
Mar 22

DD-WRT Guest Wireless

If you’ve done any amount of work with routers, you know that it doesn’t take long to start craving consistency, and more advanced functionality than the cheap home interfaces grant you. This is the point where you usually break down and start researching things like Tomato, OpenWrt, and DD-WRT, to name a few of the more popular alternatives.

These alternate firmwares don’t just provide a consistent administrative experience across all compatible models and brands, they also turn a cheap home router into a flexible and competitive enterprise router.

My Setup

DD-WRT is my personal firmware of choice: powerful, flexible, and stable. One thing I demand in a router is the ability to broadcast a secondary SSID so that my guests can access wireless internet in my home without also having access to my entire network of computers and devices.

Because my router’s stock firmware was extremely slow and buggy, I flashed my Cisco E2500 with the “mini” DD-WRT firmware (the E2500 also supports the “big” firmware). But when I set about getting the two wireless networks set up, it became clear that there are no good tutorials for how exactly to do this in DD-WRT. The tutorial on their own website, in fact, does not work. So it falls upon me to publish my particular configuration for two mutually exclusive wireless networks from a single router, both with access to the WAN port (that is, internet access). There are, of course, multiple ways to do this. Feel free to leave alternative suggestions in the comments.

Create Two Wireless Networks

First, create your wireless networks by clicking “Wireless” and then “Basic Settings”. We’ll set up security in a moment. After you’ve configured your private wireless network, click “Add” under “Virtual Interfaces” to add the “wl0.1 SSID”. Give your guest network a separate SSID, and select “Enable” for “AP Isolation”.

Now click “Save” and “Apply Settings”.

[Screenshot: ssid]

Setup Wireless Security

Navigate to the “Wireless Security” tab. After you’ve set up the wireless security for your private network, set up similar security for your guest SSID. I would advise against leaving your guest wireless completely open, but since you’re going to be giving this password out to your guests, it should probably be a little simpler than your private network’s key.

Now click “Save” and “Apply Settings”.

[Screenshot: security]

Create Bridge

At this point, you have two wireless networks broadcasting on two separate SSIDs. Both should have internet access, but you’ll also notice that both dish out IPs in the same subnet, and that devices on the two networks can clearly see each other. While you may like and trust your guests, that doesn’t mean you necessarily want them to have access to all your network devices. To separate the routing, we need to create a bridge and place the guest network in a different subnet.

Click on “Setup” and then on the “Networking” tab. Under “Create Bridge” click “Add” to add a new bridge. Give the bridge a name, and modify the IP address of the bridge to be in a different subnet than your private network. For example, my private network grants IPs in the subnet 192.168.1.0/24, so my guest network in the image below is set up to grant IPs in the subnet 192.168.2.0/24.

Now click “Save” and “Apply Settings”. Though the page may refresh right away, you may need to wait about a minute before the bridge is available to use in the next few steps.

[Screenshot: create-bridge]

Assign Guest Network to Bridge

Under “Assign to Bridge” click “Add”. Select the new bridge you’ve created from the first drop-down, and pair it with the “wl0.1” interface.

Now click “Save” and “Apply Settings”.

[Screenshot: assign-bridge]

Create DHCP Server for Guest Network

We’re almost there! We’ve created a bridge in an alternate subnet, but that subnet doesn’t have a DHCP server, so our guests currently cannot use the guest SSID (unless they assign themselves a static IP). Scroll to the bottom of the “Networking” page and under “Multiple DHCP Server” click “Add”. Ensure your newly created bridge name is selected from the first drop-down menu.

Now click “Save” and “Apply Settings”. Congratulations, we now have a working, separate guest network! Unfortunately, while users can connect to the network and DHCP is running, guest users aren’t able to access the internet quite yet.

[Screenshot: bridge-dhcp]

Create Firewall Rules for Guest Network

Navigate to the “Administration” tab and click on “Commands”. We need to add three rules to our firewall settings before our private network is isolated from the guest network and our guest network has internet access. Add these three rules (one per line) to the “Commands” text field, then click “Save Firewall” so that the rules are applied again after the router is rebooted.

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

[Screenshot: firewall]

Improve Guest Security

Pete Runyan commented with a few more ways to nail down the security of the guest network. For one, your guests likely assume that their device on the guest network is not accessible from other devices, so you’ll want to add the first rule below to block the private network from reaching guest devices. It’s also probably unnecessary (depending on your needs) to allow users on the guest network SSH, Telnet, or GUI access to the router. Append these firewall rules to harden the security of all of your networks!

iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
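An added example, not code from the article or from DD-WRT: a small Python model of how the rules in this section and the previous one land in the FORWARD and INPUT chains (each `-I` inserts at the top, so the last command typed is matched first) and what verdict a few constructed packets receive, including the gap left by rejecting only four ports and the allow-list INPUT variant that commenter mqueue posts further down. The WAN interface name vlan2 and the ACCEPT chain policy are assumptions.

```python
"""Model of how the tutorial's `iptables -I ...` commands land in the FORWARD
and INPUT chains.  `-I` inserts at the TOP of a chain, so the LAST command
typed into the Commands box is matched FIRST.  Only -i, -o, -p, --dport and
--state are modelled; the rest of a real DD-WRT chain is ignored, policy ACCEPT."""

PORTS = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}  # /etc/services names

# The article's rules in typed order; the NAT POSTROUTING line is omitted (no verdict).
ARTICLE = [
    "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP",
    "iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP",
    "iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset",
]

# Allow-list alternative for the router itself, as posted by commenter mqueue.
ALLOWLIST_INPUT = [
    "iptables -I INPUT -i br1 -m state --state NEW -j DROP",
    "iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT",
    "iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT",
    "iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT",
]

def parse_rule(cmd):
    """Split one `iptables -I CHAIN ... -j TARGET` command into (chain, criteria, target)."""
    tok = cmd.split()
    crit = {}
    for flag, key in (("-i", "in_if"), ("-o", "out_if"), ("-p", "proto"),
                      ("--dport", "dport"), ("--state", "state")):
        if flag in tok:
            crit[key] = tok[tok.index(flag) + 1]
    if "dport" in crit:
        crit["dport"] = PORTS.get(crit["dport"]) or int(crit["dport"])
    return tok[tok.index("-I") + 1], crit, tok[tok.index("-j") + 1]

def build_chains(commands):
    """Apply commands in typed order; -I prepends, so later commands sort first."""
    chains = {"FORWARD": [], "INPUT": []}
    for cmd in commands:
        chain, crit, target = parse_rule(cmd)
        chains[chain].insert(0, (crit, target))
    return chains

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; DROP and REJECT both stop the packet."""
    for crit, target in chain:
        if all(pkt.get(k) == v for k, v in crit.items()):
            return target
    return policy

def packet(in_if, out_if=None, proto="tcp", dport=None, state="NEW"):
    """Constructed packet summary; 'vlan2' below stands in for the WAN interface (assumed)."""
    return {"in_if": in_if, "out_if": out_if, "proto": proto, "dport": dport, "state": state}

def check_article():
    """Verdicts the article's chains give to representative guest and LAN traffic."""
    ch = build_chains(ARTICLE)
    return {
        "guest_to_wan": verdict(ch["FORWARD"], packet("br1", "vlan2")),
        "guest_to_lan": verdict(ch["FORWARD"], packet("br1", "br0")),
        "lan_to_guest": verdict(ch["FORWARD"], packet("br0", "br1")),
        "guest_ssh_to_router": verdict(ch["INPUT"], packet("br1", dport=22)),
        # Only four TCP ports are rejected; any other service on the router stays reachable.
        "guest_tcp8080_to_router": verdict(ch["INPUT"], packet("br1", dport=8080)),
        "guest_tcp8080_allowlist": verdict(build_chains(ALLOWLIST_INPUT)["INPUT"],
                                           packet("br1", dport=8080)),
    }

def check_swapped_order():
    """Type the ACCEPT after the DROP and -I puts ACCEPT on top: guests reach the LAN."""
    return verdict(build_chains([ARTICLE[1], ARTICLE[0]])["FORWARD"], packet("br1", "br0"))
```

Run `iptables -L FORWARD -n --line-numbers` on the router after saving the firewall to compare the real chain order with the model.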

Conclusion

You should now have two working SSIDs: a private one for your home network, and a guest network for your visitors. Both networks should have internet access. The private network will function the same as the LAN and single wireless network did before, with the wireless network having full access to the LAN connections. The guest network, on the other hand, is separated from the private network. Additionally, each device on the guest network is separated from the others, so guests cannot see each other.

If you’ve gotten to this point and something is not working, or your guest network does not have internet access, don’t be alarmed. DD-WRT is always evolving, and it’s entirely possible the bridge settings or firewall rules for the latest build have changed. If this tutorial does not produce the desired result, please leave a comment below. I’ll try to keep the tutorial updated with instructions for the latest DD-WRT build.

  • Eric Wagner

    Thank you! These firewall rules were the only rules allowing me to get a gateway on my DD-WRT v24-sp2 (04/07/12) std-usb-nas. All previous attempts, I had no gateway on br1!

    Thank you for posting this.

  • Pingback: DD-WRT NAT Loopback Issue » The Internet Home of Alex Laird

  • Pasja

    Many thanks for this great explanation. Since I use my router only as an Access Point (AP) I had to change the DHCP and commands used. See http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs#DHCP for those details.

  • chris

    THANKS THANKS THANKS your rules were the only ones that worked for me and believe me I tried a lot I was about to give up and re-flash the stock firmware thanks again

  • BR

    Hi Alex,

    Thanks for your site. A great resource indeed!

    I have installed Firmware: DD-WRT v24-sp2 (04/27/13) mega on a newly acquired RT-N66U.

    I’ve followed your instructions on setting up a guest network. However, I can’t seem to get the guest network to issue an IP address to my device. My device is perpetually reporting “Obtaining IP address…”. I’ve verified the settings for the “Multiple DHCP Server” and they match your instructions. What else am I overlooking?

    Thanks,

    Bruce

    • Roger Joseph

      My 2 cents to anyone having this issue: try setting the IP information on your client manually and see if internet works. That way you have a good guess as to where the problem might be. Ping the gateway or ping the internet (8.8.8.8).

  • Tom Lebe

    Thanks Alex I appreciate the write-up.

    I am also having trouble with the guest network accessing the internet, DD-WRT v24-sp2 (12/08/11) mini on an Asus RT-N12B1.

    I can obtain an IP, but no traffic passes to the internet interface.

    Best,
    Tom

  • Michael Paul

    If I may echo the sentiments above; other tutorials ended at creating the DHCP server. The secret sauce for internet connectivity is to add the firewall rules and yours worked. Thanks again.

  • Pete Runyan

    Great article! I noticed one problem – the non-guest wireless network still has full access
    to any wireless device on the guest network. This probably won’t be an issue for most
    sites that are only concerned with segregating the guest wireless network, but I decided to
    block access from the non-guest wired and wireless network to the guest wireless network,
    as well as forbid the guest wireless network from accessing my router via the web gui,
    telnet and ssh. To do this, add these lines to your firewall setup below the lines listed in
    the article:
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    I also found, on my old WRT54G v8, I had to give it a kick in the pants
    (aka a power-cycling) afterwards to get everything working.

    • Thanks for pointing this out, Pete! I think you pointed out a terrific issue, because the guests using the network assume they are protected and private, even from other guest users, so the network administrator should be implementing policies like this.

      There actually used to be a less elegant solution for disallowing guests from accessing each others computers, but it must have been removed in one of the edits, plus I like your solution better, so I’ll incorporate it into the article. Thanks!

  • John Anthony

    How does this affect the MAC Filtering?

  • Peter Hee

    I am connected to an existing network where they already have a firewall.
    In this case, I need to use DD-WRT as AP only, connected to their LAN.
    My objective is simple:
    1) Guest network can only access the Internet. Cannot access staff network on br0
    2) I will install many DD-WRT units around the building. Can they use the same SSIDs (A-staff and A-guest)?
    3) My guest network is running on 10.1.1.X. Can I enable NAT for traffic going out through the LAN ports so that I don’t need to disturb their existing network?

  • Steve

    Thanks for the guide. I had got as far as doing all the config from other guides but they didn’t cover the firewall rules to allow the guest access to the internet.

    Other forum entries just confused me with the firewall rules as they all seemed to be different but yours was straight to the point and just what I was after.

    Thanks

  • Brett Williamson

    Great guide, but am I missing something? My default (main) wireless SSID is getting bridged to my guest IP range as well. So following this, both my primary and my guest wireless are 192.168.2.– when my primary should still be 192.168.1.–. I get why br1 is mapped to the 192.168.2.– scheme (my guest wireless) because br1 is assigned to wl0.1. But how do I assign wl0 to br0 (my main network)? wl0 isn’t in any of the drop-down lists to assign it.

    Thanks

  • Jeff Bratcher

    I am trying to use a Linksys E3000 with dd-wrt v24 sp2 on it. I want a wireless network that can see the internet and local machines, and a wireless guest network that can just see the internet. I am also trying to use a DHCP server to give IPs to the non-guest wifi.
    1) If I turn DHCP off on the router it does not let me log on unless I give my laptop a static IP.
    2) I cannot see local machines from either main or guest network.
    3) Guest network has no internet connectivity.

    I went through the above tutorial, including the firewall rules in it and in Pete’s post, and also the NAT loopback additions. What am I doing wrong?

    • Roger Joseph

      This guide is “flawless” with the additional notes 🙂 . So if yours was not working (6 months ago) it has nothing to do with the guide. If you can (subject to version of software) do what this says, all will work. One huge note is that many of the changes will require a complete reboot before performing the next step. At stages save a backup before continuing. My additional notes: bridges need to be called appropriate names like br1, br2 and so forth; don’t name it “guest”, for with some DD-WRT it will not be an acceptable bridge name so won’t show in the list.

  • Andreas Holzer

    Thank you so much for this guide, this finally worked. I tried the guide from the ddwrt wiki and this forum thread http://www.dd-wrt.com/phpBB2/viewtopic.php?t=149085&postdays=0&postorder=asc&start=15&sid=d026da2d2d071bb5f1386e9d4315a01b – but I always got stumped in creating the internet connectivity for the guest zone. The differences between your script and the one on the forum seem to be minute, but just that seemed to cause the problem.

    So, thanks again! 🙂

    • Andreas Holzer

      To add onto this: In my home network, I don’t only have my wifi-router, but also an additional AP to increase the wifi coverage in the house. This is connected via wire to the main router. Obviously, on the second AP the WAN port is disabled. I managed to adapt your rules and setup to offer the guest zone via the additional AP. What I did was:

      – configure a bridge on the AP with an IP in the same subnet as 192.168.2.2, and configure that in the Additional DNSMasq Options:
      # Set the default gateway for br1 clients
      dhcp-option=br1,3,192.168.2.2

      – the iptables commands look like this:

      iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
      iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
      iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
      iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
      iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
      iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
      iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

      Voila, guest zone all over!

      • Bogdan Onofrei

        thanks a lot, i was struggling to get this thing working:). now thanks to you i can set some guest networks.

        do you have the issue on the guest network that when it connects the 1st time it doesn’t keep the connection, and then it searches again and then no problem?

        i have wrt on rt-n66u

      • Ericcan

        Hi Andreas,

        I am thrilled to find your description in my search. I think this might be exactly what I am hoping to set up in my home, where my AP doesn’t have a WAN port enabled. Instead, my AP has a gateway specified (the gateway is a different router on my network, in the same subnet as my AP).

        I’m no expert in iptables, but I am wondering if you could explain why this works. Which line allows packets intended for the internet to go through from br1 to br0? Also, I don’t think I have NAT running (since my AP doesn’t connect to the WAN–it just passes requests to the gateway). Yet, I am guessing that this is the line that might be responsible for redirecting the requests to the appropriate gateway. And if my gateway address is different from the address of my AP, do I want to alter the NAT line to get the gateway address from nvram instead of the lan_ipaddr?

        Thanks for taking the time to post this and thanks in advance for any additional information so I can better understand!

        -Eric

        • Andreas Holzer

          I must admit that I am no expert to explain every line here. I found a setup for an AP without WAN and stuck it together with the lines from the guide on this page, and it just worked. I skipped the line about the NAT, because my AP does not handle this, but the primary router with the WAN port. I guess you’d have to take this setup to the DD-WRT forums where the real experts can explain why my setup works. 🙂

          • Sam Felton

            Hey guys, not an iptables guru, but the keyboard imprints on my forehead will testify to having learnt a few tidbits. Firstly, this script is intended mostly to _prevent_ things from happening, rather than allowing them.

            Here’s the same script, with comments added:

            # make sure to track new connections on br1 so we can do stuff with them later
            iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

            # overcome stupid ISPs who block ICMP “frag needed” packets
            ## BTW – this is only needed if WAN iface is being used as a WAN, and even then, only if you’re having problems like the OP
            #iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

            # keep br1 guests off our internal network, keep us from eavesdropping on guest network
            iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

            iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
            iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

            # keep br1 guests away from router setup/control activities
            iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
            iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
            iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
            iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

            Hope this is, in some small way, helpful.

            Cheers,
            ~Sam

  • mqueue

    Thank you for posting the helpful info. I was not able to get to the Internet from my guest wireless until I also added the following command to the mix that you posted:

    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    I’m running DD-WRT v24SP2- (03/24/14) std build 23709 on a Buffalo WZR-1750DHP, so if anyone else has the issue I had, try adding that line. My final firewall config appears as follows:

    iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

  • STIG

    This is awesome, thank you for this! Is it possible to associate a physical port on the AP to the separate guest network?

  • Erik Bouw

    I would like to connect a long range external outdoor access-point using a utp cable to a tcp port on the back of the router. I configured the router just like you explained. The guide is very clear and everything works. Except i do not know how to configure the router so that the router assigns guest ip-addresses to the clients connecting to my external access-point. I tried creating a new vlan, but i am not able to. It is greyed out. After that i created a new bridge (br2) and configured it exactly like br1 but then with a new dhcp scope, so i can see which client is connected to which access-point, but i keep receiving br0 addresses.

  • Renato Constancio Filho

    When I do the create bridge step and apply the setting, the router restarts and I lose internet connection and control panel access. I’m running on a TP-Link WDR4300, v24-sp2 (03/25/13) revision 21061. Any guess?

  • John Bryan Salvador

    Hi Alex Laird
    I found your post and it works flawlessly. I’m just wondering if there is a way/setting that I can use so that my guest WLAN does not have OpenVPN access, for as of now both WLANs have OpenVPN access. Hope you can help me out.

  • Stretch

    I just wanted to stop in and say thank you for this article ! it was very good. I was able to get my guest hotspot in the house up and running last night.

  • john bob

    Everything is great in your discussion… I added another router in another building (same property) through a network cable. I did set up the main and guest wifi (same SSID and same password as the main router). I connected to it as guest wifi and it does work, but it shows a different IP address like 192.168.2.120. But it should be 10.0.0.XXX. Guest wifi IP address is 10.0.0.1/24. It is the only problem I have…….

  • Pingback: Give your router second chance. | Блоги экспертов

  • siteexperts

    I followed these steps exactly (and confirmed everything in my UI twice).
    When I followed these steps exactly, my guest network is not isolated. I can get to the internet and intranet. My IP addresses are being served from my internal DHCP server (not the extra one I configured on bridge br1).
    The only possible difference I foresee is I have DHCP disabled for my internal network on my router (asus ac66u) and am using a separate DHCP server on the internal network. Is there something additional I need to do to isolate this?

  • Thanks so much for this tutorial. Very clear and concise.

  • Chris U

    Thank you, it works really well so far. One problem: I can’t access the LAN from my LAN. LAN devices do not see each other. My firmware is from April 2015.

  • crackers8199

    i know i’m late to the party but i’m ecstatic this has worked well for me on a buffalo airstation WZR-1750DHP

    my question is: is there a way to see what clients are currently connected to the guest wireless?

  • Jeff Bassler

    Does this work if the router you want to supply guest access is configured as WAP according to this procedure?

    http://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point

  • Nate Barbettini

    Worked perfectly on a Buffalo WZR-1750DHP running stock DD-WRT build 23709a. I was stumped as to why the tutorial on the DD-WRT site wasn’t working. The GUI seems so simple, if only it worked! But your tutorial got me up and running in 10 minutes. Thanks man.

  • OleBrom

    Thanks for this guide. Helped a lot. Wish you would update it for current builds of dd-wrt. I use brainslayer build 26866 now.

  • J Fehribach

    Laird’s notes are a very helpful guide to add a 2.4 GHz Guest network to DD-WRT.

    The notes below describe what to do for a DD-WRT installation where some of the item names have changed (presumably due to DD-WRT firmware changes) from Laird’s guide, and how to also add a 5 GHz guest network after the 2.4 GHz guest network has been added.

    I am not a networking expert, but I have successfully tested my 5G guest network after using the following steps. My current router is Linksys WRT 1900AC with Firmware Version DD-WRT v3.0-r28628 std (12/29/15). In the last line of this post, I have a question about the Firewall Rules which I hope a networking expert can address.

    In step 1 (Create Two…), I needed to check the box for Advanced Settings. In my DD-WRT the name was ath0.1 instead of wl0.1 ; ath1.1 is for 5G guest.

    In step 3 (Create Bridge), “Give the bridge a name”: br1, then click Save to see the IP Address boxes; also fill in Subnet Mask as 255.255.255.0. br2 for 5 GHz.

    In step 4 (Assign Guest…), “and pair it with the wl0.1 interface”, br1 paired with ath0.1 . For 5GHz Guest, in Assignment 1 (br2), select Interface ath1.1 .

    In step 5 (Create DHCP…), “Ensure your newly created bridge name is selected from the first drop-down menu.” Use br1 for DHCP 0. br2 selected next to DHCP 1 for the 5 GHz network.

    In step 6 (Create Firewall…), also add these two lines:
    iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP

    I wasn’t sure if the first “iptables” rule should have a parallel for 5 GHz, but my 5 GHz Guest worked without a parallel. I also did nothing to parallel step 7 (Improve…)

    My question for a networking guru: what should the ideal complete set of firewall rules be?