Set the WAN port to be for guest access - internet only

I just started with OpenWRT a few days ago on my TP-Link AC1200, and I'm using it as an Access Point (not my main router). I'm new to it, and I would really appreciate your help.

For background on my knowledge, I'm a software engineer, I use Linux comfortably, I understand basic networking (subnets, routing, firewalls, etc.), and I manage my Linux servers' security myself. OpenWRT has too many options above my pay grade :slight_smile: . So far, I'm using LuCI. No command line for me yet :sweat_smile: .

The problem

Currently I'm using Guest wifi from this tutorial. Can you help me use the extra, unused WAN port I have for the same purpose? I have a device that needs better connection that I don't trust to give access to my home network.

Move the WAN port to br-lan ?

It won't be any more secure just because you use the WAN port.

Using the WAN port isn't about security. The purpose is to make human error harder when plugging in ports.

What does "moving WAN port to br-lan" mean? Doesn't this give WAN the same access as normal LAN? This doesn't achieve what I'm looking for. I want WAN to be for guest access. Internet only.

In firewall:

  • Remove LAN to WAN forward setting
  • Add Guest to WAN forward setting

I followed your instructions. It looks like this now. It doesn't work... I attempted to connect a computer to WAN, and I got "No route to host" when I attempted to telnet or make any connection.

To clarify, in case I didn't do it well, I want to be able to connect a computer to the WAN port, and it should be able to get Guest network (internet access only).

You confused me.

  • Have you reconfigured the WAN port in any way?
  • If you connect a computer to the WAN port, where's your Internet connection then?

Apologies for the confusion. This router is configured as an access point as per this tutorial followed by this tutorial for guest wifi. The internet comes from one of the LAN ports.

You should have been able to move the WAN port to the LAN config as noted before.


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Do you want a device which is connected by Ethernet to your Access Point to be part of the Guest network?


Here's the information you requested. I didn't see anything to redact.

Please note that this is the configuration after the change I did after you asked me.

# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C6 v2 (EU/RU/JP)",
	"board_name": "tplink,archer-c6-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}


# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:f3ee:315b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.119'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'Guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.66.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option broadcast '192.168.66.255'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'


# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config rule
	option name 'Guest-Allow-DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest-Allow-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest-Block-LAN'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi5'
	option encryption 'sae-mixed'
	option key '<Password>'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi2.4 GHz'
	option encryption 'sae-mixed'
	option key '<Password>'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guests'
	option encryption 'sae-mixed'
	option key '<Password>'
	option network 'Guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guests'
	option encryption 'sae-mixed'
	option key '<Password>'
	option network 'Guest'

Not exactly, but close. I want the one device that's connected to the WAN Ethernet port of that AP to be part of the Guest network. The other 4 normal LAN ports should give normal LAN access.

  • Your gateway has a mismatch here. That's invalid.
  • It's still not clear how you get "Guest" network and "LAN" network
  • Did you omit the wireless configuration?

It doesn't appear you've configured any ports for guest.

My network also has one computer that connects to the WAN port for the guest network.

From the replies above by LLeachii and Escapable: maybe remove the wrong gateway, use the automatic default gateway, and add 'wan' to br-guest's bridge ports.
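The two configuration points raised in the replies (the guest interface's gateway must sit inside its own subnet, and the WAN port's device must be a member of br-guest) plus the earlier firewall step (a guest -> wan forwarding) can be checked mechanically against the posted /etc/config/* files. The following is an added example, not something from this thread or from OpenWrt itself: a minimal parser for UCI's `config` / `option` / `list` syntax and a few checks run over excerpts constructed from the configuration posted above. The device name eth0.2 for the WAN port comes from the posted switch config (VLAN 2 = port 1 tagged to CPU). The "suggested" excerpt is my rendering of what the replies propose; it also drops the standalone 'wan' and 'wan6' interfaces, since a port bridged into br-guest cannot simultaneously be the device of another interface.

```python
# Added example (not from the thread): parse OpenWrt UCI config text and check
# the points raised in the replies. Config excerpts below are constructed from
# the thread's posted configuration, trimmed to the relevant sections.
import ipaddress
import shlex


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options', 'lists'}, ...]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the single quotes UCI uses
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def find_interface(sections, name):
    return next((s for s in sections if s["type"] == "interface" and s["name"] == name), None)


def bridge_ports(sections, bridge):
    for s in sections:
        if s["type"] == "device" and s["options"].get("name") == bridge:
            return s["lists"].get("ports", [])
    return []


def check_gateway(sections, iface):
    """Flag a static gateway that is not on the interface's own subnet."""
    sec = find_interface(sections, iface)
    if sec is None:
        return f"{iface}: no such interface"
    o = sec["options"]
    gw = o.get("gateway")
    if gw is None or o.get("proto") != "static":
        return None
    net = ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
    if ipaddress.ip_address(gw) not in net:
        return f"{iface}: gateway {gw} is not inside {net}"
    return None


def check_port_in_bridge(sections, port, bridge):
    """The port must be a bridge member and not also a standalone interface device."""
    ports = bridge_ports(sections, bridge)
    if port not in ports:
        return f"{bridge}: {port} is not among its ports {ports}"
    owners = [s["name"] for s in sections
              if s["type"] == "interface" and s["options"].get("device") == port]
    if owners:
        return f"{port}: still used directly by interface(s) {owners}"
    return None


def check_forwarding(fw_sections, src, dest):
    """Require a 'config forwarding' section from zone src to zone dest."""
    for s in fw_sections:
        if s["type"] == "forwarding" and s["options"].get("src") == src \
                and s["options"].get("dest") == dest:
            return None
    return f"firewall: no forwarding from zone {src} to zone {dest}"


def audit(network_text, firewall_text):
    """Run all checks; returns the list of findings (empty = consistent)."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    findings = [check_gateway(net, "Guest"),
                check_port_in_bridge(net, "eth0.2", "br-guest"),
                check_forwarding(fw, "guest", "wan")]
    return [f for f in findings if f]


# Constructed excerpt of the posted /etc/config/network (as-is, with the problems).
POSTED_NETWORK = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.119'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'

config interface 'wan'
    option device 'eth0.2'
    option proto 'dhcp'

config device
    option type 'bridge'
    option name 'br-guest'
    option bridge_empty '1'

config interface 'Guest'
    option proto 'static'
    option device 'br-guest'
    option ipaddr '192.168.66.1'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
"""

# Constructed excerpt applying the replies' suggestions: no gateway on Guest,
# eth0.2 bridged into br-guest, and no separate interface claiming eth0.2.
SUGGESTED_NETWORK = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.119'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'

config device
    option type 'bridge'
    option name 'br-guest'
    list ports 'eth0.2'

config interface 'Guest'
    option proto 'static'
    option device 'br-guest'
    option ipaddr '192.168.66.1'
    option netmask '255.255.255.0'
"""

# Constructed excerpt of the posted /etc/config/firewall forwardings.
FIREWALL_EXCERPT = """
config forwarding
    option src 'guest'
    option dest 'lan'

config forwarding
    option src 'guest'
    option dest 'wan'
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_NETWORK), ("suggested", SUGGESTED_NETWORK)):
        print(label, audit(text, FIREWALL_EXCERPT) or "OK")
```

Run on the posted excerpt, `audit()` reports the out-of-subnet gateway on Guest and the missing eth0.2 membership in br-guest; on the suggested excerpt it reports nothing. The checks are deliberately narrow: they do not verify the switch VLAN layout or whether the guest zone's REJECT rules actually block LAN access, only the two configuration errors named in the replies and the forwarding from the earlier firewall advice.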

I fixed the earlier response and added wifi configuration. Apologies for that mistake.

About the gateway, that's supposedly the correct gateway. It's the ip address of my router. What am I missing?

Is WAN already shown in br-guest of the Guest interface?

Nope. It's not there. Excuse me for the stupid question, but how do I add it?

On the devices tab of br-guest, select only wan.

Done. But that's apparently not enough. What zone information are you using? I tried enabling wan to guest, but that seems to not be enough.

It may assist if you explain how these networks physically connect to this AP.

I noticed you have all AP wireless configurations (no STAs), so it's unclear how you provide the 2 networks (Guest and LAN) to the AP.

You also noted you use a WAN port for a physical Guest - but never explained your upstream Internet connectivity for both networks (we already know about the invalid gateway).

Perhaps this is a misunderstanding of network configuration, but it's difficult to know without details and answers to the inquiries.

There's nothing special I'm doing. The network connection to my main router (public facing router) comes from the wall in that room (building design, you know). I just connect that ethernet connection coming from my main router (which has internet + LAN) to one of the 4 LAN ports on the router. This is how everything gets internet on that router. So the router is acting as a switch, and an AP for wireless.

With that setup, the WAN port is useless. I want to use it for guest connections. This is helpful, because I need one guest port, and I need to make it memorable to avoid mistakes in the future.

Please let me know if you have any other questions. And I apologize in advance for being this ignorant.