ASUS-Merlin isolated guest router

[shbek1]

TLDR: I'd like a dedicated guest router, behind another router, that is unable to access the intranet of the router in front of it. So I need to keep a wired device off my local intranet, but it still needs to have internet access.

In more detail:
I have two routers, an AC3200 and an N66U behind it for guests, both running ASUS-Merlin. I occasionally have idiot, teenage house guests, that need a dedicated network that is forced through a VPN and maybe speed throttled, and does not have access to my main router's intranet.

On the N66U: Enabling isolated AP keeps guests from contacting each other, but they can still access the intranet of the router in front of them, same of course with a guest AP with intranet off, the intranet of the router in front is still accessible. This is of course totally understandable.

So I assume that I need to find some sort of solution on the main AC3200 to block the N66U's IP/MAC/Ethernet port on the AC3200 from accessing the AC3200's intranet. Perhaps I need to relook at VLAN on Merlin. Suggestions?

 

[kfp]

Just to be clear, the N66 is also in router mode correct? Edit: never mind, you mention Guest Networks so this should be the case

I have a similar setup but my second router is running OpenWRT. Just block off intranet on N66 using iptables, should be simple as that, don’t need to mess with VLANs.

 

[ColinTaylor]

Just use the Firewall > Network Services Filter on the N66U to block access to the AC3200's subnet. Simple.

 

[shbek1]

Blocking the subnet works perfectly! Thank you!