Future Consideration Feature Request - Guest Network separate DHCP/DNS settings

Hi @TP_LINK,
I've had rock solid performance so far, and do like the Deco Labs options (although the Wifi Interference check results show 'low' then say underneath that there is significant interference), I do, however, have a feature request to put forward.
My use case:
- 3 x Deco M5s in Router mode
- Several wired and many wireless devices on the main network
- Several wireless devices on the guest network (my work devices)
- DHCP is handled by the Deco, and DNS is served by another server on the main network.
If I set the DNS to only have the DNS server, both the main and guest network use these settings. This causes the guest network to fail as it is segregated from the main network where the DNS server resides.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Please implement the feature of allowing separate DNS for main and Guest network.
Using a local DNS server for the main network has the effect of rendering the Guest network unusable without the installation of a secondary local DNS server just for the guest network.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Need exactly this for setting up pihole and not make my smart switches on the guest network be upset. Not DHCP, just a separate DNS setting for the guest network should do.
- Copy Link
- Report Inappropriate Content
@richpriest - I don't have a Deco but an AXE5400. I believe I solved this by setting the Secondary DNS to the IP of the main router itself. Since it can reach my pihole's IP when the guest network calls to it for DNS, it is able to then request to the pihole IP. Maybe this could work for others as well.
Cheers
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Deco M4R
+1 on separate dns server for guest network
- Copy Link
- Report Inappropriate Content
Hi guys, I just wanna share my config to workaround this issue.
There is a setting in Deco app called Port Forwarding in Advance menu. I used this to forward port 53 to my Adguard server as DNS service. Then in the DNS Server setting, I declared Adguard server IP as primary DNS and my Deco IP (which is 192.168.68.1) as secondary DNS then volla my guest network now can access internet through Adguard.
P/S: for simplicity you can declared the Deco IP as primary DNS for both main and guest network if you don't care about user's logs since Adguard will report all usages from a single user (the Deco IP itself).
Hope this can help somebody out there.
Update, thanks to sailboats pointed out the security risk of this method. If your Deco is not behind any router/firewall, you should NOT do this since it will open your Deco to the internet on port 53. Since my Deco is actually behind another router which is my ISP's modem so I have no issue with this setup.
- Copy Link
- Report Inappropriate Content
WHOAH, time out, let's talk this out. It sounds like you are opening port 53 of your router to the wider internet. If I understood you correctly you've just created an open/public DNS resolver, which is something you definitely don't want to do.
https://serverfault.com/questions/573465/what-is-an-open-dns-resolver-and-how-can-i-protect-my-server-from-being-misused
Unless I'm missing something basic - is there any authentication?
- Copy Link
- Report Inappropriate Content
@sailboats hi, forgot to mention that my deco is behind another router (my isp modem) so it's still behind that firewall. But yeah thanks for pointing this out for everyone else whose deco is doing PPoE or directly connect to the internet without a dedicated modem/router
- Copy Link
- Report Inappropriate Content
All,
The workaround proposed by TP-Link DOES work, to an extent...
Setup:
- PrimaryDNS = local AdGuard server IP.
- SecondaryDNS = router IP OR internet DNS server IP.
What will happen:
- Client on Main network - will try AdGuard server first. If it is a blocked site, AdGuard will return 0.0.0.0, and the site will be blocked as desired!
 (AdGuard will NOT simply return nothing, as you might expect, causing the client to proceed to the secondary server. PiHole et al work similarly).
- Client on Guest network - will not be able to reach AdGuard server (I don't think there is a timeout here, it cannot connect and immediately gives up), so it will proceed to secondary server, and so DNS will function.
 Note: if you use router IP here, the router will forward to your ISP DNS servers (not your local AdGuard server). This means guest network is NOT being protected by your AdGuard, and no DNS lookups will be blocked.
 IMO this is ok for a guest network.
-----------------------------------
Though I still agree with everyone else here - Guest network should be on a separate subnet, as this is the recommended networking practice (for simplicity, and security).
Perhaps @TP-Link are worried it would be a breaking change? But they could simply keep Guest with same subnet (as Main) for golive, so nothing would change or break, allowing users to change it later as desired.
Additionally, it would be good to see the ability to configure exceptions to the firewall (that presumably already exists) between Main and Guest networks.
This way, we could allow access from Guest devices to, for example, DNS server or media server on Main network.
Obviously this would be more effort to implement, as would need a whole new section in the UI.
Warm Regards,
- Copy Link
- Report Inappropriate Content

Information
Helpful: 173
Views: 57235
Replies: 244
Voters 162


































































































































































