Installing wifi access points based on DD-WRT with multiple SSIDs and separated networks

Context: In our LAN, we needed multiple wireless access points serving two different SSIDs, a main one with full access to the private network, and a guest one, only allowed to go to Internet. Cheap personal wireless access points do have a guest SSID possibility but only if the router is directly connected to the WAN. In our case, the access points will be distributed on the network and connected via the LAN to the main router. So, we choose the ASUS RT-AC87U for its good reviews about coverage, performance and stability, and by the fact it supports natevely DD-WRT, an Open Source router firmware that allow many things, including multiples SSIDs and firewall.

The first part of this article explains how to setup a double (or multiple) SSID on an access point. Then we will see the particularities for a router (need of multiple DHCP servers).

Setup a multiple-SSID Access point

1. From a fresh install of the DD-WRT firmware, put it into your network on the basic setup tab (IP/subnet/gateway config).
   
2. Still on basic setup tab, disable DHCP server. As this is an access point, we are assuming that your main network already have a DHCP server or that you don’t want it at all. “Use DNSMasq for DHCP”, “Use DNSMasq for DNS” and “DHCP-Authoritative” options are ticked but honestly, I don’t know if this changes anything. I am curious to have your feedback on the comments, if you test ticking/unticking those options.
   
3. At the Wireless -> Basic setup tab, setup your wireless networks as wanted. The only mandatory option is to get them bridged. There are some tutorials about making guest networks unbridging the interfaces directly in this tab. This works, but as we got more and more devices with dual-band, each unbridged interface get ungrouped. So, I prefer dealing with bridges later at the networking tabs.
   
   
4. At the Wireless -> Wireless Security tab setup the security wanted.
   
5. Come back to Setup -> Networking, create a second bridge br1 and assign to it the interfaces you want to isolate. In my case it’s wl0.1 and wl1.1 corresponding to the wireless virtual interfaces on both bands. In the new bridge, setup a new IP network, like 192.168.3.1 for example.
   
6. At the end of the page Setup -> Networking create a DHCP server for the new network (if you wish to have DHCP).
   
7. At the Services -> Services tab configure DNSMasq as following:

   interface=br1
   dhcp-option=br1,3,gateway_IP
   dhcp-range=br1,192.168.3.100,192.168.3.150,255.255.255.0,24h
   dhcp-option=br1,6,ns1,ns2

   Where gateway_IP is the IP of the gateway of the network (192.168.3.1 if you followed the same numbering as me), ns1 and ns2 are the name servers you use (internal of your network, provided by your ISP or public ones like Google’s name server 8.8.8.8).
   

8. At the tab Administration -> Commands, setup a firewall based on the following model (adapt as you wish):

   #Enable NAT on the WAN (Correct a BUG)
   iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
   
   #Restrict br1 from accessing br0
   iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
   
   #Restrict br1 from accessing the router
   iptables -I INPUT -i br1 -m state --state NEW -j DROP
   
   #Allow br1 to access DHCP on the router
   iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
   
   #Allow br1 to access DNS on the router
   iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
   iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

   Save clicking save Firewall button.

9. Reboot your access point and test. You should now have both SSID working and the guest one (configured at br1) having access only to Internet (if you used AP isolation on the Wireless -> Basic Settings). At least, It should not see the main network and it’s devices.

Setup a multiple-SSID router

1. From a fresh install of the DD-WRT firmware, setup your WAN/LAN network on the basic setup tab (IP/subnet/gateway config).
   
2. Still on basic setup tab, enable DHCP server. As the main router, I’m assuming you want it to be the DHCP server of the main network. Tick “Use DNSMasq for DHCP”, “Use DNSMasq for DNS” and “DHCP-Authoritative” options.
   
3. At the Wireless -> Basic setup tab, setup your wireless networks as wanted. The only mandatory option is to get them bridged. There are some tutorials about making guest networks unbridging the interfaces directly in this tab. This works, but as we got more and more devices with dual-band, each unbridged interface get ungrouped. So, I prefer dealing with bridges later at the networking tabs.
   
   
4. At the Wireless -> Wireless Security tab setup the security wanted.
   
5. Come back to Setup -> Networking, create a second bridge br1 and assign to it the interfaces you want to isolate. In my case it’s wl0.1 and wl1.1 corresponding to the wireless virtual interfaces on both bands. In the new bridge, setup a new IP network, like 192.168.3.1 for example.
   
6. At the end of the page Setup -> Networking create a DHCP server for each network (if you wish to have DHCP).
   
7. At the Services -> Services tab configure DNSMasq as following:

   dhcp-range=net:br0,range_start_IP,range_end_IP,netmask,24h
   dhcp-option=br0,6, ns1, ns2
   dhcp-range=net:br1,range_start_IP_2,range_end_IP_2,netmask,24h
   dhcp-option=br1,6, ns1, ns2

   Where range_start_IP and range_end_IP are the first and last IP of the DHCP range, netmask is the mask of your subnet and ns1 and ns2 are the name servers you use (internal of your network, provided by your ISP or public ones like Google’s name server 8.8.8.8).
   

8. At the tab Administration -> Commands, setup a firewall based on the following model (adapt as you wish):

   #Enable NAT on the WAN (Correct a BUG)
   iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
   
   #Restrict br0 and br1 from accessing each other 
   iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
   iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
   
   #Restrict br1 from accessing the router 
   iptables -I INPUT -i br1 -m state --state NEW -j DROP
   
   #Allow br1 to access DHCP on the router
   iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
   
   #Allow br1 to access DNS on the router
   iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
   iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

   Save clicking save Firewall button.

9. Reboot your access point and test. You should now have both SSID working and the guest one (configured at br1) having access only to Internet (if you used AP isolation on the Wireless -> Basic Settings). At least, It should not see the main network and it’s devices.

This article shows how to setup two isolated wireless networks, but it’s possible to have more than this. Just setup more virtual wireless interfaces and bridges as needed. Many thanks to all the team of DD-WRT to make all of this possible.

Sources:

• http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
• http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html
• http://blog.danjoannis.com/?p=1362
• http://www.coertvonk.com/technology/networking/dd-wrt-leading-two-seperate-networks-5829