Recently I was asked to configure a WiFi access point for a small business that needed both a private internal network and a public guest network.
There are many privacy concerns when having guests share your network. Specifically, it is desirable to:
- Disallow access to any computers on the private network
- Prevent network abuse (such as P2P file sharing)
- Secure the access point itself from tampering or unauthorized access
Of course, all this needs to be done without impacting the desired service: Internet access.
Although I found many guides online for setting up a guest network when the access point was also the primary router, I didn’t find any that worked for the intended network. So, after some trial, error, and research, I managed to get it to work.
The following is a description of the desired network:
- Private LAN: 192.168.1.x (DHCP already provided for private addresses, Internet source)
- Guest WLAN: 192.168.10.x (separate DHCP server, isolated from the Private LAN)
- Private_WiFi SSID (in this example, Internal)
- Guest_WiFi SSID (in this example, Guest)
There is already a wireless home router installed, sharing Internet access with the private network.
We want to do two things:
- Bridge Private_WiFi to the private network
- Share only the Internet connection from the private network to the Guest_WiFi.
Let’s move on to the requirements.
This task requires you to have a fresh, default installation of DD-WRT on any compatible router.
The installation of DD-WRT is beyond the scope of this article. I encourage you to consult the DD-WRT Wiki to identify compatible devices and their installation procedures.
This article describes the process for integrating private + guest WiFi Access Points into an existing private network. If you are seeking to add a guest network to your existing router, or if you are looking for a dedicated guest AP, this is not the solution. It may help you, but continue Googling, and I am certain you will find the guide you need.
1. Prepare the router
Connect your computer directly to the router. Open your web browser, and navigate to http://192.168.1.1.
Since this is a fresh installation, you will need to set your administration username and password. Make it secure!
2. Create and secure WiFi access points
Now, begin by preparing your wireless networks.
Multiple SSIDs can be broadcast from the same AP. The only limitation is that, if you only have one wireless radio, they must all be broadcast on the same channel, which impacts performance slightly.
Although traditionally guest networks have no password, an open network means that all traffic on the guest network is unencrypted and easily captured by anyone in range. It is best to set a password that you share with guests, so that their data is encrypted over the air.
3. Begin isolating the guest network
In Setup -> Networking, we will be doing a number of things to separate the guest WLAN from the private one.
- Under Create Bridge, click Add. Note br0 is already there. Do not change its settings!
- Give the new bridge a name, such as br1. The rest of the settings are fine as they are. Click .
- After it refreshes, you will notice two boxes, for Network Address and Subnet Mask. Enter the desired IP address range for the new guest network. In this example, we use 192.168.10.1. Click .
- Next, we must add our guest WLAN to this bridge. Because the guest WLAN is a Virtual AP, it is named wl0.1. So, under the Assign to Bridge section, click Add, and select br1 as the bridge, and wl0.1 as the interface. Click .
- Now, onto the last step for this page. At the very bottom, there is a section called Multiple DHCP Server. In order to give IP addresses to the guest clients, we need to create another server instance.
- In this section, click Add, and select br1. By default, it will give out up to 50 IP addresses. Finally, click .
# Enables DHCP on br1
# Set the default gateway for br1 clients
# Set the DHCP range and default lease time of 24 hours for br1 clients
The reason for this is that we will be disabling the normal DHCP server in our last step, in order to incorporate the Access Point into our private network. Thus we need to configure DNSmasq as the DHCP server for the guest network.
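The comment lines above describe three DNSmasq settings (enable DHCP on br1, set the br1 gateway, set the range and lease) without showing their values. As an added example, which is not the article's own configuration, the following POSIX shell function builds those "Additional DNSMasq Options" lines from the bridge name, gateway address, pool start, pool size and lease time. The option names (interface=, dhcp-option=, dhcp-range=) are standard dnsmasq; the values used in the usage line are assumed from the article's example guest network (192.168.10.1, up to 50 addresses, 24-hour lease). It also refuses pools that leave the /24 or that would hand out the gateway's own address, a misconfiguration that silently breaks guest Internet access.

```shell
#!/bin/sh
# Added example (not from the article): builds the dnsmasq option lines for a
# guest bridge with its own DHCP pool. Values below are assumptions taken from
# the article's example network, not configuration copied from the page.
#
# guest_dnsmasq_options BRIDGE GATEWAY FIRST_HOST COUNT LEASE
# Prints the option lines, or returns 1 if the pool would leave the /24 or
# would include the gateway's own address.
guest_dnsmasq_options() {
    bridge=$1; gateway=$2; first=$3; count=$4; lease=$5
    prefix=${gateway%.*}      # e.g. 192.168.10
    host=${gateway##*.}       # e.g. 1
    last=$((first + count - 1))
    # Host part must stay within 1..254 of the /24.
    if [ "$first" -lt 1 ] || [ "$last" -gt 254 ]; then
        return 1
    fi
    # The pool must not overlap the gateway address itself.
    if [ "$host" -ge "$first" ] && [ "$host" -le "$last" ]; then
        return 1
    fi
    printf 'interface=%s\n' "$bridge"                     # listen on the guest bridge
    printf 'dhcp-option=%s,3,%s\n' "$bridge" "$gateway"   # DHCP option 3 = default router
    printf 'dhcp-range=%s,%s.%s,%s.%s,255.255.255.0,%s\n' \
        "$bridge" "$prefix" "$first" "$prefix" "$last" "$lease"
}

# Usage for the article's guest network: 50 leases starting at .100, 24h lease.
# guest_dnsmasq_options br1 192.168.10.1 100 50 24h
```

Paste the printed lines into the Additional DNSMasq Options box on the Services page; the pool here (.100 to .149) matches the 50-address default the article mentions.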
4. Firewall Rules
At this point, we have both private and guest wireless networks. The guest network is still not fully isolated from the private network, and doesn’t have Internet access.
To fix these points, and also add some security, go to the Administration -> Commands page, and copy and paste the following in the Command Shell:
#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.10.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.10.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Note: Some people have reported issues with the #Block torrent and p2p section. The limit may be too low to load modern sites, sometimes making the guest network unusable. I would recommend leaving this out unless you want to be really restrictive.
Finally, click “Save Firewall”.
Do not be tempted to change the backticks around the nvram commands: they are shell command substitution, so the router's current LAN address and netmask are filled in when the rules run. It works exactly as is.
The section for blocking P2P works by throttling the maximum number of connections a client may hold open. P2P services make many connections, which significantly impacts network performance. So for TCP it limits clients to 50 connections, and for non-TCP traffic (in practice, UDP) to 25.
Blocking router services on the guest side is a sensible security measure. In this example, it prevents telnet, ssh, www and https access to the router from the guest bridge.
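Every rule above is inserted with -I, which puts it at the top of the chain, so the last rule entered is evaluated first and the two DROP rules end up above the blanket "-i br1 ... -j ACCEPT". If the rules are ever re-entered with -A, or in a different order, the ACCEPT matches first and guests can reach the private LAN. As an added example, not part of the article, the following POSIX shell check reads the output of `iptables -S FORWARD` and fails unless both isolation DROPs precede the guest ACCEPT; the two listings embedded in it are constructed, not captured from a real router, and assume the article's 192.168.1.0/24 private LAN.

```shell
#!/bin/sh
# Added example (not from the article): verifies FORWARD chain ordering so the
# guest bridge is really isolated. iptables evaluates rules top-down, so the
# guest->LAN DROP and LAN->guest DROP must appear before the br1 ACCEPT.

# Constructed sample of `iptables -S FORWARD` after the article's rules were
# inserted with -I (the P2P section omitted). iptables prints the LAN mask as
# /24 even though nvram holds 255.255.255.0.
SAMPLE_OK='-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'

# Constructed listing of the same rules appended with -A instead: the ACCEPT
# now sits above both DROPs and shadows them.
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP'

# check_forward_order LISTING LAN_CIDR
# Returns 0 when the guest->LAN DROP and the LAN->guest DROP both appear before
# the first "-i br1 ... -j ACCEPT" rule; returns 1 if either is missing or
# comes after the ACCEPT.
check_forward_order() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /-j ACCEPT/ && /-i br1/ && !accept              { accept = NR }
        /-j DROP/ && /-i br1/ && index($0, "-d " lan)   { drop_guest = NR }
        /-j DROP/ && /-i br0 -o br1/                    { drop_lan = NR }
        END {
            if (!accept || !drop_guest || !drop_lan) exit 1
            if (drop_guest < accept && drop_lan < accept) exit 0
            exit 1
        }'
}

# On the router itself, after "Save Firewall" and a reboot:
#   check_forward_order "$(iptables -S FORWARD)" 192.168.1.0/24 && echo "guest isolated"
```

Run it from the Command Shell (or over ssh from the private side) after the firewall script has loaded; a non-zero exit means the DROP rules are not where the article's -I ordering put them.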
5. Adding it to the private network
We are almost done! All that is left is to include it in the private network. To begin, click the Setup tab.
The following steps all need to be done in sequence. Do not click Apply Settings until the very end!
- Disable the WAN connection, by setting the WAN Connection Type to Disabled.
- Change the Router IP address to something that is a) in your private subnet, and b) not already in use. For example, if your existing router is 192.168.1.1, change this to 192.168.1.2.
- Set the Gateway and Local DNS settings to the IP address of your existing router (i.e. 192.168.1.1).
- Toggle the DHCP server from Enabled to Disabled.
- If you want the router to keep time, enter the NTP settings.
6. Making the connections
Now that all these settings are in place, you can reconnect your computer to your existing network. Alternatively, you can leave it connected to this router, as the wired connections will still be in the private network.
Connect any of the remaining LAN ports of this guest router to your existing network. The Internet port is disabled in this configuration.
Your computer should now be on your private network. Now you can begin testing by connecting a wireless client to the guest network, verifying Internet access, and ensuring it cannot communicate with any of the private computers.
The DD-WRT Wiki is very helpful. Here is the specific page that helped me get it all working (note the “for WAPs – WAN port disabled” commands.)
Also, How-To Geek had great information for the DNSmasq settings, and for blocking guest access to router services.