Sounds to me like the OP wants a "guest network" and a "home network" (or something similar) so that one can be throttled separately from the "home network" (or just not allowed to access it).
I have some APs set up this way at work on some TP-Link 1043ND APs.
To reply to @vieri's questions:
- You do not need any rules on the client AP to allow DNS, or anything else through.
- You do not need an interface IP on more than one network, so you just need to have a static address for your client AP on SUBNET1 and a rule on your main firewall to allow devices on SUBNET2 to access ports 80 and 22 on your client AP.
- You will need to setup a rule on the main firewall to allow devices on SUBNET2 to access ports 80 and 22 (or whatever you use for web and SSH) on the client AP. Then any traffic from SUBNET2 to SUBNET1 goes through SUBNET2 to your main firewall, then back out to SUBNET1.
Do this while connected to LAN port 4, and "Save and Apply" after each step:
- Set up your VLANs
- See: https://openwrt.org/docs/guide-user/network/vlan/switch_untaggedvlan_howto for a basic what needs to be done, or https://openwrt.org/docs/guide-user/network/vlan/switch_configuration for how to do it by editing the config files
*For this, we will use 2 new interfaces, VLAN1 (eth1.1, SUBNET1) and VLAN2 (eth1.2, SUBNET2) - Assuming that your device uses ports 0-5 with port 0 being the CPU, 1-4 being LAN ports 1-4 and port 5 being the WAN port, add 2 new interfaces as follows:
- VLAN1 0-tagged 1-untagged 3-tagged
- VLAN2 0-tagged 2-untagged 3-tagged
- You will need to switch ports 1 and 2 to "off" for the existing VLAN
- Note that the port on your main router that connects to port 3 needs to be set up with the same VLAN IDs; you might need to use higher numbers such as 3 and 4 instead of 1 and 2 if the existing VLANs use VLAN IDs 1 and 2
- Set up your interfaces to match your VLANs
- Add a new interface that "Covers" the new "Switch VLAN: eth1.1" and call it INTERFACE1
- Set the protocol to "Static address"
- Add a new interface that "Covers" the new "Switch VLAN: eth1.2" and call it INTERFACE2
- Set the protocol to "Unmanaged"
- Set up your firewall zones and rules to match your interfaces
- Add a zone called ZONE1, set defaults to be: Input: Accept. Output: Accept. Forward: Reject
- Add a zone called ZONE2, set defaults to be: Input: Accept. Output: Accept. Forward: Reject
- Set up your SSIDs to connect to the interfaces from step 2
- Add an SSID called SSID1, mode AP, network: INTERFACE1
- Add an SSID called SSID2, mode AP, network: INTERFACE2
- Set up your interface address:
- Network>Interfaces>INTERFACE1>General Setup>
* Protocol: Static
* IPV4 Address: 192.168.1.10
* IPV4 Netmask: 255.255.255.0
* IPV4 Gateway: 192.168.1.254
* DHCP server: Ignore interface
- Tie your firewall rules to the interface
- Network>Interfaces>INTERFACE1>Firewall Settings>Assign to ZONE1
- Network>Interfaces>INTERFACE2>Firewall Settings>Assign to ZONE2
I think that is it, I usually just paste in my config files via SSH/SCP and change the IP addresses and AP names. If you want to test, in step 2, choose DHCP instead of Static or Unmanaged for your protocol, then you can check that you have access by seeing if it picks up an IP address.
Aaron Z
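The same six steps as a UCI batch, for anyone who would rather apply them over SSH than click through LuCI. This is an added example, not Aaron's config files or anything from the OpenWrt docs; it targets a swconfig-era AP such as the TL-WR1043ND (DSA-based builds use `device`/`bridge-vlan` sections instead of `ifname`/`switch_vlan`). Everything not stated in the post is an assumption: the switch is `switch0` and its existing LAN VLAN is the first `switch_vlan` section holding ports `0t 1 2 3 4`; VLAN IDs 3 and 4 are used for SUBNET1/SUBNET2 (the post's fallback when 1 and 2 are taken), so `eth1.1`/`eth1.2` become `eth1.3`/`eth1.4`; the radio is `radio0`; both SSIDs use WPA2-PSK with placeholder keys; and the guest SSID gets client isolation, a hardening step the post does not mention. Run it with no arguments first to review the batch, then with `apply` from a client on LAN port 4.

```shell
#!/bin/sh
# Added example, not from the original post: UCI equivalent of the LuCI steps above
# for a swconfig-era OpenWrt AP. Assumptions (not in the post) are marked below.

SWDEV="${SWDEV:-eth1}"        # ethernet device behind the switch (eth1 in the post)
SW="${SW:-switch0}"           # assumption: switch name
VLAN1="${VLAN1:-3}"           # SUBNET1: management + SSID1 (assumed ID, post suggests 3/4 if 1/2 are taken)
VLAN2="${VLAN2:-4}"           # SUBNET2: guest SSID2, no IP on the AP

# Print the uci batch instead of applying it, so it can be reviewed first (dry run).
gen_uci_batch() {
    # Step 1: switch VLANs. Port 0 = CPU, 1-4 = LAN 1-4, 3 = trunk to the main router (per the post).
    # Ports 1 and 2 leave the existing LAN VLAN (assumed to be @switch_vlan[0] with '0t 1 2 3 4');
    # port 4 stays in it so the SSH session used to apply this survives.
    cat <<EOF
set network.@switch_vlan[0].ports='0t 3 4'
set network.vlan_sub1=switch_vlan
set network.vlan_sub1.device='$SW'
set network.vlan_sub1.vlan='$VLAN1'
set network.vlan_sub1.ports='0t 1 3t'
set network.vlan_sub2=switch_vlan
set network.vlan_sub2.device='$SW'
set network.vlan_sub2.vlan='$VLAN2'
set network.vlan_sub2.ports='0t 2 3t'
EOF
    # Steps 2 and 5: interfaces. interface1 is static on SUBNET1 (the AP's management address,
    # DHCP server ignored); interface2 is unmanaged (proto none): the AP only bridges SSID2 onto it.
    cat <<EOF
set network.interface1=interface
set network.interface1.ifname='$SWDEV.$VLAN1'
set network.interface1.proto='static'
set network.interface1.ipaddr='192.168.1.10'
set network.interface1.netmask='255.255.255.0'
set network.interface1.gateway='192.168.1.254'
set network.interface2=interface
set network.interface2.ifname='$SWDEV.$VLAN2'
set network.interface2.proto='none'
set dhcp.interface1=dhcp
set dhcp.interface1.interface='interface1'
set dhcp.interface1.ignore='1'
EOF
    # Steps 3 and 6: firewall zones with Input/Output ACCEPT, Forward REJECT, tied to the interfaces.
    cat <<EOF
set firewall.zone1=zone
set firewall.zone1.name='zone1'
add_list firewall.zone1.network='interface1'
set firewall.zone1.input='ACCEPT'
set firewall.zone1.output='ACCEPT'
set firewall.zone1.forward='REJECT'
set firewall.zone2=zone
set firewall.zone2.name='zone2'
add_list firewall.zone2.network='interface2'
set firewall.zone2.input='ACCEPT'
set firewall.zone2.output='ACCEPT'
set firewall.zone2.forward='REJECT'
EOF
    # Step 4: SSIDs. radio0, WPA2-PSK and the placeholder keys are assumptions; isolate='1' on the
    # guest SSID (clients cannot talk to each other) is an addition the post does not mention.
    cat <<EOF
set wireless.ssid1=wifi-iface
set wireless.ssid1.device='radio0'
set wireless.ssid1.mode='ap'
set wireless.ssid1.network='interface1'
set wireless.ssid1.ssid='SSID1'
set wireless.ssid1.encryption='psk2'
set wireless.ssid1.key='CHANGE_ME_home'
set wireless.ssid2=wifi-iface
set wireless.ssid2.device='radio0'
set wireless.ssid2.mode='ap'
set wireless.ssid2.network='interface2'
set wireless.ssid2.ssid='SSID2'
set wireless.ssid2.encryption='psk2'
set wireless.ssid2.key='CHANGE_ME_guest'
set wireless.ssid2.isolate='1'
EOF
}

# Apply the batch and restart the affected services: the CLI equivalent of "Save and Apply".
apply_config() {
    gen_uci_batch | uci batch
    uci commit network && uci commit dhcp && uci commit firewall && uci commit wireless
    /etc/init.d/network restart
    /etc/init.d/firewall restart
    wifi
}

case "${1:-show}" in
    apply) apply_config ;;
    *)     gen_uci_batch ;;   # default: dry run, print what would be applied
esac
```

Before running `apply`, check `uci show network | grep switch_vlan` and confirm the first `switch_vlan` section really is the LAN VLAN with ports `0t 1 2 3 4`; if your board numbers the CPU or WAN port differently, the `ports` strings must change to match. The rule on the main firewall allowing SUBNET2 to reach ports 22 and 80 on 192.168.1.10 still has to be added there, as the post says; nothing on the AP grants it.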