0 votes
295 views 4 comments

Hi Guys:

Is it possible to configure a WiFi network in a RUT240, just to give access to the internet to external persons, without giving them access to the LAN?

I created a new Access Point with the "Separate clients" option enabled, but it doesn't block access to internal IPs.

Best regards


2 Answers

0 votes


1. First of all, you will need to create a separate LAN interface with a separate DHCP server in it. You can do that by navigating to VLAN > LAN Networks and creating a new subnet and DHCP server for 192.168.2.x.


2. Make sure you have a wireless access point enabled.

3. Go to CLI, log in and execute cd /etc/config and vi network

Click the letter "I" on your keyboard so you could start editing the file.

Find your newly created LAN interface and change it to look something like that:

To exit editing mode press "ESC" on your keyboard and write :wq to save and exit from editing mode.

4. Now edit file wireless with command vi wireless in the same folder.

Once again click letter "I" on your keyboard to start editing the file.

Find your AP in the file and edit its network to your newly created LAN name, it should look something like that:

Press "ESC" button to exit editing and type :wq to save and quit.

Execute command /etc/init.d/network restart so your router could restart network service and apply changes.

After this check if your wireless client is getting IP in your new 192.168.2.x subnet.

If everything works till this point please proceed with the next step where we separate LAN from new wireless LAN.

5. Go to Network > Firewall > Traffic rules

Scroll down and create a new forward rule, which source is your new LAN interface and destination is the main LAN.

When you're in rule edit page make sure source and destination zones are right, scroll down to the bottom and select action as "drop". Save.

Create one more rule which has the same source and destination zones but select "reject" this time.

Once you're done with these two rules, create two more, but this time with source and destination zones swapped so main LAN cannot reach your new LAN interface. (This is optional, so if you want main LAN clients to reach your new interface you can skip this.)

6. After this wireless clients shouldn't be able to ping your internal LAN network behind 192.168.1.x subnet.


What is the reason for creating 2 rules: one for "drop" and another one for "reject"?
0 votes

This is an alternative configuration if the other one looks too complicated:



Very informative reply, thank you very much.

What is the reason for setting up port forwarding blocking rules in the first approach, but not the second (wiki article)?

As the configuration differs - there must be additional steps done. As the second instructions have a different approach and functionality, the first one lacks that and is done more manually than automatically.
I followed the Wiki instructions to set up two wireless access points. It worked with an exception of the network separation. The router WebUI on is still accessible from subnet.
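
Added example, not part of any post above: in an OpenWrt-style firewall, forward rules like those in step 5 cover traffic routed between the two networks, while traffic addressed to the router itself (such as its WebUI) is governed by the guest zone's input policy. This script checks a UCI firewall config for both; the zone names "guest" and "lan", the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a UCI firewall config for guest-zone isolation.
# Zone names "guest" and "lan" are assumptions; substitute your own.

# Constructed sample: the guest->lan drop rule exists, but the guest
# zone still accepts input to the router (WebUI stays reachable).
sample_config() {
cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    option input 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'guest-to-lan-drop'
    option src 'guest'
    option dest 'lan'
    option target 'DROP'
EOF
}

# Usage: audit_guest_isolation GUEST_ZONE LAN_ZONE < firewall-config
# Prints two findings; exit status is 0 only if both checks pass.
audit_guest_isolation() {
    awk -v g="$1" -v l="$2" '
    function endsection() {   # evaluate the section just finished
        if (type == "rule" && o["src"] == g && o["dest"] == l &&
            (o["target"] == "DROP" || o["target"] == "REJECT"))
            fwd = "present"
        if (type == "zone" && o["name"] == g && o["input"] != "")
            inp = o["input"]
        split("", o)          # portable way to clear the option array
    }
    BEGIN { fwd = "missing"; inp = "unset" }
    $1 == "config" { endsection(); type = $2 }
    $1 == "option" { v = $3; gsub(/["\047]/, "", v)   # strip quotes
                     o[$2] = ($2 == "target" || $2 == "input") ? toupper(v) : v }
    END { endsection()
          print "forward_rule=" fwd
          print "router_input=" inp
          exit !(fwd == "present" && (inp == "DROP" || inp == "REJECT")) }'
}

sample_config | audit_guest_isolation guest lan || echo "guest zone is not fully isolated"
```

On the router, run it as `audit_guest_isolation <guest-zone> <lan-zone> < /etc/config/firewall`. If the guest zone's input is set to REJECT or DROP, guest clients still need allow rules for DHCP and DNS to the router.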