Allow GUEST Network to Access Local Server, But Not VPN (WireGuard) — Beryl AX Setup

Hi all,

I’m using the GL.iNet GL-MT3000 Beryl AX and have the following setup:

  • MAIN WiFi (10.0.5.0/24)
  • GUEST WiFi (192.168.5.0/24)
  • WireGuard VPN connected on MAIN network to access my homelab at 10.0.0.0/24.

There’s a small server on the MAIN network at 10.0.5.10. And of course, it has access to the homelab via the WireGuard tunnel.

So far, this is all working great using the default web UI setup.

Now, here’s what I want to achieve:

  • Devices on the GUEST network should be able to access 10.0.5.10 (e.g., to use some services hosted on it).
  • GUEST devices should also have internet access.
  • But they must not have access to the 10.0.0.0/24 network (the remote homelab via WireGuard).

Has anyone done something similar? I’m open to firewall rule suggestions or other config tweaks to isolate the VPN while still allowing limited local access from GUEST to MAIN.

Thanks in advance!
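One way to check that a candidate OpenWrt firewall config actually meets the three requirements above before putting it on the router, as an added example that is not part of the original post: the script below embeds a constructed `/etc/config/firewall` fragment (the guest zone forwards only to wan; one traffic rule accepts guest traffic to 10.0.5.10; an earlier rule rejects anything from guest to 10.0.0.0/24 regardless of zone) and simulates fw4's forward decision order (traffic rules first, then zone forwardings, then the source zone's `forward` default). The zone name `wgclient` for the WireGuard client interface and the split-tunnel routing view (AllowedIPs = 10.0.0.0/24, internet via wan) are assumptions; check them against `uci show firewall` and `wg show` on the Beryl AX.

```python
"""Simulate fw4 forward decisions for a guest-network policy on OpenWrt.

Added example, not GL.iNet or OpenWrt code. The UCI fragment, zone names
and routing view below are constructed assumptions for this scenario.
"""
import ipaddress
import re

# Constructed UCI fragment. Assumption: the WireGuard client lives in a zone
# named "wgclient" (GL.iNet firmware); adjust to what `uci show firewall` says.
FIREWALL_UCI = """
config zone
    option name 'lan'
    option forward 'REJECT'
config zone
    option name 'guest'
    option forward 'REJECT'
config zone
    option name 'wan'
    option forward 'REJECT'
config zone
    option name 'wgclient'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'wgclient'
config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'guest-no-homelab'
    option src 'guest'
    option dest '*'
    option dest_ip '10.0.0.0/24'
    option target 'REJECT'
config rule
    option name 'guest-to-server'
    option src 'guest'
    option dest 'lan'
    option dest_ip '10.0.5.10'
    option target 'ACCEPT'
"""

# Constructed routing view: which zone a destination address is forwarded into.
# Assumes a split tunnel (WireGuard AllowedIPs = 10.0.0.0/24); everything
# not listed here leaves via wan.
ROUTES = [
    (ipaddress.ip_network("10.0.5.0/24"), "lan"),
    (ipaddress.ip_network("192.168.5.0/24"), "guest"),
    (ipaddress.ip_network("10.0.0.0/24"), "wgclient"),
]


def parse_uci(text):
    """Turn a UCI fragment into a list of {'type': ..., option: value} dicts."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            sections.append({"type": line.split()[1]})
        elif line.startswith("option "):
            m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
            sections[-1][m.group(1)] = m.group(2)
    return sections


def zone_for(ip):
    """Longest-prefix match of a destination against ROUTES, default wan."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, zone in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else "wan"


def decide(sections, src_zone, dst_ip):
    """Return (verdict, dest_zone) for a forwarded packet from src_zone."""
    dst_zone = zone_for(dst_ip)
    addr = ipaddress.ip_address(dst_ip)
    # 1. Traffic rules, in file order. A rule without 'dest' is an input rule
    #    (traffic to the router itself) and does not apply to forwarding.
    for s in sections:
        if s["type"] != "rule" or s.get("src") != src_zone:
            continue
        if s.get("dest") not in ("*", dst_zone):
            continue
        if "dest_ip" in s and addr not in ipaddress.ip_network(s["dest_ip"]):
            continue
        return s["target"], dst_zone
    # 2. Zone-to-zone forwardings accept whatever no rule decided.
    for s in sections:
        if s["type"] == "forwarding" and s["src"] == src_zone and s["dest"] == dst_zone:
            return "ACCEPT", dst_zone
    # 3. Otherwise the source zone's 'forward' default applies.
    for s in sections:
        if s["type"] == "zone" and s["name"] == src_zone:
            return s.get("forward", "REJECT"), dst_zone
    return "REJECT", dst_zone


# Expected verdicts for the policy in the post (last line: MAIN keeps the VPN).
POLICY = {
    ("guest", "10.0.5.10"): "ACCEPT",       # the one permitted MAIN server
    ("guest", "10.0.5.20"): "REJECT",       # any other MAIN host
    ("guest", "10.0.0.5"): "REJECT",        # homelab behind WireGuard
    ("guest", "93.184.216.34"): "ACCEPT",   # internet
    ("lan", "10.0.0.5"): "ACCEPT",          # MAIN still reaches the homelab
}


def check_policy(sections):
    """Map each (src_zone, dst_ip) case to True if the verdict matches POLICY."""
    return {case: decide(sections, *case)[0] == want for case, want in POLICY.items()}


def with_blanket_guest_to_lan(sections):
    """The misconfiguration to avoid: a plain guest->lan forwarding."""
    return sections + [{"type": "forwarding", "src": "guest", "dest": "lan"}]


if __name__ == "__main__":
    rules = parse_uci(FIREWALL_UCI)
    for case, ok in check_policy(rules).items():
        print(case, decide(rules, *case), "OK" if ok else "WRONG")
    print("blanket guest->lan, other MAIN host:",
          decide(with_blanket_guest_to_lan(rules), "guest", "10.0.5.20"))
```

Two things the simulation makes visible: the reject rule for 10.0.0.0/24 is placed before the accept rule and uses `dest '*'`, so it holds even if the WireGuard interface ends up in a different zone than assumed; and adding a plain guest-to-lan forwarding (which is what "guest can reach MAIN hosts" amounts to) opens every MAIN host, not just 10.0.5.10. The model assumes a split tunnel; if the VPN policy pushes all guest traffic through the tunnel, internet destinations land in the WireGuard zone too and this ruleset would cut guest internet off, so the VPN policy and the firewall rules have to be designed together.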

Some routers have LAN isolation as a feature, such that guest connections can see the internet but not one another.

Is that an option?

Yep, it's enabled, and rightfully so - I only want to allow access to one particular IP in the MAIN network, I don't want the GUEST hosts to roam across other MAIN hosts.

Hmm, preventing GUEST from using the VPN can be solved by a proper VPN policy:

And what's weird, the GUEST can talk to MAIN WiFi hosts by default (when I only want it to access one particular IP there). I described this issue in another post on this forum.

I guess I'll have to add proper firewall rules, but I worry that setting those via LuCI will somehow be overridden by the Beryl native UI in case I modify e.g. the VPN policy...