First of all, the best way to isolate hotspot users from your existing network is to connect the hotspot router directly to the internet connection, as the first router in your network, and then connect your other routers to the hotspot router. That way, hotspot users won’t see the other parts of your network.

Furthermore, there are several tricks you can use, depending on the hardware/firmware you are using:

(Note that if you have a local DNS on the restricted subnet, then the hotspot will not work.)

To restrict access to your office network from the hotspot’s subnet, you need to edit a file on the router via SSH (using putty.exe or ‘ssh {IP ADDRESS OF YOUR ROUTER}’ from a terminal on a Mac).

Once you are logged in, type:
vi /etc/chilli/ipup.sh

The file is still empty at this point, so we are going to add an iptables (firewall configuration) command:
iptables -I FORWARD -s 192.168.182.0/20 -d 1.2.3.0/24 -j DROP

where 192.168.182.0/20 is the hotspot subnet and 1.2.3.0/24 is your office subnet. This sets the firewall to drop all packets from your hotspot network to your office network.

PLEASE NOTE: if your hotspot network differs from 192.168.182.0/20, you have to use your own numbers instead of 192.168.182.0/20.

When you’re done, press Esc and type :x, then hit ENTER to save the file.
You can then type ‘reboot’ to reboot the router.
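
An added example (not part of the original article): a small shell check to run on a workstation before editing ipup.sh. It shows which addresses a CIDR value really covers, prints the rule with both subnets reduced to their network addresses, and refuses if the hotspot and office subnets overlap. The function names are hypothetical, the subnets are the article's sample values, and a shell with 64-bit arithmetic (bash, dash) is assumed.

```shell
# Added example: sanity-check the two subnets before writing the DROP rule.
# Function names are hypothetical; subnets are the article's sample values.

ip_to_int() {                       # A.B.C.D -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int_to_ip() {                       # 32-bit integer -> A.B.C.D
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_bounds() {                     # CIDR -> "first last" as integers
    addr=$(ip_to_int "${1%/*}")
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( addr & mask ))
    echo "$first $(( first | (~mask & 4294967295) ))"
}

cidr_range() {                      # CIDR -> "first-address last-address"
    set -- $(cidr_bounds "$1")
    echo "$(int_to_ip "$1") $(int_to_ip "$2")"
}

normalize_cidr() {                  # CIDR with host bits cleared by the mask
    set -- $(cidr_bounds "$1") "${1#*/}"
    echo "$(int_to_ip "$1")/$3"
}

cidrs_overlap() {                   # exit status 0 if the two ranges intersect
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

drop_rule() {                       # print the rule, or fail on overlapping subnets
    if cidrs_overlap "$1" "$2"; then
        echo "hotspot $1 overlaps office $2: the rule would drop hotspot-internal traffic" >&2
        return 1
    fi
    echo "iptables -I FORWARD -s $(normalize_cidr "$1") -d $(normalize_cidr "$2") -j DROP"
}

HOTSPOT=192.168.182.0/20            # iptables applies the mask, so this matches the range below
OFFICE=1.2.3.0/24
echo "hotspot covers: $(cidr_range "$HOTSPOT")"
drop_rule "$HOTSPOT" "$OFFICE"
```

With the article's values the /20 covers 192.168.176.0 through 192.168.191.255, so an office subnet anywhere inside that range is rejected by the overlap check.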
