It seems the usual method for this is to use VLANs rather than routing your guests through the LAN. Is the device wired to upstream or is it wireless on both ends?
1. Bridge the guests back to the main router on an isolated network using VLANs, GRE tunnels, etc. The main router issues DHCP addresses to the guests and independently NATs them to its Internet connection.
2. Have the AP "locally route" and NAT the guests into the LAN network. The main router (seeing the traffic coming from the LAN port of the AP) then NATs them again to the Internet. Firewall rules are necessary on the AP to prevent the guests from reaching any LAN machines.
Lately I have been favoring method 2, because then the backhaul LAN links can be simple AP-STA connections, and nothing at all special is required of the main router.
So, to implement method 2 on an OpenWrt router that has a LAN-based connection to a main router and the Internet, you will need to set up:
1. A br-guest network with a DHCP server. The br-guest addresses are different from the LAN.
2. A Wifi AP and / or wired connections to the guest network.
3. NAT / forwarding from guest to lan. Enable masq and mtu_fix on the lan zone.
4. Firewall rules to block the guests from any LAN IP addresses, other than the DHCP and DNS server in the AP.
5. Optionally, sqm rules on the guest network to prevent guests from using all the Internet bandwidth.
The firewall rules I use are below:
config zone
	option name 'guest'
	option network 'guest'
	# Nothing reaches the AP itself and nothing is forwarded by default;
	# the ACCEPT rules below open only DHCP and DNS.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Rules are applied in file order, so the two ACCEPT rules must come before the REJECT rules.
config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Guest-DHCP'
	option family 'ipv4'
	option proto 'udp'
	# DHCP requests are input to port 67
	option dest_port '67'

config rule
	option src 'guest'
	option proto 'tcp udp'
	option name 'Guest-DNS'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'

# This denies the guests any local ports of the router, other than the
# DHCP and DNS which are explicitly allowed above.
# (Without 'option dest' the rule applies to traffic addressed to the AP itself.)
config rule
	option enabled '1'
	option name 'Deny-Guest-Local'
	option src 'guest'
	option target 'REJECT'

# This will deny guests every other machine in the LAN, assuming it has IPs in the 192.168.x.x range.
# If the LAN uses 10.0.0.0/8 or 172.16.0.0/12 instead, add an equivalent rule for that range.
# It only affects forwarded traffic, so guest-to-guest traffic on br-guest is not touched.
config rule
	option src 'guest'
	option proto 'all'
	option dest_ip '192.168.0.0/16'
	option target 'REJECT'
	option name 'Deny-Guest-Upstream'
	# dest '*' makes this a forwarding rule regardless of the destination zone
	option dest '*'

# Everything else from the guests is forwarded (and NATed) out of the uplink zone.
# 'dest' must name the zone that contains the AP's uplink interface and has
# masq and mtu_fix enabled (the lan zone in the steps above, if the default zone names are kept).
config forwarding
	option src 'guest'
	option dest 'wan'
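The firewall stanzas above cover only the "firewall rules" step. The fragments below are an added example, not part of mk24's post, showing the matching /etc/config/network, dhcp, wireless, firewall-zone and sqm stanzas for the other steps (br-guest with a DHCP server, the guest SSID, NAT on the uplink zone, optional SQM). The guest subnet 192.168.9.0/24, the radio name, the SSID, the bandwidth figures and the zone name 'lan' are assumptions; the bridge uses the pre-21.02 UCI syntax that matches the br-guest naming in the post, and the SQM options are those of the sqm-scripts package.

```uci
# --- /etc/config/network ---
# Separate bridge (br-guest) with its own subnet.
# 192.168.9.0/24 is an assumption; pick anything that does not overlap the LAN.
# Pre-21.02 syntax: on 21.02 and later the bridge is a 'config device' and the
# interface refers to it with 'option device'.
config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	# No 'ifname' here: wired guest ports would be listed with it,
	# the Wi-Fi interface joins through /etc/config/wireless.

# --- /etc/config/dhcp ---
# Hand out addresses on the guest bridge only.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

# --- /etc/config/wireless ---
# Guest SSID attached to the guest network (radio name, SSID and key are placeholders).
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-guest-passphrase'
	# Optional: stop guest stations from talking to each other over the air.
	option isolate '1'

# --- /etc/config/firewall ---
# The zone holding the AP's uplink (the LAN side of the AP) does the NAT.
# Its name must be the one used in 'option dest' of the guest forwarding entry.
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# Guests leave the AP with the AP's own LAN address.
	option masq '1'
	# Clamp TCP MSS on the NATed flows.
	option mtu_fix '1'

# --- /etc/config/sqm ---
# Optional: shape the guest bridge. Because SQM runs on the LAN-facing bridge,
# the directions are swapped relative to a WAN interface: 'download' limits
# traffic arriving from the guests (their upload) and 'upload' limits traffic
# sent toward them (their download). Figures are in kbit/s and are assumed.
config queue 'guest'
	option enabled '1'
	option interface 'br-guest'
	option download '5000'
	option upload '20000'
	option qdisc 'cake'
	option script 'piece_of_cake.qos'
```

After editing the files, `/etc/init.d/network restart`, `/etc/init.d/firewall restart` and `/etc/init.d/sqm restart` apply them; from a guest client, a traceroute to a LAN host should stop at the AP, while a traceroute to an Internet host should pass through the AP and then the main router.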
In the past I used your second approach, with a comparable configuration. I stopped using guest networks because of strange routing behaviour in the OpenWrt router. When I performed a tracert I noticed that the traffic from WLAN hosts connected to the non-guest network (WLAN bridged with LAN) was routed via the guest interface. I don't know why, but when I read the earlier mentioned post I recognised the problem.
I also wonder if approach 2 is preferred when having multiple APs with guest networks.
I understand the concept of VLANs very well, but that doesn't mean that I implement them at home, only if really necessary. In the end I think they are necessary if I want to support 'seamless' roaming in the guest network to different access points. However, this is currently not the case.
In my current setup I have an ISP router as Internet gateway, which doesn't support VLANs on the LAN interface. Therefore I am not able to separate the guest network from the non-guest network on the Internet gateway. The workaround is to use the second approach as proposed by the user mk24 in the OpenWrt AP:
1. A br-guest network with a DHCP server. The br-guest addresses are different from the LAN.
2. A Wifi AP and / or wired connections to the guest network.
3. NAT / forwarding from guest to lan. Enable masq and mtu_fix on the lan zone.
4. Firewall rules to block the guests from any LAN IP addresses, other than the DHCP and DNS server in the AP.
5. Optionally, sqm rules on the guest network to prevent guests from using all the Internet bandwidth.
As a result, both the guest network traffic and the LAN network traffic will be mixed together; the ISP router will not notice the difference and handles it all as LAN traffic. The firewall rules in the OpenWrt AP prevent guest clients from gaining access to non-guest clients.
I tried this workaround in the past, but I noticed very strange routing behaviour, as mentioned before. Then I saw the post about routing, and I thought that this could solve my problems. But perhaps I am mistaken.
I will configure my APs with the configuration proposed by mk24, and see what happens.