Setting up a bridged ap with multiple networks

Hi all, im new one here. I would be very happy if someone could help me solve my problem, I've been struggling with it for over a month. The situation is as follows: i have one main router and 2 AP's (they are configured as dumb AP's). I have configured fast roaming and that is working pretty great. My problem is i'm trying to set up a guest network, the guest network is now working only on the main router, but i never get an IP address from the AP. I have tried do the setup with VLAN but they won't connect me on the AP's. What im i doing wrong. Thanks

Is same VLAN enabled in all access points and the resulting bridge selected as device in all wifi configs?

Please provide following (one device at a time)

ubus call system board
cat /etc/etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall # Main AP only
cat /etc/config/dhcp # Main AP only

Removing mac/ip/serial numbers/passwords/other secrets.
Probably one checkbox/line missing in all

1 Like


This is my main router, should i now send the screenshot of bridging?

This is not what was requested. You should have run the above suggested commands from the CLI after logging into the router and APs via ssh.

That doesn't seem right. After configuring VLANs in the Bridge VLAN Filtering tab (if the device is DSA at all), you must set VLAN tagged/untagged port membership and then use dot (.) notation for all devices in the Interfaces tab.

Check out the examples in the DSA tutorial.

1 Like
ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrtCudy",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Cudy WR2100",
	"board_name": "cudy,wr2100",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}


cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde0:183f:faeb::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'
	option gateway '192.168.1.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'nordvpntun'
	option proto 'none'
	option device 'tun0'

config interface 'Gosti'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'
	option device 'br-lan.4'


cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '9'
	option hwmode '11g'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT40'
	option cell_density '0'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Karamanovic'
	option encryption 'psk2'
	option dtim_period '3'
	option key 'nCu37vwbzCYNxQX'
	option ieee80211r '1'
	option mobility_domain '123F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'lan'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Karamanovic'
	option encryption 'psk2'
	option dtim_period '3'
	option key 'nCu37vwbzCYNxQX'
	option ieee80211r '1'
	option mobility_domain '123F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'lan'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Gosti'
	option encryption 'psk2'
	option key '12345678'
	option ieee80211r '1'
	option mobility_domain '345F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'Gosti'
	option dtim_period '3'
	option macaddr 'random'



cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config forwarding
	option src 'vpnfirewall'
	option dest 'lan'

config zone
	option name 'GostiZona'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Gosti'

config forwarding
	option src 'GostiZona'
	option dest 'wan'

config rule
	option name 'Gosti DHCP i DNS'
	list proto 'udp'
	option src 'GostiZona'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'GostiZona'



cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list server '103.86.96.100'
	list server '103.86.99.100'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Gosti'
	option interface 'Gosti'
	option start '100'
	option limit '150'
	option leasetime '12h'

br-lan.4 is not tagged on any wire, which means it never leaves the device.
Does not hurt to upgrade sofrware sometimes, try luci-app-attendedsysupgrade for least painful user experience.

ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrtCudy",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Cudy WR2100",
	"board_name": "cudy,wr2100",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

Thanks for the reply. Update is done, should i first do setting up like is shown on the video on youtube then put here the config parameter?

1 Like

Congrats with the update.
You need to mark vlan 5 tagged on ports where extenders are connected. Also if there is a switch (non-openwrt) you need to make sure VLAN 5 is linking those ports tagged. The untagged traffic can flow as is.

1 Like

Here are new changes..

at /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde0:183f:faeb::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'
	option gateway '192.168.1.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'nordvpntun'
	option proto 'none'
	option device 'tun0'

config interface 'Gosti'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'
	option device 'VLANS.30'

config device
	option type 'bridge'
	option name 'VLANS'
	list ports 'lan1'
	list ports 'VLANS.20'
	list ports 'VLANS.30'
	list ports 'VLANS.40'

config bridge-vlan
	option device 'VLANS'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'VLANS.20:t'

config bridge-vlan
	option device 'VLANS'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'VLANS.30:t'

config bridge-vlan
	option device 'VLANS'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'VLANS.40:t'


cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '9'
	option hwmode '11g'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT40'
	option cell_density '0'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Karamanovic'
	option encryption 'psk2'
	option dtim_period '3'
	option key 'nCu37vwbzCYNxQX'
	option ieee80211r '1'
	option mobility_domain '123F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'lan'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Karamanovic'
	option encryption 'psk2'
	option dtim_period '3'
	option key 'nCu37vwbzCYNxQX'
	option ieee80211r '1'
	option mobility_domain '123F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'lan'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Gosti'
	option encryption 'psk2'
	option key '12345678'
	option ieee80211r '1'
	option mobility_domain '345F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'Gosti'
	option dtim_period '3'
	option macaddr 'random'


cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

config forwarding
	option src 'vpnfirewall'
	option dest 'lan'

config zone
	option name 'GostiZona'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Gosti'

config forwarding
	option src 'GostiZona'
	option dest 'wan'

config rule
	option name 'Gosti DHCP i DNS'
	list proto 'udp'
	option src 'GostiZona'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'GostiZona'


cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list server '103.86.96.100'
	list server '103.86.99.100'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Gosti'
	option interface 'Gosti'
	option start '100'
	option limit '150'
	option leasetime '12h'

this are settings for main router. I can connect to the Guest wi fi and i get 10.20.30.xx IP, that is what i want, now i will send settings from AP..

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9d:c7a1:6079::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'GostiWiFi'
	option proto 'dhcp'
	option device 'br-lan'

config device
	option type 'bridge'
	option name 'Gosti'
	list ports 'eth0'

config bridge-vlan
	option device 'Gosti'
	option vlan '1'
	list ports 'eth0:t'


cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'ffe0a000.pcie/pcia000:02/a000:02:00.0/a000:03:00.0'
	option channel '44'
	option band '5g'
	option htmode 'HT40'
	option cell_density '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'ffe09000.pcie/pci9000:00/9000:00:00.0/9000:01:00.0'
	option channel '9'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Karamanovic'
	option encryption 'psk2'
	option dtim_period '3'
	option key 'nCu37vwbzCYNxQX'
	option ieee80211r '1'
	option mobility_domain '123F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Karamanovic'
	option encryption 'psk2'
	option dtim_period '3'
	option key 'nCu37vwbzCYNxQX'
	option ieee80211r '1'
	option mobility_domain '123F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'lan'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Gosti'
	option encryption 'psk2'
	option key '12345678'
	option ieee80211r '1'
	option mobility_domain '345F'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'GostiWiFi'

Main router is conected with AP with only one cable, but i have set up 2 Wi-Fi's and i don't wanna the Guests to see all my devices on the private network..

Bridging vlans together defeats their primary purpose.
And same port can not participate in 2 bridges.
It is so much mess in the configs that i'd say reset.

In DSA, there can only be one bridge involving the switched Ethernet ports. Typically the existing br-lan is used. Create bridge-vlans inside that one bridge.

Also create a bridge-vlan for lan (by convention numbered 1, unless you need that number tagged on an external port), and change the lan interface device to br-lan.1

You may want to set up an admin interface which allows you to log into OpenWrt directly by wifi should Ethernet become misconfigured. This interface would not be part of any bridge or VLAN; it would have its own IP subnet and DHCP server.

1 Like

ok, to be clear, my main router get internet connection trough WAN port from ISP.. My AP is connected with main switch on the LAN1 port.. Wich port do i have to bridge? Just port LAN1 port and then in this bridging i have to se up VLANS?

If there is no local wifi from the main router you could conceivably declare VLANs on one port with the syntax lan1.N as the Device for each guest network. An IP address will be placed directly on the port.

But this will not work if you want to have anything else on the network such as a wifi AP running on the main router's wifi hardware, or an additional Ethernet port to be hardware switched into the network. For that case you must go full Monty with DSA and create bridge-vlans within a single bridge.

To employ lan1.5 you have to remove that port from br-lan, and you will lose DSA quickpaths.
Best for DSA is to make br-lan.5 then tag that on the port towards extender.
(I enable DSA bridge vlans over editing conf files and rebooting, probably some has recipe to do it in stable manner over luci)

1 Like

After few hours still no sucess.

I have main router with Wi-Fi, and im using now that Wi-fi, and i can see all the devices connected to this device because i have AP attached with LAN cable to this router. AP is set as dumb AP, he becomes IP from main router, and that is working great now. What i wanna to do is that i will set up second Wi-Fi for guests, and the guest wi-fi have to do same this but only guest can’t see devices as my main router.. (Guest can't access my main router)..

Thanks

For my learning and understanding (and may help the OP :slightly_smiling_face:) does he need VLANs for his set up?
Can he not just follow this https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap for his APs and the last step in the firewall will achieve his aim of isolating guests from the Lan?

I am probably being too simplistic but I would like to try and understand :thinking:

let's see your config files as they stand right now.

ISP is connected in WAN port. From LAN1 cable goes to the Switch because AP needs power and trough that LAN is internet conectivity also set up. AP have 2 Ethernet connections but only one is working.. Fast roaming for one Wi-Fi is already set up, when i try to set up another WI-fi for guest i have to pick another interface..

Is the switch a managed type? Have you set up VLANs inside the switch?
If you can't use VLANs on your Ethernet switch there is still the option of locally routed guests. This will fulfill the basic objective of giving guests Internet access while blocking them from your LAN, though fast roaming by guests will not be possible.

Yes, this is managed switch, but it is not configured, i use it only for PoE. No, i did not set up VLANS inside the switch..