Seperate VLANs / LANs - LAN and Guest LAN


I've been running LEDE snapshots on Archer C7 v4.
I'm new to LEDE and OpenWRT. I've read and learned a lot recently, but I'm still confused about the firewall rules when trying to create separate LANs - One for our use, the other for guests via WLAN.
I'll try to give as much details as possible to be clear.

I'm connected to the internet via PPPoE, and I had this interfaces (default):

Default PPPoE interfaces

With the current firewall configurations:

I've added new bridge interface called guest_lan. As first step, I've used the same VLAN interface bridged with the guest WLAN. Everything worked fine, I couldn't access the clients from both interfaces (lan and guest_lan) and got Destination port unreachable, but I could access the DHCP server from them.
After some reading, I figured I might need to create new VLAN interface - called eth0.3 in my case, so I did, but got the same result as before.

Here's my current interfaces and firewall settings:



Is there a way to block any communication between the interfaces, so I get request timed out when pinging clients and DHCP server?

I hope I covered the problem well and it's clear enough.


Hi there I just did this 2 weekends ago and I followed this instructions

I had some issues about the settings at the end with the headline

Tell your router about the new network:

This was better described in this webpage it's in german so:


Hope this helps.




I uploaded a screenshot of my rules and zones and traffic rules

Thanks for sharing!

I'm following the guide in German, but I don't understand what IP I should write in the Source NAT section (Allow Guest Internet). The guide says it's the IP of the WLAN, but how do I know what IP it is?

That's mean WLAN ip subnet, ex:

The IP of your router

I've tried both, but couldn't get internet access.
What are the advantages to forward the traffic through LAN?
Is there a way to do the same thing with WAN interface?

Hi Dor,
The traffic has to go through lan on my setup due to the wan connection is on another router.


I've managed to block any communication to my LAN network by creating a forward rule that applies to all of the zones, and the mask, with the action drop. However, I can still access the LAN Gateway (is it the router IP?) on I couldn't block this communication.

The firewall configuration looks the same as in the images I've uploaded in the original post.
Do you have an idea why it doesn't drop the packets from and to

You can use traffic rule block access port 80,443,22 to gateway, example look like:

config rule
        option proto 'tcp udp'
        option family 'ipv4'
        option src 'guest'
        option dest_port '80 443 22'
        option target 'REJECT'
        option name 'Block_Access_From_Guest'