Hello everyone,
I must prevent devices on the guest VLAN from accessing some devices on the main LAN and vice versa, based on IP range. I'm doing this for security, hoping it will still prevent an infection from spreading across both networks if anything goes wrong. By not using full VLAN isolation I will still have access to my routers and servers (192.168.2.0-192.168.2.11) without compromising both networks, which is great.
I saw a few similar topics on the forum but not the exact same thing. This is the setup I have: [Solved] Need help creating a dumb wireless AP with Guest Wi-Fi + VLAN (DSA) [Solved]
I'm sharing the firewall rules I've been using in DD-WRT / FreshTomato to do that. In OpenWrt "br1" is "guest" and the main network is not "br0" but simply "Lan". I've been told that such rules are deprecated in OpenWrt. I disabled the Traffic Rule that fully isolates the guest VLAN from the main network. Now I guess I might have to convert the following as Traffic Rules in OpenWrt but I'm not sure how to do this properly yet:
#Block traffic from the at-risk LAN range into guest (br1). Matched on the
#output interface: packets with a LAN source address leave towards br1, they
#do not arrive on it, so "-i br1" would never match them.
iptables -I FORWARD -o br1 -m iprange --src-range 192.168.2.12-192.168.2.244 -j DROP
#Block traffic from guest (br1) to the at-risk LAN range:
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.2.12-192.168.2.244 -j DROP
#Allow traffic from the safe LAN range into guest:
iptables -I FORWARD -o br1 -m iprange --src-range 192.168.2.0-192.168.2.11 -j ACCEPT
#Allow traffic from guest to the safe LAN range:
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.2.0-192.168.2.11 -j ACCEPT
#Note: -I prepends, so the ACCEPT rules inserted last end up above the DROP rules.
Thanks!
Can you put into plain words the goals - what are the source and destination addresses of interest, and are there any other restrictions (i.e. only ports x and y on one of the destination addresses; wide open on another destination address, etc).
Hi! I'm actually doing my best to translate the following so that it can be added into OpenWrt more easily:
#Block traffic from the at-risk LAN range into guest (br1); matched on the
#output interface, since packets from LAN addresses leave towards br1:
iptables -I FORWARD -o br1 -m iprange --src-range 192.168.2.12-192.168.2.244 -j DROP
#Block traffic from guest (br1) to the at-risk LAN range:
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.2.12-192.168.2.244 -j DROP
#Allow traffic from the safe LAN range into guest:
iptables -I FORWARD -o br1 -m iprange --src-range 192.168.2.0-192.168.2.11 -j ACCEPT
#Allow traffic from guest to the safe LAN range:
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.2.0-192.168.2.11 -j ACCEPT
#Note: -I prepends, so the ACCEPT rules inserted last end up above the DROP rules.
Right... so yes, we could read through the iptables, but if you can simply put it into words, we can guarantee we get the rules exactly as you want them based on your description (this prevents any errors in 'transcribing' the iptables and/or any issues due to differences from what was there to what you want to do now).
For example (I'm making these up entirely, not using your iptables or config):
- allow 192.168.5.0/24 --> 192.168.3.12 tcp+udp port 53, block all else to this host.
- allow 192.168.5.14 ---> 192.168.3.4 tcp 8123, block all else to this host.
- allow 192.168.5.5 --> 192.168.3.26 all protocols+ports (i.e. wide open to this specific host)
There it is, I hope it's gonna work:
1: Drop anything from Lan (192.168.2.12-192.168.2.244) to guest.
Protocol: Any
Source: Lan
Source address: 192.168.2.12-192.168.2.244
Source port: any
Destination: guest
Destination address:
Destination port: any
Action: drop
2: Drop anything from guest to Lan (192.168.2.12-192.168.2.244).
Protocol: Any
Source: guest
Source address:
Source port: any
Destination: Lan
Destination address: 192.168.2.12-192.168.2.244
Destination port: any
Action: drop
3: Accept anything from Lan (192.168.2.0-192.168.2.11) to guest.
Protocol: Any
Source: Lan
Source address: 192.168.2.0-192.168.2.11
Source port: any
Destination: guest
Destination address:
Destination port: any
Action: accept
4: Accept anything from guest to Lan (192.168.2.0-192.168.2.11).
Protocol: Any
Source: guest
Source address:
Source port: any
Destination: Lan
Destination address: 192.168.2.0-192.168.2.11
Destination port: any
Action: accept
- I'm assuming you've researched how to reduce these rules to UCI (OpenWrt) syntax?
- Just an observation, I noticed your rules specify IP ranges that are not a complete /24 network.
- I see you're using the (indeed deprecated) -m argument that was previously exposed in earlier versions of OpenWrt using iptables/fw3; you specifically employ this to note IP ranges that don't seem to end on a 'bit barrier' for network numbering. Is there a reason you cannot use CIDR notation to specify these IP ranges?
-Actually I just translated the rules in my head by looking at how the Traffic Rules are made in LuCI. Once saved I'll be able to SSH in and see them in UCI (OpenWrt) syntax.
-Yeah I know, there has been some weird bug in some firmware where I couldn't use a complete /24 network, so I've been using up to 244 ever since just to be safe everywhere.
-I don't know, I'm not gonna use these deprecated things in OpenWrt, I just want to reproduce the same effects.
-CIDR notation would look much cleaner but I couldn't find one to closely match 192.168.2.12-192.168.2.244 (the machines at risk of infection) and 192.168.2.0-192.168.2.11 (the safe machines I want to access).
Thanks!
fw4 supports intervals, just like nftables.
#/etc/config/firewall
config rule
	option name 'Drop-LAN-to-Guest'
	option src 'lan'
	option dest 'guest'
	list proto 'all'
	list src_ip '192.168.2.12-192.168.2.244'
	option target 'DROP'
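As an added illustration (not part of this thread and not OpenWrt's own code) of two points raised above: fw4 accepts the raw ranges as written, but the earlier CIDR question does have an exact answer, and before turning the two ranges into rules it is worth confirming they are disjoint, since an overlap would leave rule order to decide whether the DROP or the ACCEPT wins. Python's standard ipaddress module does the range-to-prefix summarisation; the address ranges are the ones from the thread, the function names and the classification helper are mine.

```python
"""Added example: summarise the thread's two LAN ranges into CIDR prefixes,
render them as /etc/config/firewall list entries, and check the ranges are
disjoint before they become DROP/ACCEPT rules."""
import ipaddress

# Ranges from the thread: infrastructure hosts the guest VLAN may reach, and
# the client machines that must stay separated from it.
SAFE_RANGE = ("192.168.2.0", "192.168.2.11")
AT_RISK_RANGE = ("192.168.2.12", "192.168.2.244")


def range_to_cidrs(first, last):
    """Minimal list of CIDR prefixes covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def uci_list_lines(option, first, last):
    """One 'list <option> ...' line per prefix, in /etc/config/firewall
    layout (fw4 also accepts the raw range as a single list entry)."""
    return ["\tlist %s '%s'" % (option, cidr)
            for cidr in range_to_cidrs(first, last)]


def ranges_overlap(a, b):
    """True if inclusive ranges a and b share at least one address."""
    a0, a1 = (int(ipaddress.ip_address(x)) for x in a)
    b0, b1 = (int(ipaddress.ip_address(x)) for x in b)
    return a0 <= b1 and b0 <= a1


def classify_lan_host(ip):
    """Which of the thread's rules a LAN address falls under when talking to
    the guest zone: 'accept' (safe range), 'drop' (at-risk range) or
    'unmatched' (neither rule matches; the zone forwarding policy decides)."""
    n = int(ipaddress.ip_address(ip))
    lo, hi = (int(ipaddress.ip_address(x)) for x in SAFE_RANGE)
    if lo <= n <= hi:
        return "accept"
    lo, hi = (int(ipaddress.ip_address(x)) for x in AT_RISK_RANGE)
    if lo <= n <= hi:
        return "drop"
    return "unmatched"


if __name__ == "__main__":
    # If this fires, the order of the DROP and ACCEPT rules would matter.
    assert not ranges_overlap(SAFE_RANGE, AT_RISK_RANGE), "ranges overlap"
    for name, rng in (("safe", SAFE_RANGE), ("at-risk", AT_RISK_RANGE)):
        print(name, "->", " ".join(range_to_cidrs(*rng)))
    print("\n".join(uci_list_lines("dest_ip", *AT_RISK_RANGE)))
    for host in ("192.168.2.1", "192.168.2.100", "192.168.2.250"):
        print(host, classify_lan_host(host))
```

Running it shows why no single prefix matched: the safe range is two blocks (192.168.2.0/29 and 192.168.2.8/30) but the at-risk range needs nine, from 192.168.2.12/30 up to 192.168.2.244/32. It also shows that 192.168.2.250 matches neither rule: addresses .245 to .254 fall through to whatever the lan/guest zone forwarding policy is, which is worth remembering if the DHCP pool or a static host ever lands there.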
-Downside of VLAN hosted on WAP:
Non-isolated Inter-VLAN upstream access works but downstream access doesn't.
-LuCI traffic rules for VLAN hosted on WAP:
Disable the "Guest_DHCP", "Guest_DNS" and "Block_Guest_from_Lan" traffic rules, then add the following rules:
Name: Allow_Guest_to_Router
Protocol: Any
Source: guest
Destination: Device
Action: accept
Name: Block_Lan_to_Guest
Protocol: Any
Source: Lan
Source address: 192.168.2.12-192.168.2.244
Destination: guest
Action: drop
Name: Block_Guest_to_Lan
Protocol: Any
Source: guest
Destination: Lan
Destination address: 192.168.2.12-192.168.2.244
Action: drop
Name: Allow_Lan_to_Guest
Protocol: Any
Source: Lan
Source address: 192.168.2.0-192.168.2.11
Destination: guest
Action: accept
Name: Allow_Guest_to_Lan
Protocol: Any
Source: guest
Destination: Lan
Destination address: 192.168.2.0-192.168.2.11
Action: accept
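The same five rules as they land in /etc/config/firewall once saved in LuCI, written out here as an added illustration rather than copied from the poster's router. The zone names 'lan' and 'guest' and the rule names follow the thread; the rest of the file (zones, forwardings, the disabled Guest_DHCP/Guest_DNS/Block_Guest_from_Lan rules) is left out.

```uci
config rule
	option name 'Allow_Guest_to_Router'
	option src 'guest'
	list proto 'all'
	option target 'ACCEPT'

config rule
	option name 'Block_Lan_to_Guest'
	option src 'lan'
	list src_ip '192.168.2.12-192.168.2.244'
	option dest 'guest'
	list proto 'all'
	option target 'DROP'

config rule
	option name 'Block_Guest_to_Lan'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.2.12-192.168.2.244'
	list proto 'all'
	option target 'DROP'

config rule
	option name 'Allow_Lan_to_Guest'
	option src 'lan'
	list src_ip '192.168.2.0-192.168.2.11'
	option dest 'guest'
	list proto 'all'
	option target 'ACCEPT'

config rule
	option name 'Allow_Guest_to_Lan'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.2.0-192.168.2.11'
	list proto 'all'
	option target 'ACCEPT'
```

A rule with 'src' but no 'dest' is what LuCI shows as Destination: Device, i.e. input to the router itself. Because the two address ranges do not overlap, the relative order of the DROP and ACCEPT rules does not matter; LAN addresses outside both ranges (.245 and above) match none of them and fall through to the lan/guest zone forwarding policy. After '/etc/init.d/firewall restart', 'fw4 print' shows the generated nftables ruleset with each rule's name in a comment, which is the quickest way to confirm the ranges were parsed as intended.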