How to set a Guest wifi but no wan?

grenouille · May 7, 2019, 10:29am

Hi there !

I have a homehub 5a with openwrt.
I dont use it has a router, but has a second wifi hotspot + lan switch.

dsl modem is disable.
wan port is converted as a 5th lan port (currently not used).

The device is connected by lan to my ISP router (gateway 192.168.1.254 toward internet).

I followed the guides to create a guest SSID and a guest "interface"
not I'm stuck at the firewall section, because the guide are made to allow connexion from guest wifi to wan and not lan...

Any idea how to handle this ?

more or less, I wan my guests to have access to 192.168.1.254 (as it is the gateway to internet), but no access to any other devices on 192.168.1.x
Guest network is 192.168.252.x

Best regards,

mikma · May 7, 2019, 10:45am

Using firewall zones alone won't be enough to control access to the lan since you don't have any wan interface. You'll have to add firewall traffic rules that controls access from the guest network and which allows access to 192.168.1.254 and block access to 192.168.1.0/255.255.255.0.

grenouille · May 7, 2019, 12:23pm

yes, I was thinking to something like this but I have no idea how to set such rules.
is this in "custom rules" section of firewall menu?

mikma · May 7, 2019, 1:56pm

It's in the "traffic rules" section. Use "New forward rule". In the rule you can for example change the destination address and action.

grenouille · May 7, 2019, 4:57pm

it seems it works.

So in firewall, I have set this:

My android phone can connect to internet, but not to my local servers.

Only strange thing is that the phone says the wifi is not connected to internet (there is "!" on wifi logo in notificiation bar)

mikma · May 7, 2019, 7:11pm

Are you sure it uses wifi? I think you need an second rule which blocks traffic to 192.168.1.0/255.255.255.0, and then allow forwarding from guest to lan

grenouille · May 7, 2019, 9:20pm

arf well guessed it was using 4G (very efficient guest connexion, no risk to connect on my LAN )
something is wrong on my setup, go to recheck this.

grenouille · May 8, 2019, 9:45am

ok, I almost killed my config...
I wanted to put the guest in same subnet as lan to check if it's easy to create rules....But I kind of killed access to luci and ssh
I recover using failsafe boot and ssh (at least I learnt how to do this ).
This area is a bit sensitve for my knowledge....

mikma · May 8, 2019, 10:33am

Why do you want the guest network and lan to use the same subnet?

If you want to use the same subnet then you have to bridge the interfaces since you can't use the same subnet on multiple interfaces. But traffic between devices on the same interface will be handled by the switch or bridge directly and won't reach netfilter/iptables. Though you may be able to use ebtables to implement a bridging firewall.

grenouille · May 8, 2019, 7:02pm

Why do you want the guest network and lan to use the same subnet?

because I was not aware it was a bad idea
I tried because so far my gateway (192.168.1.254 on my LAN) was not visible on the guest wifi.

I think I have missed something to connect my "guests" interface to outside.

grenouille · May 9, 2019, 10:20am

Hi! I found a nice howto here:

But I think I cannot achieve this now.
if I understood correctly, it needs to set a route in the router (at § Tell your router about the new network ).
But my current router (from my ISP) does not offer any option to define a route.

I plan to change my setup soon to add a firewall (maybe opnsense)...things may change after that.

mikma · May 9, 2019, 10:42am

If you can't then you have the option to instead enable masquerade (SNAT) on the interface connected to the router.

grenouille · June 13, 2019, 12:00pm

I'm back ! ok, got some changes
I was not able to understand how to handle masquerade....
But in the mean time, I dropped my ISP router (I mean I set it to bridge mode) and I setup an opnsense device as main firewall / router / dhcp.

So I set a route as suggested in the tutorial.

unfortunatly, I was not able to make the guest wifi work.

Here is where I'm stuck:

Trace route from LAN (192.168.1.17) to guest (192.168.4.106) works..I can reach my guest phone from my lan.
Trace route from my phone (connected on guest) as 192.168.4.106 to my router (192.168.1.254) does not work. it's stops at the 192.168.4.1 which the "guest" interface associated to the guest wifi AP

grenouille · June 13, 2019, 12:56pm

hmm I tried the following from my openwrt device (by ssh):


root@LEDE:~# traceroute 192.168.1.254 -i eth0.1
traceroute to 192.168.1.254 (192.168.1.254), 30 hops max, 38 byte packets
 1  lede.lan (192.168.1.252)  2997.133 ms !H  2998.499 ms !H  2999.660 ms !H
root@LEDE:~# traceroute 192.168.1.254 -i wlan1-1
traceroute to 192.168.1.254 (192.168.1.254), 30 hops max, 38 byte packets
 1  192.168.4.1 (192.168.4.1)  2997.577 ms !H  2997.817 ms !H  2999.696 ms !H
root@LEDE:~#

So, apparently, I can reach my gateway 192.168.1.254 from the guest wifi (wlan1-1)....but then, why not from a connected device?