Set up a second router as a bridge/Wi-Fi AP so that devices connected to the two routers cannot see each other

Hello, I want to use a router as a wifi repeater or bridge, with a different SSID.
I'm not good at networking.
I would like to isolate the devices connected to the main router (with OEM firmware) from those connected to the wifi repeater (OpenWrt). My main router has no VPN functions.

How can I do that?
Maybe put the devices connected to the main router on 192.168.1.x and the devices on the wifi repeater on 192.168.2.x? I'm not sure the main router's DHCP can be set up to work like this.
Firewall rules? VPN set on the bridge/ap?

The last option is to install OpenWrt on the main router and just put the second wifi antenna on a different VPN than the first antenna. But I don't want to mess with my main router.

If this device should broadcast both the trusted and the untrusted networks, you'll want to set up a guest Wi-Fi on the device. If it is untrusted only, you'll set it up as a basic router (with a different subnet for the second LAN) and then add a firewall rule to block access to the upstream (that rule can be found in the guest Wi-Fi tutorial).


I followed the guide and it worked perfectly. I have just one issue.
Now the guests are on the 192.168.2.x subnet and cannot see devices on 192.168.1.x.
The only problem is that even from the main LAN (main router, 192.168.1.x) I have no access to 192.168.1.253 (the OpenWrt static IP).
If I connect both routers via Ethernet, I can access the LuCI configuration page. So the problem only occurs when the routers are connected via Wi-Fi. Any hint?

How are you connecting the two routers when you use ethernet? lan->wan, or lan->lan?

While I'm not sure about the details of your config, it's likely that you've set up your upstream in the wan firewall zone (or something set up similarly). That would, by default, mean that input is rejected. If you fully trust your upstream network, you can set input to ACCEPT on the wan/upstream zone. (This is only safe to do if you trust the network; never do this if the upstream is the internet or otherwise untrusted.)

If that doesn't solve the problem, post your complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks a lot, it worked. I would like to learn more about networking :slight_smile:

OK no, it didn't really work. There is something I'm missing; here's my setup:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Zyxel LTE5398-M904",
        "board_name": "zyxel,lte5398-m904",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}




root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd14:bfbc:594a::/48'
        option packet_steering '1'

# Downstream wired bridge: both Ethernet ports are members of br-lan.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

# 'lan' is addressed inside the upstream router's 192.168.1.0/24 and points
# its default gateway and DNS at the upstream router (192.168.1.254).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.253'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'

# NOTE(review): 'wwan' (fed by the 5 GHz STA link in the wireless config)
# carries exactly the same address, netmask and gateway as 'lan' above.
# Two interfaces sharing one IP on the same subnet conflict; the follow-up
# reply renumbers 'lan' onto its own subnet to resolve this.
config interface 'wwan'
        option proto 'static'
        option ipaddr '192.168.1.253'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'

# Bridge with no wired ports (bridge_empty); the 2.4 GHz guest AP in the
# wireless config attaches to it.
config device
        option type 'bridge'
        option name 'br_guest'
        option bridge_empty '1'

# Guest network on its own subnet, distinct from the upstream's 192.168.1.0/24.
config interface 'guest'
        option proto 'static'
        option device 'br_guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'





root@OpenWrt:~# cat /etc/config/wireless

# 2.4 GHz radio, fixed to channel 1 / HT20.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option cell_density '0'

# Guest access point, attached to the 'guest' network (br_guest).
# sae-mixed is the WPA2-PSK/WPA3-SAE transition mode. ocv '0' disables
# Operating Channel Validation, presumably for client compatibility —
# confirm. The key shown is presumably a redacted placeholder.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ssid '300 Passi Wi-Fi'
        option encryption 'sae-mixed'
        option key 'foo bar'
        option ocv '0'

# 5 GHz radio, channel 36 / VHT80.
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option cell_density '0'

# Upstream link: this radio associates as a client (sta) to the main
# router's SSID with WPA2-PSK and feeds the 'wwan' interface.
# The key shown is presumably a redacted placeholder.
config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid 'DP House'
        option encryption 'psk2'
        option key 'bar foo'





root@OpenWrt:~# cat /etc/config/dhcp

# Shared dnsmasq (DNS forwarder + DHCPv4) settings. rebind_protection '1'
# discards upstream DNS answers that point at private address ranges.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCPv4 pool .100-.249 handed out on br-lan.
# NOTE(review): 'lan' is currently addressed in the upstream's 192.168.1.0/24
# (see the network config). If a LAN port is cabled to the main router's LAN,
# this server would compete with the main router's DHCP on that segment —
# presumably one reason the follow-up reply renumbers 'lan'.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

# IPv6 DHCP/RA daemon; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCPv4 pool 192.168.2.50-.199 for guest clients.
config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '150'
        option leasetime '12h'






root@OpenWrt:~# cat /etc/config/firewall

# Default policy: traffic to the router itself and forwarding between zones
# are rejected unless a zone or forwarding/rule entry below allows them.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# NOTE(review): this single zone covers both the upstream STA link (wwan)
# and the downstream bridge (lan), with masq '1' (source NAT) applied to
# traffic leaving through it. Keeping the uplink in the same zone as the
# trusted LAN makes the guest rules below hard to reason about; the
# follow-up reply moves wwan into its own zone and drops masq here.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wwan'
        list network 'lan'

# Guest zone: guest clients can reach the router itself (input ACCEPT,
# e.g. 192.168.2.1 services) but forwarding is rejected unless a
# forwarding/rule entry allows it.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# Allows guest -> lan forwarding; since the 'lan' zone above also holds
# wwan, this is what gives guests a path to the upstream/Internet.
config forwarding
        option src 'guest'
        option dest 'lan'

# Lets guest clients obtain DHCP leases from this router. With the guest
# zone's input already ACCEPT this rule is redundant; it only matters if
# zone input is tightened to REJECT.
config rule
        option src 'guest'
        option name 'Guest_DHCP'
        list proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

# Lets guest clients use this router for DNS. No proto is given, so the
# firewall default (presumably TCP and UDP — confirm) applies. Redundant
# while zone input is ACCEPT, as above.
config rule
        option src 'guest'
        option name 'Guest_DNS'
        option dest_port '53'
        option target 'ACCEPT'

# Rejects forwarded guest traffic destined for the 192.168.1.0/24 network
# while the guest -> lan forwarding above still allows other destinations.
# NOTE(review): dest is the 'lan' zone; if wwan is moved into its own zone
# (as the follow-up reply suggests), this rule and the forwarding above
# presumably need dest 'wwan' for the upstream network to stay blocked.
config rule
        option src 'guest'
        option dest 'lan'
        option name 'Block_Guest_from_LAN'
        list proto 'all'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

This is wrong:

The wwan and lan interfaces both use the same address and subnet, which causes a conflict.

From what I can tell, this device is operating as a wifi STA (client) for its upstream connection and then providing a guest wifi network. Nothing more.

# Proposed replacement for 'lan': moves the downstream LAN onto its own
# subnet so it no longer shares 192.168.1.253/24 with 'wwan'.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.157.1'
        option netmask '255.255.255.0'

Next, you need to fix the firewall:

Remove the wwan network and the masquerading from below:

Create a new zone for the wwan (I'm assuming that the wwan is fully trusted):

# Proposed dedicated upstream zone. masq '1' NATs traffic leaving over the
# STA link. input ACCEPT lets hosts on the upstream network reach this
# router's own services (e.g. LuCI), which is only appropriate when that
# network is trusted — the stated assumption here.
config zone
        option name 'wwan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wwan'

Modify the following rules with wwan instead of lan:

Reboot and test again.