diff --git a/package/lean/luci-app-guest-wifi/Makefile b/package/lean/luci-app-guest-wifi/Makefile
new file mode 100644
index 000000000..814bac85d
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/Makefile
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2018 By-Ameng Openwrt.org
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=luci-app-guest-wifi
+LUCI_DEPENDS:=
+LUCI_PKGARCH:=all
+PKG_VERSION:=1.0
+PKG_RELEASE:=1
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/package/lean/luci-app-guest-wifi/luasrc/controller/guest-wifi.lua b/package/lean/luci-app-guest-wifi/luasrc/controller/guest-wifi.lua
new file mode 100644
index 000000000..887512f6a
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/luasrc/controller/guest-wifi.lua
@@ -0,0 +1,14 @@
+module("luci.controller.guest-wifi", package.seeall)
+
+function index()
+	require("luci.i18n")
+	luci.i18n.loadc("guest-wifi")
+	if not nixio.fs.access("/etc/config/guest-wifi") then
+		return
+	end
+	
+	local page = entry({"admin", "network", "guest-wifi"}, cbi("guest-wifi"), translate("Guest-wifi"), 19)
+	page.i18n = "guest-wifi"
+	page.dependent = true
+	
+end
diff --git a/package/lean/luci-app-guest-wifi/luasrc/model/cbi/guest-wifi.lua b/package/lean/luci-app-guest-wifi/luasrc/model/cbi/guest-wifi.lua
new file mode 100644
index 000000000..c498af3ce
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/luasrc/model/cbi/guest-wifi.lua
@@ -0,0 +1,66 @@
+
+require("luci.tools.webadmin")
+
+m = Map("guest-wifi", translate("Guest-wifi"))
+
+s = m:section(TypedSection, "guest-wifi", translate("Config"), translate("You can set guest wifi here. The wifi will be disconnected when enabling/disabling. When modifying the password, first disable the guest wifi, and then do the modification, save and apply. Finally check both Enable and Create, save and apply."))
+s.anonymous = true 
+s.addremove = false
+
+enable = s:option(Flag, "enable", translate("Enable"), translate("Enable or disable guest wifi"))
+enable.default = false
+enable.optional = false
+enable.rmempty = false
+
+create = s:option(Flag, "create", translate("Create/Remove"), translate("Check to create guest wifi when enabled, or check to remove guest wifi when disabled."))
+create.default = false
+create.optional = false
+create.rmempty = false
+
+device = s:option(ListValue, "device", translate("Define device"), translate("Define device of guest wifi"))
+device:value("radio0", "radio0")
+device:value("radio1", "radio1")
+device:value("radio2", "radio2")
+device.default = "radio0"
+
+wifi_name = s:option(Value, "wifi_name", translate("Wifi name"), translate("Define the name of guest wifi"))
+wifi_name.default = "Guest-WiFi"
+wifi_name.rmempty = true
+
+interface_name = s:option(Value, "interface_name", translate("Interface name"), translate("Define the interface name of guest wifi"))
+interface_name.default = "guest"
+interface_name.rmempty = true
+
+interface_ip = s:option(Value, "interface_ip", translate("Interface IP address"), translate("Define IP address for guest wifi"))
+interface_ip.datatype = "ip4addr"
+interface_ip.default ="192.168.4.1"
+
+encryption = s:option(Value, "encryption", translate("Encryption"), translate("Define encryption of guest wifi"))
+encryption:value("psk", "WPA-PSK")
+encryption:value("psk2", "WPA2-PSK")
+encryption:value("none", "No Encryption")
+encryption.default = "psk2"
+encryption.widget = "select"
+
+passwd = s:option(Value, "passwd", translate("Password"), translate("Define the password of guest wifi"))
+passwd.password = true
+passwd.default = "guestnetwork"
+
+isolate = s:option(ListValue, "isolate", translate("Isolation"), translate("Enalbe or disable isolation"))
+isolate:value("1", translate("YES"))
+isolate:value("0", translate("NO"))
+
+start = s:option(Value, "start", translate("Start address"), translate("Lowest leased address as offset from the network address"))
+start.default = "50"
+start.rmempty = true
+
+limit = s:option(Value, "limit", translate("Client Limit"), translate("Maximum number of leased addresses"))
+limit.default = "200"
+limit.rmempty = true
+
+leasetime = s:option(Value, "leasetime", translate("DHCP lease time"), translate("Expiry time of leased addresses, minimum is 2 minutes (2m)"))
+leasetime.default = "1h"
+leasetime.rmempty = true
+
+return m
+
diff --git a/package/lean/luci-app-guest-wifi/po/zh-cn/guest-wifi.po b/package/lean/luci-app-guest-wifi/po/zh-cn/guest-wifi.po
new file mode 100644
index 000000000..d5971e7ab
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/po/zh-cn/guest-wifi.po
@@ -0,0 +1,90 @@
+msgid "guest-wifi"
+msgstr "访客网络"
+
+msgid "Guest-wifi"
+msgstr "访客网络"
+
+msgid "Config"
+msgstr "设置"
+
+msgid "You can set guest wifi here. The wifi will be disconnected when enabling/disabling. When modifying the password, first disable the guest wifi, and then do the modification, save and apply. Finally check both Enable and Create, save and apply."
+msgstr "在此可以设置访客网络。启用/禁用访客网络时wifi会断开。当修改访客名称密码时，先禁用访客网络并保存应用，然后修改后保存应用，最后同时勾选启用和创建并保存应用。"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Enable or disable guest wifi"
+msgstr "启用/禁用访客网络"
+
+msgid "Create/Remove"
+msgstr"创建/删除"
+
+msgid "Check to create guest wifi when enabled, or check to remove guest wifi when disabled."
+msgstr "与启用同时勾选，可创建和启用访客网络；启用不勾选时勾选，可删除访客网络。"
+
+msgid "Define device"
+msgstr "指定设备"
+
+msgid "Define device of guest wifi"
+msgstr "指定用于访客网络的设备"
+
+msgid "Wifi name"
+msgstr "无线名称"
+
+msgid "Define the name of guest wifi"
+msgstr "指定访客网络的无线名称"
+
+msgid "Interface name"
+msgstr "接口名称"
+
+msgid "Define the interface name of guest wifi"
+msgstr "设置访客网络的接口名称"
+
+msgid "Interface IP address"
+msgstr "接口IP地址"
+
+msgid "Define IP address for guest wifi"
+msgstr "指定访客网络的IP地址(不能与其他LAN的IP地址段相同)"
+
+msgid "Encryption"
+msgstr "加密"
+
+msgid "Define encryption of guest wifi"
+msgstr "设置访客网络的无线加密方式"
+
+msgid "Password"
+msgstr "密码"
+
+msgid "Define the password of guest wifi"
+msgstr "设备访客网络的无线密码"
+
+msgid "Isolation"
+msgstr "隔离"
+
+msgid "Enalbe or disable isolation"
+msgstr "开启或关闭与其它LAN网段的隔离"
+
+msgid "Start address"
+msgstr "起始地址"
+
+msgid "Lowest leased address as offset from the network address"
+msgstr "网络地址分配的起始地址"
+
+msgid "Client Limit"
+msgstr "客户端最大数目"
+
+msgid "Maximum number of leased addresses"
+msgstr "最大地址分配数量"
+
+msgid "DHCP lease time"
+msgstr "DHCP地址租用时间"
+
+msgid "Expiry time of leased addresses, minimum is 2 minutes (2m)"
+msgstr "租用地址的到期时间，最短2分钟(2m)"
+
+msgid "YES"
+msgstr "是"
+
+msgid "NO"
+msgstr "否"
+
diff --git a/package/lean/luci-app-guest-wifi/root/etc/config/guest-wifi b/package/lean/luci-app-guest-wifi/root/etc/config/guest-wifi
new file mode 100644
index 000000000..d43f5f5b3
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/root/etc/config/guest-wifi
@@ -0,0 +1,14 @@
+
+config guest-wifi
+	option enable '0'
+	option wifi_name 'Guest-WiFi'
+	option interface_name 'guest'
+	option encryption 'psk2'
+	option passwd 'guestnetwork'
+	option interface_ip '192.168.4.1'
+	option isolate '1'
+	option start '50'
+	option limit '200'
+	option leasetime '1h'
+	option device 'radio0'
+	option create '0'
diff --git a/package/lean/luci-app-guest-wifi/root/etc/init.d/guest-wifi b/package/lean/luci-app-guest-wifi/root/etc/init.d/guest-wifi
new file mode 100755
index 000000000..18ad8b164
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/root/etc/init.d/guest-wifi
@@ -0,0 +1,213 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2015
+# Must keep author's information if you use this file.
+
+START=50
+
+HISTORY_DIR="/etc/config/guestwifi"
+[ -e /etc/config/guestwifi ]||mkdir -p /etc/config/guestwifi
+
+enabled=$(uci get guest-wifi.@guest-wifi[0].enable)
+wifi_name=$(uci get guest-wifi.@guest-wifi[0].wifi_name)
+interface_name=$(uci get guest-wifi.@guest-wifi[0].interface_name)
+encryption=$(uci get guest-wifi.@guest-wifi[0].encryption)
+passwd=$(uci get guest-wifi.@guest-wifi[0].passwd)
+interface_ip=$(uci get guest-wifi.@guest-wifi[0].interface_ip)
+isolate=$(uci get guest-wifi.@guest-wifi[0].isolate)
+start=$(uci get guest-wifi.@guest-wifi[0].start)
+limit=$(uci get guest-wifi.@guest-wifi[0].limit)
+leasetime=$(uci get guest-wifi.@guest-wifi[0].leasetime)
+device=$(uci get guest-wifi.@guest-wifi[0].device)
+create=$(uci get guest-wifi.@guest-wifi[0].create)
+
+
+start() {
+	[ $enabled = 1 ] && {
+		[ $create = 1 ] && {
+			[ -f /etc/config/guestwifi/guest_del ] || echo "#! /bin/sh" > ${HISTORY_DIR}/guest_del
+			chmod 0755 ${HISTORY_DIR}/guest_del
+			add_interface
+			add_ssid
+			mod_dhcp
+			mod_fw
+			/etc/init.d/network restart
+		}
+		uci set guest-wifi.@guest-wifi[0].create='0'
+		uci commit guest-wifi
+		uci del wireless.$interface_name.disabled
+		uci commit wireless
+		wifi
+	}
+}
+
+
+stop() {
+	[ $enabled = 0 ] && {
+		[ $create = 1 ] && {
+			${HISTORY_DIR}/guest_del
+			rule_c=`uci show firewall |grep "Hide My LAN for $wifi_name"|grep -o "[0-9]*[0-9]"`
+			uci del firewall.@rule[$rule_c]
+			uci commit firewall
+			rule_b=`uci show firewall |grep "Allow DHCP request for $wifi_name"|grep -o "[0-9]*[0-9]"`
+			uci del firewall.@rule[$rule_b]
+			uci commit firewall
+			rule_a=`uci show firewall |grep "Allow DNS Queries for $wifi_name"|grep -o "[0-9]*[0-9]"`
+			uci del firewall.@rule[$rule_a]
+			uci commit firewall
+			/etc/config/guestwifi/guest_del
+			rm -rf /etc/config/guestwifi/guest_del
+			/etc/init.d/network restart
+		}
+		uci set guest-wifi.@guest-wifi[0].create='0'
+		uci commit guest-wifi
+		uci set wireless.$interface_name.disabled='1'
+		uci commit wireless
+		wifi
+	}
+}
+
+restart() {
+	stop
+	sleep 2
+	start		
+}
+
+add_interface() {
+	name=`uci show network |grep "$interface_ip"`
+	if [ $? = 1 ]; then
+		uci set network.$interface_name=interface
+		uci set network.$interface_name.proto='static'
+		uci set network.$interface_name.ipaddr="$interface_ip"
+		uci set network.$interface_name.netmask='255.255.255.0'
+		echo "uci del network.$interface_name" >> ${HISTORY_DIR}/guest_del
+		echo "uci commit network" >> ${HISTORY_DIR}/guest_del
+		uci commit network
+	fi
+}
+
+add_ssid() {
+	check_name=`uci show wireless |grep "$wifi_name"`
+	if [ $? = 1 ]; then
+		uci set wireless.$interface_name=wifi-iface
+		uci set wireless.$interface_name.device="$device"
+		uci set wireless.$interface_name.mode='ap'
+		uci set wireless.$interface_name.network="$interface_name"
+		uci set wireless.$interface_name.ssid="$wifi_name"
+		uci set wireless.$interface_name.encryption="$encryption"
+		uci set wireless.$interface_name.isolate="$isolate"
+		if [ "$encryption" != "none" ]; then
+			uci set wireless.$interface_name.key="$passwd"
+		fi
+		echo "uci del wireless.$interface_name" >> ${HISTORY_DIR}/guest_del
+		echo "uci commit wireless" >> ${HISTORY_DIR}/guest_del
+		uci commit wireless
+	fi
+}
+
+mod_dhcp() {
+	check_dhcp=`uci show dhcp |grep "$interface_name=dhcp"`
+	if [ $? = 1 ]; then
+		uci set dhcp.$interface_name=dhcp
+		uci set dhcp.$interface_name.interface="$interface_name"
+		uci set dhcp.$interface_name.start="$start"
+		uci set dhcp.$interface_name.limit="$limit"
+		uci set dhcp.$interface_name.leasetime="$leasetime"
+		echo "uci del dhcp.$interface_name" >> ${HISTORY_DIR}/guest_del
+		echo "uci commit dhcp" >> ${HISTORY_DIR}/guest_del
+		uci commit dhcp
+	fi
+}
+
+mod_fw() {
+	num_a=`uci show firewall |grep '=zone' |wc -l`
+	num_b=`uci show firewall |grep '=forwarding' |wc -l`
+
+	check_zone=`uci show firewall |grep "name=\'$interface_name\'"`
+	if [ $? = 1 ]; then
+		uci add firewall zone
+		echo "uci del firewall.@zone[$num_a]" >> ${HISTORY_DIR}/guest_del
+		echo "uci commit firewall" >> ${HISTORY_DIR}/guest_del
+		uci set firewall.@zone[$num_a]=zone
+		uci set firewall.@zone[$num_a].name="$interface_name"
+		uci set firewall.@zone[$num_a].network="$interface_name"
+		uci set firewall.@zone[$num_a].forward='REJECT'
+		uci set firewall.@zone[$num_a].output='ACCEPT'
+		uci set firewall.@zone[$num_a].input='REJECT'
+		uci commit firewall
+	fi
+
+	check_forward=`uci show firewall |grep "forwarding\[.*\].src=\'"$interface_name\'""`
+	if [ $? = 1 ]; then
+		uci add firewall forwarding
+		echo "uci del firewall.@forwarding[$num_b]" >> ${HISTORY_DIR}/guest_del
+		echo "uci commit firewall" >> ${HISTORY_DIR}/guest_del
+		uci set firewall.@forwarding[$num_b]=forwarding
+		uci set firewall.@forwarding[$num_b].src="$interface_name"
+		uci set firewall.@forwarding[$num_b].dest='wan'
+		uci commit firewall
+	fi
+
+	check_DNS=`uci show firewall |grep "Allow DNS Queries for $wifi_name"`
+	if [ $? = 1 ]; then
+		num_c=`uci show firewall |grep '=rule' |wc -l`
+		uci add firewall rule
+		uci set firewall.@rule[$num_c]=rule
+		uci set firewall.@rule[$num_c].name="Allow DNS Queries for $wifi_name"
+		uci set firewall.@rule[$num_c].src="$interface_name"
+		uci set firewall.@rule[$num_c].dest_port='53'
+		uci set firewall.@rule[$num_c].proto='tcpudp'
+		uci set firewall.@rule[$num_c].target='ACCEPT'
+		uci commit firewall
+		unset num_c
+	fi
+
+	check_DHCP=`uci show firewall |grep "Allow DHCP request for $wifi_name"`
+	if [ $? = 1 ]; then
+		num_c=`uci show firewall |grep '=rule' |wc -l`
+		uci add firewall rule
+		uci set firewall.@rule[$num_c]=rule
+		uci set firewall.@rule[$num_c].name="Allow DHCP request for $wifi_name"
+		uci set firewall.@rule[$num_c].src="$interface_name"
+		uci set firewall.@rule[$num_c].src_port='67-68'
+		uci set firewall.@rule[$num_c].dest_port='67-68'
+		uci set firewall.@rule[$num_c].proto='udp'
+		uci set firewall.@rule[$num_c].target='ACCEPT'
+		uci commit firewall
+		unset num_c
+	fi
+
+	check_HIDE=`uci show firewall |grep "Hide My LAN for $wifi_name"`
+	if [ $? = 1 ]; then
+		num_c=`uci show firewall |grep '=rule' |wc -l`
+		uci add firewall rule
+		uci set firewall.@rule[$num_c]=rule
+		uci set firewall.@rule[$num_c].enabled='1'
+		uci set firewall.@rule[$num_c].name="Hide My LAN for $wifi_name"
+		uci set firewall.@rule[$num_c].proto='all'
+		uci set firewall.@rule[$num_c].src="$interface_name"
+		#convert netmask to cidr
+		local lan_netmask=`uci get network.lan.netmask`
+		local nbits=0
+		local IFS=.
+		for netmask_dec in $lan_netmask ; do
+			case $netmask_dec in
+				255) let nbits+=8 ;;
+				254) let nbits+=7 ;;
+				252) let nbits+=6 ;;
+				248) let nbits+=5 ;;
+				240) let nbits+=4 ;;
+				224) let nbits+=3 ;;
+				192) let nbits+=2 ;;
+				128) let nbits+=1 ;;
+				0) ;;
+				*) echo "Error: $netmask_dec can not be recognised as netmask decimal." && exit 1 ;;
+			esac
+		done
+		unset netmask_dec
+		uci set firewall.@rule[$num_c].dest_ip="`uci get network.lan.ipaddr`/$nbits"
+		uci set firewall.@rule[$num_c].target='REJECT'
+		uci commit firewall
+		unset num_c
+	fi
+}
+
diff --git a/package/lean/luci-app-guest-wifi/root/etc/uci-defaults/luci-app-guest-wifi b/package/lean/luci-app-guest-wifi/root/etc/uci-defaults/luci-app-guest-wifi
new file mode 100755
index 000000000..02ad18b3f
--- /dev/null
+++ b/package/lean/luci-app-guest-wifi/root/etc/uci-defaults/luci-app-guest-wifi
@@ -0,0 +1,11 @@
+#!/bin/sh 
+
+uci -q batch <<-EOF >/dev/null
+          delete ucitrack.@guest-wifi[-1]
+          add ucitrack guest-wifi
+          set ucitrack.@guest-wifi[-1].init=guest-wifi
+          commit ucitrack
+EOF
+
+rm -f /tmp/luci-indexcache
+exit 0