[SOLVED] Guest network - how to communicate between clients

apologies in advance, i am probably using the wrong terms, sorry about it, i have a mechanical background, i know what i need (kind of... :wink: ) but i am not sure how it is called...

i have setup a guest network (guest interface @ / while lan is @ /
everything is working fine apart from the fact that i cannot ping/ssh from one client on the main network to one client on the guest network (and vice versa)

actually, i am not concerned by ping/ssh, i have tried and i can
client on guest network --> ssh --> router --> ssh --> client on main network (and the other way round)
but i am trying to access my son's minetest (open source game similar to minecraft) on (guest network) from my computer on (main network)
minetest runs on port 30000, so i would be happy to open/forward only this port and make it accessible from the main network

i have been playing with firewall, i don't mind reading some manuals but i am not sure of what i have to look for.
is there anyone that could point me in the right direction?

thanks a lot


Why do you need a guests network, if you do not want to isolate the devices? Depending on your answer, the solution will be one or another.

thanks eduperez, i should have mentioned it

guest network is to force the clients on this network (which is meant for my son and friends if they come over) to use opendns as dns server and always go through google safe search (this is where i learnt about poisoning dns names... https://forum.openwrt.org/t/solved-dnsmasq-addnhosts-ignored-no-local-hostnames/26191

hope this helps


You would need to have a separate firewall zone for Guest network, then add a forward from LAN to Guest for that port

Or you could just allow all from LAN to Guest

Have a look at this. It's form older interface (presuming you are using GUI), but should do. At the end, you will see creating port forwarding, so you can make another rule same way to forward 30000 from LAN to guest.

I think based on your use, you could just allow all LAN to forward to GUEST, but not the other way.

I am in exactly the same situation. I guess now you need the guest clients to reach some device (a printer, perhaps?) on the LAN. I would give static IP addresses to those devices, then allow to forward traffic from the guest network to those devices.

I think it can be easier.
Connect son's PC in LAN. Send with DHCP different namerver to it.
Let his friends (and other guests) continue to use the guest network.

My guess is the son and friends will want to play LAN games which send broadcast or multicast for game host discovery etc, this means they should all be in same broadcast domain, same network

thank you all guys, much much appreciated...

i am not sure if i have ended with an oversimplified solution, but i just tested and it seems to work
i have added the following forwarding:

config forwarding
    option  src         'lan'
    option  dest        'guest'

and all seems good, i can access my son's minetest server (on the guest network) from my computer (on the main network) and the same goes for ssh

for the moment there are no fancy lan games involved so this should be enough

i hope i have not compromised the security of the network
I am not sure if it makes sense, i was looking into limiting "src" and "dest" to a specific IP (all addresses are static in both networks) but i don't believe that forwarding accepts src_ip or dest_ip
in the firewall page i I see it only for "rules"
am i missing something obvious?

i will study more and if all is ok i will mark this as solved

thanks a lot



This forwarding is one way, no different from treating the guest Network as part of the internet. Doesn't seem to be a problem.


just edited the title and marked as solved

thank you everybody, much much appreciated


You can also mark the relevant post as the solution (click the pencil behind the topic).



@trendy, sorry i am super late...i forgot about marking the post...

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.