Possible to have Guest WiFi network with separate DHCP?


I'm using the default firmware for now, but am wondering if Merlin will provide me the capability to have this organization:
  • Asus router in Access Point Mode connected to a PFSense box
  • PFSense supplies DHCP to internal network, including clients on the standard WiFi
  • Asus router has a guest network set up
  • =-=> This is where the problem comes in with stock firmware. The router is in AP mode, so it has no DHCP, and the Guest network is cut off from the intranet, so there is no DHCP from PFSense <=-=
  • Guest network gets DHCP from... somewhere? Anywhere?
I have found https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/ so perhaps that could do something like what I want?



What router model? What specific firmware is installed?

If you double-NAT the router so that you can enable Guest Wi-Fi, it will handle DHCP requests in router mode but can then only be used for guests.

Have you looked at YazFi by @Jack Yaz? That may give you a start on this setup to work.


Asus router put into AP mode(regardless if stock or merlins fork) does not support guest wifi or alternate subnets or any of the merlin plug-in features such as Yazfi. Putting the router into AP mode eliminates its layer 3 and higher functions.
It will of course pass through to your pfsense FW all packets but all in a flat (single) LAN method.
So the short answer is no. Putting an Asus router into AP mode removes it from supporting guest wifi features.
You will probably want to look into UniFi APs or other method to get mulitple vlans on an AP.


Not that I am aware of.
As L&LD mentioned above you could use it in router mode (double NAT) then do any necessary trickery in pfsense to route/block internet access once the guest wifi VLAN is off the Asus router.

The other option (which I am not well versed in) would be to use another 3rd party firmware like Tomato or DD-DWT which do support VLANs.
Not sure if there is model specific requirements or any other gotcha's but they could be an alternate route to get that feature out of an otherwise home oriented router.

Ideally a simple AP solution that is a true AP only is going to be the easiest method.

I did just have a thought. If you have 2 of these Asus routers or whatever, you could put each into AP mode.
1st AP would be landed on a port of your LAN for Internal access.
2nd AP would be landed on another port with a guest VLAN.
Then all the VLAN / control is handled at your higher level switch or pfsense box.
You would just need 2 Asus routers in AP mode for that solution.

Good luck


Yea, I'm very familiar with DD-WRT, but unfortunately there is no support for AX devices yet, there. Thanks for the suggestions everyone!

