Isolating a device without creating a guest wifi

Hi Everyone,

I live in a very congested area where adding another WiFi network would noticeably degrade my network. I was wondering if adding a traffic rule, or something similar, for specific devices, or for any new devices that do not have a static lease, would be mostly the same thing?

If this is possible, what would be the best way to go about it?

Define "isolating".

What exactly is the goal here? Prevent devices from connecting? Prevent them from accessing resources on your lan? Prevent them from accessing the internet?

Prevent the device from connecting to anything on the same network. It would be allowed to only talk to the internet.

You can enable WiFi client isolation, but that is all or nothing. You cannot isolate only one device.

Adding a guest network is easy and will not materially affect your wireless performance.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Thanks for the information. I have one set up already; I saw a noticeable drop in my performance when it got started.

Can you explain a little about why setting a traffic rule to drop all queries not meant for the router's ports 53, 67, 68 (DHCP/DNS), and thus the internet, will not work?

Maybe we should review your config. The effect should be minimal.

What exactly are you asking? DHCP should usually be allowed, and dns in most cases, too. Those are the only two services the guest network needs of the router itself, the rest gets routed to the internet.

Setting where?
There's no firewall between the client and the router if you use the default config.

What would you like to see in terms of config?

I am asking if setting up a rule that says "drop all connections from the source device that are not meant for the router" would be enough to isolate it from the rest of the devices.

Connections not bound for the router don't pass through the router part of your router, and can't be firewalled.

No. That would only prevent it from accessing the administrative features of the router (ssh, web ui). It would not change the ability for it to reach other devices on the same network.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

That sucks, I guess I was under the wrong impression.

Here is the config.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "MERCUSYS MR90X v1",
        "board_name": "mercusys,mr90x-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcd:5e63:0ea0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan0'
        list ports 'lan1'
        list ports 'lan2'

config device
        option name 'lan0'
        option macaddr '00:eb:d8:f9:b0:d3'

config device
        option name 'lan1'
        option macaddr '00:eb:d8:f9:b0:d3'

config device
        option name 'lan2'
        option macaddr '00:eb:d8:f9:b0:d3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 '0'
        option type 'bridge'
        option delegate '0'
        option peerdns '0'
        list dns '192.168.1.6'

config interface 'Guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '13'
        option band '2g'
        option htmode 'HE40'
        option cell_density '2'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'wan lan'
        option mode 'ap'
        option ssid ''
        option encryption 'sae-mixed'
        option key ''

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '48'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country ''

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'wan lan'
        option mode 'ap'
        option ssid ''
        option encryption 'sae-mixed'
        option key ''

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid ''
        option encryption 'sae'
        option isolate '1'
        option key ''
        option network 'Guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        list dhcp_option '6,192.168.1.6'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,8.8.8.8'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Pi-Hole'
        option src 'lan'
        option src_ip '!192.168.1.6'
        option src_dport '53'
        option dest_ip '192.168.1.6'
        option dest_port '53'

config nat
        option name 'PiHole'
        option src 'lan'
        option dest_ip '192.168.1.6'
        option dest_port '53'
        option target 'MASQUERADE'
        list proto 'all'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Pihole ipv6'
        option family 'ipv6'
        option src 'lan'
        option src_dport '53'
        option dest_ip 'fe80::6ada:5a15:993c:a13a'
        option dest_port '53'
        option enabled '0'

config zone
        option name 'GuestZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'Guest'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

config rule
        option name 'Guest-DHCP-DNS'
        option family 'ipv4'
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

This should only have one network - lan. Remove wan.

I also recommend using WPA2 or WPA3, but not mixed-mode encryption, because it tends to cause problems with some client devices.

Same issues here:

Remove the bridge line from the wan interface:

Turn off masquerading in the guest zone:

Restart after making those changes and see how things operate.
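As an added example (not code from the thread and not OpenWrt's own tooling): a small POSIX shell/awk lint that checks copies of /etc/config/wireless, /etc/config/network and /etc/config/firewall for the three problems the reply above names: an AP attached to more than one network or to wan, a wan interface declared as a bridge, and masquerading on a zone other than wan. The sample files written by `sample_dir` are constructed here to mirror the posted config with secrets left blank; the function names and report wording are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lint UCI config text copied off the
# router (scp root@192.168.1.1:/etc/config/{wireless,network,firewall} .)
# for the three problems pointed out in the replies.

# Strip UCI quoting so awk can compare bare tokens.
unquote() { tr -d "'\"" < "$1"; }

# wireless: every AP should sit on exactly one network, and never on wan.
check_wifi() {
    unquote "$1" | awk '
    /^config / { sec = ($2 == "wifi-iface") ? $3 : "" }
    sec != "" && /^[ \t]*option network/ {
        n = NF - 2
        if (n != 1) printf "wireless %s: attached to %d networks, attach exactly one\n", sec, n
        for (i = 3; i <= NF; i++) if ($i == "wan") printf "wireless %s: wan must not be a wifi network\n", sec
    }'
}

# network: the wan interface must not carry "option type bridge".
check_wan_bridge() {
    unquote "$1" | awk '
    /^config / { sec = ($2 == "interface") ? $3 : "" }
    sec == "wan" && /^[ \t]*option type[ \t]+bridge/ { printf "network %s: remove option type bridge\n", sec }'
}

# firewall: masquerading is only needed on the zone facing the internet.
check_zone_masq() {
    unquote "$1" | awk '
    function flush() { if (inzone && masq && zname != "wan") printf "firewall zone %s: turn off masquerading\n", zname }
    /^config / { flush(); inzone = ($2 == "zone"); zname = ""; masq = 0 }
    inzone && /^[ \t]*option name/ { zname = $3 }
    inzone && /^[ \t]*option masq[ \t]+1/ { masq = 1 }
    END { flush() }'
}

# Run all three checks; prints one finding per line, nothing when clean.
lint_config() { check_wifi "$1"; check_wan_bridge "$2"; check_zone_masq "$3"; }

# Constructed sample mirroring the posted config (secrets blank), for a dry run.
sample_dir() {
    d=$(mktemp -d)
    cat > "$d/wireless" <<'EOF'
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'wan lan'
        option mode 'ap'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option isolate '1'
        option network 'Guest'
EOF
    cat > "$d/network" <<'EOF'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option type 'bridge'
EOF
    cat > "$d/firewall" <<'EOF'
config zone
        option name 'wan'
        option masq '1'
        list network 'wan'

config zone
        option name 'GuestZone'
        option masq '1'
        list network 'Guest'
EOF
    echo "$d"
}

# Usage: sh lint.sh wireless network firewall
if [ "$#" -eq 3 ]; then
    lint_config "$1" "$2" "$3"
fi
```

On the posted config the lint reports four findings (both for `default_radio0`, one for `wan`, one for `GuestZone`). Fix each with uci on the router, e.g. `uci set wireless.default_radio0.network='lan'` and `uci delete network.wan.type`; the guest zone is an anonymous section, so find its index with `uci show firewall | grep GuestZone` before deleting its `masq` option, then `uci commit` and restart as the reply says.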

I want to add that I can't set any channels above 48 before I get asked to change the channel; the 5 GHz radio stops working altogether. The same thing happens with 160 MHz width. I have not been able to find the issue.

The LAN is being used as the DHCP server; removing it causes devices to get stuck while trying to get an IP address, and they end up in a connection loop.

Were you told to remove it?

I got the same issue of not getting an IP address when removing LAN as you requested, so I reverted that. All other changes were followed. I still see the same jumpy speeds with the guest WiFi network enabled.

Either way, thanks for trying to help. I think I will have to fix the channel issue first and put both networks in separate channels in order to mitigate the issue.

I seem to have misread it, you are correct indeed.