WikiDevi.Wi-Cat.RU:DD-WRT/Dual SSID one for public network
NOTE: This is an old unmaintained and duplicate guide. You should use one of the following currently maintained guides instead.
To separate the WLAN from the LAN see: Separate LAN and WLAN
To create more than one WLAN and optionally separate them see: Multiple WLANs
DD-WRT v24 Release
This worked for me on V24 release with wrt54GL
My main network is 192.168.1.1
1) Wireless -->basic setting added another Interface, unbrigged, and with IP of 192.168.2.1, mask of 255.255.255.0
2) In wireless security, configure the security for the second adapter.
Apply changes.
3)Setup - networking --> dhcpD add another DHCP server for the second interface choose wl0.1. In my case it was 192.168.2.10 5 users
4) Administration---> commands
iptables -I INPUT -i wl0.1 -p icmp -j ACCEPT
iptables -I INPUT -i wl0.1 -p tcp --dport 23 -j logdrop
iptables -I INPUT -i wl0.1 -p tcp --dport 80 -j logdrop
iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
- WHAT DO THESE COMMANDS DO?
- By setting these rules, someone logging into the public wifi network cannot see or modify the router or see your network. Probably.
Save firewall
5)Reboot router
That's it
DD-WRT preSP2 v24
This was developed from the v24 release section above and VLAN Detached Networks each with Wireless and Internet on a WRT54GL v1.1 with Brainslayer's 13525 nokaid-generic release. Before doing the following the public/virtual AP would not get DHCP or pass traffic through the WAN.
- Set up the unit with an AP for your private wifi.
- Create the virtual AP but leave it bridged.
- Set up your security for the two APs (I used WPA Personal AES but read that TKIP can cause problems)
- Go to Setup-->VLANs and create VLAN2 with Port 4 from the device (i think it can be any of the LAN ports, just not the one you plug the LAN into) and leave it bridged to None and hit Save.
To clarify, uncheck Port 4 from VLAN0 and check it on the VLAN2 row and leave or change the drop down towards the right to show None, and hit Save - Go to Basic Setup-->Networking
- Create a new bridge (ie br1) and assign the IP you want the public/virtual AP to have and hit Save
- Add two assignments to the new bridge and make them wl0.1 and VLAN2, hit Save again
- Go to Services and enter this for the Additional DNSMasq Options (modify to your bridge ID and scope):
- interface=br1
- dhcp-option=br1,3,192.168.2.1
- dhcp-option=br1,6,192.168.1.254
- dhcp-range=br1,192.168.2.20,192.168.2.220,255.255.255.0,120m
- Hit Save and go to Administration-->Commands
- Enter this code in the Command box:
- iptables -I INPUT -i br1 -j ACCEPT
- iptables -I INPUT -i br1 -p tcp --dport 23 -j logdrop
- iptables -I INPUT -i br1 -p tcp --dport 80 -j logdrop
- iptables -I INPUT -i br1 -p tcp --dport 443 -j logdrop
- iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
- iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
- iptables -I FORWARD -i br0 -o br1 -j logdrop
- iptables -I FORWARD -i br1 -o br0 -j logdrop
- Hit Save Firewall and wait for the box to empty
- Go to Administration and reboot the router
NOTE:
- The iptables code MUST be in this order to work correctly
- ppp0 is in the iptables as my device provides the PPPoE session for the DSL
- The --dport lines block traffic to ONLY the device on those ports (management here)
- The bottom two lines block traffic between the LAN and the public/virtual AP
After doing this DHCP worked like a charm from the virtual/public AP and I could hit the Internet from it as well, all while the LAN side worked as it should. It seems DNSMasq just didn't like to bond to the virtual interface or the virtual interface came up after DNSMasq. With that said, it might be possible to just create the bridge and just add wl0.1 to it while skipping the whole VLAN2 section and have it work. For me, the addition of the port is actually needed.
To better understand the DNSMasq Options listed above:
- Line 1 is the interface to bind to (in this case it's the new bridge)
- Line 2 is the gateway
- Line 3 is the DNS
- Line 4 is the dhcp range start,stop,subnet,lease time in minutes
Just to be clear, this was done from a factory reset on a WRT54GL v1.1 with Brainslayer's preSP2 v24 nokaid-generic build 13525. The SP2 release might affect how this works or might totally break it. Hopefully not unless the release has its own way to do this.
--Envoid 00:23, 10 July 2010 (CEST)
Links
References
- VLAN Detached Networks each with Wireless and Internet
- Separate_WLANs
- Multiple_WLANs
- Separate_LAN_and_WLAN
- WLAN separate from LAN, with independent dhcp, etc
Comments
I implemented two wireless networks on the same router using the instructions at Implementing Inexpensive Multiple SSID Networks, on which I based the recipe at Navas Wireless Wiki:Wi-Fi How To:Two wireless networks on one router. --JNavas 21:06, 18 September 2009 (CEST)