Wifi Guest access on a dumb IP

I have configured a guest-network, which doesn't work as expected, but lists my guest devices, like a washing machine.

To understand the situation better:

There is a Fritzbox-Router from the ISP which doesn't use openwrt. The DHCP-server on the Frizbox is deactivated.

So I connected some openwrt-routers via LAN (NOT WAN!). The Fritzbox is a DSL-router. Let's talk about 2 openwrt-routers only, the third should not be important.

This is the router which is responsible for DHCP, but does not contain the guest network.

root@R7800:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "R7800",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq806x/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

This is the router with the guest network:

root@C7v5-G:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "C7v5-G",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

The good news, I see some IoT devices with the configuredd IP-range in the 2,4G range.

guest-leases3842×2113 456 KB

If I use my phone to see the available SSIDs I can't see the 2.4G-SSID, but I see the 5G-SSID.

root@C7v5-G:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT40'
	option cell_density '0'
	option channel '60'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '5G-SSID'
	option encryption 'sae-mixed'
	option key '...'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '6'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'Guest-SSID'
	option encryption 'sae-mixed'
	option key '...'
	option isolate '1'

Here is the network configuration:

root@C7v5-G:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7e:e4dc:6bf9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.178.242'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'

config device
	option name 'eth0.2'
	option macaddr 'b0:...:aa'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.180.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option device 'phy1-ap0'

I don't know if the DHCP-configuration is correct. Note, the DHCP-server for the "main net" is on the other router, with IP range 192.168.178.x, while the guest net ist 192.168.178.180.x

root@C7v5-G:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '50'
	option limit '179'
	option leasetime '12h'

And this is the firewall configuration. Mainly I added 2 rules, which you see at the end.

root@C7v5-G:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'guestDHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guestDNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

On the lan firewall zone of the C7 you have to enable MASQUERADING.

config zone
	option name 'lan'
..
	option masq '1'

Full firewall configuration:

root@C7v5-G:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'guestDHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guestDNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

Strange, I did nothing and now after 20min I see the SSID, before I waited for about 10min and could not see the SSID.

I will do some tests now, if everything works as expected. Is the firewall configured correctly?

The guest-network should have a connection to the internet, but not to my local net with IP 192.168.178x. Connections between the guest-devices in 192.168.180.x should not be possible, but this is not important.

This is likely an issue for your device. Use wpa2 encryption.

No, works now. Tried mixed before fine-tuning. Changed in the meantime. Guest is WPA2, normal user WPA3.

Is it possible to setup 2 SSID for 1 radio? I mean I want to access with SSID "Normal-User" with full permissions and with SSID "Guest-User" with limited permissions.

A few miniutes it didn't work, now it works. Maybe a cache is fooling me. I am asking, if the following configuration can be set.

root@C7v5-G:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT40'
	option cell_density '0'
	option channel '60'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Normal-User-C7.5-m'
	option encryption 'sae-mixed'
	option key '...'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '6'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Normal-User-C7.4-m'
	option encryption 'sae-mixed'
	option key '...'

config wifi-iface 'guest_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'Guest-User'
	option encryption 'sae-mixed'
	option key '...'

Sorry - I’m a bit confused. Is it working now? Is this now achieving your goals or are there still some things you want to do?

For best wifi performance, always set the radios to your country code. Same option country on both radios.

Channel 60 is a DFS channel in most countries, so by regulation the radio has to pause for at least 1 minute to check for radar after a restart. During that time the 5 GHz AP will be off the air.

Yes you can have two APs with different SSIDs on one radio, simply build another wifi-iface block. In order to have two APs on the same network (dual band) you'll need to build a bridge for them (e.g. br-guest, using the same setup as br-lan) in /etc/config/network. This bridge may be initially empty if the only members will be wifi APs.

Do not reference any wifi interface in /etc/config/network. The connection of wifi to the networks is done by the option network in /etc/config/wireless.

What happens if country codes are different? Misconfigured it by copy & paste and it worked. Normally both are the same. I had problems with very high channels and then i tested different countries. The problem was, that there was something wrong with channels in wikipedia.

I know, best which is free. On the other side, I use 5GHz with this AP very rarely and never 5GHz is used as guest network.

I had the problems with 2.4 GHz, when the SSID where not found within minutes, maybe 5 or more. But the problem is gone.

root@C7v5-G:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7e:e4dc:6bf9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.178.242'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'

config device
	option name 'eth0.2'
	option macaddr 'b0:...:aa'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.180.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

Is it luck that this configuration above works?

Edit:

I think I did misunderstand you. There is no need for 5GH with the guest network. I need 2.4GHz only, it are mainly IoT devices, which are connected.

Should I simply replace it with this:

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.180.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

At the moment I am playing with this configuration, while the network-config is not changed as mentioned. The 2nd SSID with 2.4G is disabled, but it should be possible to enable it quickly.

For now, this is a test-router. When everything works I will configure the actually used router.

root@C7v5-G:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT40'
	option country '...'
	option cell_density '0'
	option channel '60'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Normal-User-C7.5-m'
	option encryption 'sae-mixed'
	option key '...'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option country '...'
	option cell_density '0'
	option channel '6'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Normal-User-C7.4-m'
	option encryption 'sae'
	option key '...'
	option disabled '1'

config wifi-iface 'guest_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'Guest-User'
	option encryption 'psk2'
	option key '...'

Do I have to change something with the wifi-configuration?

except don't list any ports. It works now because there is only one interface (an AP) attached to the guest network. If you want to add a wired guest port (for example for an additional remote AP) you'll need to create another VLAN in the switch first, then it would be something like eth0.3. VLAN 1 is already used by the regular LAN.

So simply I need to remove?

list ports 'eth0.1'

Do I need to do anything, If I want guest network with 2.4G only?

Probably this will be never needed.

At the moment I don't want to add VLANs, like 1 for guest and 1 for IoT. Keep it simple

I am migrating as much services as possible from the Fritzbox of the ISP. For a 1st step simply this should work what worked already.

If you are only using 2.4GHz (and never both 2.4 and 5) for your guest network, and you don't need a bridge at all (although a bridge won't hurt).

At the moment I try to avoid things, which are not necessary. Thanks!

I think I found a problem with dhcp, although it works.

This is from the router with the guest-account.

root@C7v5-G:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '179'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '50'
	option limit '179'
	option leasetime '12h'

config host
...

The guest network is 192.168.180.x

This is from the "main network" 192.168.178.x, where 1 openwrt-router is dhcp-server.

root@R7800:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '179'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '3,192.168.178.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
...

Please note: list dhcp_option '3,192.168.178.1'

For other config-files of the guest-router please see my 1st post.

So I am using 2 dhcp-server, 1 for "192.168.178.x" (R7800) and 1 for "192.168.180.x" (C7).

The own dhcp-server for the guest-network will get problematic, when I add another guest-device, which is similar configured.

How do I have to change the configuration, that the R7800 manages dhcp for the guest network?

My goal is to setup 2 openwrt devices with a guest network.

At the moment I am not sure what I want:

Let's assume, both guest-devices have the same 2.4G SSID with the same password.

Let's assume too, some guest / IoT devices should get a static lease, but not all.

It could happen too, that some android phones connect to the guest network or/and to the main network.

I want to use static leases for main and guest network.

eg
192.168.178.157
192.168.180.157 (guest)
for the same phone according to the MAC-addresse. The IP-address depends on the SSID.

It would prefer the same subnet for the 2 guest-network-devices, but it could be different.

Not sure if this is possible, maybe I will remove the 1s guest network, if guest-network 2 works alone. I will have to try.

This is not necessary.

What do you mean adding another guest device? Another AP or more client devices?

I was going to suggest this... you'd actually setup VLANs on your R7800 to do this, and then I'd recommend resetting the C7 to defaults...

On the R7800 you'd start with this:

And then we'd make a minor modification to set it up with ethernet (using VLANs) to connect the C7, where then the C7 would be purely a dumb AP with multiple VLANs and SSIDs.
Start

This was recommended by you in another thread.

The situation is, that there is a Fritzbox from the ISP which connects to the internet using dsl.

I try to reduce the "services" of the Fritzbox as much as possible, so I am free to configure things with openwrt-boxes. The last step was to deactivate dhcp at the Frtizbox and use an openwrt box as dhcp-server. I never use WAN with the openwrt-boxes and there is no WAN conncection with the Fritzbox too, since the Fritz uses DSL for internet connection.

more client devices.

I am going to reorganize the whole network in the house, but things must work as much as possible when I do changes.

There are problems with the signal strength in the house, but it could be, that I can remove 1 openwrt-router. I have to try.

The simplified situation is.
Fritzbox
3 openwrt-routers connected via Ethernet cable to the Fritzbox.
A lot of wireless connected APs to the R7800

Earlier the Fritzbox contained the guest network. Now guest at the Fritz is off.

Now I have 1 openwrt-box setup with a working guest network. It could be that I can remove this openwrt box totally.

I want to setup another existing openwrt-box in another room with a guest access, But since I don't know, if I need the other openwrt-router too, there should be 2 guest-devices and everything should work without modification, when I remove 1 guest device. The problem is that there is not another dhcp-server with the 2nd guest device.

I try to avoid VLANs for the moments. I am planning to do big changes with the network, but 1 step after another. The network in the house must work when I do changes.

The next step is to replace the R7800 with an Asus TUF-AX6000, when it is officially supported by openwrt. I can wait a few months for the AX6000, no problem. Then I have managed switches, which are waiting to be used. So I want to wait with VLAN until the new devices are used.

I want to keep the R7800 as simple as possible.

The easiest way would be to configure with the 2nd guest device another SSID and another subnet and try if the signal strength is ok, when I remove 1 box.

So is there a way to force the C7 to use the DHCP-server of the R7800 without configurig VLANs? I am not familiar with VLANs, especially I have to think about the existing cables here. There are more than 500m cables here, but as always when something is planned, something is missing. So I have to know 1st which subnets I want to use with VLANs. Is there a tool to plan VLANs with a chart or something like this?