When you use two network cards—one for Internet access and one for the guest network—it’s expected that the guest network cannot reach other networks. Its addresses are not routable from the system’s perspective.
There’s no need to force IP routing because the Proxy and the DNS server already “bridge” traffic at Layer 7 between the two interfaces.
The proxy listens on the guest-network interface and forwards requests out via the Internet interface; DNS works the same way.
¶ However, this limits access to HTTP/HTTPS/DNS only.
If you want other ports and protocols, that won’t work through the L7 bridge alone.
To enable them, ensure guest-network addresses are properly NATed (masqueraded) when exiting the Internet-facing interface.
This way, packets appear to come from the hotspot’s egress interface and can be routed normally.
Note: with masquerade, you won’t see the original guest IP per connection/port—the traffic will appear to come from the hotspot’s address.
¶ Create a Masquerade Bridge
- In the left menu, open
Networks & Nics > Interfaces connectors. - create a masqueraded bridge with a rule from the guest network to the Internet egress interface
