I'd like to create a wireless VLAN for some clients that I need to be able to access from my LAN but which cannot access the internet.
Does anyone have an example? I didn't find anything useful, and blocking with firewall rules is what I'm not sure about.
Create a guest network per the tutorial below. Instead of creating a guest > wan forward in the firewall, make one that is guest > lan.
But that will route that guest over lan to the outside world because of the known default route.
The guest network, along with the modifications I mentioned, will route locally because both networks exist on the same router so the router knows how to route between them. No outside path is required or ever used in that scenario.
It doesn't matter if the router knows; if it asks for an outside address there is nothing that holds it back from going there: the default route/gateway for 0.0.0.0/0.
The firewall will prevent that traffic from egressing. That is the whole point of the firewall.
Yeah, sure, but is that the way you would like to go? I would love to have some ACL or so.
OpenWrt uses a zone based firewall. The access/ACL is expressed in terms of zones at the high level (you can obviously set much more granular rules, if desired).
That said, the recommendations I made will do exactly what you have requested -- it will not allow the new network to access the internet, but it will allow it to reach the other lan.
Does this not match the requirements/goals for your network? Or do you have another concern?
Will test out in some hours and report back!
OK, I was on the same approach - which I thought - but with the howto I get the same issue as with what I was doing; DHCP won't hand out an address to my connected client(s). I don't see anything in the log about it, so I'm curious again about that part, as that also happened in my own approach.
Let’s take a look at your configs.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
```
Fixed! There was a listening issue on DHCP interfaces because I changed the interface-name.
Thanks!
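The zone setup recommended earlier in this thread, together with the DHCP interface binding that caused the problem just fixed, written out as an added example (not any poster's actual config). It assumes the new interface is named `guest` in /etc/config/network and that the stock `lan` and `wan` zones exist; the `lan` to `guest` forwarding is an assumption added so that LAN hosts can open connections to the isolated clients.

```uci
# /etc/config/firewall (fragment; interface/zone name 'guest' is assumed)

config zone
	option name 'guest'
	list network 'guest'          # must match the interface name in /etc/config/network
	option input 'REJECT'         # clients cannot reach router services by default
	option output 'ACCEPT'
	option forward 'REJECT'

# Forwarding suggested in the thread: guest > lan instead of guest > wan.
config forwarding
	option src 'guest'
	option dest 'lan'

# Assumption: lets LAN hosts initiate connections to the isolated clients.
config forwarding
	option src 'lan'
	option dest 'guest'

# There is deliberately no 'guest' > 'wan' forwarding section. The default
# route still exists, but packets from guest to the internet are rejected
# by the zone policy before they can leave through wan.

# input is REJECT, so DHCP and DNS to the router must be allowed explicitly.
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# /etc/config/dhcp (fragment)
# 'option interface' must name the same interface as above. If the interface
# is renamed in /etc/config/network and this is not updated, dnsmasq does not
# serve the network and clients get no lease.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'
```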
If I use this in a mesh setup, does my mesh router need this guest bridge as well?
Please define what you mean by "mesh" -- the term is often used incorrectly due to marketing.
How do the additional devices connect to the main one? Are they also running OpenWrt or something else?
Depends on your goals and the specifics of the additional hardware and the connections between them.
No marketing: just 802.11s, used for what it's made for.
All OpenWrt, of course!
Ok... so yes, if you want to transport this network via an 802.11s mesh to other APs, it's certainly possible. That would be the subject for another thread.