How to set up an isolated Guest WLAN on TP-Link WDR4300 with OpenWRT using command line

You have guests at your home and they want to use your wireless network to retrieve emails, etc off the Internet. This is not a unique situation, but is quite common everywhere, with the proliferation of devices and services that require Internet access. The only issue you face is that if you give them your primary SSID and it’s password, you will probably need to change it when they leave. And, if like me you have 22 devices connected to the primary wireless network, then you need to change the password on each one of them.

To overcome this problem, following method can be followed to enable isolated guest networks on the TP Link WDR4300 router running OpenWRT.

Open a terminal window and perform the steps below.

1. SSH into the TP Link OpenWRT router.
	$ ssh root@ <enter>
	Enter your router password.
	At the root prompt (#), type cd /etc/config <enter>
2. Add a guest interface to /etc/config/network
	# vi network <enter>
	At end of the file, add:
		config interface 'guest'
			option proto 'static'
			option ipaddr ''
			option netmask ''
3. Add the wireless network
	# vi wireless <enter>
	At end of the file, add:
		config wifi-iface
			option device 'radio0'
			option network 'guest'
			option mode 'ap'
			option ssid 'myguests'
			option encryption 'psk2+ccmp'
			option key 'myguestwlanpassword'
	To prevent clients from connecting to each other in the guest network, add
			option isolate '1'
		This will isolate the clients within the guest network.
4. Add following into the DHCP settings
	# vi dhcp <enter>
	At end of the file add:
		config dhcp 'guest'
			option interface 'guest'
			option start '2'
			option limit '10'
			option leasetime '2h'
			option ignore '0'
5. Add firewall rules to isolate the network
	# vi firewall <enter>
	At end of the file add:
		config zone
			option name 'guest'
			option list 'guest'
			option input REJECT
			option output ACCEPT
			option forward REJECT
		config forwarding
			option src 'guest'
			option dest 'wan'
		config rule
			option src 'guest'
			option dest_port '53'
			option proto 'tcpudp'
			option target ACCEPT
		config rule
			option src 'guest'
			option src_port '67-68'
			option dest_port '67-68'
			option proto 'udp'
			option target ACCEPT
	# exit <enter>
6. Restart the router.

Now you can connect to the guest network and check if things work fine.