Enabling Guest Network on AP - or in IPFire?

I recently upgraded my AP’s firmware and while doing that I considered enabling the Guest mode for some devices. I did not proceed since I am concerned about CPU/RAM load on the AP, and perhaps this should be done in IPFire instead, since that machine has plenty of CPU/RAM.

The AP is connected to Green via Patch panel and Switch. I have no Blue configured, nor anything connected to a NIC that could adopt the Blue role.

It is not a Wifi NIC as stated here: wiki.ipfire.org - Wireless Access Point
I do not think hostapd is relevant for my scenario…

Looking through IPFire system I see no obvious way to enable any Wifi Guest functionality, which I guess is fine since I have no Blue configured.

What I believe I should do, from reading threads here and the wiki, is:
Connect the AP to a NIC on my IPFire computer and configure Blue to that NIC, which is perfectly possible. That raises additional questions.

  1. How do I then create a Guest network for untrusted Wifi connected devices? A vlan? On Blue? How?
  2. How do I configure Blue so trusted Wifi devices can access the rest of the trusted Lan network, that being

I hope the following links will be helpful:



Pinhole seems additionally relevant, missed that. Thanks…

So I was pondering the effects of this implementation. Yes, sorry, I do ponder a lot and am sometimes a slow learner. Then again I hardly ever have system crashes or stuff that keeps breaking randomly.

Nothing done yet, only checked that I have the cabling in place so far.

An example: I have some Aqara sensors to measure electricity consumption and temperature. They are connected to an Aqara Hub and that Hub is connected to my WiFi, which is still on the Green network, and thus has Internet access. These are IoT devices and a standing recommendation among a lot of people is to deny them Internet access.

If I put them on Blue and do not add a pinhole for them, will I not be able to access them from devices that have a pinhole?

Another thing.
I run SuperMicro IPMI from my smartphone. I do many things from my smartphone and the Green network. So when I add that to Blue, I assume from the Pinhole guide I will have to open up all relevant protocols via pinholes, not just TCP but RDP, SSH and some more. OR, I set the phone’s MAC to access everything?

If you don’t add a pinhole for them to access devices on your green LAN then they will not be able to access green, which is probably what you want. If you want to access the Aqara sensors from devices in green, to read some data etc., then you can do that, as the default rule setup allows green to access blue.

If your smartphone gets connected to the blue network but needs to access devices in the green network then you will need to create a pinhole.

You could set the phone’s mac to access everything but I would suggest creating a group called say smartphone and in that you create a list of all the protocols you need to use in connections to the green network from your smartphone.
Then you create a single rule that opens a pinhole for the smartphone (source either IP or MAC) and apply the group of protocols to that rule.

If you find you forgot something or a new protocol needs to be accessed then you can add that to the group very easily.


Add Smartphone Group >


Just checking, it seems the functionality is correct. Add devices to that group with MAC or IP to access other networks.

That is for making a group of multiple clients to be able to access a specific machine, protocol etc.

It is in the right area but it is the Service Groups section you need.


In that page in place of the title Examplegroup1 you would use smartphone and you would then select any of the existing protocols in the IPFire list.

If you find that you need a protocol that is not listed in the IPFire protocol list then follow the Services page


Then you can create the protocol in that list and it will then be available to select in the Service Groups section.

Then when you make your firewall rule for the pinhole, in the protocol section select Preset and you have two radio buttons. Select the Service Groups one and you can then select your smartphone group from that.

Here is an example from my system with a qbittorrent group covering both the TCP and UDP ports for qbittorrent.

OK, not what I thought it would be. I have three smartphones that should have pinholes from blue to green. I thought I would be able to add them to the group “Smartphone” with their respective MAC addresses (since I have collected those), but I don’t see how.

Then the Smartphone group handles the protocols.

How do I add those MACs?

Sorry, I thought you only had one smartphone being used. If you have three then you need to create a host for each one using the Hosts entry in the Firewall Groups WUI page. In there you can specify either the IP or the MAC address.
Then create a host group where you now select the three Hosts with their MAC addresses.

Then the service group for the different protocols, presuming that all three smartphones will use the same protocols, as you have shown in your screenshot.

Then create a new firewall rule for the pinhole that uses the host group of three smartphones for the source and the protocol group for the Protocol Service Group selection and the destination will be an IP on the green network or it can be the whole green network or you can create a group of clients on the green network that those smartphones are allowed to access. Just bear in mind that for the destination only IP addresses can be used, not MAC addresses.

Hope that helps.

3 smartphones, 4 laptops, 3 tablets, aside from previously mentioned IoT devices.

Once I have secured that, maybe I add my washing machine and dryer as well… :rofl:

:joy: :rofl: :joy:

To make it clearer than lots of words I have set some groups up and created a rule and taken screen shots.

First from the Hosts section of the Firewall Groups page

Then from the Network/Hosts Groups section

Then from the Services Group section

Then, using the two groups created, the entries in the Firewall Rules page

I just entered a single IP in the destination but that section would be where you could also use a group if it was a subset of all clients in the green network.

Good Luck. Come back if you have any issues.


A small addition.

Apple platforms also use a randomized MAC address when conducting enhanced Preferred Network Offload (ePNO) scans when a device isn’t associated with a Wi-Fi network or its processor is asleep.

This feature can be disabled either by the user or using a new option in the Wi-Fi payload. Under certain circumstances, the device will fall back to the actual MAC address.

Wi-Fi privacy - Apple Support (PL)

On some Android smartphones, MAC address randomisation can also be blocked.

Disabling Randomizing MAC Addresses on iOS and Android Devices - YouTube

So if these are your smartphones, you can turn off randomisation for your wifi network on them.

I hope I have written this understandably :innocent:
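A worked illustration of the pinhole built up in this thread and of the MAC randomisation caveat from the last reply, added here as an example; it is not IPFire’s own code and not from any post above. IPFire stores its rules through the WUI, so the script instead emits the equivalent iptables commands by hand. The interface names blue0/green0, the host names, MAC addresses, ports and the green destination are constructed samples. Randomised Wi-Fi MACs on iOS and Android set the locally-administered bit (bit 1 of the first octet), so the audit flags any host whose collected MAC looks randomised, since a pinhole keyed on it will stop matching when the phone rotates it. It also refuses a MAC as destination, because MAC matching only works on the source.

```python
"""Added example, not part of the IPFire project or this thread.

Models the pinhole from the thread: a host group of smartphones (matched by
source MAC), a service group of protocols/ports, and a green destination.
All hosts, MACs, ports and addresses below are constructed samples.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set (locally administered).

    iOS/Android private (randomised) Wi-Fi addresses set this bit, so such a
    MAC in the host group is a sign the pinhole will silently stop matching.
    """
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac}")
    return bool(int(mac[:2], 16) & 0x02)


def audit_host_group(hosts):
    """Return the names of hosts whose MAC looks randomised."""
    return [name for name, mac in hosts if is_locally_administered(mac)]


def pinhole_rules(hosts, services, destination, src_if="blue0", dst_if="green0"):
    """Emit iptables commands equivalent to one blue->green pinhole rule.

    hosts:    list of (name, mac)    -- the "Smartphone" host group
    services: list of (proto, port)  -- the "Smartphone" service group
    destination: an IP or CIDR on green. MACs are matched with -m mac
    --mac-source, which exists only for the source; the destination must be
    an address, as the thread notes. (Interface names are an assumption.)
    """
    if MAC_RE.match(destination):
        raise ValueError("destination must be an IP/network; MAC matching works only on the source")
    rules = []
    for name, mac in hosts:
        for proto, port in services:
            rules.append(
                f"iptables -A FORWARD -i {src_if} -o {dst_if} "
                f"-m mac --mac-source {mac.lower()} "
                f"-p {proto} --dport {port} -d {destination} "
                f"-m comment --comment pinhole-{name}-{proto}-{port} -j ACCEPT"
            )
    return rules


# Constructed sample groups (not real devices from the thread).
SMARTPHONES = [
    ("phone1", "00:11:22:33:44:55"),   # universally administered (fixed) MAC
    ("phone2", "da:a1:19:00:00:01"),   # 0xda has bit 1 set: looks randomised
    ("phone3", "3c:22:fb:aa:bb:cc"),
]
SMARTPHONE_SERVICES = [("tcp", 22), ("tcp", 3389), ("udp", 3389)]
IPMI_HOST = "192.168.1.50"  # sample green destination


if __name__ == "__main__":
    for name in audit_host_group(SMARTPHONES):
        print(f"warning: {name} has a locally administered MAC; disable randomisation on it")
    for rule in pinhole_rules(SMARTPHONES, SMARTPHONE_SERVICES, IPMI_HOST):
        print(rule)
```

Run it and it prints one warning for phone2 followed by nine ACCEPT rules (three hosts times three services). In practice you would fix the flagged phone by turning off private addresses for your SSID, as the last reply describes, rather than by adding its rotating MACs to the group.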