[RockNLol]

hi,
I use two DD-WRT Routers as WiFi-access points in my house. The gateway to the internet is a dedicated opnsense firewall though, which also does DNS and DHCP.

I would like to configure a guest network, but I am unsure as to where I even start in my case. I can configure a virtual interface wl0.1 very easily, but how do I route this to the firewall on a different vlan on the same cable? Are there tutorials for this case out there?

Hope you can help me and thanks in advance

[RockNLol]

Thanks for your reply! Unfortunately this does not seem to work, but maybe I am doing something wrong here:
(note that my dd-wrt is in german, so I might be translating some things differentley here) I set up a virtual interface wl0.1:
SSID Broadcast enabled
AP Isolation disabled
Network configuration bridged

Then I save the two iptables commands into the firewall section under administration > diagnosis

and finally reboot the router.

The result is a working guest network, but with full access to the local network. If I understand the iptables command correctley, this only works, if the router is also the gateway, because it does NAT?
Also DHCP clients get the local dns-server which would/should be blocked by the iptables, right? I do not think the opnsense firewall which does the DHCP could differ between clients on guest or private network.

Do I need vlans now? (I hope not, as I do not have a lot of experience setting vlans up)

[egc]

When you want to isolate a guest network you have to unbridge the interface.

See my attached notes.

There are 2 ways to do this see the references in my notes

There is also a section for when you are using a WAP (like you seem to do) and there are the commands from @eibgrad coming into play