subscribe to our Youtube


14455 questions

17168 answers


0 members

We are migrating to our new platform at Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
151 views 2 comments
by anonymous

How do I restrict my guest network to only be able to access WAN and WAN6

If my WAN interface goes down I want my LAN to be able to fail over to mobile data but I want the guest network to drop out and not be able to use the mobile data.

1 Answer

+1 vote
by anonymous


To solve this rules in Network -> Failover page could be used.

First, I assume that your guest wireless network is in a separate subnet, created in a similar way as described here.

The first step is to enable failover for WAN and mobile interfaces. 

Additionally, for each interface you can set Flush connections on option to Connected and Disconnected states.

Add a new instance under Rules section. 

In rule settings, first, add a new failover policy for WAN interface only:

Attach this policy to rule configuration section with your Guest subnet set as Source address ( in my test case).

Save rule settings, then move the rule above the default one:

This should route your guest subnet only through WAN interface. 

Best regards,

Best answer
by anonymous

This seems to work. However say WAN 1 goes down and it fails over to mob1s1a1 I get a drop out on my computer and a DNS error. For some reason when failing over DNS is not working properly.  

There is no way to route Subnet another way via static routes maybe? Or blocking the guest subnet going out via mob1s1a1 via the firewall?
by anonymous


A couple of things to try, both involve SSH manipulation.

One thing that can be attempted, is to add a firewall rule, which drops packets from your wireless guest network destined to mobile interface.

You would simply need to login to router via SSH and add the following rule:

  • iptables -I FORWARD -i wlan0-1 -o wwan0 -j DROP

In my testing, wlan0-1, was the wireless interface assigned with LAN IP. In your case it would be interface with 10.10.10.x IP address. To make sure, enter command:

  • ifconfig

It will list all available interfaces, look for the name with your wireless LAN IP. 

This rule should be enough to prevent wireless clients from reaching internet through mobile interface. If you have a rule for the same purpose in Failover configuration from previous suggestion, it can be deleted.

Another workaround'ish suggestion, in regards to DNS issue, is to configure router to query all of the available DNS servers from both, mobile and wired interfaces, regardless of currently used WAN interface.

You would need to login to router via SSH and execute command:

  • vi /etc/config/dhcp

Press letter i to enable editing and add the following line at the bottom in accordance to your details, as i the example below:

  • option allservers '1'

Once done, press Esc, then enter :wq and press Enter.

Lastly, execute the following command:

  • /etc/init.d/network restart

You will get disconnected from SSH, but DNS issue should not be present after failover.

Best regards,