Isolated Guest Network

I am looking to create an open guest network that is fully isolated from my main network

I am using re305 v3 and the wan will be wireless

is the default firewall config isolated?

here is my /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd85:e10d:64d3::/48'
        option packet_steering '2'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config interface 'wwan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.0.0'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'


here is my /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT40'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'NETWORK'
        option encryption 'psk2'
        option key '###'
        option bssid '###'
        option disassoc_low_ack '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel 'auto'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option key '###'
        option network 'lan'
        option ifname '2.4GHz'
        option disassoc_low_ack '0'

Currently, when connected to the Guest SSID, I can access the main network

main network is 255.255.0.0 subnet

guest network is 255.255.255.0 subnet

have you been following https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface ?

config interface 'wwan'
        option proto 'static'
        option ipaddr '192.168.8.1'

is this internet, or some upstream device (an additional router) on your LAN?

I wasn’t, I probably should before asking for help

that would be the main network, the main router

Better not use overlapping subnets


you will probably need an additional rule disallowing access to 192.168.8 from your guest lan.

I set my guest to 10.42.0.1/24. I think it's /24, 255.255.255.0

I can access 192.168.1.1 from the guest network

what's the 192.168.8 subnet then, vs 192.168.1?

This means your guest network is within the IP range of your main network.

Fix this:

Change to 255.255.255.0.


192.168.0.0/16

I split certain devices, most of my smart devices are at 192.168.2.X for example

10.42.0.0/24 shouldn’t be

The main router is 255.255.0.0, so wouldn’t that cause connectivity issues

the IP is 192.168.8.1

the main router is 192.168.1.1, so I can not change the subnet

Apple AirPlay screen mirroring is not available with the guest network, so I think it's isolated, but all the IP addresses are accessible for the whole of 192.168.0.0/16, so how would I block the whole of that subnet to guest users, but the OpenWrt device would still need to be able to access it?

???

I didn't say change the subnet. That was the mask:

Change this back to 255.255.255.0 so that 192.168.0.0 and 192.168.8.0 are not in the same network. Problem solved.

To be clear the mask 255.255.0.0 defines the network above as the range 192.168.0.0 - 192.168.255.255, meaning you placed 192.168.0 and 192.168.8 in the same logical network. That needs to be fixed.

Airplay won't work across different Layer 2 (physical network) interfaces [without a nonstandard configuration] anyways. It's not clear why you made this statement.

By fixing the netmask! :wink:

This will provide the correct two /24 networks, and not the improperly configured /16 on one interface and /24 with the same subnet on another.

Hi @Kcajminer2312, I remember you.
Please implement all corrections proposed and re-submit system details.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I meant subnet mask

but the 192.168.1.1 and 192.168.8.1 are not the same network, so no internet access at all

that's why I changed to 10.42.0.0/24

because that is isolated, but the IP addresses are not; maybe it is because it's layer 2, I don't really understand layers that well

the mask is correct for this setup

the guest network is 10.42.0.0/24 now

I was hoping nobody would remember that

I believe the subnet does not need to be changed now, I will re-submit system details

ubus call system board

{
        "kernel": "6.6.93",
        "hostname": "RE305",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link RE305 v3",
        "board_name": "tplink,re305-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd85:e10d:64d3::/48'
        option packet_steering '2'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config interface 'wwan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.0.0'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.42.0.2'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT40'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'NETWORK'
        option encryption 'psk2'
        option key '###'
        option bssid '###'
        option disassoc_low_ack '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel 'auto'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option key '###'
        option network 'guest'
        option ifname '2.4GHz'
        option disassoc_low_ack '0'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option ifname '5GHz'
        option key '###'
        option network 'guest'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Allow-DHCP-Guest'
        option dest_port '67'
        option target 'ACCEPT'

the Guest network key will be removed when I know it's completely isolated
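Two things the thread keeps circling back to are worth checking mechanically rather than by eye: whether any two interfaces overlap (the lan /24 sitting inside the wwan /16 mask) and whether the guest zone can still forward into the upstream 192.168.0.0/16 through the guest-to-wan forwarding, even though it cannot reach the router's own lan zone. The block below is an added example, not code from the thread or from OpenWrt. It parses UCI text with a small parser of my own, embeds an abridged, constructed copy of the posted /etc/config/network and /etc/config/firewall, and evaluates a hypothetical firewall rule named Guest-Block-Upstream-LAN (the rule and its name are my assumption, not something from the thread). The fw4 model is deliberately simplified, as the docstring says.

```python
"""Added example, not from the thread or from OpenWrt: parse UCI config text and check
(1) which interfaces have overlapping subnets and (2) whether the guest zone can forward
to a given IP.  NET/FW are abridged copies of the posted config; the fw4 model is
simplified (no ipsets, no '!' negation, no port matching, one dest_ip per rule)."""
import ipaddress
import shlex

NET = """
config interface 'lan'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
config interface 'wwan'
        option ipaddr '192.168.8.1'
        option netmask '255.255.0.0'
        option gateway '192.168.1.1'
config interface 'guest'
        option ipaddr '10.42.0.2'
        option netmask '255.255.255.0'
"""
FW = """
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        list network 'wwan'
config zone
        option name 'guest'
        option forward 'REJECT'
        list network 'guest'
config forwarding
        option src 'guest'
        option dest 'wan'
"""
# Hypothetical hardening rule (name is mine): forward path only, the router's own output is untouched.
BLOCK_RULE = """
config rule
        option name 'Guest-Block-Upstream-LAN'
        option src 'guest'
        option dest 'wan'
        option dest_ip '192.168.0.0/16'
        option proto 'all'
        option target 'REJECT'
"""

def parse_uci(text):
    """UCI text -> list of {'type', 'name', 'opts', 'lists'} sections in file order."""
    secs = []
    for w in (shlex.split(line, comments=True) for line in text.splitlines()):
        if w and w[0] == 'config':
            secs.append({'type': w[1], 'name': w[2] if len(w) > 2 else None, 'opts': {}, 'lists': {}})
        elif w and w[0] == 'option':
            secs[-1]['opts'][w[1]] = w[2] if len(w) > 2 else ''
        elif w and w[0] == 'list':
            secs[-1]['lists'].setdefault(w[1], []).append(w[2])
    return secs

def interface_networks(net):
    """interface name -> ip_network for every interface carrying a static ipaddr."""
    return {s['name']: ipaddress.ip_network(f"{s['opts']['ipaddr']}/{s['opts'].get('netmask', '32')}",
                                            strict=False)
            for s in net if s['type'] == 'interface' and 'ipaddr' in s['opts']}

def overlapping_interfaces(net):
    """Sorted interface pairs whose subnets overlap (the thread's /16-versus-/24 problem)."""
    nets = interface_networks(net)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def zone_for_ip(fw, net, ip):
    """Zone of the interface that carries traffic to ip: longest prefix, else the default route."""
    ip = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, name) for name, n in interface_networks(net).items() if ip in n]
    gws = [s['name'] for s in net if s['type'] == 'interface' and 'gateway' in s['opts']]
    iface = max(hits)[1] if hits else (gws[0] if gws else None)
    for z in fw:
        if z['type'] == 'zone' and iface in z['lists'].get('network', []):
            return z['opts']['name']
    return None

def forward_verdict(fw, net, src_zone, dst_ip, proto='tcp'):
    """fw4 order for a new flow: first matching user rule, else zone forwarding, else zone policy."""
    dst_zone = zone_for_ip(fw, net, dst_ip) or 'unrouted'   # 'unrouted' matches only dest '*'
    dst = ipaddress.ip_address(dst_ip)
    for s in fw:
        o = s['opts']
        if (s['type'] != 'rule' or o.get('src') != src_zone or o.get('dest') not in (dst_zone, '*')
                or o.get('family') == 'ipv6'):
            continue                    # rules without 'dest' are INPUT rules for the router itself
        protos = o.get('proto', 'tcp udp').split()            # fw4 default proto for rules
        if ('all' not in protos and proto not in protos) or (
                'dest_ip' in o and dst not in ipaddress.ip_network(o['dest_ip'], strict=False)):
            continue
        return o['target']
    if any(s['type'] == 'forwarding' and s['opts'].get('src') == src_zone
           and s['opts'].get('dest') == dst_zone for s in fw):
        return 'ACCEPT'
    policies = {z['opts'].get('name'): z['opts'].get('forward', 'REJECT') for z in fw if z['type'] == 'zone'}
    return policies.get(src_zone, 'REJECT')
```

Against the posted config, overlapping_interfaces reports ('lan', 'wwan'), and forward_verdict for a guest client gives ACCEPT to 192.168.1.1 (it lands in the wan zone via wwan, and guest-to-wan is forwarded) but REJECT to 192.168.0.50 (longest prefix puts it in the lan zone, which has no forwarding from guest). With BLOCK_RULE appended, 192.168.1.1 becomes REJECT while 1.1.1.1 stays ACCEPT. Because the rule is a forward rule, the router's own traffic to 192.168.0.0/16 (output chain, policy ACCEPT) is not affected, which is what the question about the OpenWrt device still needing access to the main network was asking for. On the device the same rule can be added with uci add firewall rule, a series of uci set firewall.@rule[-1].<option>=<value> lines matching the block above, then uci commit firewall and service firewall restart.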

Since you are using NAT (masq 1) your guest network has to be different from the upstream network, so that all guests use single IP assigned to the router to get on the internet.

wwan netmask seems to be excessive - are you sure it is not 255.255.255.0? And the IP should be anything but the gateway IP; I am 99% certain you can use DHCP to get a proper IP connection.

Derived from your location and somewhere on the internets, it is a Huawei CPE

192.168.8.1 is the default IP address of Huawei, Telcel, STC, Zain, Zong, Telenor

DHCP would give the same result

the upstream router is set to 255.255.0.0; DHCP would be from that router

and the guest is 10.42.0.0/24 anyway now

strange IP choice but 192.168.1.1 is my gateway on Linksys MX5500(SPNMX55GC-UK)

so unless I change the static IP on around 14 devices, the subnet mask is staying


You need to change LAN IP address to be outside that range to perform routing and NAT
See section 3 of internet standard for options https://www.rfc-editor.org/rfc/rfc1918
eg 10.28.79.1 / 255.255.255.0

WAN address must be acquired from DHCP, you can set up fixed reservation in that device if you like.

10.42.0.0/24 is already outside 192.168.0.0/16

the lan interface can be ignored for now, its not being used

guest is 10.42.0.0/24

lan is 192.168.0.0/24, I can probably disable it

wwan is 192.168.0.0/16, yes it overlaps with lan but that should not matter for guest

Well - br-lan is broken, you have to move that out too..... It is pretty hard to test anything when all else is broken....
