Thoughts about "Guest Wi-Fi on a dumb wireless AP"

I do have the use-case covered in

Guest Wi-Fi on a dumb wireless AP using LuCI

I do have two points I would like to discuss:

I do feel uncomfortable enabling Masquerading on "lan" as it is described in the doc linked above.
Why? I cannot say exactly. In my brain, Masquerading somehow has to be set on the wrong side. Another reason might be the visualization "lan => wan" and "wan =>" that then have Masquerading set on "both directions".

I created an additional, separate zone as shown in the following pictures:


It feels better to me, but does it make sense? A fake zone also feels wrong. But modifying "lan => wan", which has nothing to do with guests, feels wrong too. At least this way everything regarding guests is an obvious addition that can easily be identified and deleted when necessary.

The second point is regarding the traffic rules.

I also added "::/0" to block any IPv6 traffic from the guest zone to my lan.

My ISP (modem in bridge mode) does (still) not support IPv6 along with IPv4, so I use IPv4 only to connect to the internet and so do the guests.
I guess packets in the guest network with link-local destinations do not get forwarded to the lan. But what about any "special" IPv6 addresses? Aren't there multicast or special addresses for servers of specific types like gateways, dns, ntp...? So I blocked them all.
If I ever get IPv6 internet access, my devices on the lan would get public IPv6 addresses. Without the "::/0", guests could access the lan devices using their public IPv6 addresses, right?

If guests were to get public IPv6 addresses, everything would then get much, much more difficult. It would be worth extending the OpenWrt doc for that scenario.

Hard to address something where you can't say why you're uncomfortable. But to be clear, the masquerading is enabled on the upstream zone only... in the case of a guest wifi on a bridged/dumb AP, that would be the lan zone, not the guest zone.

You don't need that guest_masq zone at all... not sure where that came from (it's not part of the tutorial).

In your case, yes... you've set it incorrectly.

As I said before, it belongs only on the upstream. In the case of a normal routing situation, it would be the wan zone. However, in the case of a bridged AP, it would be the lan, as the wan is unused.

Leaving the wan network interface and firewall zone as-is will not cause any issues since the wan interface is unused in this scenario.

Why have you added a 'fake zone'? Yes, it's wrong.

It's a no-op in that it does nothing, but also has no effect either way because the wan is not used.

Sure... but this isn't necessary if you don't have IPv6 enabled on the lan (upstream) network and you don't have IPv6 related DHCP server options enabled.

And therefore the IPv6 stuff is even less relevant. No IPv6 upstream means nothing downstream either.

There are IPv6 link local and a few other special categories... but it's not relevant in your config. You don't need to block them.

No, not unless the guest network also has IPv6 enabled.

IPv6 subnetting is documented... it's a bit of a different animal, but the same concepts would apply for a guest network.


Why not use a separate network / VLAN, and connect the VLAN to the guest SSID in the dumb AP to have an isolated lan there?


That is the recommended solution when possible. But that requires an upstream router that is both controlled by the user and capable of VLANs. Not all routers offer such features -- take for example an ISP router that must be used or an existing consumer router (unsupported by OpenWrt) that the user doesn't want to replace. For those situations, the "guest wifi on a dumb AP" is a valid solution.

Yes, I know, you can either use a VLAN or create a separate network in the dumb AP...
The dumb AP will act as a dumb AP for the lan and create a separate network with your router as the default route; you can also add a blocking rule so the guest network is not able to access lan IPs.

In this scenario the wan is not being used and the main router's lan is connected to the lan in the dumb AP:

# Create guest network interface (static IP, not bridged)
uci set network.guest="interface"
uci set network.guest.proto="static"
uci set network.guest.ipaddr="192.168.3.1"
uci set network.guest.netmask="255.255.255.0"
uci set network.guest.device="wlan1"  # Adjust interface if needed

# Add firewall zone for guest
uci set firewall.guest="zone"
uci set firewall.guest.name="guest"
uci set firewall.guest.network="guest"
uci set firewall.guest.input="REJECT"
uci set firewall.guest.output="ACCEPT"
uci set firewall.guest.forward="REJECT"

# Allow DNS and DHCP in guest zone
uci add firewall rule  # "uci add <config> <section-type>", not "firewall.rule"
uci set firewall.@rule[-1].name="Allow-DNS-Guest"
uci set firewall.@rule[-1].src="guest"
uci set firewall.@rule[-1].dest_port="53"
uci set firewall.@rule[-1].proto="tcp udp"
uci set firewall.@rule[-1].target="ACCEPT"

uci add firewall rule
uci set firewall.@rule[-1].name="Allow-DHCP-Guest"
uci set firewall.@rule[-1].src="guest"
uci set firewall.@rule[-1].dest_port="67-68"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].target="ACCEPT"

# Block guest to LAN access
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="guest"
uci set firewall.@forwarding[-1].dest="lan"
uci set firewall.@forwarding[-1].enabled="0"  # Explicitly disabled

# Optional: Block all IPv6 from guest
# ("family" selects the IPv6 ruleset; proto="ipv6" would only match
# IP protocol 41, i.e. 6in4 encapsulation, not native IPv6 traffic)
uci add firewall rule
uci set firewall.@rule[-1].name="Block-IPv6-Guest"
uci set firewall.@rule[-1].src="guest"
uci set firewall.@rule[-1].dest="*"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="all"
uci set firewall.@rule[-1].target="DROP"
uci set firewall.@rule[-1].dest_ip="::/0"

# Enable DHCP on guest network
uci set dhcp.guest="dhcp"
uci set dhcp.guest.interface="guest"
uci set dhcp.guest.start="100"
uci set dhcp.guest.limit="150"
uci set dhcp.guest.leasetime="1h"
uci set dhcp.guest.ignore="0"

# Commit and reload all services
uci commit
/etc/init.d/network reload
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

Create and bind the guest SSID to the guest network.

Steps to configure Guest SSID with network isolation on a Dumb AP using LuCI:

  1. Disable WAN (optional)

    • Go to Network > Interfaces.
    • Edit wan and wan6.
    • Set "Protocol" to "Unmanaged" or disable them.
    • Unplug WAN cable if connected.
  2. Create Guest Interface

    • Go to Network > Interfaces > Add new interface.
    • Name: guest.
    • Protocol: Static address.
    • Device: Select the wireless device (e.g., wlan1, not part of LAN).
    • Set IPv4 address: 192.168.3.1.
    • Netmask: 255.255.255.0.
    • Leave IPv6 unchecked.
    • Click Save.
  3. Configure DHCP for Guest

    • After creating the interface, click Edit > DHCP Server tab.
    • Enable DHCP server.
    • Start: 100, Limit: 150, Lease time: 1h.
    • Click Save & Apply.
  4. Create Guest Wireless SSID

    • Go to Network > Wireless.
    • Click Add on a radio (preferably not used by LAN).
    • Mode: Access Point.
    • SSID: GuestWiFi.
    • Network: Check guest only (uncheck lan).
    • Encryption: WPA2-PSK.
    • Key: Set a password.
    • Click Save & Apply.
  5. Create Guest Firewall Zone

    • Go to Network > Firewall > Add.
    • Name: guest.
    • Input: reject, Output: accept, Forward: reject.
    • Covered Networks: check guest.
    • Masquerading and MSS Clamping: leave unchecked.
    • Click Save.
  6. Allow DNS and DHCP for Guest

    • Go to Network > Firewall > Traffic Rules.
    • Click Add.
    • Name: Allow-DNS-Guest.
    • Source zone: guest.
    • Destination zone: Device.
    • Destination port: 53.
    • Protocol: TCP+UDP.
    • Action: accept.
    • Click Add again.
    • Name: Allow-DHCP-Guest.
    • Source zone: guest.
    • Destination zone: Device.
    • Destination port: 67-68.
    • Protocol: UDP.
    • Action: accept.
    • Click Save & Apply.
  7. Block Guest to LAN Access

    • Go to Firewall > Traffic Rules.
    • Click Add.
    • Name: Block-Guest-to-LAN.
    • Source zone: guest.
    • Destination zone: lan.
    • Action: reject.
    • Click Save & Apply.
  8. (Optional) Block IPv6 from Guest

    • Go to Firewall > Traffic Rules.
    • Click Add.
    • Name: Block-IPv6-Guest.
    • Source zone: guest.
    • Destination zone: any.
    • Destination address: ::/0.
    • Protocol: any.
    • Action: drop.
    • Click Save & Apply.
  9. Finalization

    • Ensure LAN is bridged and connected to main router.
    • Do not use WAN port.
    • Restart network, dnsmasq, and firewall services.

This results in a guest Wi-Fi on a separate subnet, isolated from LAN, using the main router for upstream access.

Given that there is already a wiki article, not sure why you created this additional tutorial.

But... some comments

No, the device should either be omitted or it should be a bridge (it can be an empty bridge). The reason is that the wireless hardware should never be specified in /etc/config/network. Instead, the SSID is specified in /etc/config/wireless and the network is attached via option network in the SSID definition.

Meanwhile this is incomplete. As written, it will block the internet, too.

It needs to have the upstream (lan) subnet such as 192.168.1.0/24 specified as the destination IP.

You've also omitted two critical elements:

  • the lan zone must be masqueraded (unless the upstream router supports static routes, in which case a static route can be installed there accordingly).
  • you must enable guest > lan forwarding. Combined with the above point about specifying the lan subnet, this will enable the guest network to reach the internet via the upstream while simultaneously blocking the upstream lan network itself.

Masquerade is set on the destination zone. This is a common rookie mistake. As the packet reaches the destination zone, its source IP will be changed to the IP of the outgoing interface in that destination zone. This is used in cases where the upstream router is unaware of IP addresses in the source zone. It only knows the IP of the interface directly facing it, that belongs to an interface in the destination zone, which is the output of the OpenWrt router.


It took me a while to get a better understanding of the stuff.

What I did with the extra zone is functionally identical to enabling Masquerading for the lan zone.
(Status -> Firewall to show the resulting rules was very helpful.)

However, I missed something in my initial post that is much more relevant than I thought: I would like to keep the wan operation intact, even though I currently use the box as an AP. If the main internet router fails, I would like to connect the modem to this box and, with minimal configuration changes on it, get basic internet access as a backup.

With this in mind, just setting Masquerading on lan or on my extra zone is equally wrong (NAT in both directions). I think it can be fixed by setting the guest subnet as "Restrict Masquerading to given source subnets", but I was not able to test it.
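Putting the replies above together (masquerading only on the upstream lan zone, guest > lan forwarding enabled, a reject rule that names the upstream subnet, and the "restrict masquerading to given source subnets" idea so the wan path stays untouched), here is an added /etc/config/firewall fragment as an example; it is not from the wiki article or from any post in this thread. It assumes the upstream lan is 192.168.1.0/24, the guest network is 192.168.3.0/24, and the "guest" interface is an empty bridge in /etc/config/network with the SSID attached via "option network 'guest'".

```uci
# Added example (not from the wiki article or any post above):
# /etc/config/firewall fragment for a locally routed guest network on
# a dumb AP. Assumed: upstream lan 192.168.1.0/24, guest 192.168.3.0/24,
# "guest" interface is an empty bridge, SSID attached via option network.

# The lan zone is the upstream here, so masquerading goes on it.
# masq_src limits the SNAT to packets from the guest subnet, so
# lan<->wan traffic stays untouched if the wan port is later used.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list masq_src '192.168.3.0/24'
	option mtu_fix '1'

# Guests may not reach the AP itself except where allowed below.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# guest > lan forwarding is required: the default route lives there.
config forwarding
	option src 'guest'
	option dest 'lan'

# Rules run before zone forwardings, so this takes the upstream subnet
# back out. Without dest_ip it would cut off the internet as well.
config rule
	option name 'Guest-Block-Upstream-LAN'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'

# DHCP and DNS are served by the AP itself to the guest subnet.
config rule
	option name 'Guest-Allow-DHCP-DNS'
	option src 'guest'
	option dest_port '53 67'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

After applying it, Status -> Firewall should show the masquerade entry restricted to 192.168.3.0/24 and the guest > lan reject before the forwarding accept.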

A related question I have regarding this is that following the guide will not actually work unless you enable dhcp and firewall as a service on the dumb ap, which makes it a not so dumb ap. Any workarounds on this?

No, you need DHCP to serve IP addresses to the guest network, since these addresses are not part of the main (LAN) network. The masquerade function is part of the firewall. I suppose you could place a SNAT rule directly into the kernel nftables, but that sort of defeats the purpose of having a high-level network configuration system like UCI.

I prefer to call this use case "locally routed guest network" to distinguish that it is indeed a router no longer just an AP bridge.

Very well, but I should note that in none of the parts of the OpenWrt guide does it state that you need DHCP functionality enabled. Maybe adding that part would help?

Also, I have an 802.11r setup with two APs hardwired to a wired router (all are running OpenWrt). Doesn't this mean that when I set that up on both APs there are two DHCP servers for a single guest SSID? This has not caused any issues so far, but I'm unsure as to how viable/feasible this is in the long run.

802.11r only works if all the APs are bridged together in the same network. It's not applicable to locally routed. Locally routed even with the same SSID works fine in most situations because the guests do not move around a lot.