OpenWrt Forum Archive

Topic: bridged lan/ap and guest wifi with dhcp?

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,
I'm trying to figure out if it is somehow possible to combine a bridged AP/LAN with a guest WiFi separated from the rest of the network.

I have a main router which serves IP/IPv6/firewall etc. Then I have OpenWrt as an AP/LAN switch on the lower floor to serve WiFi and act as a switch for a few LAN devices there.

I'm perfectly capable of setting it up as a bridged AP/LAN to the main router of course, but when I try to combine it with a guest WiFi, which will obtain IPs from OpenWrt, I get stuck.
I can have a functional guest WiFi, but then the LAN is not accessible, or I have a functional LAN/AP and the guest WiFi can't reach the internet.

I can't figure out how this can be done.

Can someone advise me on that?
Really appreciated.

(Last edited by kriznik on 22 Nov 2015, 13:08)

You need to define two VLANs, with IP interfaces configured, in networks on your router. This will provide and control access.

Next configure two VLANs on your access point, the guest interface doesn't need an IP; the guest VLAN will be communicating with a tagged VLAN ID between the two.

Then bind the guest WiFi SSID to the tagged VLAN interface and the other to the untagged one (i.e. VLAN 1).

Finally configure firewall rules on your router to allow the communication between subnets that you want. Note that mDNS services like AirPlay will not work across the two networks unless you open the firewall ports and also implement an mDNS reflector.

Some experimentation and care is needed to set up the VLANs as it's possible to lock yourself out very easily. Also, any intermediate switches need to support 802.1q VLANs.
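The AP side of the procedure J1mbo describes, as an added example that is not part of the original thread: a POSIX sh script for an OpenWrt dumb AP that carries the guest SSID to the main router on a tagged VLAN while the normal LAN stays untagged on VLAN 1. The switch name `switch0`, CPU port 0, uplink port 4, CPU device `eth0`, guest VLAN ID 3 and radio `radio0` are assumptions (they vary per device; check `swconfig dev switch0 show`), and the main router is assumed to own the IP addressing, DHCP and firewalling for both VLANs, as in the post. The batch text is generated first so it can be read before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread): OpenWrt dumb AP with a tagged guest VLAN.
# Assumptions, all overridable from the environment:
CPU_DEV="${CPU_DEV:-eth0}"        # switch CPU device; eth0.N are its VLAN sub-interfaces
CPU_PORT="${CPU_PORT:-0}"         # switch port that faces the CPU
UPLINK_PORT="${UPLINK_PORT:-4}"   # switch port cabled to the main router
GUEST_VLAN="${GUEST_VLAN:-3}"     # VLAN ID the main router uses for guests
GUEST_SSID="${GUEST_SSID:-Guest}"
GUEST_PSK="${GUEST_PSK:-changeme-guest-passphrase}"

# Every port on the guest VLAN must be tagged ("Nt"). An untagged guest port
# would dump whatever is plugged into it onto the guest segment, and on the
# uplink it would mix guest frames into the router's untagged LAN.
all_tagged() {
  for p in $1; do
    case "$p" in *t) ;; *) return 1 ;; esac
  done
  return 0
}

# Emit the UCI batch script (plain text, nothing is changed yet).
# LAN ports 1-3 stay untagged on VLAN 1; the uplink carries VLAN 1 untagged
# and the guest VLAN tagged, so management access survives a mistake in
# the guest VLAN (this is the lock-out J1mbo warns about).
guest_vlan_batch() {
  guest_ports="${CPU_PORT}t ${UPLINK_PORT}t"
  all_tagged "$guest_ports" || { echo "refusing: untagged guest port" >&2; return 1; }
  cat <<EOF
set network.switch0=switch
set network.switch0.name='switch0'
set network.switch0.reset='1'
set network.switch0.enable_vlan='1'
set network.lan_vlan=switch_vlan
set network.lan_vlan.device='switch0'
set network.lan_vlan.vlan='1'
set network.lan_vlan.ports='${CPU_PORT}t 1 2 3 ${UPLINK_PORT}'
set network.guest_vlan=switch_vlan
set network.guest_vlan.device='switch0'
set network.guest_vlan.vlan='${GUEST_VLAN}'
set network.guest_vlan.ports='${guest_ports}'
set network.lan.ifname='${CPU_DEV}.1'
set network.guest=interface
set network.guest.type='bridge'
set network.guest.ifname='${CPU_DEV}.${GUEST_VLAN}'
set network.guest.proto='none'
set wireless.guest_ap=wifi-iface
set wireless.guest_ap.device='radio0'
set wireless.guest_ap.mode='ap'
set wireless.guest_ap.network='guest'
set wireless.guest_ap.ssid='${GUEST_SSID}'
set wireless.guest_ap.encryption='psk2'
set wireless.guest_ap.key='${GUEST_PSK}'
set wireless.guest_ap.isolate='1'
commit network
commit wireless
EOF
}

# Apply on the AP: drop the stock switch/switch_vlan sections so the explicit
# ones above are the only definition, then load the batch and restart networking.
apply_guest_vlan() {
  while uci -q delete network.@switch_vlan[-1]; do :; done
  while uci -q delete network.@switch[-1]; do :; done
  guest_vlan_batch | uci batch && /etc/init.d/network restart
}
```

Run `guest_vlan_batch` first and compare its port maps against your device's switch layout; only then call `apply_guest_vlan`, ideally from a serial console or with a failsafe plan, since a wrong `UPLINK_PORT` cuts the AP off from the router. The guest interface gets `proto 'none'` on purpose: the AP is a layer-2 device for that segment, and the router's firewall, not the AP's, decides what guests may reach.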

J1mbo, would you agree that this article, including the "Multiple network devices" section, covers it?
https://wiki.openwrt.org/doc/recipes/guest-wlan

That part is uber-confusing to me, so I haven't attempted it yet. I wish it didn't have to involve VLANs, like the procedure linked to at the top of the article.

Yes that is essentially the same configuration as my brief summary.

There is another way though. You could plug another OpenWRT device into your network, create the Guest SSID on that, and have the *WAN* port of it connected to your LAN. Either use DHCP on its WAN interface or configure a static IP on your network (i.e. 192.168.1.10 or whatever) with its default gateway being the IP address of your main router.

Use a different network range for its DHCP server (say 192.168.2.0/24, if your current network is 192.168.1.0/24).

Then add to it some firewall rules to drop traffic from its internal network to yours, i.e.

Source: 192.168.2.0/24
Destination: 192.168.1.0/24
Action: Drop

Also configure an interface bandwidth cap if you like, e.g. wshaper.

(Last edited by J1mbo on 9 Dec 2015, 23:19)

I simply don't get why this (guest WiFi) isn't possible to do just on the dumb AP....

With DD-WRT I have several APs providing a guest WiFi.

Basically doing this:
alexlaird.com/2013/03/dd-wrt-guest-wireless

but with these firewall rules:

#Firewall Rules
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Been trying to make OpenWRT work with this since this firmware does give me better WiFi performance than DD-WRT, but no guest WiFi sucks :(

(Last edited by gajotnt on 27 Dec 2016, 03:30)

Not sure it's what you're looking for, but I eventually found that this link (which was actually linked from the page in my last post) does in fact work if followed very carefully. I say "carefully" because the procedure is pretty subtle about one or two steps (it doesn't show screenshots for absolutely everything).
https://wiki.openwrt.org/doc/recipes/gu … binterface

That tutorial surely works if you're using the WAN port. Not my case.
I have an ISP-provided router, and use several TP-Link WR841N for WiFi access around the building.

I've been trying to migrate to OpenWrt and have done so on the WR841s that don't need guest access, but while trying several tutorials I cannot get the guest WiFi to connect to the internet. I read somewhere that I had to make a static route on the ISP router, but I don't have access to it in order to try that "solution".

Will have to keep using DD-WRT for the guest WiFi; too bad, since OpenWrt seems so much better.

Tried that one also.

I have literally tried every tutorial I have seen online...

I can get the guest WLAN to provide DHCP to the clients, but cannot get the clients to "talk" to the internet.
I can ping and access the AP while connected to the guest WiFi.

ISP Router - 192.168.1.254
AP - 192.168.1.2
Guest Wifi - 192.168.2.1

Clients that connect to the guest WiFi get an IP address in the range 192.168.2.100 to 192.168.2.150.
The problem is that the AP isn't forwarding any traffic to the main LAN, and most of the tutorials assume you're using the WAN port for internet access... but it should work if you changed the destination to LAN instead of WAN.

www.steven-england.info/2014/11/01/openwrt-how-to-create-a-public-network-without-using-the-wan-interface

This guy makes a tutorial for guest WiFi over LAN, but he says we have to tell the router about the guest WiFi, and in my case I don't have permissions to do that. So for now only DD-WRT can achieve this on its own.

Reaching this point you are able to initiate connections to clients of the LAN segment, but clients from LAN can't connect to ZONE_GUEST, because there is no forwarding rule making this possible. Furthermore you can reach far away destinations like this website BUT: We did not enable NAT on LAN, so packets are routed to my website and unfortunately do not find their way back (the router with IP 192.168.2.1 is asking its default gateway for a route to network 192.168.4.0/24, which will never be answered). Therefore, if you want to avoid double NAT (of course you want) you have to tell your router a route.

EDIT:

Found this

forum.turris.cz/t/guest-and-intranet-wifi-configuration/973/13

Hello pe7erk0,

I had the same problem. Finally I discovered the reason.
When following the recipe you mentioned, the dhcp-server does not advertise a DNS-server to your guest clients.

You can remedy this in the DHCP-options field for the DHCP-server on the Advanced Settings tab in the LuCi page for your guest network at Network-Interfaces (http://192.168.10.1/cgi-bin/luci/admin/network/network/guest14 in your case).

Your guests won't have problems if they manually have set dns-servers for their wifi connection. Maybe that is the reason the author of the recipe did not notice it isn't working out of the box.

Will try this, maybe this is what's giving problems.

(Last edited by gajotnt on 27 Dec 2016, 14:57)

I found this link wiki.openwrt.org/doc/recipes/guest-wlan-webinterface to be very useful. It addresses the problem correctly. In other words, it worked for me ;-)

omostan wrote:

I found this link wiki.openwrt.org/doc/recipes/guest-wlan-webinterface to be very useful. It addresses the problem correctly. In other words, it worked for me ;-)

Are you using the OpenWrt router as your main internet router?

Do I have to plug the ethernet cable into the WAN port instead of one of the ethernet ports?

gajotnt wrote:

Are you using the OpenWrt router as your main internet router?

Do I have to plug the ethernet cable into the WAN port instead of one of the ethernet ports?

Well, if I understood you correctly... yes! If you're asking whether the router I have openwrt on is my main router (Gateway).

Just connect your LAN (local Net) and WAN (for Internet) cables as you normally have them connected and follow the instructions.

The thing is, I don't use the WAN interface.

Here is an example of one of the networks where I use guest networks (using DD-WRT):

feppv.pt/wp-content/uploads/network.png

The ISP router has restricted access, so I can't do much there. But using DD-WRT I can accomplish what I need; it's just that over time I have found that OpenWrt is so much more reliable than DD-WRT, and the guest network over the LAN interface instead of the WAN is just this one thing that I can't seem to accomplish.

Like I said above, in DD-WRT I create a new virtual SSID, then create a new bridge (br1) with a DHCP server, and with a few firewall rules everything works.

#Firewall Rules
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 25 -j DROP

#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset

#OpenDNS Family Shield
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 208.67.222.123 
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 208.67.220.123
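An OpenWrt counterpart to the DD-WRT rules in the post above, as an added example that is not from the thread or from the OpenWrt wiki recipes: a POSIX sh script for an access point that reaches the Internet through its LAN port only, with no WAN interface and no route added on the ISP router. The guest zone gets 192.168.2.0/24 from the AP's dnsmasq, may only reach the AP for DHCP and DNS, is rejected towards the main LAN (192.168.1.0/24 as in the post), and is masqueraded behind the AP's LAN address on the way out, which is the `SNAT --to lan_ipaddr` line of the DD-WRT rules and the "double NAT" the quoted steven-england text warns about; it is the price of not being able to touch the ISP router. Assumptions: the LAN zone is the first zone in `/etc/config/firewall` (stock layout), the radio is `radio0`, and the DNS redirect to the OpenDNS Family Shield address from the post is optional via `DNS_DNAT`.

```shell
#!/bin/sh
# Added example (not from the thread): routed + NAT'd guest WiFi on an OpenWrt
# dumb AP that has only its LAN port cabled. Assumptions are overridable:
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
GUEST_IP="${GUEST_IP:-192.168.2.1}"
MAIN_LAN="${MAIN_LAN:-192.168.1.0/24}"   # upstream LAN guests must not reach
GUEST_SSID="${GUEST_SSID:-Guest}"
GUEST_PSK="${GUEST_PSK:-changeme-guest-passphrase}"
DNS_DNAT="${DNS_DNAT:-}"                  # e.g. 208.67.222.123 to force guest DNS there

# Emit the UCI batch script as text so it can be reviewed before applying.
guest_lan_batch() {
  cat <<EOF
set network.guest=interface
set network.guest.type='bridge'
set network.guest.proto='static'
set network.guest.ipaddr='${GUEST_IP}'
set network.guest.netmask='255.255.255.0'
set wireless.guest_ap=wifi-iface
set wireless.guest_ap.device='radio0'
set wireless.guest_ap.mode='ap'
set wireless.guest_ap.network='guest'
set wireless.guest_ap.ssid='${GUEST_SSID}'
set wireless.guest_ap.encryption='psk2'
set wireless.guest_ap.key='${GUEST_PSK}'
set wireless.guest_ap.isolate='1'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='51'
set dhcp.guest.leasetime='1h'
add_list dhcp.guest.dhcp_option='6,${GUEST_IP}'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_to_lan=forwarding
set firewall.guest_to_lan.src='guest'
set firewall.guest_to_lan.dest='lan'
set firewall.@zone[0].masq='1'
add_list firewall.@zone[0].masq_src='${GUEST_NET}'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67-68'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcpudp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set firewall.guest_block_lan=rule
set firewall.guest_block_lan.src='guest'
set firewall.guest_block_lan.dest='lan'
set firewall.guest_block_lan.dest_ip='${MAIN_LAN}'
set firewall.guest_block_lan.proto='all'
set firewall.guest_block_lan.target='REJECT'
EOF
  # Optional: DNAT all guest DNS to one resolver, as the DD-WRT post does.
  if [ -n "$DNS_DNAT" ]; then
    cat <<EOF
set firewall.guest_dns_dnat=redirect
set firewall.guest_dns_dnat.src='guest'
set firewall.guest_dns_dnat.proto='tcpudp'
set firewall.guest_dns_dnat.src_dport='53'
set firewall.guest_dns_dnat.dest_ip='${DNS_DNAT}'
set firewall.guest_dns_dnat.target='DNAT'
EOF
  fi
  printf 'commit network\ncommit wireless\ncommit dhcp\ncommit firewall\n'
}

# Apply on the AP and restart the affected services.
apply_guest_lan() {
  guest_lan_batch | uci batch \
    && /etc/init.d/network restart \
    && /etc/init.d/dnsmasq restart \
    && /etc/init.d/firewall restart
}
```

Three details carry the security point. `masq_src` limits the masquerade on the LAN zone to the guest subnet, so ordinary LAN-to-LAN traffic through the AP is untouched. The `guest_block_lan` rule is evaluated before the zone forwarding, so the guest-to-LAN forwarding only admits traffic whose destination is outside 192.168.1.0/24 (the Internet); change `MAIN_LAN` if the upstream uses a different range, and add a second rule for any other internal subnet. DHCP option 6 hands guests the AP as resolver explicitly, which is the missing DNS setting the quoted Turris post identifies; the optional `DNS_DNAT` redirect overrides that by rewriting port 53 in PREROUTING. Masquerading here is IPv4 only, so guests get no IPv6 unless the upstream delegates a prefix to the AP.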

The discussion might have continued from here.