Create a routed Access Point with Raspberry Pi and OpenWrt

In this article, I will show you how to configure your Raspberry Pi as a routed WiFi access point. This configuration is a little more complicated than the one in my previous post, which is available under this link.

In this configuration, the WiFi clients are on a different subnet than the management workstation. The Raspi will act as a router and forward all packets from the clients to the LAN using masquerading (Port Address Translation).




Get the current OpenWrt image

Take the current factory image (openwrt-18.06.1-brcm2708-bcm2710-rpi-3-ext4-factory.img.gz)

Burn the image with Etcher

Change LAN IP address of Raspi


For this you will need to configure your management workstation IP address to with subnet mask

Then open a browser and access to the default IP of the Raspi (

By default, the password is empty.

Then, navigate to Network – Interfaces and edit LAN interface

Disable DHCP server on this interface

To apply this configuration, you will need to first click on "Save & Apply" and then force apply with "Apply unchecked".

Your Raspi is now available under

You can revert your management workstation IP configuration to DHCP.

Begin by doing some cleanup


Open a browser and access to the new IP address of the Raspi (

Navigate to Network – Wireless and remove the default wireless SSID OpenWrt (see below)

Navigate to Network – Firewall, and under "General Settings" delete all Zones

Under "Traffic Rules" delete all Rules.

Create a new wireless SSID for Guest


Navigate to Network - Wireless and add a new SSID called Guest associated with a network called Guest too.

You should now have a brand new SSID (see below)

Configure the new Guest Interface


Navigate to Network – Interfaces and edit the newly created Guest interface

Under General Setup, change the protocol from "Unmanaged" to "Static address"

Then click "Apply" and configure the IP address and the netmask of the Guest Interface

Assign a DHCP server to this interface.

Create firewall Zones for the interfaces


Navigate to Network – Interfaces and edit the LAN Interface

Under "Firewall Settings" create a new zone called LAN (note that the DHCP server should be disabled for the LAN interface)

Do the same for the Guest interface (note that the DHCP server should be enabled for the Guest interface)

Configure the firewall


Navigate to Network – Firewall, you should now see two zones

Edit the zone Guest and configure it as below:

  • Name : guest
  • Input : accept
  • Output : accept
  • Forward : accept
  • Masquerading : unchecked
  • MSS clamping : unchecked
  • Covered Network : guest
  • Allow forward to destination zones : lan
  • Allow forward from source zones : empty

Edit the zone Lan and configure it as below:

  • Name : lan
  • Input : accept
  • Output : accept
  • Forward : reject
  • Masquerading : checked
  • MSS clamping : checked
  • Covered Network : lan
  • Allow forward to destination zones : empty
  • Allow forward from source zones : guest

The general setting should look like this

Click on "Save and Apply"

Navigate to Network - Wireless and enable the newly created SSID "Guest"

Then, check if it works by connecting a wireless device to the "Guest" SSID
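
The zone settings above can also be checked from a shell on the Raspi. The script below is an added example, not part of the original post: it reads `uci show firewall` output and compares it with the guest and lan values listed above. It assumes LuCI stored the zones as anonymous sections (`firewall.@zone[N]`); the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): check `uci show firewall` output against
# the article's zone settings. On the router: uci show firewall | audit_guest_ap
audit_guest_ap() {
    awk -F= '
    /^firewall\.@(zone|forwarding)\[[0-9]+\]\./ {
        sec = $1; sub(/\.[a-z_]+$/, "", sec)      # e.g. firewall.@zone[1]
        opt = $1; sub(/^.*\./, "", opt)           # e.g. masq
        v = $2; gsub("\047", "", v)               # drop the quotes uci prints
        o[sec, opt] = v
        if (opt == "name" && sec ~ /@zone/) zone[v] = sec
        if (sec ~ /forwarding/) fwd[sec] = 1
    }
    END {
        for (s in fwd) pair[o[s, "src"] ">" o[s, "dest"]] = 1
        if (!(("guest" in zone) && ("lan" in zone))) { print "FAIL zone guest or lan not found"; exit 1 }
        g = zone["guest"]; l = zone["lan"]; bad = 0
        if (!("guest>lan" in pair)) { print "FAIL no forwarding guest -> lan"; bad = 1 }
        if ("lan>guest" in pair)    { print "FAIL forwarding lan -> guest is allowed"; bad = 1 }
        if (o[l, "masq"] != "1")    { print "FAIL masquerading is off on lan"; bad = 1 }
        if (toupper(o[l, "forward"]) != "REJECT") { print "FAIL lan forward is not reject"; bad = 1 }
        if (toupper(o[g, "input"]) == "ACCEPT")
            print "NOTE guest input=accept: guest clients can reach services on the Raspi itself"
        if (!bad) print "OK zones match the article"
        exit bad
    }'
}

# Constructed sample: the article's settings in `uci show firewall` format.
sample_article_config() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='guest'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='lan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='guest'
firewall.@forwarding[0].dest='lan'
EOF
}

sample_article_config | audit_guest_ap
```

If masquerading is off on lan, replies from the LAN have no route back to the guest subnet unless the upstream router has one, so that is the first thing to check when guest clients get an address but no connectivity.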

That's all folks

This Post Has 7 Comments

    1. Thanks a lot, Remco. Always a pleasure to have news from Nederland...

  1. Thank you very much! I was looking around for clear instructions to do exactly the same thing and you saved me hours of wasted time. Now all I need to do is figure out how to limit guest wifi users to just the internet and one local IP. Thanks again.

    1. You are welcome! No idea how to do this... Maybe add some rules in the firewall...

  2. Yeah, the devil is always in the details...

  3. Thank you for this article!
    When I'm connecting to the SSID guest, I don't have access to the internet. Did I miss something?

  4. Thanks for this post, it was very helpful.
    I used it to configure ROOter (an OpenWRT variant that supports Mobile Broadband dongles) on the Raspberry Pi.
    I've now effectively got a Mobile Broadband Router that I can use on the road or as a backup Internet connection at home.
