Installing wifi access points based on DD-WRT with multiple SSIDs and separated networks

Context: In our LAN, we needed multiple wireless access points serving two different SSIDs, a main one with full access to the private network, and a guest one, only allowed to go to Internet. Cheap personal wireless access points do have a guest SSID possibility but only if the router is directly connected to the WAN. In our case, the access points will be distributed on the network and connected via the LAN to the main router. So, we choose the ASUS RT-AC87U for its good reviews about coverage, performance and stability, and by the fact it supports natevely DD-WRT, an Open Source router firmware that allow many things, including multiples SSIDs and firewall.

The first part of this article explains how to setup a double (or multiple) SSID on an access point. Then we will see the particularities for a router (need of multiple DHCP servers).

Setup a multiple-SSID Access point

  1. From a fresh install of the DD-WRT firmware, put it into your network on the basic setup tab (IP/subnet/gateway config).
    Capture d’écran 2015-09-16 à 10.02.32
  2. Still on basic setup tab, disable DHCP server. As this is an access point, we are assuming that your main network already have a DHCP server or that you don’t want it at all. “Use DNSMasq for DHCP”, “Use DNSMasq for DNS” and “DHCP-Authoritative” options are ticked but honestly, I don’t know if this changes anything. I am curious to have your feedback on the comments, if you test ticking/unticking those options.
    Capture d’écran 2015-09-16 à 10.03.10
  3. At the Wireless -> Basic setup tab, setup your wireless networks as wanted. The only mandatory option is to get them bridged. There are some tutorials about making guest networks unbridging the interfaces directly in this tab. This works, but as we got more and more devices with dual-band, each unbridged interface get ungrouped. So, I prefer dealing with bridges later at the networking tabs.
    Capture d’écran 2015-09-16 à 10.04.04
    Capture d’écran 2015-09-16 à 10.04.22
  4. At the Wireless -> Wireless Security tab setup the security wanted.
    Wireless security
  5. Come back to Setup -> Networking, create a second bridge br1 and assign to it the interfaces you want to isolate. In my case it’s wl0.1 and wl1.1 corresponding to the wireless virtual interfaces on both bands. In the new bridge, setup a new IP network, like 192.168.3.1 for example.
    Bridging
  6. At the end of the page Setup -> Networking create a DHCP server for the new network (if you wish to have DHCP).
    Serveur DHCP
  7. At the Services -> Services tab configure DNSMasq as following:
    interface=br1
    dhcp-option=br1,3,gateway_IP
    dhcp-range=br1,192.168.3.100,192.168.3.150,255.255.255.0,24h
    dhcp-option=br1,6,ns1,ns2

    Where gateway_IP is the IP of the gateway of the network (192.168.3.1 if you followed the same numbering as me), ns1 and ns2 are the name servers you use (internal of your network, provided by your ISP or public ones like Google’s name server 8.8.8.8).
    DNSMasq options

  8. At the tab Administration -> Commands, setup a firewall based on the following model (adapt as you wish):
    #Enable NAT on the WAN (Correct a BUG)
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
    
    #Restrict br1 from accessing br0
    iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
    
    #Restrict br1 from accessing the router
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    
    #Allow br1 to access DHCP on the router
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    
    #Allow br1 to access DNS on the router
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

    Save clicking save Firewall button.

  9. Reboot your access point and test. You should now have both SSID working and the guest one (configured at br1) having access only to Internet (if you used AP isolation on the Wireless -> Basic Settings). At least, It should not see the main network and it’s devices.

Setup a multiple-SSID router

  1. From a fresh install of the DD-WRT firmware, setup your WAN/LAN network on the basic setup tab (IP/subnet/gateway config).
    WAN-LAN config
  2. Still on basic setup tab, enable DHCP server. As the main router, I’m assuming you want it to be the DHCP server of the main network. Tick “Use DNSMasq for DHCP”, “Use DNSMasq for DNS” and “DHCP-Authoritative” options.
    DHCP config router
  3. At the Wireless -> Basic setup tab, setup your wireless networks as wanted. The only mandatory option is to get them bridged. There are some tutorials about making guest networks unbridging the interfaces directly in this tab. This works, but as we got more and more devices with dual-band, each unbridged interface get ungrouped. So, I prefer dealing with bridges later at the networking tabs.
    Capture d’écran 2015-09-16 à 10.04.04
    Capture d’écran 2015-09-16 à 10.04.22
  4. At the Wireless -> Wireless Security tab setup the security wanted.
    Wireless security
  5. Come back to Setup -> Networking, create a second bridge br1 and assign to it the interfaces you want to isolate. In my case it’s wl0.1 and wl1.1 corresponding to the wireless virtual interfaces on both bands. In the new bridge, setup a new IP network, like 192.168.3.1 for example.
    Bridging
  6. At the end of the page Setup -> Networking create a DHCP server for each network (if you wish to have DHCP).
    DHCP server router
  7. At the Services -> Services tab configure DNSMasq as following:
    dhcp-range=net:br0,range_start_IP,range_end_IP,netmask,24h
    dhcp-option=br0,6, ns1, ns2
    dhcp-range=net:br1,range_start_IP_2,range_end_IP_2,netmask,24h
    dhcp-option=br1,6, ns1, ns2

    Where range_start_IP and range_end_IP are the first and last IP of the DHCP range, netmask is the mask of your subnet and ns1 and ns2 are the name servers you use (internal of your network, provided by your ISP or public ones like Google’s name server 8.8.8.8).
    DNSMasq router

  8. At the tab Administration -> Commands, setup a firewall based on the following model (adapt as you wish):
    #Enable NAT on the WAN (Correct a BUG)
    iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
    
    #Restrict br0 and br1 from accessing each other 
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    
    #Restrict br1 from accessing the router 
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    
    #Allow br1 to access DHCP on the router
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    
    #Allow br1 to access DNS on the router
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

    Save clicking save Firewall button.

  9. Reboot your access point and test. You should now have both SSID working and the guest one (configured at br1) having access only to Internet (if you used AP isolation on the Wireless -> Basic Settings). At least, It should not see the main network and it’s devices.

This article shows how to setup two isolated wireless networks, but it’s possible to have more than this. Just setup more virtual wireless interfaces and bridges as needed. Many thanks to all the team of DD-WRT to make all of this possible.

Sources:

Advertisements
This entry was posted in Network and tagged , , , . Bookmark the permalink.

5 Responses to Installing wifi access points based on DD-WRT with multiple SSIDs and separated networks

  1. Philip Chan says:

    How can you made the wl1.1 appear in the dd-wrt? I added both 2.4Ghz and 5GHz guest network, but cannot bridge them together as I cannot see wl1.1 appear in the networking tab

  2. Philip Chan says:

    How can you make wl0.1 and wl1.1 appear in the networking tab, I add 2.4 and 5GHz vap, but only wl0.1 appear in the networking tab

    • Vitorio says:

      First of all, my apologies for the delay, got really busy this month.
      Did you already found a solution?
      From what I know, the possibilities are slight different between different materials/firmwares. If you don’t use the exact same material than me, it’s possible that the DD-WRT for your hardware doesn’t have this bridge feature implemented yet (at least as a GUI).
      I don’t have a more precise answer, I invite you to reiterate your question at the DD-WRT forum (http://www.dd-wrt.com/phpBB2/), where you will find more skilled partners for your project.

      • Philip Chan says:

        Not yet, right now, I simply not to use wl1.1 and fine with wl0.1, and my router is also AC87U, even in ssh, when I create wl1.1 already in GUI, I cannot find in ifconfig result.

      • Vitorio says:

        I’m sorry that I can’t help you anymore. I left the job where I installed this material, so I can’t test anything. If the material is the same, my clue is that you didn’t use the exact same firmware version that I did. Open a thread in the DD-WRT forum and you surely will get some help. Cheers!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s