Create logical WAN and LAN interfaces from a single physical port?

My Teltonika RUTX12 is connected via a single cable in the LAN1 port to a modem-router which acts as an internet gateway.

On the RUTX12 I would like to be able to separate this single physical connection into two virtual/logical interfaces: a WAN and a LAN.

I would then create a Guest WiFi network which is restricted to the WAN interface only, preventing clients from accessing any LAN devices.

Here is what I want to achieve:


How can I do this please?

Hello,

This can be done by configuring a separate firewall zone for the WiFi clients. We have a few configuration examples for such a setup on our Wiki:

Let me know if any additional help is needed with the configuration.

Best regards,


Hi @Daumantas and thank you for your reply.

So I have actually already followed the article in your first link and have previously set up a Guest WiFi network which was limited to the WAN interface. I successfully did this last year and it worked.

However, the key difference was that at that time, I was using the router’s 4G modem as my WAN connection, and therefore my internet connection was automatically part of the built-in WAN interface.

Recently I have stopped using 4G and I am connecting to the internet via my new ISP-supplied router which is connected to the RUTX12’s LAN1 port as per my diagram. Therefore, my RUTX12’s WAN interface is now Status: Down which means I can’t use it in firewall rules.

(Could I just plug my ISP router into the RUTX12’s WAN port and re-activate the WAN interface again? Yes, I could. However, there are actually other LAN devices attached to the ISP router as you can see from my diagram (e.g. “NAS”, “PC 1”). So presumably then my Guest WiFi would get access to those LAN devices which is undesirable… or those LAN devices would be totally inaccessible even from the RUTX12’s regular WiFi which is also undesirable. Please correct me if any of this is wrong.)

So I hope you can see my problem - if I understand it correctly, my RUTX12 is not actually aware that a WAN network exists - all it knows is that there is a LAN interface and it’s sending all traffic there.

What I am trying to achieve is to tell the RUTX12: “Hey, that connection in your LAN1 port actually exposes a WAN and a LAN. If any clients on Guest WiFi request a WAN connection, allow the traffic to go via LAN1. If they request a LAN connection, reject it.”

Or in “firewall pseudocode”:

IF [source_interface] is "Guest Wifi"
AND [destination_IP] is in any of these ranges:
 [10.0.0.0    - 10.255.255.255]
 [172.16.0.0  - 172.31.255.255]
 [192.168.0.0 - 192.168.255.255]
THEN block the connection
ELSE allow the connection

I’m sure this must be possible - either by using VLANs or just plain old firewall rules or something - but I just don’t know enough to know how to set it up.
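
The firewall pseudocode from the post above, written as OpenWrt-style UCI firewall rules. This is an added example, not part of the original posts and not Teltonika's own configuration. It assumes RutOS reads the standard OpenWrt /etc/config/firewall format; the zone names "guestzone" and "lan" come from the thread, while the network name "guest" and the rule names are made up for illustration.

```uci
# /etc/config/firewall fragment (OpenWrt UCI syntax; added example).
# Assumed names: network 'guest', rule names. Zone names follow the thread.

config zone
	option name 'guestzone'
	list network 'guest'
	option input 'REJECT'     # guests cannot reach the router itself...
	option output 'ACCEPT'
	option forward 'REJECT'

# ...except for DHCP and DNS served by the router on the guest interface
config rule
	option name 'Guest-Allow-DHCP'
	option src 'guestzone'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-Allow-DNS'
	option src 'guestzone'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# "IF source is Guest WiFi AND destination is private THEN block".
# Rules are evaluated before zone forwardings, so this REJECT wins
# over the guestzone -> lan forwarding below.
config rule
	option name 'Guest-Block-Private'
	option src 'guestzone'
	option dest 'lan'
	option proto 'all'
	list dest_ip '10.0.0.0/8'
	list dest_ip '172.16.0.0/12'
	list dest_ip '192.168.0.0/16'
	option target 'REJECT'

# "ELSE allow": all other guest traffic is forwarded out via the lan zone
config forwarding
	option src 'guestzone'
	option dest 'lan'
```

The block rule matches the packet's final destination address, not the next hop, so internet-bound traffic that is routed through a gateway on a private address is not caught by it. Traffic addressed to the router's own IPs is input rather than forwarded traffic, which is why the zone's input policy and the two allow rules are needed alongside the block rule.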

Hello,

Apologies, missed that there is no WAN configured on the RUTX12.
In this case, the configuration would need to be done on the carrier-provided modem; as you correctly mentioned, the RUTX12 does not have a WAN zone. What you could do is create a separate network interface for WiFi with its own DHCP server, and assuming this interface is on the LAN zone (with forwarding enabled), it should be reachable from the ISP modem.
Then the ISP modem should only allow the packets from the WiFi network to go to the WAN interface.

Best regards,

Can you please tell me how to do this? I tried creating a new interface under Network → Interfaces called “Guest” and a new WiFi network associated with it, but the connected clients don’t get any internet connection. They can’t even ping the router’s IP.

The new Guest interface is on the same subnet as my regular LAN connection, and I have tried assigning it to the “lan” firewall zone as well as a new custom zone called “guestzone” for which I set input/output/forwarding all to enabled.

Do I need to select anything under the “Physical Settings” tab?

Here are screenshots showing my settings for Interfaces/Wifi/Firewall sections:

Hello,

The created network interface currently overlaps with LAN IP subnet. This will cause routing issues. I’d suggest moving the created network to 192.168.5.0/24. Other than that, everything should be fine.

Best regards,

I changed the Guest interface IP to 192.168.5.1 and changed its DHCP range to 192.168.5.1 - 192.168.5.254.

Guest WiFi clients can ping the RUTX12 on 192.168.1.1 but they still can’t ping the ISP router which runs on 192.168.1.111 and they still have no internet access.

Any idea what might be wrong, please?

Could you try enabling Masquerading on the LAN zone in General Firewall settings?

Still didn’t work. Guest Wifi can still ping the RUTX12 but not the ISP router or the internet.
