But I would like devices on my main LAN to be able to connect to devices on guest wifi (but not the other way round, obviously). What changes do I need to make?
Main router also runs OpenWRT. Main LAN is 10.0.0.*; guest LAN is 10.0.99.*.
Currently the main router knows nothing about the guest network, so presumably some change is required there.
To test I'm using ping 10.0.99.2 from the main router and/or a LAN device. (10.0.99.2 is the AP's IP address on the guest network.)
I'm using LUCI. There's nothing unusual/complex about my overall setup - the above sums it up really.
Since your main router runs OpenWrt, the optimal solution is to actually set up the guest network on that device and use VLANs to transport it to the AP. Then, the main router's firewall would be the thing that you'd use to handle everything.
That said, if you want to allow lan > guest access, you need to:
1. Set a static route on the main router for 10.0.99.0/24 via 10.0.0.x, where x is the address that the AP holds on the main LAN.
2. Allow lan > guest forwarding on the AP.
3. Disable masquerading on the lan firewall zone on the AP.
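For reference, this is what the three steps above look like in the UCI config files that LuCI edits underneath (added example, not part of the answer above). It assumes the AP's address on the main LAN is 10.0.0.2 and that the AP's interfaces are named `lan` and `guest`; substitute your own values. Only the stanzas that change are shown; any other options already present in your zones (for example DHCP/DNS input rules on the guest zone) stay as they are.

```text
# --- Main router: /etc/config/network ---
# Step 1: tell the main router that 10.0.99.0/24 lives behind the AP.
config route
	option interface 'lan'
	option target '10.0.99.0'
	option netmask '255.255.255.0'
	option gateway '10.0.0.2'      # assumed: the AP's IP on the main LAN

# --- AP: /etc/config/firewall ---
# Step 3: lan zone without masquerading, so guest replies carry real addresses
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'

# Guest zone stays locked down: nothing initiated from guest is forwarded.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Step 2: one-way forwarding only. There is deliberately NO matching
# 'src guest' / 'dest lan' stanza; replies to lan-initiated connections
# are still let through by the firewall's default established/related rule.
config forwarding
	option src 'lan'
	option dest 'guest'
```

After editing, run `/etc/init.d/network reload` on the main router and `/etc/init.d/firewall reload` on the AP. `ip route get 10.0.99.2` on the main router should now show the route via 10.0.0.2 rather than the WAN default route, and a ping from a guest client to a main-LAN address should still fail, which confirms the reverse direction is blocked.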
First off, thanks both for almost instantaneous replies. I barely had time to correct my (several) typos.
Interestingly, my first instinct was to configure this on the main router, but being somewhat out of my depth I decided to just Follow The Instructions.
For now, I've followed 1, 2 and 3 above and it's working, so thanks! (At least as far as pings go; yes there are probably other things I need to consider.)
Next I need to go and learn about VLANs, and probably redo things for a more general, main-router-based solution.