How to set up guest network without other WiFi networks?

[Vandergraff]

I use my RT-AC68U (running merlin) as my router (with wireless disabled) with an Orbi system in AP mode for WiFi.

Seems like the Orbi guest networks don't isolate guests from the local network.

So I would like to have a guest network on the RT-AC68U. However if if enable the 2.4 Ghz radio (for the guest network) I cannot see a way to disable the local network wireless access?

 

[vc1234]

However if if enable the 2.4 Ghz radio (for the guest network) I cannot see a way to disable the local network wireless access?

You cannot disable an AP access to your local network without both the router and the AP supporting VLANs (ethernet frame tagging). Since neither your router (officially) nor AP support VLANs, the separation cannot be achieved. Even if you configure your router with VLANs using CLI , you'd still need an AP supporting VLAN tagging, such as TP-Link 1200 for example.

 

[Vandergraff]

You cannot disable an AP access to your local network without both the router and the AP supporting VLANs (ethernet frame tagging). Since neither your router (officially) nor AP support VLANs, the separation cannot be achieved. Even if you configure your router with VLANs using CLI , you'd still need an AP supporting VLAN tagging, such as TP-Link 1200 for example.

Maybe I phrased it badly.

I would like to use the RT-AC68U for a wireless guest network - but disable all other wireless access through the RT-AC68U.

The RT-AC68U will still be my main router and I will have an Orbi in access point mode for WiFi (connected by Ethernet to the RT-AC68U).

I

 

[ColinTaylor]

I would like to use the RT-AC68U for a wireless guest network - but disable all other wireless access through the RT-AC68U.

I don't think it's possible to do that. The guest networks are created as virtual network interfaces based on the physical (non-guest) interfaces. You might be able to use some custom scripting to make the normal Wi-Fi network behave like a guest network.

The simple answer would be to apply a unique and complex password to the primary Wi-Fi network and just ignore it.

 

[martinr]

I would like to .... disable all other wireless access through the RT-AC68U......

You’ll have a WPA2 password for the main wireless band(s) and a separate one for the associated guest network. The only way I can think of to limit access only via your guest network is only ever to put the guest-Network password into devices. You’ll have to have a WPA2 password for the main band in order to set up the correct security on the router but that’s the only time it will appear.

Would that not achieve your aim of limiting access only to your guest network?

 

[vc1234]

Maybe I phrased it badly.

I would like to use the RT-AC68U for a wireless guest network - but disable all other wireless access through the RT-AC68U.

The RT-AC68U will still be my main router and I will have an Orbi in access point mode for WiFi (connected by Ethernet to the RT-AC68U).

I

If you want to use AC68U exclusively for guests vs. ORBI for non-guests, you can try one of the following using custom scripts:

1. Make the main wireless networks behave as if they are guests by adding the following four bridging rules:
ebtables -t filter -A FORWARD -i eth1 -j DROP
ebtables -t filter -A FORWARD -o eth1 -j DROP
ebtables -t filter -A FORWARD -i eth2 -j DROP
ebtables -t filter -A FORWARD -o eth2 -j DROP

2. Or, enable the guest network in the UI and remove the main networks from the bridge:
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.1cb72ccad940 yes vlan1
eth1
eth2
wl0.1
wl1.1
brctl delif br0 eth1
brctl delif br0 eth2

Then only the guest networks wl0.1/wl1.1 would stay on the bridge.

I did not test either (1) or (2), so I am not sure whether they will work.

 

[Vandergraff]

The simple answer would be to apply a unique and complex password to the primary Wi-Fi network and just ignore it.

Yup that worked. Just using 2.4 GHz radio and long random password on primary WiFi.

At first I was thinking I would rather have primary off for less interference - but of course the radio is on anyway for the guest network. Having another unused SSID on it really isn't an issue for the guest network