[OpenWRT] Shell Script to Create a Fully Isolated Guest Network with Bandwidth Control
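#!/bin/sh
#
# FOR USE IN OPENWRT
# This script creates a guest network fully isolated from the main one.
# Tested on a Xiaomi AX3000T router; should work on any OpenWRT-powered router.
#
# Ensure the Wi-Fi interfaces retain their default names (radio0 and radio1).
#
# Info about OpenWRT support on AX3000T:
# https://openwrt.org/inbox/toh/xiaomi/ax3000t
#
# What the script configures (all through uci, so it survives reboots):
#   1. a bridge device "br-<INTERFACE>" and a static interface on NETWORK
#   2. a DHCP pool on that interface
#   3. a firewall zone with input/forward REJECT that only lets guests reach
#      the router for DNS and DHCP, rejects traffic to LAN_RANGE, and forwards
#      to LAN_INTERFACE
#   4. a WPA2/WPA3 (sae-mixed) access point on radio0 and, optionally, radio1
#
# Run as root on the router. Every uci section is deleted and recreated, so
# the script can be re-run after editing the settings below.
#
# Guest interface configuration. INTERFACE names the uci sections, the bridge
# device ("br-<INTERFACE>") and the firewall zone; the Wi-Fi network name is
# RADIO_SSID below.
INTERFACE='guest'
NETWORK='192.168.6.1/24'
# Your current LAN interface configuration, needed by firewall rules.
# LAN_RANGE becomes the dest_ip of the isolation rule; the network-address
# form (e.g. 192.168.1.0/24) is the conventional spelling — check the active
# firewall after applying to confirm the intended range is matched.
LAN_INTERFACE='lan'
LAN_RANGE='192.168.1.1/24'
# Wi-Fi SSID and Password
RADIO_SSID='my-guest-wifi' # Choose your Wi-Fi network name here
RADIO_KEY='my-guest-password' # BE SURE TO CHANGE THE PASSWORD!!! The script refuses to run with this value.
RADIO1_ENABLE=1 # Set to 1 to enable radio1; comment out to use only the radio0 interface.
CLIENT_ISOLATION='' # Set to 1 to also stop guest clients from talking to each other (AP isolation).
#
# Configuration below this line should not require modification.
#
# Abort on the first failed command and on unset variables; the script is
# plain POSIX sh (busybox ash on OpenWRT), so pipefail is not used.
set -eu

# Print a message to stderr and exit with status 1.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Delete a uci section if it exists. "uci -q delete" returns non-zero when the
# section is absent, which must not trip set -e on a first run.
# Arguments: $1 - fully qualified uci section, e.g. network.guest
reset_section() {
  uci -q delete "$1" || true
}

# Create an access-point wifi-iface bound to the guest network.
# Arguments: $1 - wireless uci section name, $2 - radio device (radio0/radio1)
# Globals read: INTERFACE, RADIO_SSID, RADIO_KEY, CLIENT_ISOLATION
wifi_ap() {
  reset_section "wireless.$1"
  uci set "wireless.$1=wifi-iface"
  uci set "wireless.$1.device=$2"
  uci set "wireless.$1.mode=ap"
  uci set "wireless.$1.network=${INTERFACE}"
  uci set "wireless.$1.ssid=${RADIO_SSID}"
  # WPA2-PSK/WPA3-SAE mixed mode, as in the original configuration.
  uci set "wireless.$1.encryption=sae-mixed"
  uci set "wireless.$1.key=${RADIO_KEY}"
  if [ -n "${CLIENT_ISOLATION}" ]; then
    uci set "wireless.$1.isolate=1"
  fi
}

# Sanity checks before anything on the router is modified.
command -v uci >/dev/null 2>&1 || die 'uci not found; run this on an OpenWRT router'
[ "${RADIO_KEY}" != 'my-guest-password' ] || die 'change RADIO_KEY before running; the default value is public'
# WPA-PSK passphrases must be 8 to 63 characters; hostapd rejects the
# interface otherwise and the guest Wi-Fi silently never comes up.
[ "${#RADIO_KEY}" -ge 8 ] && [ "${#RADIO_KEY}" -le 63 ] || die 'RADIO_KEY must be 8 to 63 characters long'

# Configure network bridge
reset_section "network.${INTERFACE}_dev"
uci set "network.${INTERFACE}_dev=device"
uci set "network.${INTERFACE}_dev.type=bridge"
uci set "network.${INTERFACE}_dev.name=br-${INTERFACE}"
# Configure network interface
reset_section "network.${INTERFACE}"
uci set "network.${INTERFACE}=interface"
uci set "network.${INTERFACE}.proto=static"
uci set "network.${INTERFACE}.device=br-${INTERFACE}"
uci set "network.${INTERFACE}.ipaddr=${NETWORK}"
uci commit network
service network restart

# Configure dhcp server: 150 leases starting at host .100, 1 hour lease time.
reset_section "dhcp.${INTERFACE}"
uci set "dhcp.${INTERFACE}=dhcp"
uci set "dhcp.${INTERFACE}.interface=${INTERFACE}"
uci set "dhcp.${INTERFACE}.start=100"
uci set "dhcp.${INTERFACE}.limit=150"
uci set "dhcp.${INTERFACE}.leasetime=1h"
uci commit dhcp
service dnsmasq restart

# Add firewall zone. input=REJECT means guests may only talk to the router
# itself through the explicit DNS/DHCP rules below; forward=REJECT means
# nothing leaves the zone except through the explicit forwarding section.
reset_section "firewall.${INTERFACE}"
uci set "firewall.${INTERFACE}=zone"
uci set "firewall.${INTERFACE}.name=${INTERFACE}"
uci set "firewall.${INTERFACE}.network=${INTERFACE}"
uci set "firewall.${INTERFACE}.input=REJECT"
uci set "firewall.${INTERFACE}.output=ACCEPT"
uci set "firewall.${INTERFACE}.forward=REJECT"
# FW Rule: Allow DNS (to the router only; no dest means the INPUT chain)
reset_section "firewall.${INTERFACE}_dns"
uci set "firewall.${INTERFACE}_dns=rule"
uci set "firewall.${INTERFACE}_dns.name=${INTERFACE}_dns"
uci set "firewall.${INTERFACE}_dns.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_dns.dest_port=53"
uci set "firewall.${INTERFACE}_dns.proto=tcp udp"
uci set "firewall.${INTERFACE}_dns.target=ACCEPT"
# FW Rule: Allow DHCP
reset_section "firewall.${INTERFACE}_dhcp"
uci set "firewall.${INTERFACE}_dhcp=rule"
uci set "firewall.${INTERFACE}_dhcp.name=${INTERFACE}_dhcp"
uci set "firewall.${INTERFACE}_dhcp.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_dhcp.dest_port=67-68"
uci set "firewall.${INTERFACE}_dhcp.target=ACCEPT"
uci set "firewall.${INTERFACE}_dhcp.proto=tcp udp"
# FW Rule: Isolate network from local LAN. Rules are evaluated before the
# zone forwarding below, so guest -> LAN_RANGE is rejected even though
# guest -> LAN_INTERFACE forwarding is enabled.
reset_section "firewall.${INTERFACE}_iso"
uci set "firewall.${INTERFACE}_iso=rule"
uci set "firewall.${INTERFACE}_iso.name=${INTERFACE}_iso"
uci set "firewall.${INTERFACE}_iso.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_iso.dest=${LAN_INTERFACE}"
uci set "firewall.${INTERFACE}_iso.dest_ip=${LAN_RANGE}"
uci set "firewall.${INTERFACE}_iso.target=REJECT"
# Add forwarding to lan.
# NOTE(review): this only forwards into the LAN_INTERFACE zone; on a stock
# OpenWRT layout with a separate "wan" zone, guests would need a forwarding
# with dest=wan to reach the Internet — confirm against your zone layout.
reset_section "firewall.${INTERFACE}_forward"
uci set "firewall.${INTERFACE}_forward=forwarding"
uci set "firewall.${INTERFACE}_forward.src=${INTERFACE}"
uci set "firewall.${INTERFACE}_forward.dest=${LAN_INTERFACE}"
uci commit firewall
service firewall restart

# Create radio0 wifi network
wifi_ap "${INTERFACE}" 'radio0'
# Create radio1 wifi network (only when RADIO1_ENABLE is set and non-empty;
# ":-" keeps set -u happy when the line above is commented out).
if [ -n "${RADIO1_ENABLE:-}" ]; then
  wifi_ap "${INTERFACE}_1" 'radio1'
fi
uci commit wireless
wifi reload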