A standard “home setup” for the wireless router now days consists of just hosting one Service Set IDentifier – or SSID. And if only a year ago that could seem as a router (firmware) limitation, right now using multiple SSIDs with a single wireless router is just a matter of re-configuration.
Below is a simple guide on how to configure a single affordable (from $25 and up) router, that is available to anybody, to host multiple (up to 16 – at the moment of writing) SSIDs using DD-WRT firmware. In order to install the firmware on the router, follow the official DD-WRT Installation Guide.
Below step-by-step howto is good for any routers that could be found on DD-WRT supported hardware list. Which includes pretty much any “home” router that is out there. Given that DD-WRT is installed, let’s move on to configuring it to host multiple SSIDs.
First let’s look at what we would like to archive as our “end goal”:
So what we would like to have is:
- One router with DD-WRT firmware installed, that hosts 2 (in this example) SSIDs: “Home” and “Guest”
- Two VLANs where one network (VLAN1) can “see” another (VLAN2), but not other way around.
What that means is that all “Home” clients (computers that are connected to “Home” SSID) can see (ping/connect to/etc.) “Guest” computers, however none of “Guest” clients can see “Home” computers. (this is a matter of configuration, and can be configured differently, depending on what you need)
Step 1. Setup DHCP server for the “Home” (main) network.
As you can see from the “end goal” diagram above, the “Home” SSID (or VLAN1) has a 10.2.1.0 subnet, and its DHCP client addresses start from 10.2.1.100. Hence that is what needs to be configured on DD-WRT’s “Setup -> Basic Setup” screen (the “Router Local IP” should be set to 10.2.1.1 which would dictate the subnet to be 10.2.1.0):
Note that “10.2.1.0” is just an example – you would want to use something that is appropriate for your network – e.g. “192.168.1.0”
Step 2. Setup wireless networks (SSIDs).
Now we need to create two wireless networks – one main network (e.g. “Home”), and one virtual network (e.g. “Guest”). For that go to DD-WRT “Wireless -> Basic Settings” screen:
Enter a desired name for “Physical Interface’s -> Wireless Network Name(SSID)” (this is going to be the main network). You can also stick to the “end goal” diagram above, and enter “Home”.
After that is done, click “Add” to add a “Virtual Interface” and enter its SSID name as well (e.g. you can enter “Guest”). Make sure that the “Network Configuration” is set to “Bridged” as shown on the screen in this step.
Step 3. Configure wireless network security.
In the previous step we configured two wireless networks, now let’s secure them. We will use 128 bit WEP algorithm for both of them due to the reason described in “Step 5”. To accomplish this go to DD-WRT “Wireless -> Wireless Security” screen:
Choose “WEP” for “Security Mode”, 128 bits for “Encryption”, enter “Passphrase” and click “Generate” button.
Do it for both networks (Physical and Virtual Interfaces)
Step 4. Setup a virtual interface, and its DHCP settings.
Now we will set the bridge for the virtual network – “Guest” (or VLAN2) from the “end goal” diagram above. For that go to DD-WRT “Services -> Services” screen:
Find “DNSMasq” section, enable “DNSMasq”, and in “Additional DNSMasq Options” enter:
interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m |
interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m
This would create a DHCP server for the virtual (“Guest”, VLAN2) network.
“192.168.2.100” is again – just an example, you can use any subnet that suits your needs.
Step 5. Setup firewall rules and a startup script.
This is the most complex step, that makes many network administrators confused, and regular people to give up on DD-WRT multiple SSID configuration. But don’t worry :) – below is a “copy/paste”, working deal.
Go to the DD-WRT “Administration -> Commands” screen:
Enter the following firewall rules to the “Firewall” section:
##BRI1
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
#below keeps the two networks from talking
iptables -I FORWARD -i br0 -o br1 -j logdrop |
##BRI1
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
#below keeps the two networks from talking
iptables -I FORWARD -i br0 -o br1 -j logdrop
Enter the following commands to the “Startup” (it is a startup script that executes when the router starts up):
##MOVES VIRTUAL WIRELESS TO OWN BRIDGE
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
brctl addif br1 vlan2
ifconfig br1 up
##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now)
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1 |
##MOVES VIRTUAL WIRELESS TO OWN BRIDGE
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
brctl addif br1 vlan2
ifconfig br1 up
##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now)
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1
Here is where it gets interesting… Remember in “Step 3”, when configuring wireless security, we chose WEP? That was done because the current DD-WRT firmware “v24-sp1 (07/27/08) micro”, that is used at the moment of writing, has a bug in starting NAS, which is a proprietary binary tool that sets up dynamic encryption (WEP/WPA) on wireless devices.
UPDATE (12/22/2008):
Tried "v24-sp2" (09/26/08 std - build 10431M VINT Eko) for WRTG54GL v1.1 router -
WPA worked with multiple (tried 2) SSIDs. |
UPDATE (12/22/2008):
Tried "v24-sp2" (09/26/08 std - build 10431M VINT Eko) for WRTG54GL v1.1 router -
WPA worked with multiple (tried 2) SSIDs.
In a startup script above, we start NAS in “vanilla” mode for “eth1” (the main network) and for “wl0.1” (guest, virtual nework), and therefore we are using WEP for both networks.
The only line from above startup script that you might want to change is:
ifconfig br1 192.168.2.1 netmask 255.255.255.0 |
ifconfig br1 192.168.2.1 netmask 255.255.255.0
Here “192.168.2.1” is, again, an example, so if you chose a different subnet for the virtual network (br1), you should enter it instead.
DONE!
Now you can save all the changes and restart the router. You should be good to go!
If you have any questions or comments, you are welcome to address them below in the “comments” section.