Setup guest wifi on a dumb AP with VLAN (solved)

Dear community,

I would like to request your help to create a Guest Wifi network (for IoT devices) on a separate subnet (..188.x) with internet access but no access to my private local network (..178.x).

The private LAN and guest network are fully functional on the main router with OpenWrt v19.07.4 by following this guide

On the 2nd access point device with OpenWrt (with DHCP disabled in private LAN) the private LAN is working but the guest network is connecting without having internet access. After connecting a device with this AP I get the message: ‘connected, no internet’. I can ping 8.8.8.8 but not www.openwrt.org.

I tried multiple guides from the wiki and read multiple forum topics. See some examples below. I expect the source is somewhere in the firewall settings or in the traffic rules. For troubleshooting I disabled the ‘Block Guest access to private network’ firewall rule for now, but I cannot fix the issue.

Some helpful guides used:
I found this a helpful LuCI guide (tried adding the masquerading option in LAN):

Helpful forum topic (resulted in updated wiki):

Tried adding an ‘Allow-Guest-Forward’ rule without success:

Any help is much appreciated, because currently I am stuck.

The plan:

My current config files:

root@mywrtc7:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.178.250'
        option ipaddr '192.168.178.253'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.188.50'

root@mywrtc7:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config rule 'guest_dhcp'
        option name 'guest_DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guest_dns'
        option name 'guest_DNS'
        option src 'guest'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'

config rule
        option src 'guest'
        option name 'Block Guest access to private network'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'DROP'
        option enabled '0'

config forwarding
        option dest 'lan'
        option src 'guest'
---

root@mywrtc7:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option leasetime '12h'
        option limit '150'
        option start '60'

---
root@mywrtc7:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'xxx'
        option encryption 'psk2'
        option ssid 'wrt5g'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option channel '6'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'wrt'
        option encryption 'psk2'
        option key 'xxx'

config wifi-iface 'wifinet2'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option key 'xxx'
        option ssid 'guestwifi'

When a guest client connects to the second AP, which DNS server does it get from DHCP? It should be 192.168.188.50.
Does the secondary AP have a valid DNS forwarder? Normally it should get it from the wan interface, but if that is not utilized, then you'll need to add one in the lan interface.

2 Likes

That means that routing works but DNS cannot look up names. As @trendy said, your dumb AP (now not so dumb) should be offering a DNS service to the guests and forwarding requests up the line, either to your main router or directly to a third party. For this to work, an option dns must be set in its lan configuration.

1 Like

@Trendy and @mk24, thank you for your reply.

When a client connects to the second AP on the guestwifi it's getting the IP: 192.168.188.128, with gateway 192.168.188.50, subnet mask 255.255.255.0 and DNS: 192.168.188.50.
I am not fully sure if my DNS forwarder is set correctly; I have only set up a firewall traffic rule for DNS (port 53) on both devices.

Could you elaborate how I set this option dns to the lan configuration to allow for this forwarding up the line?

In the AP's /etc/config/network, in the interface 'lan' section, add option dns '192.168.178.250', assuming that is your main router and it is running a DNS server.

2 Likes

@mk24, adding the option with vi to /etc/config/network was the trick that fixed my issue. The guestwifi can now indeed browse the internet! Many thanks.

One follow-up question. Now I also activated the firewall rule to block the access from guest subnet to the private LAN. The strange thing is that from the .188.x devices I can still ping a 178.x device. I was expecting this to be blocked by this rule. Is this normal behavior or do you need to isolate the guest subnet further?

config rule
        option src 'guest'
        option name 'Block Guest access to private network'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'DROP'

What is the output of iptables-save -c -t filter | grep "Block Guest" and fw3 restart?

The output is indeed giving some errors:

root@mywrtc7:~# iptables-save -c -t filter | grep "Block Guest"
[0:0] -A zone_guest_forward -d 192.168.178.0/24 -p tcp -m comment --comment "!fw3: Block Guest access to private network" -j zone_lan_dest_DROP
[0:0] -A zone_guest_forward -d 192.168.178.0/24 -p udp -m comment --comment "!fw3: Block Guest access to private network" -j zone_lan_dest_DROP

root@mywrtc7:~# fw3 restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[11] (Block Guest access to private network) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest_DHCP'
   * Rule 'guest_DNS'
   * Rule 'Block Guest access to private network'
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest_DHCP'
   * Rule 'guest_DNS'
   * Rule 'Block Guest access to private network'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'lan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

Yes, you have not specified protocol so it assumes TCP and UDP, pings are ICMP though hence they are not blocked. Just select all protocols and it will be fine.

1 Like
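The behaviour trendy describes (a DROP rule with no protocol only covers TCP and UDP) is easy to miss when reading a long firewall config. The following added example, not from the thread or from OpenWrt, lints an fw3-style config for DROP/REJECT rules that leave the protocol unset; the sample config it runs on is constructed from the rules posted above.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): lint an fw3-style
# /etc/config/firewall for DROP/REJECT rules that set no protocol.
# fw3 then assumes TCP+UDP (the "assuming TCP+UDP" warning above), so
# ICMP such as ping is not blocked. The sample config is constructed.

# Read a firewall config on stdin; print the name of every 'config rule'
# whose target is DROP or REJECT and that has no option/list proto.
lint_block_rules() {
    awk -v q="'" '
        # text between the first pair of single quotes on the line
        function val(line,    a, b) {
            a = index(line, q)
            if (a == 0) return ""
            b = index(substr(line, a + 1), q)
            return substr(line, a + 1, b - 1)
        }
        # emit the section just finished if it is a block rule without proto
        function flush() {
            if (in_rule && (target == "DROP" || target == "REJECT") && proto == "")
                print (name == "" ? "(unnamed rule)" : name)
            in_rule = 0; name = ""; target = ""; proto = ""
        }
        $1 == "config" { flush(); in_rule = ($2 == "rule") }
        in_rule && ($1 == "option" || $1 == "list") {
            if ($2 == "name")   name   = val($0)
            if ($2 == "target") target = val($0)
            if ($2 == "proto")  proto  = val($0)
        }
        END { flush() }
    '
}

# Constructed sample: an accept rule with protocols, the block rule as it
# was first posted (no proto), and the same rule corrected with proto all.
SAMPLE_FIREWALL="config zone 'guest'
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config rule 'guest_dns'
        option name 'guest_DNS'
        option src 'guest'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'

config rule
        option src 'guest'
        option name 'Block Guest access to private network'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'DROP'

config rule
        option src 'guest'
        option name 'Block Guest access (fixed)'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'DROP'
        list proto 'all'
"

# Run the linter over the sample; on a live AP use:
#   lint_block_rules < /etc/config/firewall
check_sample() {
    printf '%s\n' "$SAMPLE_FIREWALL" | lint_block_rules
}

check_sample
```

Only the uncorrected rule is reported; the version with `list proto 'all'` passes.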

@trendy,
thanks for the help. Setting the protocol to 'any' fixed the issue. Now indeed the subnet 188.x cannot ping 178.x anymore. The wifi guest network is now fully functional on both OpenWrt devices.

Next step for me would be adding the wired RJ45 connections to the 188.x subnet on both devices. After looking through the forum and wiki, VLANs and tagging seem to be the correct approach. I see many users struggling with this setup. Do you have a good starting point (easy to follow) you would recommend for setting this up correctly for my situation?

Make a new VLAN, number 3. Move one of the LAN hardware ports (2, 3, 4, or 5) out of VLAN 1 and into VLAN 3. Attach eth0.3 to the guest network. Guest network must be a bridge to have more than one physical interface (here it is an AP and an eth port).

3 Likes

@mk24, again thanks for the guidance. I got it figured out and fully working including RJ45 LAN ports to the guest network.
Edit: Because both devices use the same SSID and DHCP server, I also enabled 802.11r to improve the wifi fast roaming between the two devices.

After diving in a bit deeper I discovered one issue on the network.
The private LAN is fully functional and always gets an IP from the 192.168.178.250 DHCP server and connects to DNS and gateway 192.168.178.250.

The guest WLAN on the 2nd Access Point (192.168.188.50) is not using the DHCP server of the guest main router (192.168.188.1) correctly. When having a 2nd DHCP server on this AP the devices are connecting (but not seamlessly). When I disable the DHCP server at the AP guest interface this device is not functional anymore. I tried to set a custom DNS and/or gateway to the main router 192.168.188.1 or 192.168.178.250 without success to link them.

What would be the correct approach to set DHCP, DNS, gateway (use masquerading?) to get the guest LAN (188.x) on the AP and router correctly linked?

Then make sure the 2nd DHCP server doesn't have an overlapping pool with the DHCP server of OpenWrt. Also it should advertise the correct gateway and DNS 192.168.188.50 (I had the wrong IP here).

1 Like

The firewall needs to allow guests ports 53 and 67 on the AP. Their DHCP and DNS should be the AP's OpenWrt via its guest interface 192.168.188.50. (To reduce confusion, conventionally gateways are configured at .1 rather than some IP in the middle of the network).

If you wanted guests to DNS directly from the main router (which I would not recommend) then the firewall that blocks guests from all of 192.168.178 would need that exception.

1 Like

The IP allocation is bad. You are using the 192.168.188.X on both routers even though they are not bridged. Luckily there is no conflict because they are isolated and NATed, but still it causes some confusion.

Guys, thanks for all your help, I am learning a lot. After your advice, I changed my setup to use two different subnets for the guest network, (188.x) and (198.x). The issue is now isolated to the guest AP (..198.1). When I connect a device to this AP I get:

IP: 192.168.198.168
Gateway: 192.168.198.1
Subnet: 255.255.255.0
DNS: 192.168.198.1

From this device I have no internet access and cannot ping 8.8.8.8 or a website, not even the main router at 192.168.178.250.

My revised plan:

These are my current setup files, where I have a firewall rule for DHCP and DNS enabled.

root@mywrtc7:~# ip route
192.168.178.0/24 dev br-lan scope link  src 192.168.178.253
192.168.198.0/24 dev br-guest scope link  src 192.168.198.1

---

root@mywrtc7:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxx'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.178.253'
        list dns '192.168.178.250'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 1'
        option vid '2'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth1.3'
        option ipaddr '192.168.198.1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 5'

---
root@mywrtc7:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config rule 'guest_dhcp'
        option name 'guest_DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guest_dns'
        option name 'guest_DNS'
        option src 'guest'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'

config rule
        option src 'guest'
        option name 'Block Guest access to private network'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'DROP'
        list proto 'all'

config forwarding
        option dest 'lan'
        option src 'guest'

---
root@mywrtc7:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option leasetime '12h'
        option limit '150'
        option start '100'

---
root@mywrtc7:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'xx'
        option ssid 'xx'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option channel '6'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'xx'
        option ssid 'xx.'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ieee80211r '1'

config wifi-iface 'wifinet2'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option key 'xx'
        option ssid 'guestwifi'

Any help is really appreciated.

I think I have isolated this issue.
Due to the many changes and testing my /etc/config/network had changed at the 'lan' interface. After correcting the settings as below I have regained internet access at the AP.

The only function I cannot get to work for the guest wifi is 802.11r (fast roaming), because the guest network shares the SSID but not the DHCP server anymore.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.178.250'
        option ipaddr '192.168.178.253'
        option dns '192.168.178.250'

You don't need a third network. Your second AP should be truly dumb. It should bridge guests from its wifi back to the first AP (also known as the guest router) using the guest VLAN on the cable*. The first AP will assign wifi guests (on either AP) IPs in the 192.168.188 range and NAT them to the Internet using the main LAN router as gateway.

I think that the dumb AP needs to hold an IP on the guest network for 802.11r to work. Other than that function, it does not. Definitely, you must roam on the same network, regardless of how inter-AP communication occurs.

Typically these are set up with an unmanaged bridge between wifi and a wired VLAN but again I don't know if that breaks 802.11r.

  • The cable between the two APs should be a true trunk with two tagged VLANs: VLAN1 for the main trusted LAN and VLAN3 for the guests. Do not try to run untagged and tagged packets on the same cable.

Thanks. Setting up VLAN 3 and VLAN 1 over the connecting wire will be my next step, and going back to one subnet with one DHCP server. Found a nice guide I will follow:

Guest VLAN setup