Adventures in Guest Networking with DD-WRT
From Rabbi Blog
Background
I've had DD-WRT running on an old WRT54G2 for a while, and today I decided to look into setting up a guest network for visitors. What could go wrong with that?
First, I have to give Odian The Linux Guy credit for his 2016 YouTube video, Setting up Guest Wifi On DD-WRT; it was extremely helpful. However, there were a few nuances that I didn't catch from watching the video (my apologies to Odian if the info was in the video and I missed it), and I kept dead-ending.
But I kept hammering away....
This setup assumes you can log into the DD-WRT router and configure it, and that you are connecting the router to your main router LAN-to-LAN. The firmware I used was old, but understand that I spent so much time troubleshooting before I realized the issue that I can't be bothered to flash the router up to the current release and test. If I do, I'll update the directions.
I now have two separate WRT54G2s running, offering different 192.168.x.x ranges, and they are independent of each other (as I'm typing this, I realize I need to reconsider how I'm offering connections and DHCP from one 192.168.x.x scope, but seriously, I've been at this for way too long today). WDS may be where this goes when I have more time.
Here we go....
Tools
- Router Model: Linksys WRT54G2 / GS2
  - Note: This is a LAN-to-LAN setup, not LAN-to-WAN
  - Firmware: DD-WRT v3.0-r31899 micro (04/24/17)
  - Firmware: DD-WRT v3.0-r29968 micro (06/17/16)
- Router Model: Cisco M10 Valet V1
  - Firmware: DD-WRT v3.0-r38159 std-nokaid-small (01/02/19)
  - Note: Unable to get the second wireless network to broadcast
- Misc
  - I may try other firmwares later
  - May look into WDS later, not really important right now
Setup
- Note: The sub-headings below are the tab locations within the DD-WRT web interface
Basic Setup
Router IP
- Set the router's IP address to an address on your main LAN (the directions assume you can log into the router)
- DNS: 8.8.8.8 (guest access to the router's own services is blocked later, so DNS is pointed at an external resolver)
- Connect the router to your main LAN through one of Ethernet ports 1-4; the WAN port stays unused (we will not be reassigning it)
DHCP
- DHCP Type: DHCP Forwarder
- Forward to the address of your main LAN's DHCP server (devices on this router's LAN ports keep getting addresses from the main network)
Time Settings
- Disable
- Apply\Save (router should reboot)
Wireless
Basic Settings
Virtual Interface
- Add Virtual Interface
- Name the SSID: GUEST-GUEST (the name used here; choose your own)
- Wireless SSID Broadcast: enabled
- AP Isolation: disable (the setting used here; enabling it stops guest clients from reaching each other, which is usually what you want on a guest SSID)
- Network configuration: Bridged
- Apply\Save
Wireless Security
Basic Settings
- Virtual Interface wl0.1 SSID [GUEST-GUEST] (note the interface name, here "wl0.1"; it is needed when creating the bridge later)
- Security Mode: your choice (WPA2 Personal with a passphrase that differs from your main network's is the sensible one; an open SSID lets anyone within range onto br1)
- Settings based on your choice
- Apply\Save (router may reboot)
Setup
Networking
Create Bridge
- Add br1
- STP ON
- Apply\Save
- Assign to Bridge
- br1 to wl0.1
- Apply\Save
- Verify the Current Bridging Table shows:

  Bridge   STP   Interfaces
  br0      no    vlan0 eth1
  br1      yes   wl0.1
Port Setup
- Find "Network Configuration br1" on the page
- Configure it for your guest subnet; the values used here are:
- Note: the M10 took a few page refreshes for br1 to appear
  - TX Queue Length: 1000
  - MTU: 1500
  - Multicast forwarding: Disable
  - Masquerade / NAT: Disable (NAT is done by the SNAT rule under Administration > Commands instead)
  - Net Isolation: Disable (isolation between guest and LAN is done by the iptables rules under Administration > Commands instead)
  - Forced DNS Redirection: Enable
  - Optional DNS Target: 8.8.8.8
  - IP Address: 192.168.5.1
  - Subnet Mask: 255.255.255.0
- Apply\Save
DHCPD
- Add Server
- br0: off (the LAN side keeps using the main network's DHCP server through the forwarder)
- br1: on (this router hands out 192.168.5.x addresses to guests)
- Apply\Save
- Note the DHCP range on br1; it must lie inside the subnet given to br1 above (192.168.5.0/24 here), which is the network the iptables rules refer to
Administration
Commands
- Paste the following iptables rules for this network into the command box (replace 192.168.5.0/24 with the subnet you gave br1; the `nvram get` calls pick up this router's own LAN address and mask)

```sh
# Allow guest bridge access to the Internet.
# Every rule below uses -I (insert at the top of the chain), so a rule issued
# later is evaluated earlier: the DROPs added after this ACCEPT end up in front of it.
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Block new connections between the private LAN (br0) and the guest bridge (br1)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

# NAT guest traffic to the router's LAN address so the Internet works (and replies return via br0)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

# Limit connections per guest host to curb torrent and p2p use.
# Change 192.168.5.0/24 to the subnet of your guest network.
iptables -I FORWARD -p tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 50 -j DROP
# Newer iptables versions spell the negation "! -p tcp"; the old form works on this firmware
iptables -I FORWARD -p ! tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 25 -j DROP

# Block guest access to the router's own management services (DNS and DHCP stay reachable)
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
```
- Save the rules with Save Firewall, so they are re-applied whenever the firewall restarts, then Apply\Save (router may reboot)
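The rule set above, as an added example that is not from the original post: a small POSIX shell script (DD-WRT's busybox ash runs it too) that generates the same rules from variables instead of `nvram get` calls, simulates what repeated `iptables -I` does to the FORWARD chain's evaluation order, and checks that the isolation DROPs are evaluated before the guest ACCEPT. The LAN address and mask (192.168.1.2 / 255.255.255.0) are assumed placeholders, not values from the page; on the router, fill them from `nvram get lan_ipaddr` and `nvram get lan_netmask`. Service names are written as port numbers here (telnet 23, ssh 22, www 80, https 443) and the negation uses the current `! -p tcp` spelling.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the guest-network
# rules from variables instead of `nvram get`, and shows the evaluation order
# that repeated `iptables -I` produces.
#
# ASSUMED values (not from the page): LAN_IP and LAN_MASK. On the router use
#   LAN_IP=$(nvram get lan_ipaddr) LAN_MASK=$(nvram get lan_netmask)
GUEST_IF=${GUEST_IF:-br1}
LAN_IF=${LAN_IF:-br0}
GUEST_NET=${GUEST_NET:-192.168.5.0/24}
LAN_IP=${LAN_IP:-192.168.1.2}
LAN_MASK=${LAN_MASK:-255.255.255.0}

# The rules in the order they must be issued. Each uses -I, which inserts at
# the TOP of the chain, so a rule issued later is evaluated earlier; that is
# why the DROPs can be issued after the ACCEPT and still win.
guest_rules() {
    cat <<EOF
iptables -I FORWARD -i $GUEST_IF -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i $LAN_IF -o $GUEST_IF -m state --state NEW -j DROP
iptables -I FORWARD -i $GUEST_IF -d $LAN_IP/$LAN_MASK -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o $LAN_IF -j SNAT --to $LAN_IP
iptables -I FORWARD -p tcp -s $GUEST_NET -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD ! -p tcp -s $GUEST_NET -m connlimit --connlimit-above 25 -j DROP
iptables -I INPUT -i $GUEST_IF -p tcp --dport 23 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i $GUEST_IF -p tcp --dport 22 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i $GUEST_IF -p tcp --dport 80 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i $GUEST_IF -p tcp --dport 443 -j REJECT --reject-with tcp-reset
EOF
}

# Evaluation order of one filter chain after all the -I inserts: that chain's
# rules top to bottom, i.e. the reverse of the issue order (sed acts as tac).
# Usage: chain_order FORWARD
chain_order() {
    guest_rules | grep " -I $1 " | sed "s/^iptables -I $1 //" | sed -n '1!G;h;$p'
}

# 1-based position of the first rule in chain $1 whose target is $2
# (prints nothing if no rule has that target).
first_target() {
    chain_order "$1" | awk -v t="$2" '$NF == t { print NR; exit }'
}

# Succeeds only if every DROP in FORWARD sits above the guest ACCEPT, so a
# new guest->LAN connection hits a DROP before it can be accepted.
isolation_holds() {
    accept=$(first_target FORWARD ACCEPT)
    last_drop=$(chain_order FORWARD | awk '$NF == "DROP" { n = NR } END { print n + 0 }')
    [ "${accept:-0}" -gt 0 ] && [ "$last_drop" -lt "$accept" ]
}

case "${1:-}" in
    show)  chain_order FORWARD ;;                                        # effective FORWARD order
    check) isolation_holds && echo "isolation rules precede the guest ACCEPT" ;;
    apply) guest_rules | sh ;;                                           # only on the router, as root
esac
```

`sh guest_fw.sh show` prints the FORWARD chain as the kernel will walk it (both connlimit DROPs first, then the two isolation DROPs, then MSS clamping, and the guest ACCEPT last); `check` confirms that ordering. If you reorder the lines in `guest_rules`, for example by moving the ACCEPT to the end so it is inserted last and lands at the top of the chain, `check` fails, which is exactly the mistake that would let guests reach the LAN.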