WikiDevi.Wi-Cat.RU:DD-WRT/Multiple WLANs

Introduction
This guide teaches you how to broadcast multiple WLAN SSID's using virtual interfaces. You can have different encryption settings for each WLAN and you can restrict what they have access to. You may also bridge a VLAN or VPN tunnel interface to the virtual wireless interface.

Note: Virtual Access Points (VAP's) and VLAN's are entirely different technologies and you should be careful not to confuse these terms. If you're referring to a virtual wireless interface then call it a VAP, if you're referring to an Ethernet VLAN then call it a VLAN, and if you bridge them together then say that you've bridged a VAP and VLAN.

Preparation
As with all configuration changes, it is best to connect your router with an Ethernet cable so that you do not get disconnected or locked out of your router while configuring it. If you wish to bridge a VLAN or other interface to the virtual wireless interface, then see other guides on how to set up those interfaces, this guide will just tell you how to bridge it.

If your router is configured as a Wireless Access Point (WAN is disabled) then you must be sure to set the gateway and local DNS as recommended in the WAP guide. This also applies to WDS client nodes (but not the main WDS node) which are bridged to another router that does routing for them. Keep your eye out for the places this guide gives alternative instructions for WAP's.

Before beginning, read Bug 1853 about a minor bug with bridge creation and a haphazard fix to the bug that was introduced in changeset 16181. This guide will NOT be changed to reflect the bridge creation changes until recommended builds are affected by the change.

Atheros Based Hardware
The Atheros VAP interface will be named ath0.1 instead of wl0.1 so just substitute this name in the instructions.

Broadcom Based Hardware
Very early Broadcom based routers have radios that do not support or only partially support multiple WLAN's. You will need to telnet to the router and run this command on the router:

nvram get wl0_corerev




 * If the number is 4 or less then the router is too old.
 * If it is between 5 and 8 then it is capable of multiple SSID's but not multiple BSSID's, which means the wireless interfaces will all have the same MAC address so some devices might not recognize both WLAN's, and you will need to use a build that has a VINT wireless driver.
 * If it is 9 or above then the router fully supports multiple WLAN's, each with their own BSSID (MAC address).

Ralink Based Hardware
The Ralink VAP interface will be named ra1 instead of wl0.1 so just substitute this name in the instructions.

Basic Wireless Settings
Use a web browser to connect to your router's web GUI. Navigate to the Wireless -> Basic Settings page and under the Virtual Interfaces section press the "Add" button to add a new virtual interface. Leave the Network Configuration set to "Bridged" for all interfaces regardless of whether you want to bridge them or not because "Unbridged" has unresolved bugs at the time this was written (svn 13312). To get a working unbridged interface we will actually assign it to its own bridge later on. You may change any of the other settings to your liking.



Press the "Apply Settings" button, wait 1 minute, and then you should be able to see and connect to your new WLAN SSID. Make sure that you can connect to it, receive a DHCP lease, and browse the network/internet before you do anything further.

Note: If you're using a Broadcom VINT build then some devices may have problems connecting. Often it is just that they will only display one SSID being broadcast but they will still be able to connect if you manually create a profile for the virtual interface's SSID. Two of my old 802.11g adapters can not see the VAP's SSID but can still connect with manual profiles while my 802.11n adapter can see both SSID's being broadcast.

Encryption
Configure whatever encryption you desire on the Wireless Security page. For instance, you may want WPA2-AES for your main interface to have maximum security but use WEP or no encryption on the virtual interface to allow others to connect. You may also use the same encryption type in order to have different passwords for different people.

Note: Firmware builds prior to 12548 are known to have trouble with using different encryption settings.



Press the "Apply Settings" button, wait 1 minute, and then you should be able to see and connect to both WLAN SSID's using their new encryption settings. Make sure that you can connect to both SSID's, receive a DHCP lease, and browse the network/Internet before you do anything further.

At this point you may stop if you want to allow everything to communicate together. If you are mixing strong encryption for your main network with weak encryption or none at all on the virtual interface then it is advisable to follow the steps below to separate the interfaces so that the virtual interface is restricted from communicating with your main network.

Separating the WLAN's
Navigate to the Setup -> Networking page. Press the "Add" button in the Create Bridge section and type "br1" into the blank input box that is on the left side of all the options that just appeared. Press the "Apply Settings" button at the bottom of the page and new input boxes will appear to specify the IP address for the new bridge.

This new bridge needs to have an address that is in a different subnet than your main LAN. By default the main router LAN address is 192.168.1.1 netmask 255.255.255.0 so we will use 192.168.2.1 netmask 255.255.255.0 for the br1 bridge interface. Press the "Apply Settings" button again so that the IP address will be assigned to the br1 interface before you continue.



Press the "Add" button in the Assign to Bridge section. Select "br1" in the left drop down menu that appeared and select "wl0.1" in the other. Press the "Apply Settings" button and the virtual wireless interface wl0.1 will now be moved from br0 to br1. If you wish to bridge a VLAN or other interface to the VAP, then you can add another bridge assignment to do so.



Press the "Add" button in the Multiple DHCP Server section. Select "br1" in the left drop down menu that appeared. Press the "Apply Settings" button to finish enabling the DHCP server for the br1 interface.



Note: DHCP Type must not be set to "DHCP Forwarder," this type is often mistakenly used when it is not appropriate. If DHCP is disabled on your main LAN in Basic Setup because it is a WAP that connects LAN-LAN to an existing network instead of using the WAN port or DHCP is disabled for any other reason, then the Multiple DHCP method above will not work and instead you will need to use the Command Method for DHCP.

You should now be able to connect to VAP's SSID and receive a DHCP lease with an IP address that is in the 192.168.2.0/24 subnet. Make sure that you can connect to it, receive a DHCP lease, and connect to the router's 192.168.2.1 address from the VAP before you do anything further. On current builds (>17000) you will not be able to browse the internet until you add appropriate iptables commands later in the guide. If you are making a WAP then you must either use the iptables commands for WAP's in the next section, or create routes throughout your network, or add a working tagged VLAN interface to the bridge.

Command Method
This section does not contain complete instructions. Currently it only has substitutions for the GUI method to overcome problems with certain configurations.

DHCP
Go to the Services tab and find the DNSMasq section. Make sure that DNSMasq is Enabled. Adjust the following options to fit your environment (omit the comment lines starting with '#') and them to the Additional DNSMasq Options text area.

interface=br1 dhcp-option=br1,3,192.168.2.1 dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
 * 1) Enables DHCP on br1
 * 1) Set the default gateway for br1 clients
 * 1) Set the DHCP range and default lease time of 24 hours for br1 clients

If you would like to use different DNS servers for the VAP then you can use this DNSMasq option regardless of which DHCP configuration method you used.

dhcp-option=br1,6,[DNS IP 1],[DNS IP 2]

Restricting Access
Now that you have your WLAN's working you can start limiting what access they have. Here are several iptables commands that you can save to your firewall script on the Administration -> Commands page. These commands are written in the same order that the should appear in your firewall script, changing the order can affect the way that they work. Mix and match them however you like, just be sure to keep them in the order they appear on this page.

If you have any problems with your firewall script, then create a forum thread and be sure to describe in great detail what you're trying to do, what it is actually doing, and post your firewall script.

Enable NAT on the WAN port to correct a bug in builds over 17000 iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on) iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Restrict br1 from accessing br0 (do not use on WAP's) iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

Restrict br0 from accessing br1 iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

Restrict br1 from accessing the WAN port (no internet access!) iptables -I FORWARD -i br1 -o `get_wanface` -j DROP

Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's) iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled) iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled) iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

Restrict br1 from accessing the router's local sockets (software running on the router) iptables -I INPUT -i br1 -m state --state NEW -j DROP

Allow br1 to access DHCP on the router iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

Allow br1 to access DNS on the router iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT