Main LEDE/OpenWrt router + Tomato Router as Guest AP

I'm currently using a WRT3200ACM as my main router doing PPPoE + my old Asus RT-N16 as another guest AP + switch.
I've defined 2 VLANs, vlan1 for the normal LAN + Wi-Fi and vlan3 for the guest network (only Wi-Fi atm).
On my RT-N16 @ Tomato I've also created 2 VLANs @ LAN port 1 (VID 1+3).

WRT3200:, guest network:
RT-N16:, guest network:

I'm running a few firewall scripts on my RT-N16 to prevent clients from talking to each other and accessing the router's web GUI (ebtables + iptables + Wi-Fi isolation).
Everything is working fine so far; if I connect via Wi-Fi to my guest AP I get an IP within the range 192.168.55.x with default gateway , and Internet access works fine as well!
I've blocked access from the guest network to the OpenWrt GUI, SSH and my normal private LAN via firewall traffic rules, and this is also working so far.
So when a client connects to my main router's guest Wi-Fi he's not able to access anything but the Internet.

But one problem occurs.... my modem IP is , so I've added an interface called modem to WAN with the IP  to access my modem GUI and record line stats of my DSL connection.
Access from my private LAN works fine, and clients on the OpenWrt guest network @ WRT3200 are not able to access this IP/GUI.
But when a client is connected over my guest AP (RT-N16) he's able to access my modem IP/GUI via browser, and I don't want those clients to access anything but the Internet.

I really don't know how to fix this.
If I remember right I had a slightly different setup running in the past with 2 APs + LEDE router, but I can't remember how I got it done.
At the moment I'm looking for the old config files, but so far I have had no success finding them.... :frowning:
I would be quite thankful if someone could help me with this problem.

Best regards, Kherby

There are a couple of ways one can approach "modem access". I'll give you the simple one first, as it's the one I use:

  • Configure an additional address on the WAN on the same subnet as the modem's management interface
  • Deny forwarding in/out of the modem's "zone"
  • Port forward the modem's management interface to your local machine using ssh (example assumes that the modem is on  and uses HTTPS on the standard port 443)
ssh -L8443: you@your.router.address
  • Access the management interface at https://localhost:8443/

The complicated one involves creating a special VLAN for modem access, setting up the switch to handle the VLAN, setting up firewall rules to permit forwarding for that VLAN for only the modem management interface and only my "trusted" computers, and configuring those trusted computers for that VLAN. I've never felt it worth the time myself.
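To make the "simple" approach concrete, here is an OpenWrt/LEDE UCI config that implements the three bullets above. This is an added example, not config posted by anyone in this thread. Assumed values: the modem's management address is 192.0.2.1/24 (a documentation-range stand-in for the real modem IP), the router takes 192.0.2.2 on that subnet, the WAN is PPPoE (so the alias lands on the physical WAN device rather than on pppoe-wan), and the RT-N16's guest SSID (VID 3) arrives in the WRT3200's `guest` network/zone. That last assumption is the one that matters for the original question: if the RT-N16's guest VLAN is bridged into the WRT3200's `lan` network instead, those clients inherit every forwarding the `lan` zone has, and no modem-zone rule will help.

```uci
# Added example (not from this thread). Assumed addresses: modem 192.0.2.1/24,
# router-side alias 192.0.2.2. Replace with your own values.

# --- /etc/config/network ---------------------------------------------------
# Second address on the WAN port, as an alias of the wan interface. On a
# PPPoE WAN this binds to the underlying Ethernet device, not to pppoe-wan.
# (Newer releases use "option device '@wan'" instead of ifname.)
config interface 'modem'
	option proto 'static'
	option ifname '@wan'
	option ipaddr '192.0.2.2'
	option netmask '255.255.255.0'

# --- /etc/config/firewall --------------------------------------------------
# The modem subnet gets its own zone so it is NOT covered by the existing
# lan->wan / guest->wan forwardings.
config zone
	option name 'modem'
	option network 'modem'
	option input 'REJECT'     # the modem never needs to open connections to the router
	option output 'ACCEPT'    # the router itself may reach the modem (ssh -L, stat scripts)
	option forward 'REJECT'
	option masq '1'           # router-originated traffic leaves as 192.0.2.2

# Deliberately NO "config forwarding" from 'guest' to 'modem': guest clients,
# whichever AP they associate to, cannot be routed to 192.0.2.0/24.
# Trusted users reach the GUI through the router instead:
#   ssh -L 8443:192.0.2.1:443 root@<router>   then browse https://localhost:8443/

# Optional: keep direct access for the private LAN only. Leave 'guest' out.
config forwarding
	option src 'lan'
	option dest 'modem'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, verify from a client on the RT-N16's guest SSID that `https://192.0.2.1/` (your modem's address) is refused while the Internet still works, and from the router check that the guest zone has no forwarding into the modem zone (`iptables -nvL zone_guest_forward` should show only the existing guest-to-wan accept). If guest clients can still reach the modem, check on the WRT3200 which network the RT-N16's VID 3 traffic is actually bridged into; that is the usual cause.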


First of all, thanks for your input.
I'm able to access my modem as I already configured my WRT3200 the way you described above.
The only problem I have is when a client connects over my guest AP (second router RT-N16) he's able to browse the modem GUI via  and that is what I'm trying to deny.
Denying forwarding in/out of the modem zone is something I'll try, but to be honest I'm not sure if I'll get it done.

The special VLAN for modem access sounds quite interesting. I'll try to get some info about that...