Is it possible to set up a "real Guest Wireless Network"?

Good morning!

My construction at the moment is:
I have a “Fritzbox” Router configured as PPPOE Modem, then after the “modem” the IPFire is connected at “Red”. And at “Blue” there is another Fritzbox connected as Wireless Router and DECT Station.

This works perfect so far…

But: Before I set up the Fritzbox to “Connection to an external Modem or Router” I was able to set up in my Fritzbox that devices in my Guest Wifi Network can’t talk to each other…
Since the DHCP and Firewalling now is managed by the Ipfire it is not possible anymore to set this feature in the Fritzbox.

So: at the moment I can set up a Guest Wireless-Network in the Fritzbox but it has no advantage… the mobile phones and so on are also normal devices in my WLAN and can talk to each device of “blue”.
They also have the same IP - they are in the same network as all other devices…
As already said: the option “Devices are not able to talk to each other” is not available anymore since I changed my settings at the Fritzbox.

The only thing I am able to configure in the Fritzbox would be: "use the settings from the Fritzbox that is used as “Internet Router”…

Is there a way to set up the Ipfire so that it tells the Fritzbox that devices in the guest Network can’t talk to each other anymore?
I really don’t want to set up a third Wireless Router :wink:

Best regards

1 Like

maybe you could setup your guest network using this Fritzbox, instead of the other you are using as access point of the blue network.

In alternative, you can setup the entire blue network to be further restricted and prevent any connection but the red zone.

Also read this at the internet…
Would be if very cool I could if I could set up a Guest Network directly at the first Fritzbox that is configured as PPPOE modem…
But thats not possible how it looks like - the Fritzbox can’t pass the Internet that is set up by the IPFIRE to the WLAN…

And I really don’t like to set the first Fritzbox up as standard Accesspoint… because then I have to deal with the Firewall of the Fritzbox also…
I guess this would make the things (like portforwarding) a lot more complicated…

I’ll have a look if there is an option with an alternative Software called “Freetz-ng” to use the Internet of the PPPOE connection… thats my only approach I have at the moment…

okay… this is possible? how?

From IPFire Web User Interface, create a new rule. Source: blue; Destination: blue; Protocol: all and drop or reject. Click on Add and then Apply.

You won’t be able to connect to anything but the red interface.

In alternative, if you set up a functional proxy, you can select Firewall/Firewall options/Firewall options for BLUE interface/Drop all packets not addressed to proxy. But then you need to set a similar rule in Squid ACL to prevent connections to other blue machines.

If you want to have a privileged blue user, you can always use the VPN. For example, if you set up OpenVPN, you can have your privileged machine connecting to Blue, establishing a tunnel and then it will have all privileges you assign to the VPN service.

1 Like

To the rule: Block all from Blue to blue:
If I for example set up that a specified blue host, that is able to talk to another blue host and then afterwards do a rule to drop all other packages - like you wrote in your last comment - I guess this might be the answer to my problem?!?

Then the “only thing” I would have to set up are the “privileged” devices that are able to talk to each other…
Thank you - I’ll try that one and hope that they are not able to connect to each other just by sending their packages over the WLAN directly…

Tried it: not possible: Source and destination are identical.

Theres a way: when you define a group that “blue” is in and say: Group is not allowed to send to “blue” - but this doesn’t work… the Fritzbox sends the WLAN requests directly…
so only option 2 would be a possibility…
Thank you!

EDIT: Of course, I forgot the gateway!!!

EDIT2: You need first to have an allow rule for the gateway as well. Edited the example.

You could try to use IPTables directly. For example, In IPFire, the /etc/sysconfig/firewall.local file can be customized to define your own rules. To block all traffic within the BLUE network, you could add the following IPTables rules, the first in the start) sections and the next rule in the stop) section:





Keep in mind that:

  • -A: Appends the rule to the end, so it gets evaluated last.
  • -I: Inserts the rule at the beginning, so it gets evaluated first.

Replace [BLUE_SUBNET] with the CIDR notation for your BLUE network, e.g., and [BLUE_GATEWAY] with the address of IPFire in teh blue network (e.g.

Restart the firewall service for changes to take effect.

/etc/init.d/firewall restart

Do you mean that the routed packets will not pass through IPFire but will be routed directly by the Access Point? If your fritzbox is bridged to IPFire and IPFire is the DHCP server, all the packets should be routed by IPFire as well.


The routed packets are passed through the IPfire…

But if 2 devices are logged into the Wireless Lan and have the same IP-address-range and one of them wants to send a package to the other one it doesn’t need to be routed and is sent directly…
That also tells me traceroute → only one hop… → Mobile phone directly was pinged without Ipfire in between…

I just did a little trick…

I gave my phone the IP, configured it so that MacAdress Filter is allowed and it is allowed to the internet…

Now I set in the WLAN-Accesspoint an IP-Route that everything that goes to (Subnetmask should be sent to (the IP of the IPfire)…
Now Internet on the phone is working… but connection to another device in the WLAN is not possible anymore because IPFire blocks it…
Despite of IPfire itself… there the connection can be established…

But: how do I set up a wide IP-Route? I guess through the Subnetmask… but hell… I guess I’m to dumb to calculate it after about 20 years not needing it anymore…

You can use ipcalc


1 Like

Perhaps a Blue wifi network group
All fixed IPs outside DHCP range.
Firewall rule to block Blue from Blue wifi group
Block Blue wifi group to Blue

The only problem then is wifi devices that use random MAC addresses.

Yep… but with Mac Address Filter on Blue that is always the case…
But fortunately most mobile phones use the same MAC address again when connecting the same WLAN Network…

Managed it by using and the first IP I use is .129

Works great!

Thanks a lot!

Hello! I try to replicate this, but for devices in the green network. The situation is a little bit different, but if Ipfire really is solely responsible for the routing, this should not present a problem. Would be nice, if an experienced user could give me feedback here.

In general I want to achieve client isolation in the same subnet. I think a better way to realize is this with vlans or with two different physical APs. But at the moment I just have the fritzbox ap at hand (also 1 Ap is more energy efficient).
My wifi fritzbox AP is on green NIC and I have devices here, that are supposed to connect to the internet but not to other green hosts. I assigned the client that is in green and shall be restricted the ip, ipfire is on, the ap on

I applied these rules for etc/sysconfig/firewall.local

iptables -A CUSTOMFORWARD -s -d -j ACCEPT
iptables -A CUSTOMFORWARD -s -d -j DROP
iptables -A CUSTOMINPUT -s -d -j ACCEPT
iptables -A CUSTOMINPUT -s -d -j DROP
iptables -A CUSTOMOUTPUT -s -d -j ACCEPT

I further set up an fixed ipv4 route in the AP

But still, no success, the phone can still ping all devices in the green subnet, traceroute is completed with only one hop.
I was expecting, that the packages will be routed from to and everything that is not directed to will de droped… Where is the flaw here?

Any traffic within the one subnet will not need to go to IPFire.

It will just communicate directly via the switches you have to the other machines on the same subnet.

So none of your firewall rules will ever get triggered as the source and destination IP’s are on the same subnet.

Hi Adolf, I assumed so, but why was the “trick” of tobias with the static IP route working than? In general he was describing the same situation, didn’t he?

No he mentions about using a subnet mask of instead of which means his subnet consisted of a single machine, although I am not sure I would expect that to work as the subnet caclulateor I used said that means 0 usable hosts.
Later on he mentions a subnet of but I can’t easily tell from the post which IP’s he is trying to prevent talking to which other IP’s and his situation is also on the Blue network which may or may not make a difference.

Certainly on green with a subnet of your network address of gives you a single subnet of IP’s ranging from to 192.168.4/254 which means all of those IP’s can communicate with each other without going through IPFire.

So does this mean there is no possible stativ IP route that I can put into the AP that will prevent direct communication between the clients? The Phone I wish to isolate has IP and I pinged a PC on

Im not sure if the Fritzbox support “Client Isolation” but the IPFire Accesspoint does it. (of course only with a wireless interface as blue network)

If you set the checkbox the clients are forced to communicate via the IPFire because wireless networks are not switched.

1 Like