Isolated network interface

Hello, I have a Flint 2, OpenWrt 24.10.4, where I set up the Proton WireGuard VPN. Everything works great, but I wanted to have a guest network that is isolated from the rest of the network (and then one for 2.4 GHz - IoT). The thing is, the guest network doesn't work (stuck on getting a network address, then disconnects). What can I do about it? Thanks for any insight; here are the steps I took after I reset my router:

  1. Set root password
    System → Administration → set password

  2. Configure WAN
    Network → Interfaces → Edit wan → PPPoE → username and password

  3. Configure Wireless
    2.4GHz: AX, channel 1, 40MHz, 20dBm, country RO
    5GHz: AX, channel 36, 160MHz, 23dBm, country RO
    WPA2-PSK encryption on both

  4. Hardware acceleration
    Network → Firewall → Routing/NAT Offloading → Hardware flow offloading

  5. ProtonVPN WireGuard (https://protonvpn.com/support/openwrt-wireguard)
    System → Software → update lists → install luci-proto-wireguard → reboot
    Network → Interfaces → Add new interface → WireGuard VPN → import configuration
    Peers → Edit → Route Allowed IPs: enabled
    Firewall → Zones → Add vpn (input reject, output accept, forward reject, masquerading on, covered networks: proton0, allow forward from: lan)
    Edit lan zone → remove wan, keep only vpn, enable MSS clamping
    Network → Interfaces → wan → Advanced → disable "Use DNS servers advertised by peer" → add custom DNS 10.2.0.1

  6. Creating isolated interface
    Create br-guest device
    Network → Devices → Add device → Bridge device, name: br-guest, bring up empty bridge: enabled
    Create guest interface
    Network → Interfaces → Add → Static address, IP 192.168.2.1/24, device br-guest, DHCP enabled (start 100, limit 150)
    Firewall guest zone
    Zones → Add guest (input reject, output accept, forward reject, masquerading on, covered networks: guest, allow forward to: vpn)
    Edit vpn zone → allow forward from source zones → add guest
    Configure 5GHz guest SSID
    Network → Wireless → Add on radio1 → SSID: OpenWrt-Guest, Network: guest, WPA2-PSK, Isolate clients: enabled

Advice based on a description and not on a posted configuration is pure speculation, but did you create traffic rules allowing DHCP and DNS requests originating from the guest zone?

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface#firewall

Also note that you don't need masquerading here.


If you need help, please post your complete config in text form. This is more effective because we can see the whole context and details, not just the process for getting there.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

@pavelgl @psherman Thanks for the insights. It seems the problem was caused by me not creating traffic rules and having to add listening ports to lan and guest, as I had nonwildcard enabled.

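A check for the two causes that surfaced in this thread, as an added example (not code from the thread or from OpenWrt): it parses a constructed /etc/config/dhcp, reports networks that a non-empty listen list leaves unserved while nonwildcard is on, and prints the uci commands that add the listen interface and the guest-zone DHCP/DNS traffic rule. It assumes the firewall zone is named after the network, as 'guest' is here.

```shell
# Added example, not code from the thread. Checks whether dnsmasq's listen
# list ("Listen interfaces" in LuCI) omits a network that serves DHCP, then
# prints the UCI commands that register it and open DHCP/DNS for that zone.

# Constructed sample of /etc/config/dhcp: nonwildcard on, only lan listed.
SAMPLE_DHCP="config dnsmasq
    option nonwildcard '1'
    list interface 'lan'

config dhcp 'lan'
    option interface 'lan'

config dhcp 'guest'
    option interface 'guest'"

# Print each network with a 'config dhcp' section that is absent from the
# listen list; return 1 if any is. Only relevant when nonwildcard is '1' and
# the list is non-empty: an empty list makes dnsmasq listen everywhere.
missing_listen_ifaces() {
    cfg="$1"
    printf '%s\n' "$cfg" | grep -q "option nonwildcard '1'" || return 0
    listed=$(printf '%s\n' "$cfg" | sed -n "s/^[[:space:]]*list interface '\([^']*\)'.*/\1/p")
    [ -n "$listed" ] || return 0
    rc=0
    for net in $(printf '%s\n' "$cfg" | sed -n "s/^config dhcp '\([^']*\)'.*/\1/p"); do
        printf '%s\n' "$listed" | grep -qx "$net" || { echo "$net"; rc=1; }
    done
    return $rc
}

# UCI commands for one zone (assumes the firewall zone carries the network's
# name, as 'guest' does in the thread): add the listen interface and accept
# DNS (53) and DHCP (67-68) to the router itself; other input stays rejected.
fix_commands() {
    zone="$1"
    cat <<EOF
uci add_list dhcp.@dnsmasq[0].interface='$zone'
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-DNS-$zone'
uci set firewall.@rule[-1].src='$zone'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53 67 68'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit && /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
EOF
}

for net in $(missing_listen_ifaces "$SAMPLE_DHCP"); do fix_commands "$net"; done
```

Run it against a real /etc/config/dhcp by replacing SAMPLE_DHCP with `$(cat /etc/config/dhcp)`; the printed uci lines are meant to be reviewed before being pasted into an ssh session.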