Separate Clients to Guest and normal Network on extended Router

Hi All,
I have an OpenWrt router successfully running for my home network. It includes a guest network. To extend my Wi-Fi range, I connected a separate basic and cheap router as an access point via Ethernet.
(ethernet connected to ports, not WAN ports)
For my standard network this works fine, so all my devices end in the same network.
However, I would like to extend the guest network (or at least the functionality) to the separate router as well.
The separate router cannot run OpenWrt, so I do not have the capability to use a VLAN or something similar.
The guest account setting on the separate router is, if I understood correctly, also senseless, since I would separate my private LAN as soon as I use the WAN port on the separate router.
The question is, would it be possible to do something like separating the network based on the MAC addresses of the devices?
I am thinking of some routing like: all known MAC addresses connected to the separate router are routed to the home network, all unknown MAC addresses are separated and routed to the internet only.

Another possibility I'm thinking of is on the DHCP side: all known MAC addresses will get an internal IP address, all others get an IP address from the guest network.

I'm not sure whether either of my ideas works in principle, and what the security behind it is (is a virus / malware on a guest device successfully separated if only the IP address range is different?)

Thank you for any advice, maybe someone has a better idea?

best regards


If both routers were running OpenWrt, you could transport the guest VLAN inside a GRE tunnel (or similar approaches), but that falls flat while running the OEM firmware.

Trying to firewall based on device MAC addresses would be a heap of management, for very little gain (modern operating systems randomize their wireless MAC address by default, so unless you can keep very close tabs on all devices, you'd be out of luck). It's technically possible to a limited extent (you can't firewall everything, it's still one network with clients seeing each other), but not a reasonable approach (and I doubt you'd want to go the extra mile of IEEE 802.1X, which would also not work on most consumer routers with their OEM firmware).


Dear slh, thank you for your answer.

Since all devices are under my control (family network), I can set all devices to not switch MAC address (unless cell phones are also doing the MAC address randomizing, I think then it might get complicated).
What about the idea to simply separate the networks based on the IP address?
Would this be a separate network at all, or is a "virus/malware" able to jump to other IP address ranges?
(Personally I have no idea how I can communicate with the router on if my pc has IP 192.168.1.x but I'm not sure if this is really a "(fire)wall" for a software which is designed to spread within a network.)
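
The MAC randomization caveat raised in the thread can be checked against the router's leases before relying on a MAC allowlist. This is an added example, not code from any poster: it assumes the dnsmasq lease format (expiry, MAC, IP, hostname, client ID) that OpenWrt keeps in `/tmp/dhcp.leases`, and the lease lines and allowlist below are constructed.

```python
"""Audit DHCP leases against a MAC allowlist and flag randomized addresses."""

# Constructed sample in dnsmasq lease format: expiry MAC IP hostname client-id
SAMPLE_LEASES = """\
1700000000 3c:22:fb:10:20:30 192.168.1.10 desktop 01:3c:22:fb:10:20:30
1700000100 da:a1:19:5b:7e:01 192.168.1.57 phone *
1700000200 00:1a:2b:3c:4d:5e 192.168.1.58 * *
1700000300 f6:0c:44:91:aa:02 192.168.1.59 * *
"""

# Hypothetical allowlist of "known" family devices (constructed values).
ALLOWLIST = {"3c:22:fb:10:20:30": "desktop", "a4:83:e7:00:11:22": "laptop"}


def is_randomized(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set,
    which is how randomized/private wireless MAC addresses are marked."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank, truncated or "duid" lines
        leases.append({"mac": fields[1].lower(), "ip": fields[2], "host": fields[3]})
    return leases


def audit(leases, allowlist):
    """Return (report, missing): a verdict per lease, plus allowlisted MACs
    that hold no lease (possibly present under a randomized address)."""
    report, seen = [], set()
    for lease in leases:
        mac = lease["mac"]
        seen.add(mac)
        if mac in allowlist:
            verdict = "known"
        elif is_randomized(mac):
            verdict = "unknown-randomized"
        else:
            verdict = "unknown"
        report.append((mac, lease["ip"], verdict))
    return report, sorted(set(allowlist) - seen)


if __name__ == "__main__":
    report, missing = audit(parse_leases(SAMPLE_LEASES), ALLOWLIST)
    for mac, ip, verdict in report:
        print(f"{mac}  {ip:<15} {verdict}")
    print("allowlisted but not seen:", missing)
```

An allowlisted device that is missing while an `unknown-randomized` lease is present is the management burden described above: the device is on the network, but under an address the allowlist has never seen.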