Help with network and wifi interface config

I'm trying to set up a free wifi hotspot where users see a splash page and are prompted to login. I've got all the other bits of the hotspot working, however I'm having a lot of trouble with configuring and separating the networks.

I've got a normal ISP modem/router (also has a switch for multiple devices) and a Linksys WRT1200ac with LEDE (latest ver) installed. My ISP modem/router connects a server pc and a few computers together, which are on the network 192.168.0.0/24. At the moment I've read a few guides on vlans and guest wlan but I can't seem to get them to work. I tried to set the lan interface to be bridged with the wan, I was able to access the router then but I could not ping google.com from ssh.

I need my server pc to be able to communicate with the Linksys WRT1200ac because I need to run an ssh command every 6 hours from a bat file execution on the server pc. I also need to prevent any wireless clients on the WRT1200ac from being able to access 192.168.0.0/24. Preferably any traffic, wired or wireless, can't access that network, but devices from 192.168.0.0/24 should be able to access the WRT1200ac. Are there any guides that cover this setup, or is anyone willing to give some advice on this type of configuration? By the way, everything should be able to connect to the internet.

@AvalonTechnologies - Ideally you'll want to set up 2 VLANs -- one for your primary (trusted) network and the other for guests. The best way is to do this on the primary network router (the one connecting to the modem). Is that possible? If not, is there any reason you couldn't install the WRT1200ac in place of the existing router? LEDE supports VLANs well, but without VLAN configurations at the main router, isolating the two networks may be more challenging.

Can you provide a diagram of your network?

Here's a diagram of the network. I can't use the WRT1200ac as my primary router since the ISP modem/router has some functionalities that I need from it in times of internet line failure. The ISP router does not support VLAN, so I can't separate the network on the main router anyway. But I want my server PC to be able to communicate with the WRT1200ac; wouldn't having that on a separate VLAN make it impossible for the server to communicate with the WRT1200ac? I can accept that the WRT1200ac will be part of my LAN network, but I can separate the guest WiFi interface on a VLAN with LEDE configuration. I can get that working, but the problem is I can't get WAN access on the actual router itself. Also, if there's a better way to do this setup, please advise me.

@AvalonTechnologies -

First, to confirm the arrow going from the LEDE router to the WAN/internet -- I assume that it is not a literal connection to the outside world like that, but rather that the clients on the LEDE router can indeed access the internet. Is that correct? Presumably there is only one connection to the internet (via the modem/router @192.168.0.1).

Next, you seem to have a one-way arrow from the primary modem/router to the LEDE router. I would think that this configuration would actually result in the arrow pointing the other way.

Here's what I think you have happening...

  1. The LEDE router is actually double-NAT'd. This is not always bad, but is not an ideal situation.
  2. The server probably cannot talk to the LEDE router -- this can be fixed with a firewall rule.
  3. Generally speaking, devices on the main network segment (192.168.0.0/24) will be unable to communicate with the devices behind the LEDE router (192.168.1.0/24).
  4. Despite #3, your networks may not be properly isolated unless you've added a firewall rule. It is presumably possible for the devices behind the LEDE router to connect to the devices on the main network. Automatic discovery via Rendezvous/mDNS and other multicast probably won't happen across the two networks, but if you try to connect to the server (using the IP address), for example, from a device behind the LEDE router (say the laptop), you will probably find that it will work. This can be blocked with another firewall ruleset, but I'm not sure if it is the best solution.

Fixing #2 should just be a matter of opening some ports on the LEDE firewall -- if your server needs ssh access to the LEDE router, make a rule that opens port 22 to the WAN port (on the LEDE router only).

Fixing #4 will work with a firewall rule that basically just rejects or drops all traffic to 192.168.0.0/24. It will allow forwarding to the internet, though. I just tested this one and it seems to work, just not sure if it could cause any problems.

Firewall Rule (goes in /etc/config/firewall on the LEDE router):

config rule
        option src 'lan'
        option dest 'wan'
        option name 'block-lan'
        option target 'DROP'
        option dest_ip '192.168.0.0/24'

Also, don't forget that users on the LEDE router will, theoretically, have access to that router in terms of attempts to reach it via the web (LuCI) or ssh. Make sure you have a good password on the router, or better yet, use a separate VLAN on the LEDE router for guest access that does not allow access to the router itself except for DNS and DHCP.

Indeed, the arrow between the LEDE Router and WAN is just a passthrough connection; it uses the WAN from the primary modem.

How I've tried setting up the connection is by bridging the LAN interface with the WAN interface, which allowed me to make the LEDE Router a part of my network, but the problem with that configuration is that the router can't access the internet (can't do ping google.com). I haven't gotten to trying the other things yet, still trying to get the router to have an internet connection and allowing connection from a device in the 192.168.0.0/24 network. Don't really mind how this is achieved but just need this part working for further configuration.

What I find strange is that with the default LEDE setup, I can access the main modem/router gateway 192.168.0.1 from the router 192.168.1.1. I even tried to allow everything in the firewall rules, any source input and this device output (ACCEPT) firewall rule.

@AvalonTechnologies -

There is no reason to bridge the LAN and WAN interfaces on the LEDE router. You might just simply go back to defaults, connect the LEDE device WAN port to one of the LAN ports on your main router, and just work with the double-NAT (see if it causes any headaches, if not, just go with it).

If you want to restrict LEDE router clients from accessing your main LAN, add the firewall rule I mentioned. And then open the appropriate ports on the LEDE firewall to allow your server to access the LEDE router.

Once that stuff is working, you can always create a VLAN for the guests that really just goes straight to the internet and that's it.
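The two firewall pieces recommended in this thread (the DROP rule for 192.168.0.0/24 from the earlier reply, and the "open the appropriate ports so the server can reach the LEDE router" step from the last reply) fit together as one /etc/config/firewall fragment. The script below is an added example, not code posted by anyone in the thread and not LEDE's own configuration; it only renders the stanzas as text so they can be reviewed before being appended to the router's firewall config. The server address 192.168.0.10 is an assumed placeholder (override with SERVER_IP); the main-LAN prefix 192.168.0.0/24 and the 192.168.1.0/24 LEDE side are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): render the firewall stanzas discussed
# above as an /etc/config/firewall fragment for a double-NAT'd LEDE router.
SERVER_IP="${SERVER_IP:-192.168.0.10}"   # assumed address of the server PC
MAIN_LAN="192.168.0.0/24"                # trusted network behind the ISP router

render_firewall_rules() {
cat <<EOF
# Let the server PC (only that host) reach the LEDE router's ssh port from the
# WAN side. The default wan zone rejects input, so the 6-hourly ssh job needs this.
config rule
        option name 'Allow-SSH-from-server'
        option src 'wan'
        option src_ip '${SERVER_IP}'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

# Drop anything forwarded from the LEDE lan zone (wired or wifi) toward the
# main network. Internet-bound traffic does not match dest_ip, so it is still
# forwarded through the wan zone as before.
config rule
        option name 'block-lan'
        option src 'lan'
        option dest 'wan'
        option dest_ip '${MAIN_LAN}'
        option target 'DROP'
EOF
}

# Number of rule stanzas in the fragment (expected: 2).
count_rules() {
    render_firewall_rules | grep -c '^config rule'
}

# Sanity check: the block rule must carry a dest_ip, otherwise it would drop
# all lan->wan forwarding, including internet access for the hotspot clients.
check_block_rule_scoped() {
    render_firewall_rules | awk '
        /^config rule/        { in_block = 0 }
        /option name .block-lan./ { in_block = 1 }
        in_block && /option dest_ip/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Sanity check: the ssh allow rule must be limited to the server address,
# not open to every host on the main LAN.
check_ssh_rule_scoped() {
    render_firewall_rules | awk -v ip="$SERVER_IP" '
        /^config rule/        { in_ssh = 0 }
        /option name .Allow-SSH-from-server./ { in_ssh = 1 }
        in_ssh && /option src_ip/ && index($0, ip) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

if [ "${1:-}" = "render" ]; then
    render_firewall_rules
fi
```

To use it on the router: `sh rules.sh render >> /etc/config/firewall` followed by `/etc/init.d/firewall restart`. Rules in the `config rule` sections are evaluated before the zone forwarding policy, so the DROP entry takes effect even though lan->wan forwarding is otherwise accepted. A quick check afterwards is to ping 192.168.0.1 from a wifi client (should fail) and then ping a public address (should still succeed), and to ssh from the server PC versus from some other main-LAN host (only the server should get a connection).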