OpenWRT, Access Point only config. LAN and PUBLIC wireless on an existing subnet

In this scenario we will be implementing a openWRT as a wireless access point only. One wireless essid will be LAN accessible and the other will be segregated from the LAN but able to access the WAN. The openWRT in this example will not be the gateway to the network. Another device is the gateway and there is an existing dhcp server.

                            PUBLIC wifi
                     public gateway and dhcp server
                   Source NAT to
ISP <-Gateway-> LAN wired <-openWRT-> 
                           LAN wifi (wpa2+aes)

1. Add a new wireless access point


2. Settings for the new wireless access point. Create a new network interface of “public”. Don’t use any encryption, as this is for general public use.


3. Edit network interface for the public network


4. Edit PUBLIC interface settings. Set to static address and enable DHCP server for this new network.

5. Edit the LAN interface. Set the lan interface to an un-used ip of the existing network. Don’t set to “dhcp client” as you will lose connectivity and need to perform a recovery on your openwrt device. Be sure to disabled the DHCP server as the existing network already has one.


6. Add a new zone and call it “public_zone”. Masquarade it and put it in the public network. Allow forwarding to and from “lan” zone. We will limit this later with specific firewall rules.


7. This is what the general firewall zones should look like


8. Under the Firewall -> Traffic Rules section add a new Source NAT Rule. Call it “pub2lan“. Set the “Source zone” to “public_zone” and the “Destination zone” to “lan” and set the drop down option “To source IP” to br-lan interface, in this example its Leave “To source port” blank. This SNAT rule will translate all traffic on the public wireless network of into the IP of This is the redirect rule from /etc/config/firewall

config redirect
option target 'SNAT'
option src 'public_zone'
option dest 'lan'
option proto 'all'
option name 'pub2lan'
option src_dip ''
option enabled '1'

9. Setup a “New forward rule:” Set name to allow2gw or similar. Source zone to “public_zone” Destination zone to “lan” Click “Add and edit…” Protocols should be “Any”, Destination address is the gateway of the network. In this case The following is the /etc/config/firewall rule for reference. This will allow traffic from the public_zone to reach the gateway of the network.


config rule
option target 'ACCEPT'
option proto 'all'
option name 'allow2gw'
option src 'public_zone'
option dest 'lan'
option dest_ip ''

10. Setup a “New forward rule”. Set the name to drop2lan or similar. Set the Source zone to “public_zone” and Destination zone to “lan”. Click “Add and edit…” Set Protocol to “Any”, Destination address to custom and enter the subnet of the LAN. In this case its, set “Action” to “drop”. You can add more rules like this one to limit access to other networks or hosts as needed.


config rule
option name 'drop2lan'
option src 'public_zone'
option proto 'all'
option target 'DROP'
option dest 'lan'
option dest_ip ''


11. Firewall Traffic Rule overview. There is an error on this view. The following rules have “option proto ‘all’” set and the luci web interface shows “Any TCP+UDP”. This is simply a bug in the luci interface and can be ignored. The order of these rules is very important. In this case you can see we added the “Allow to” before the “Drop to”. If reversed, the lan including the gateway would not be accessible from the public wireless AP. Therefore, you would not be able to reach the Internet.



10 responses to “OpenWRT, Access Point only config. LAN and PUBLIC wireless on an existing subnet”

  1. Hi There!
    This exactly this with my device that is acting as an AP Client Only and can’t seem to make it work with the Public wifi. No connection at all.
    My external Internet Gateway is
    I’ve configured Private wifi (DS10) as, gateway DHCP disabled
    and public wifi (DS10-GUEST) as, DHCP enabled
    Configured Firewall rules as explained.
    I can connect to public wifi (DS10-GUEST) and optain IP address and gateway, dns, etc. but…
    The only IP i can acces is Every other site / ip doesn’t get thru.
    You didn’t mention in the explanation anything about Bridge Interfaces. Is it necessary?

    My WAN port is disconnected, of course.

  2. Hi Pedro
    I suspect your source NAT rule is not setup properly. Go through section 8 and be sure you are translating to your openwrt lan ip of (src_dip option).
    Also, be sure your public interface does not have a route set (section 4).

    Let me know how it goes.

  3. Hi again! Checked the firewall settings and everything checks ok. Here’s the parameters. I assume the section 8 translation is to be ON (the config after the pic on section 8 leaves it off):

    config zone
    option input ‘ACCEPT’
    option forward ‘REJECT’
    oprion output ‘ACCEPT’
    option name ‘public_zone’
    option network ‘public’
    option masq ‘1’

    option redirect
    option enabled ‘1’
    option target ‘SNAT’
    option src ‘public_zone’
    option dest ‘lan’
    option proto ‘all’
    option src_dip ‘’
    option name ‘pub2lan’

    config rule
    oprion target ‘ACCEPT’
    option proto ‘all’
    option name ‘allow2gw’
    option src ‘public_zone’
    option dest ‘lan’
    option dest_ip ‘’

    config rule
    option name ‘pub2lan’
    option src ‘public_zone’
    option proto ‘all’
    option target ‘DROP’
    option dest ‘lan’
    option dest_ip ‘’

    One more thing… my LAN cable is connected to an ethernet slot and NOT WAN slot. This is correct, right?

  4. Pedro Marques Avatar
    Pedro Marques

    Solved. Besides this tutorial, had to go to “Inter-Zone Forwarding” and check “Allow Forward to destination zones” and “Allow forward from source zones” for LAN.

  5. Hi Pedro

    Thanks for bringing this to my attention! Oddly this is not required in 12.09 so I didn’t include it in the tutorial. For some reason 12.09 ignores these forwarding rules. If you are using the latest 14.07 you will need to allow those inter-zone forwarding. I have updated the tutorial with these settings and recommend to use those settings regardless of the version you are on. Thanks for pointing this out!

  6. Ruben Tavares Avatar
    Ruben Tavares

    Cannot get this to work on my TP Link WR841N with OpenWrt Chaos Calmer 15.05.1.

    Did everything has explained. I can get guest wifi to work on ddwrt, openwrt looks like a no go :(

  7. Hi Ruben
    Nothing in this tutorial would be hardware specific. Double check the SNAT stuff, this is where most people get tripped up.


  8. […] more modern way to do this is outlined here. It also requires more modern hardware. The wrt54gl only supports openwrt v10 […]

  9. Jason,

    Doesn’t image #6 need to have “forward to WAN” enabled to work …? Perhaps this has something to do with the comment about “interzone” transfers which another mentioned … i cannot find where that setting is, but regardless, only works like above ^ if I have forward to WAN enabled for pub interface … which makes sense to me … why am i wrong?


  10. Hi Jonathan
    It needs to be forwarded to LAN and not WAN. The public interface is source NAT’ing through the LAN. It doesn’t interact with the WAN at all. In fact you can delete the WAN interface all-together. There is a bug in which the SNAT option disappears if the WAN interface is not there. So, be sure to add your SNAT rule before deleting WAN or just leave it alone..

Leave a Reply

Your email address will not be published. Required fields are marked *