TL;DR AirPort Basestations in Bridge Mode support the creation of Guest Networks, and all their traffic gets sent to VLAN 1003 on the Ethernet side.
I have a couple 5th-gen Apple AirPort Extreme Basestations in my house that I use to provide wifi access, together with a couple cheap TP-Link TL-WR841ND flashed with DD-WRT, and I run them all in bridge mode, as I don’t need their routing capablities. I rely on my PC-Engines Alix 2d2 running pfSense to be my router, so I just need wifi access points, not full-blown wireless routers.
One nice feature that you get if you do run AirPort Basestations as routers is the ability to have a completely isolated wifi network for guest use, that gets internet access but does not allow communication with devices on your private LAN.
Due to what I think is a bug in AirPort Utility, you can enable the guest network even when running your AirPort in bridge mode, the network is created and you can connect to it, but it looks like it doesn’t work: you don’t get an IP through DHCP, and any traffic seems to end nowhere.
After some Googling and Wiresharking, I found out that what actually happens is that AirPorts funnel all the guest network traffic to VLAN 1003, so if you have network equipment that is able to deal with VLANs you can actually use both Bridge Mode and Guest Network at the same time.
Luckily enough, my pfSense-based router is more than capable to do that, so I set up a Guest Interface on VLAN 1003, configured the DHCP server to assign addresses on that interface (on 10.10.10.0/24, while my main LAN runs on 192.168.1.0/24) and set up firewall rules to only allow traffic to the internet, and not to my LAN or other local subnets (such as my VPNs, and a second LAN I run on a different VLAN).
5 replies on “Enable Guest Network on AirPort Basestations in Bridge Mode”
Is the VLAN 1003 used on prior versions of Airport base stations? I have both an Airport Extreme A1300 and an Airport Express that appear to have a Guest Network enabled in Bridge mode but I am not confident that the implementation error that makes it look like it is working is the same thing that implements the VLAN tunnel.
Actually I don’t know if it works on other models, and sadly I don’t have any of them to test ☹️
it works also on other models
Thank you! Just configured the VLAN in my Meraki firewall and now guest network is working,
I am using the latest time capsule and I am not able to see the guest network option while in bridge mode. Do you know if Apple plugged the bridge mode bug in the time capsule?
I am trying to setup a vlan to the TC from my Ubiquity router.