How to set up a guest network on OPT1



  • Is there a quick guide for setting up a guest network using OPT1 or OPT2?  I want it to be on a separate subnet from my LAN connection, have no access to the LAN (for the LAN to the OPT1 network).  I appreciate the help!



  • Basically looking for the following:  1 WAN and two separate physical LANs.  1 on using the LAN port and the other using the OPT1 or OPT2 port.


  • Rebel Alliance Global Moderator

    Well, create the rules you want on your lan and opt interfaces to not allow the traffic you want. Out of the box lan would be able to create any connections it wants to opt network because the default rules on lan are any any.

    But your opt network would have no rules, and opt network would not be able to go anywhere.  So if you don't want opt to go to lan, then create a block rule on opt 1 blocking access to lan network, before you create your allow rules to get to internet.

    Same goes on your lan interface, create a block rule that blocks access to opt network.

    Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated.

    Do you need a picture?



  • That was super helpful in confirming what I had done already.  I appreciate that, thank you.  Also - I can just create a DHCP pool for that interface like normal right?

    Technically after this point my router has two LAN IPs right?  one for each subnet?



  • @janderson2k:

    "That was super helpful in confirming what I had done already.  I appreciate that, thank you.  Also - I can just create a DHCP pool for that interface like normal right?

    Technically after this point my router has two LAN IPs right?  one for each subnet?"

    Yes, "LAN" and "OPT1" both become local private subnets and each has an IP address in its subnet. As you say, just create a DHCP pool that is some part of the IP address range in each subnet.


  • Rebel Alliance Global Moderator

    "That was super helpful in confirming what I had done already."

    Confirming what - you posted ZERO to what you had done or even thought of doing..

    Do you need a picture?  Post up what you have DONE!!



  • LOL, "confirming what"?  Confirming that I had done exactly as you had recommended (thank you) prior to you suggesting it.  But nonetheless, I am still having some issues and would def appreciate your further help.  I have my pfsense box passing IPs on the opt 1 (we will call it guest) network but I cannot access the internet from the guest network.

    Here is a pic of what I have for rules:
    states : 0/0b
    Protocol :IPv4*
    Source : opt1 guest net
    port : *
    Destination : wan address (had this as wan net as well)
    Port : *
    Gateway : *



  • I will assume that is a pass rule.

    You are only allowing clients on "opt1 guest net" to reach exactly 1 IP address - "WAN address". So they are going to be rather restricted  ;) Actually you said that you want them to be able to reach "the internet".

    You need to first put a block rule with source "opt1 guest net" and destination "lan net" - that will stop opt1 from reaching lan.

    Then put a pass rule with source 'opt1 guest net' and destination "*" - that will let anything else through to the "big bad internet".

    Then test from a client in opt1.
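
    Added example, not part of the original post and not pfSense code: a small Python model of first-match rule evaluation on the OPT1 interface, comparing the rule as posted, the suggested block-then-pass pair, and the same pair in the wrong order. All addresses are constructed (the thread only gives "192.xxx" and "172.xxx"), and the `Rule`, `evaluate` and `audit` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing; the thread only gives "192.xxx" and "172.xxx".
LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # "lan net"
GUEST_NET = ipaddress.ip_network("172.16.1.0/24")       # "opt1 guest net"
WAN_ADDRESS = ipaddress.ip_network("203.0.113.10/32")   # the firewall's own WAN IP
ANY = ipaddress.ip_network("0.0.0.0/0")                 # destination "*"
GUEST_HOST, LAN_HOST, INTERNET_HOST = "172.16.1.25", "192.168.1.25", "198.51.100.7"

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def evaluate(rules, src, dst):
    """Top-down, first match wins; no matching rule means the packet is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for position, rule in enumerate(rules, start=1):
        if s in rule.src and d in rule.dst:
            return rule.action, position
    return "block", None             # an interface with no matching rule passes nothing

# The single pass rule as posted: destination is only the WAN address.
AS_POSTED = [Rule("pass", GUEST_NET, WAN_ADDRESS)]
# The suggested pair: block guest -> LAN first, then pass guest -> anything.
SUGGESTED = [Rule("block", GUEST_NET, LAN_NET), Rule("pass", GUEST_NET, ANY)]
# Same two rules, pass rule on top: the block rule is never reached.
WRONG_ORDER = [SUGGESTED[1], SUGGESTED[0]]

def audit(rules):
    """Check a guest rule set against the two goals stated in the thread."""
    findings = []
    if evaluate(rules, GUEST_HOST, LAN_HOST)[0] == "pass":
        findings.append("guest can reach LAN")
    if evaluate(rules, GUEST_HOST, INTERNET_HOST)[0] != "pass":
        findings.append("guest cannot reach internet")
    return findings

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("suggested", SUGGESTED),
                        ("wrong order", WRONG_ORDER)):
        print(f"{name}: {audit(rules) or 'ok'}")
```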



  • "Basically looking for the following:  1 WAN and two separate physical LANs.  1 on using the LAN port and the other using the OPT1 or OPT2 port."

    WAN as it is served to you by your ISP
    LAN1 with 192.xxx and DHCP range from 192.xxx.20 to 192.xxx.50
    OPT1 as LAN2 with 172.xxx and DHCP range from 172.xxx.20 to 172.xxx.50

    What exactly was the problem now? You can realize that with either managed or unmanaged switches, as you like!

    "Technically after this point my router has two LAN IPs right?"

    Right, and both must now be configured the way you want to allow or deny the traffic between them.

    "one for each subnet?"

    Yes, you now have two totally different subnets (CIDR) with private IP address ranges or pools and a DHCP server of its own for each.
    Now you should think over what to allow or deny for them and their clients.