
Mar 22

DD-WRT Guest Wireless

Introduction

If you’ve done any amount of work with routers, you know that it doesn’t take long to start craving consistency, and more advanced functionality than the cheap home interfaces grant you. This is the point where you usually break down and start researching things like Tomato, OpenWrt, and DD-WRT, to name a few of the more popular alternatives.

These alternate firmwares don’t just provide a consistent administrative experience across all compatible models and brands; they also turn a cheap home router into a flexible and competitive enterprise router.

My Setup

DD-WRT is my personal firmware of choice: powerful, flexible, and stable. One thing I demand of a router is the ability to broadcast a secondary SSID so that my guests can access wireless internet in my home without also having access to my entire network of computers and devices.

Because my router’s stock firmware was extremely slow and buggy, I gladly flashed my Cisco E2500 with the “mini” DD-WRT firmware (the E2500 also supports the “big” firmware). But when I set about getting two wireless networks working on it, it became clear that there are no good tutorials for exactly how to do this with DD-WRT. The tutorial on their own website, in fact, does not work. So I find it falls upon me to publish my configuration for two mutually exclusive wireless networks from a single router, both networks having access to the WAN port (that is, internet access). There are, of course, multiple ways to do this. Feel free to leave alternative suggestions in the comments.

Create Two Wireless Networks

First, create your wireless networks by clicking on “Wireless” and then “Basic Settings”. We’ll set up security in a moment. After you’ve configured your private wireless network, click “Add” under “Virtual Interfaces” to add the “wl0.1 SSID”. Give your guest network a separate SSID, and select “Enable” for “AP Isolation”.

Now click “Save” and “Apply Settings”.

[Screenshot: ssid]

Setup Wireless Security

Navigate to the “Wireless Security” tab. After you’ve set up wireless security for your private network, set up similar security for your guest SSID. I would advise against leaving your guest wireless completely open, but since you’re going to be giving this password out to your guests, it should probably be a little simpler than your private network’s key.

Now click “Save” and “Apply Settings”.

[Screenshot: security]

Create Bridge

At this point, you have two wireless networks broadcasting on two separate SSIDs. Both networks should have internet access, but you’ll also notice both networks dish out IPs in the same subnet, and both networks are clearly able to see each other. While you may like and trust your guests, that doesn’t mean you necessarily want them to have access to all your network devices. To separate the network routing, we need to create a bridge and place the guest network into a different subnet.

Click on “Setup” and then on the “Networking” tab. Under “Create Bridge” click “Add” to add a new bridge. Give the bridge a name, and modify the IP address of the bridge to be in a different subnet than your private network. For example, my private network grants IPs in the subnet 192.168.1.0/24, so my guest network in the image below is set up to grant IPs in the subnet 192.168.2.0/24.

Now click “Save” and “Apply Settings”. Though the page may refresh right away, you may need to wait about a minute before the bridge is available to use in the next few steps.

[Screenshot: create-bridge]

Assign Guest Network to Bridge

Under “Assign to Bridge” click “Add”. Select the new bridge you’ve created from the first drop-down, and pair it with the “wl0.1” interface.

Now click “Save” and “Apply Settings”.

[Screenshot: assign-bridge]

Create DHCP Server for Guest Network

We’re almost there! We’ve created a bridge in an alternate subnet, but the alternate subnet doesn’t have a DHCP server, so our guests currently cannot access the guest SSID (unless they assign themselves a static IP). Scroll to the bottom of the “Networking” page and under “Multiple DHCP Server” click “Add”. Ensure your newly created bridge name is selected from the first drop-down menu.

Now click “Save” and “Apply Settings”. Congratulations, we now have a working, separate guest network! Unfortunately, while users can connect to the network and DHCP is running, guest users aren’t able to access the internet quite yet.

[Screenshot: bridge-dhcp]

Create Firewall Rules for Guest Network

Navigate to the “Administration” tab and click on “Commands”. We need to add three rules to our firewall settings before our private network is completely secure and our guest network has internet access. Add these three rules (one per line) to the “Commands” text field, then click “Save Firewall” to ensure the rules execute even after the router is rebooted.

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

[Screenshot: firewall]

Improve Guest Security

Pete Runyan commented with a few more ways to nail down the security of the guest network. For one, your guests likely assume that their devices on the guest network are not reachable from the rest of your network, so you’ll want to add the firewall rules below to make that true. It’s also probably unnecessary (depending on your needs) to allow users on the guest network SSH, Telnet, or GUI access to the router. Append these firewall rules to harden the security of all of your networks!

iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
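The rules in this section and the three in the previous one only behave as intended because `iptables -I` inserts each rule at the top of its chain, so a line that appears later in the “Commands” field is evaluated earlier. The following is an added example, not code from the article or from DD-WRT: a small POSIX shell simulation that loads the three FORWARD rules from this page in Commands-field order, prints the effective chain order for `-I` versus `-A`, and applies first-match evaluation to a few new flows. The bridge names br0 and br1 come from the article; `vlan2` standing in for the WAN interface that `get_wanface` returns, and modelling only NEW packets so the state match is implicit, are assumptions of the example.

```shell
#!/bin/sh
# Added example: simulate iptables chain ordering for the FORWARD rules on this page.
# Nothing here calls iptables; it only models `-I` (insert at head) vs `-A` (append)
# and first-match evaluation. Assumptions: br0 = private bridge, br1 = guest bridge
# (both from the article); vlan2 stands in for the WAN interface (`get_wanface`);
# only NEW packets are modelled, so the `-m state --state NEW` match is implicit.

# Rules in the order they appear in the DD-WRT "Commands" field.
# Format: flag|in_iface|out_iface|target   ('*' = any interface)
#   I|br1|*|ACCEPT   <- iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
#   I|br1|br0|DROP   <- iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#   I|br0|br1|DROP   <- iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
FORWARD_RULES='I|br1|*|ACCEPT
I|br1|br0|DROP
I|br0|br1|DROP'

# build_chain: read rules from stdin, emit the chain in evaluation order.
# -I puts the new rule before everything already present; -A puts it after.
build_chain() {
  chain=""
  while IFS='|' read -r flag rin rout target; do
    [ -n "$target" ] || continue
    rule="$rin|$rout|$target"
    if [ "$flag" = I ]; then
      chain="$rule
$chain"
    else
      chain="$chain$rule
"
    fi
  done
  printf '%s' "$chain"
}

# evaluate IN OUT: read a chain from stdin and print the first matching target,
# or POLICY when no rule matches (the packet falls through to the chain policy).
evaluate() {
  in_if="$1"; out_if="$2"
  while IFS='|' read -r rin rout target; do
    [ -n "$target" ] || continue
    if { [ "$rin" = '*' ] || [ "$rin" = "$in_if" ]; } &&
       { [ "$rout" = '*' ] || [ "$rout" = "$out_if" ]; }; then
      echo "$target"
      return 0
    fi
  done
  echo "POLICY"
}

# flow IN OUT: verdict for a NEW packet with the rules loaded as written (-I).
flow() {
  printf '%s\n' "$FORWARD_RULES" | build_chain | evaluate "$1" "$2"
}

# guest_to_lan FLAG: verdict for br1 -> br0 when every rule is loaded with FLAG (I or A).
guest_to_lan() {
  printf '%s\n' "$FORWARD_RULES" | sed "s/^I|/$1|/" | build_chain | evaluate br1 br0
}

echo "Effective FORWARD order when loaded with -I (last Commands line is checked first):"
printf '%s\n' "$FORWARD_RULES" | build_chain
echo "guest -> LAN, rules loaded with -I: $(guest_to_lan I)"
echo "guest -> LAN, rules loaded with -A: $(guest_to_lan A)   (ACCEPT shadows the DROP)"
echo "guest -> WAN (vlan2), -I:           $(flow br1 vlan2)"
echo "LAN -> guest, -I:                   $(flow br0 br1)"
```

Run it with `sh`. The `-A` variant shows the guest-to-LAN DROP being shadowed by the broad ACCEPT, which is the ordering mistake to look for with `iptables -L FORWARD -n --line-numbers` on the router if the rules are ever re-typed with a different flag or in a different order.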

Conclusion

You should now have two working SSIDs: a private one for your home network, and a guest network for your visitors. Both networks should have internet access. The private network will function the same as a LAN and single wireless network did before, with the wireless network having full access to the LAN connections. The guest network, on the other hand, is separated from the private network. Additionally, each individual device on the guest network is separate from another, so guests cannot see each other.

If you’ve gotten to this point and something is not working, or your guest network does not have internet access, don’t be alarmed. DD-WRT is always evolving, and it’s entirely possible bridge settings or firewall rules for the latest build have changed. If this tutorial does not produce the desired result, please leave a comment below. I’ll try to always keep the tutorial updated with instructions for the latest DD-WRT build.

Important!

If you are using DD-WRT and experiencing issues with NAT loopback (accessing your public IP address from within your network), I have a tutorial to help resolve that issue here.

  • Eric Wagner

    Thank you! These firewall rules were the only rules allowing me to get a gateway on my DD-WRT v24-sp2 (04/07/12) std-usb-nas. In all previous attempts, I had no gateway on br1!

    Thank you for posting this.

  • Pingback: DD-WRT NAT Loopback Issue » The Internet Home of Alex Laird

  • Pasja

    Many thanks for this great explanation. Since I use my router only as an Access Point (AP) I had to change the DHCP and commands used. See http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs#DHCP for those details.

  • chris

    THANKS THANKS THANKS, your rules were the only ones that worked for me, and believe me I tried a lot. I was about to give up and re-flash the stock firmware. Thanks again.

  • BR

    Hi Alex,

    Thanks for your site. A great resource indeed!

    I have installed Firmware: DD-WRT v24-sp2 (04/27/13) mega on a newly acquired RT-N66U.

    I’ve followed your instructions on setting up a guest network. However, I can’t seem to get the guest network to issue an IP address to my device. My device is perpetually reporting “Obtaining IP address…”. I’ve verified the settings for the “Multiple DHCP Server” and they match your instructions. What else am I overlooking?

    Thanks,

    Bruce

  • Tom Lebe

    Thanks Alex I appreciate the write-up.

    I am also having trouble with the guest network accessing the internet: DD-WRT v24-sp2 (12/08/11) mini on an Asus RT-N12B1.

    I can obtain an IP, but no traffic passes to the internet interface.

    Best,
    Tom

  • Michael Paul

    If I may echo the sentiments above; other tutorials ended at creating the DHCP server. The secret sauce for internet connectivity is to add the firewall rules and yours worked. Thanks again.

  • Pete Runyan

    Great article! I noticed one problem – the non-guest wireless network still has full access to any wireless device on the guest network. This probably won’t be an issue for most sites that are only concerned with segregating the guest wireless network, but I decided to block access from the non-guest wired and wireless network to the guest wireless network, as well as forbid the guest wireless network from accessing my router via the web gui, telnet and ssh. To do this, add these lines to your firewall setup below the lines listed in the article:

    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

    I also found, on my old WRT54G v8, I had to give it a kick in the pants (aka a power-cycling) afterwards to get everything working.

    • http://alexlaird.com/ Alex Laird

      Thanks for pointing this out, Pete! I think you pointed out a terrific issue, because the guests using the network assume they are protected and private, even from other guest users, so the network administrator should be implementing policies like this.

      There actually used to be a less elegant solution for disallowing guests from accessing each other’s computers, but it must have been removed in one of the edits. Plus, I like your solution better, so I’ll incorporate it into the article. Thanks!

  • John Anthony

    How does this affect the MAC Filtering?

  • Peter Hee

    I am connected to an existing network where they already have a firewall.
    In this case, I need to use DD-WRT as an AP only, connected to their LAN.
    My objective is simple:
    1) Guest network can only access the Internet. Cannot access the staff network on br0.
    2) I will install many DD-WRT units around the building. Can they reuse the same SSIDs (A-staff and A-guest)?
    3) My guest network is running on 10.1.1.X. Can I enable NAT for traffic going out through the LAN ports so that I don’t need to disturb their existing network?

  • Steve

    Thanks for the guide. I had got as far as doing all the config from other guides but they didn’t cover the firewall rules to allow the guest access to the internet.

    Other forum entries just confused me with the firewall rules as they all seemed to be different but yours was straight to the point and just what I was after.

    Thanks

  • Brett Williamson

    Great guide, but am I missing something? My default (main) wireless SSID is getting bridged to my guest IP range as well. So following this, both my primary and my guest wireless are 192.168.2.– when my primary should still be 192.168.1.–. I get why br1 is mapped to the 192.168.2.– scheme (my guest wireless), because br1 is assigned to wl0.1. But how do I assign wl0 to br0 (my main network)? wl0 isn’t in any of the drop-down lists to assign it.

    Thanks

  • Jeff Bratcher

    I am trying to use a linksys E3000 with dd-wrt v24 sp2 on it. I want a wireless network that can see the internet, and local machines, and a wireless guest network that can just see the internet. I also am trying to use a dhcp server to give ip’s to the non-guest wifi.
    1) If I turn dhcp off on the router it does not let me log on unless I give my laptop a static IP.
    2) I cannot see local machines from either main or guest network.
    3) Guest network has no internet connectivity.

    I went through the above tutorial, including the firewall rules in it and in Pete’s post, and also the NAT loopback additions. What am I doing wrong?

  • Andreas Holzer

    Thank you so much for this guide, this finally worked. I tried the guide from the ddwrt wiki and this forum thread http://www.dd-wrt.com/phpBB2/viewtopic.php?t=149085&postdays=0&postorder=asc&start=15&sid=d026da2d2d071bb5f1386e9d4315a01b – but I always got stumped in creating the internet connectivity for the guest zone. The differences between your script and the one on the forum seem to be minute, but just that seemed to cause the problem.

    So, thanks again! :-)

    • Andreas Holzer

      To add onto this: In my home network, I don’t only have my wifi-router, but also an additional AP to increase the wifi coverage in the house. This is connected via wire to the main router. Obviously, on the second AP the WAN port is disabled. I managed to adapt your rules and setup to offer the guest zone via the additional AP. What I did was:

      - configure a bridge on the AP with an IP in the same subnet as 192.168.2.2, and configure that in the Additional DNSMasq Options:
      # Set the default gateway for br1 clients
      dhcp-option=br1,3,192.168.2.2

      - the iptables commands look like this:

      iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
      iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
      iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
      iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

      Voila, guest zone all over!

      • Bogdan Onofrei

        Thanks a lot, I was struggling to get this thing working :). Now thanks to you I can set up some guest networks.

        Do you have the issue on the guest network that when it connects the first time it doesn’t keep the connection, then it searches again and then there is no problem?

        I have DD-WRT on an RT-N66U.

      • Ericcan

        Hi Andreas,

        I am thrilled to find your description in my search. I think this might be exactly what I am hoping to set up in my home, where my AP doesn’t have a WAN port enabled. Instead, my AP has a gateway specified (the gateway is a different router on my network, in the same subnet as my AP).

        I’m no expert in iptables, but I am wondering if you could explain why this works. Which line allows packets intended for the internet to go through from br1 to br0? Also, I don’t think I have NAT running (since my AP doesn’t connect to the WAN–it just passes requests to the gateway). Yet, I am guessing that this is the line that might be responsible for redirecting the requests to the appropriate gateway. And if my gateway address is different from the address of my AP, do I want to alter the NAT line to get the gateway address from nvram instead of the lan_ipaddr?

        Thanks for taking the time to post this and thanks in advance for any additional information so I can better understand!

        -Eric

        • Andreas Holzer

          I must admit that I am no expert who can explain every line here. I found a setup for an AP without WAN and stuck it together with the lines from the guide on this page, and it just worked. I skipped the line about the NAT, because my AP does not handle this, but the primary router with the WAN port does. I guess you’d have to take this setup to the DD-WRT forums where the real experts can explain why my setup works. :)

  • mqueue

    Thank you for posting the helpful info. I was not able to get to the Internet from my guest wireless until I also added the following command to the mix that you posted:

    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    I’m running DD-WRT v24SP2- (03/24/14) std build 23709 on a Buffalo WZR-1750DHP, so if anyone else has the issue I had, try adding that line. My final firewall config appears as follows:

    iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

  • STIG

    This is awesome, thank you for this! Is it possible to associate a physical port on the AP to the separate guest network?

  • Erik Bouw

    I would like to connect a long range external outdoor access-point using a UTP cable to a port on the back of the router. I configured the router just like you explained. The guide is very clear and everything works, except I do not know how to configure the router so that it assigns guest IP addresses to the clients connecting to my external access-point. I tried creating a new VLAN, but I am not able to; it is greyed out. After that I created a new bridge (br2) and configured it exactly like br1 but with a new DHCP scope, so I can see which client is connected to which access-point, but I keep receiving br0 addresses.