing terminology: when you say "AP", do you mean the SSID/wifi-iface (e.g. guest_bob), or the physical Linksys E8450 unit? Personally, I'd refer only to the latter as an AP.
There are many ways of doing this. If you don't want to filter/segregate traffic from each differently, then only one Guest network is needed. You bundle all the Guest devices into one place (the 'network') and set the rules: e.g. that these units can access the internet, but can't (or can) access devices on the non-Guest network etc. You could also apply speed limits/quotas etc.
If it's one physical AP with a bunch of different local Guest SSIDs, simply bridge all the Guest SSIDs directly into that. No need for VLANs etc. You could turn each Guest SSID on/off as needed, as before.
If it's actually multiple physical AP units, such as for covering a larger area, then it gets more interesting. I'd still recommend having only your main/WAN-connected router/AP serve a single Guest network: one single subnet, one single DHCP server, no inter-client communication (isolated AP mode on SSIDs) etc. That way inter-AP roaming can happen without client IP address changes or other glitches.
Then, for each remote AP, you must somehow tunnel the Guest SSIDs back to the master AP and into that single Guest network. This can be via VLANs if all the APs are connected over physical ethernet cable, or via something like gretap tunnels if the remote APs are themselves connected wirelessly as an extender (i.e. WDS). From what you describe, you don't care about per-SSID discrimination, so you could first make a bridge network of the multiple Guest SSIDs on each remote AP, and then connect that one single 'Guest' bridge back to the master AP over one tunnel.
Not really a "guest network" situation when you know their names are Bob and Alice and you expect to have to continually police their internet access on a daily basis.
I'm really sorry about that. I feel like an idiot.
Yes that's what I mean, SSID.
It's just one single router with multiple guest WiFi SSIDs.
I'm using them for the other use given on the Wiki: "for guests and/or untrusted devices while keeping them isolated from the main network."
Sorry if I gave the impression I was continually policing them. I'm not. I don't switch them on/off daily or at regular times.
And the Bob and Alice names were only meant as examples. The SSIDs are not called that.
Just think of them as separate SSIDs that can be switched on/off, individually, for untrusted devices while keeping them isolated from the main network.
That's it.
To clarify, are you saying just one br-guest, as in the Wiki, is enough and that I should re-use that one br-guest for the other guest SSIDs too?
There's nothing wrong with anything here. Don't worry.
Yes, a single br-guest network with all the guest SSIDs will work fine. That presumes you don't need to discriminate or treat the traffic from each differently: i.e. same IP subnet, same firewall/routing rules etc. It sounds like you want to handle access control discrimination at the SSID level, and isolated WAN-only access for the guests (internet, not LAN).
Taking it further, you could also add individual RJ45/ethernet ports on the router into that same br-guest: guest ethernet ports. Useful for untrusted devices that only need internet like streaming sticks or smart TVs. ...that's the start of the rabbit hole of VLANs and managed switches for replicating this at a larger scale across a building.
So much flexibility, so many options, but it can be daunting to get started. Don't forget to test the guest SSIDs: not just that they 'work' and have internet access, but that they can't access the LAN subnet (if that's what you want). You can also add a firewall rule to prevent br-guest clients from accessing the ssh/http ports of the router: preventing a guest trying to log into the router itself.
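The setup from this answer as an added example (not code from the thread or from the OpenWrt wiki): one br-guest, several guest SSIDs attached to it, a guest zone that may only forward to wan, and the router's own ssh/http ports closed to guests with just DNS and DHCP allowed in. Section names, radio0/radio1, 192.168.5.0/24 and the WAN zone name 'wan' are assumptions; the passphrase is a placeholder. One caveat worth keeping in mind when testing: SSIDs bridged into the same br-guest share one broadcast domain, so traffic between a client on Guest-A and a client on Guest-B is switched by the bridge and never reaches the zone firewall; `isolate` only stops clients on the same SSID from seeing each other. Keeping SSIDs apart from each other needs separate networks and zones, not just firewall rules on one br-guest. The script uses `uci` when present and otherwise prints the commands:

```shell
#!/bin/sh
# Added example: one br-guest shared by several guest SSIDs, WAN-only,
# router ports closed to guests. Assumptions: WAN zone is 'wan', radios
# are radio0/radio1, 192.168.5.0/24 is free. GUEST_KEY is a placeholder.
if command -v uci >/dev/null 2>&1; then UCI_CMD=uci; else UCI_CMD=echo; fi

GUEST_NET=guest                         # interface and zone name
GUEST_ADDR=192.168.5.1
GUEST_KEY='CHANGE-ME-guest-passphrase'  # placeholder, 8-63 characters

# One SSID per call; all of them land on the same 'guest' network.
# isolate=1 blocks client-to-client traffic within that SSID only.
add_guest_ssid() {
    sec=$1; radio=$2; ssid=$3
    $UCI_CMD set wireless.$sec=wifi-iface
    $UCI_CMD set wireless.$sec.device=$radio
    $UCI_CMD set wireless.$sec.mode=ap
    $UCI_CMD set wireless.$sec.network=$GUEST_NET
    $UCI_CMD set wireless.$sec.ssid="$ssid"
    $UCI_CMD set wireless.$sec.encryption=sae-mixed
    $UCI_CMD set wireless.$sec.key="$GUEST_KEY"
    $UCI_CMD set wireless.$sec.isolate=1
    $UCI_CMD set wireless.$sec.disabled=0
}

# Switch one guest SSID off ($2=1) or on ($2=0) without touching the rest.
toggle_guest_ssid() {
    $UCI_CMD set wireless.$1.disabled=$2
    $UCI_CMD commit wireless
    if [ "$UCI_CMD" = uci ]; then wifi reload; fi
}

apply_guest_config() {
    # br-guest has no wired ports; the SSIDs become its only members
    $UCI_CMD set network.guest_dev=device
    $UCI_CMD set network.guest_dev.type=bridge
    $UCI_CMD set network.guest_dev.name=br-guest
    $UCI_CMD set network.$GUEST_NET=interface
    $UCI_CMD set network.$GUEST_NET.proto=static
    $UCI_CMD set network.$GUEST_NET.device=br-guest
    $UCI_CMD set network.$GUEST_NET.ipaddr=$GUEST_ADDR
    $UCI_CMD set network.$GUEST_NET.netmask=255.255.255.0
    # DHCP pool for the guest subnet
    $UCI_CMD set dhcp.$GUEST_NET=dhcp
    $UCI_CMD set dhcp.$GUEST_NET.interface=$GUEST_NET
    $UCI_CMD set dhcp.$GUEST_NET.start=100
    $UCI_CMD set dhcp.$GUEST_NET.limit=150
    $UCI_CMD set dhcp.$GUEST_NET.leasetime=1h
    # zone: nothing into the router, no forwarding except to wan
    $UCI_CMD set firewall.$GUEST_NET=zone
    $UCI_CMD set firewall.$GUEST_NET.name=$GUEST_NET
    $UCI_CMD set firewall.$GUEST_NET.network=$GUEST_NET
    $UCI_CMD set firewall.$GUEST_NET.input=REJECT
    $UCI_CMD set firewall.$GUEST_NET.output=ACCEPT
    $UCI_CMD set firewall.$GUEST_NET.forward=REJECT
    $UCI_CMD set firewall.guest_wan=forwarding
    $UCI_CMD set firewall.guest_wan.src=$GUEST_NET
    $UCI_CMD set firewall.guest_wan.dest=wan
    # input is REJECT, so open only DNS and DHCP; ssh/http stay closed
    $UCI_CMD set firewall.guest_dns=rule
    $UCI_CMD set firewall.guest_dns.name=Allow-DNS-Guest
    $UCI_CMD set firewall.guest_dns.src=$GUEST_NET
    $UCI_CMD set firewall.guest_dns.dest_port=53
    $UCI_CMD set firewall.guest_dns.proto='tcp udp'
    $UCI_CMD set firewall.guest_dns.target=ACCEPT
    $UCI_CMD set firewall.guest_dhcp=rule
    $UCI_CMD set firewall.guest_dhcp.name=Allow-DHCP-Guest
    $UCI_CMD set firewall.guest_dhcp.src=$GUEST_NET
    $UCI_CMD set firewall.guest_dhcp.dest_port=67-68
    $UCI_CMD set firewall.guest_dhcp.proto=udp
    $UCI_CMD set firewall.guest_dhcp.family=ipv4
    $UCI_CMD set firewall.guest_dhcp.target=ACCEPT
    # three guest SSIDs on the one bridge (names are constructed examples)
    add_guest_ssid guest_a radio0 'Guest-A'
    add_guest_ssid guest_b radio0 'Guest-B'
    add_guest_ssid guest_c radio1 'Guest-C'
    $UCI_CMD commit network
    $UCI_CMD commit dhcp
    $UCI_CMD commit firewall
    $UCI_CMD commit wireless
}

apply_guest_config
if [ "$UCI_CMD" = uci ]; then
    /etc/init.d/network reload; /etc/init.d/firewall reload; wifi reload
fi
```

After applying, the test this answer asks for is: from a guest client, confirm the internet works, that 192.168.1.x (or whatever the LAN is) is unreachable, and that ssh/http to 192.168.5.1 is refused while DNS to it still answers. `toggle_guest_ssid guest_b 1` is the on/off switch for a single SSID.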
Why not a single isolated SSID for those untrusted devices, with different access controls, like WPA2/3 with a MAC allow list? Or WPA2/3 Enterprise with RADIUS, so each user can have their own credentials? It will be easier when Charlie and Dave also need access: when a new user comes you just add a user/pass to RADIUS.
Not sure if this is what you mean. Each guest SSID will have a different subnet too (just in case I'm not using that term correctly, by subnet I mean 192.168.5.x, 192.168.6.x, etc.).
As well as keeping them isolated from the main network, I was hoping to keep them isolated from each other.
I think I read somewhere that even with different subnets it's technically possible (somehow!) to cross subnets?
That is interesting. MAC address filtering is possible (with my skills!) but managing MAC addresses might be a bit fiddly. WPA2/3 Enterprise with Radius might be a bit too technical/steep learning curve for me.
I guess the beauty of separate guest SSIDs is I can just turn them off/on. Plus I can keep groups of devices separated by the SSID they're on.
That's it in a nutshell.
Only for the help from people on this forum (you guys!) and the wiki contributors I'd be done for. OpenWRT can get arcane and esoteric real quick.
On the up side, it's fantastic having an up-to-date, cutting-edge, secure, safe, open source, privacy respecting router.
Thank you. I just didn't want to be wasting @cookiemonster's time.
If you allow that in your firewall then yes.
But you can place each interface in its own firewall zone and allow what you want.
Most chipsets support 8 SSIDs per radio, but lower-end ones might support 4 and higher-end 16.
you can get information e.g. with
iw phy phy0 info | grep -A20 "valid interface combinations"
But if you can do with e.g. 4 different categories of access then that is surely doable
I have four: residents, guest, iot with wan access, iot without wan access
I have access from residents to both IoTs but not the other way around; guest has only WAN access.
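The four-zone layout in this post, expressed as an added example (not code from the thread or the OpenWrt project). It assumes interfaces named residents, guest, iot_wan and iot_nowan already exist as separate networks (each its own bridge or VLAN; a zone boundary only works if the clients are not on the same bridge), and that OpenWrt's default 'wan' zone with masquerading is in place. The allowed directions are written once as a table; every zone's forward policy is REJECT, so anything not in the table is dropped, and conntrack lets replies to resident-initiated connections back in without granting the IoT side the right to initiate. The `allowed` function answers "may zone A reach zone B?" from that same table, which is a cheap way to sanity-check the policy before committing it. `uci` is used when present, otherwise the commands are printed:

```shell
#!/bin/sh
# Added example: one zone per interface with an explicit forwarding table.
# Assumptions: networks residents/guest/iot_wan/iot_nowan exist as separate
# bridges, and the default 'wan' zone (with masq) is present.
if command -v uci >/dev/null 2>&1; then UCI_CMD=uci; else UCI_CMD=echo; fi

ZONES="residents guest iot_wan iot_nowan"

# src:dest pairs that may be forwarded. Reverse directions are absent on
# purpose: iot_* cannot initiate to residents, guest reaches only wan,
# iot_nowan reaches nothing (residents still reach it; replies come back
# via conntrack).
FORWARDINGS="residents:wan residents:iot_wan residents:iot_nowan guest:wan iot_wan:wan"

# Does the table permit forwarding from zone $1 to zone $2? (exit 0 = yes)
allowed() {
    for pair in $FORWARDINGS; do
        if [ "$pair" = "$1:$2" ]; then return 0; fi
    done
    return 1
}

apply_zones() {
    for z in $ZONES; do
        # residents is the trusted zone and may reach the router; the rest
        # only get DHCP and DNS from it
        case $z in residents) pol=ACCEPT ;; *) pol=REJECT ;; esac
        $UCI_CMD set firewall.$z=zone
        $UCI_CMD set firewall.$z.name=$z
        $UCI_CMD set firewall.$z.network=$z
        $UCI_CMD set firewall.$z.input=$pol
        $UCI_CMD set firewall.$z.output=ACCEPT
        $UCI_CMD set firewall.$z.forward=REJECT
        if [ "$pol" = REJECT ]; then
            $UCI_CMD set firewall.${z}_svc=rule
            $UCI_CMD set firewall.${z}_svc.name=Allow-DHCP-DNS-$z
            $UCI_CMD set firewall.${z}_svc.src=$z
            $UCI_CMD set firewall.${z}_svc.proto='tcp udp'
            $UCI_CMD set firewall.${z}_svc.dest_port='53 67 68'
            $UCI_CMD set firewall.${z}_svc.target=ACCEPT
        fi
    done
    # one forwarding section per permitted direction
    for pair in $FORWARDINGS; do
        src=${pair%%:*}; dst=${pair##*:}
        $UCI_CMD set firewall.fwd_${src}_${dst}=forwarding
        $UCI_CMD set firewall.fwd_${src}_${dst}.src=$src
        $UCI_CMD set firewall.fwd_${src}_${dst}.dest=$dst
    done
    $UCI_CMD commit firewall
}

apply_zones
if [ "$UCI_CMD" = uci ]; then /etc/init.d/firewall reload; fi
```

Adding a fifth category later is one more name in ZONES and one or two entries in FORWARDINGS; nothing else changes.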
It's muddy, but most of the time it's like... You use e.g. 192.168/16 as your network, and this contains 256 /24 subnets.
Just as a hint, sometimes you will also see "supernet". That's the other way around: the supernet of a /24 is the /16, or any other number assignment.
Companies and enterprises usually get a /20 (4 /24) network, because a /24 is the smallest prefix size you can announce on global BGP networks...
I didn't realize SSIDs were hardware limited.
Thought it was an OpenWRT software based trick.
Good to know there's a hard limit on number of SSIDs.
And it looks like the Linksys E8450 is at the higher end: total <= 16.
To sum up:
one br-guest, reused by all guest SSIDs.
Firewall is enough to keep guest SSIDs separate from each other.
16 guest SSIDs max.
Thanks everyone. I really appreciate your help.
I only just realized the title of thread is misleading. Is there a way to edit "guest WiFi AP" to read "guest WiFi SSID"?
Would be more useful for others finding it later. I can't see any way to do it.
Be aware that the more SSIDs are in the air, the more management frames there are, and those need to be sent at the lowest bitrate, so in the end you harm airtime.
Do I have this right, the management frame issue impacts each radio separately?
i.e. 2 SSIDs on radio0 and 2 SSIDs on radio1 will have a lower impact than 4 SSIDs on a single radio?
Or if an SSID is available but nothing is connected to it does that have a management frame impact too?
Thank you for fixing that.
No, there is no pencil icon for me. If I click on the title nothing happens.
I'm relatively new here so maybe that's the reason? (a permission issue)