I've recently set up my guest wireless network on a separate LAN and firewall zone to isolate it from my home network. I thought I would document it here in case it helps someone else. I am sure that you can find this information in other places.
I used LuCI and a text editor while setting it up but, for simplicity, I am going to list the changes, and just the changes, to the text files involved.
/etc/config/network

config device
	option name 'br-guest'
	option type 'bridge'
	option mtu '1500'
	option macaddr '4A:F6:A8:3C:A7:2B'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '172.22.0.1'
	option netmask '255.255.255.0'
NOTE: I took the MAC address of the lan interface and added one to the end, e.g. 34 became 35. What you see here is just an example.
/etc/config/dhcp

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
/etc/config/wireless

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest SSID'
	option encryption 'psk2+ccmp'
	option key 'whateverkeyyouwant'
	option network 'guest'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest SSID'
	option encryption 'psk2+ccmp'
	option key 'whateverkeyyouwant'
	option network 'guest'

config wifi-iface 'wifinet6'
	option device 'radio2'
	option mode 'ap'
	option ssid 'Guest SSID'
	option encryption 'psk2+ccmp'
	option key 'whateverkeyyouwant'
	option network 'guest'
NOTE: my router has 3 radios, but you have to check yours. You also don't have to put the guest SSID on all of them; you decide.
/etc/config/firewall

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
With this configuration I am able to connect to the guest SSID, get an IP via DHCP, and connect to the internet. However, I am not able to see or connect to other devices in my home LAN.
- Bonus: reject access to the router from guest.
/etc/config/firewall

config rule
	option name 'no-guest-access-22'
	list proto 'tcp'
	option src 'guest'
	option dest_port '22'
	option target 'REJECT'
	list dest_ip '172.22.0.1'
	list dest_ip '192.168.1.1'

config rule
	option name 'no-guest-access-80'
	list proto 'tcp'
	option src 'guest'
	option dest_port '80'
	option target 'REJECT'
	list dest_ip '172.22.0.1'
	list dest_ip '192.168.1.1'

config rule
	option name 'no-guest-access-443'
	list proto 'tcp'
	option src 'guest'
	option dest_port '443'
	option target 'REJECT'
	list dest_ip '172.22.0.1'
	list dest_ip '192.168.1.1'
NOTE: notice that we list the router's IP address on each network, guest and home, so the rules match whichever address a guest client tries.
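To sanity-check what the zone and the bonus rules above actually allow before relying on them, here is an added example (not part of the original post, and not OpenWrt's own code): a small Python script that parses a constructed copy of the guest zone, the guest-to-wan forwarding, and the port 22 and 443 rules as UCI text, then evaluates a few sample guest flows the way fw4 does, first matching rule wins, otherwise the zone's `input` policy applies. It assumes stock OpenWrt's REJECT fallback for zone-to-zone forwarding, since the post does not show the global `defaults` section, and it goes slightly beyond the post by accepting `low-high` port ranges and CIDR `dest_ip` entries. The flow names and the 8080 sample port are made up for illustration.

```python
"""Offline check of this post's guest-zone firewall policy (added example)."""
from ipaddress import ip_address, ip_network

# Constructed copy of the post's zone, forwarding, and two of the bonus rules.
UCI_FIREWALL = """
config zone
	option name 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option name 'no-guest-access-22'
	list proto 'tcp'
	option src 'guest'
	option dest_port '22'
	option target 'REJECT'
	list dest_ip '172.22.0.1'
	list dest_ip '192.168.1.1'
config rule
	option name 'no-guest-access-443'
	list proto 'tcp'
	option src 'guest'
	option dest_port '443'
	option target 'REJECT'
	list dest_ip '172.22.0.1'
	list dest_ip '192.168.1.1'
"""


def parse_uci(text):
    """Parse UCI text into sections; 'option' -> str, 'list' -> list of str."""
    sections = []
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name, "opts": {}})
        elif parts[0] == "option":
            sections[-1]["opts"][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list":
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def port_matches(spec, port):
    """A UCI dest_port is a single port or a 'low-high' range."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def input_verdict(sections, src_zone, dest_ip, proto, dest_port):
    """Traffic from src_zone to the router itself: first matching rule wins,
    otherwise the zone's own 'input' policy applies (fw4 semantics)."""
    for sec in sections:
        o = sec["opts"]
        if sec["type"] != "rule" or o.get("src") != src_zone or "dest" in o:
            continue  # rules with a 'dest' zone are forward rules, not input
        if "proto" in o and proto not in o["proto"]:
            continue
        if "dest_port" in o and not port_matches(o["dest_port"], dest_port):
            continue
        if "dest_ip" in o and not any(
            ip_address(dest_ip) in ip_network(d, strict=False) for d in o["dest_ip"]):
            continue
        return o["target"]
    zone = next(s for s in sections if s["type"] == "zone" and s["opts"]["name"] == src_zone)
    return zone["opts"]["input"]


def forward_verdict(sections, src_zone, dest_zone):
    """Zone-to-zone traffic needs a 'forwarding' section; the post omits the
    global 'defaults' section, so assume stock OpenWrt's REJECT fallback."""
    allowed = any(s["type"] == "forwarding" and s["opts"].get("src") == src_zone
                  and s["opts"].get("dest") == dest_zone for s in sections)
    return "ACCEPT" if allowed else "REJECT"


def guest_policy_summary():
    """Sample flows from a guest client, with the verdict each would get."""
    s = parse_uci(UCI_FIREWALL)
    return {
        "ssh to guest gateway": input_verdict(s, "guest", "172.22.0.1", "tcp", 22),
        "https to lan gateway": input_verdict(s, "guest", "192.168.1.1", "tcp", 443),
        "dns to guest gateway": input_verdict(s, "guest", "172.22.0.1", "udp", 53),
        "tcp 8080 to guest gateway": input_verdict(s, "guest", "172.22.0.1", "tcp", 8080),
        "guest -> wan": forward_verdict(s, "guest", "wan"),
        "guest -> lan": forward_verdict(s, "guest", "lan"),
    }


if __name__ == "__main__":
    for flow, verdict in guest_policy_summary().items():
        print(f"{flow:28} {verdict}")
```

Running it shows the two things worth knowing about this policy: SSH and HTTPS to either router address are rejected and guest-to-lan forwarding is rejected, while DNS still reaches the router (guests need it), and so does any port the rules do not list, because the zone's `input` policy is ACCEPT. If you later move a service to another port, add it to the rules or the check above will show it open again.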
A final comment is that I use IPv6 everywhere I can, but this time I used IPv4 only to keep it very simple. I just wanted a bit of peace of mind when someone connects a computer to my network that might be infected with malware and whatnot.