Restricting network ranges like guest-lan

Hi Community, i was now looking around a half day for the proper solution and maybe i am totally wrong. Just finally i have one idea.
But let me first explain....

Have an openwrt on Mikrotik Router which is located behind several switches in the network and providing the DSL access.
Now there is one device in the LAN (wired) which is having lets say Guest taste :wink:
My Goal was (and i cannot use VLAN because in between are several switches which are not capable) to separate this Device from my private known lan.

What i did:
Create a new interface with an DHCP on the same LAN and a static lease. So the specific device is now having a separate IP-Address. Now i wanted the Openwrt to stop route the traffic from the separated LAN also to my private secure LAN.
Tried some Firewall-Rules and finally came to the Conclusion to use the Guide from openwrt regarding creating Guest-Lan but this is only on WLAN.

My conclusion therefore was (because that doesn't worked also) it is not possible without having a physically separated device to connect.

But now i think....maybe it is possible to TAG one network segment with a VLAN-ID and so the other.....

But actually i think i am lost. Is there any Way to have a simple solution without using VLAN on the Switch? To stop the openwrt routing traffic between two different networks? :wink:
Because then i would need to replace a couple switches :wink:

Thank You very much in advance :slight_smile: for any support.

I do not know what instructions you followed to setup a guest wifi but usually it tells you to create a bridge e.g. br-guest.

It should be very easy to attach one of the ethernet lan ports to that br-guest instead of to br-lan.

If you isolate your guest network from the main network then your ethernet port is also isolated

1 Like

Oh, i wasnt to clear. There is no wifi in my problem involved

You have three options to achieve your goal:

  1. configure a port on your main router separately relative to the others, this will be assigned to a different network than your existing lan. The device that needs to be isolated from the main lan would be directly connected to that port.
  2. get one or more managed switches (depending on the physical topology) so that you can set one of the ports specifically for the device in question. On your main router (and on the switch(es), too) you'll configure VLANs and isolate the system accordingly.
  3. Use 802.1x authentication -- this is way overkill and very complex involving a RADIUS server -- this will allow devices to authenticate to the desired VLAN.

If you're using wifi, things are a bit easier insofar as you can setup a VLAN and your APs would broadcast 2 SSIDs -- one for trusted devices and the other for the 'guest' network.

Thanks for your replies. Unfortunately i dont see the solution. But i think i am to complicated. :frowning:

I have on the router 1 physical port where i have to ip subnets a and b.
I want to achieve that both a and b can reach out the internet. But i want b only access to the internet and not allowed to access network a

I can not setup a second cable on an other port.
I think i go for the vlan solution and get me some switches :slight_smile: