Can you edit iptables rules on Factory firmware to isolate guest network in AP mode?



Regular Contributor
Currently I am running a Merlin build on my Ax86U in router mode, but I am thinking about switching the Ax86U to AP mode with factory firmware, with my Netgear running OpenWrt as router/gateway. Since I have frequent visitors, a guest network is a must for me, and in AP mode the guest network is useless on the AX86U. I am thinking of editing iptables rules to isolate the guest network by allowing guests to talk to the router only for DNS and DHCP and nothing else. So my question: can something like this be done? If yes, has anyone done it, and can you please share the iptables rules?

My iptables skills are very, very poor. I might be able to come up with something if I bang my head on the keyboard long enough, but with work-from-home / learn-from-home, I can't have my network down for long.


Very Senior Member
Why not use the Netgear as a guest router, w/ its WAN patched to a LAN port on the AX68U? All you need is some firewall rules on the Netgear to prevent access to the upstream private network of the AX68U over the Netgear's WAN.

Of course, you could reverse the roles of the routers, but it seems to me better to make the more powerful router+firmware the primary router.


Regular Contributor
Why not use the Netgear as a guest router, w/ its WAN patched to a LAN port on the AX68U
Because the Netgear router is going to be located in the basement right next to my modem, from where I have ethernet going to almost every room in the house. And my Asus AP is going to be on the 2nd floor between the kitchen and family room, which is approximately the center of my house. It allows me to put all my networking equipment in the basement and also plug all the rooms into the router in case I ever want to use ethernet for something.

Right now I am using an old N66U in media bridge mode sitting in the basement, with all the rooms plugged into it. This setup works fine, but a better solution would be to have the router down there and the AP in the kitchen*.

This is how it used to be in the past when I was using unify and DD-WRT/OpenWrt before that.


Part of the Furniture
The short answer to your question is No. In AP mode there is no routing, therefore there are no iptables rules to edit.
