{"id":1362,"date":"2013-12-31T14:22:17","date_gmt":"2013-12-31T19:22:17","guid":{"rendered":"http:\/\/blog.danjoannis.com\/?p=1362"},"modified":"2017-03-05T14:12:46","modified_gmt":"2017-03-05T17:42:46","slug":"creating-a-private-guest-wifi-access-point-dd-wrt","status":"publish","type":"post","link":"https:\/\/blog.danjoannis.com\/?p=1362","title":{"rendered":"Creating a Private + Guest WiFi Access Point (DD-WRT)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-1389\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Screenshot_2013-12-31-15-32-18.png\" alt=\"Screenshot_2013-12-31-15-32-18\" width=\"181\" height=\"323\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Screenshot_2013-12-31-15-32-18.png 720w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Screenshot_2013-12-31-15-32-18-168x300.png 168w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Screenshot_2013-12-31-15-32-18-576x1024.png 576w\" sizes=\"auto, (max-width: 181px) 100vw, 181px\" \/><\/p>\n<p>Recently I was asked to configure a WiFi access point for a small business, who needed to have both a private internal network, and a public guest network.<\/p>\n<p>There are many privacy concerns when having guests share your network. Specifically, it is desirable to:<\/p>\n<ul>\n<li>Disallow access to any computers on the private network<\/li>\n<li>Prevent network abuse (such as P2P file sharing)<\/li>\n<li>Secure the access point itself from tampering or unauthorized access<\/li>\n<\/ul>\n<p>Of course, all this needs to be done without impacting the desired service: Internet access.<\/p>\n<p>Although I found many guides online for setting up a guest network when the access point was\u00a0<em>also<\/em> the primary router, I didn&#8217;t find any that worked for the intended network. 
So, after some trial, error, and research, I managed to get it to work.<\/p>\n<p><!--more--><\/p>\n<h2>Network Topology<\/h2>\n<p>The following is a description of the desired network.<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"color: #3366ff;\">Private LAN<\/span>: <span style=\"text-decoration: underline;\">192.168.1.x<\/span> (DHCP already provided for private addresses, Internet source)<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"color: #ff9900;\">Guest WLAN<\/span>: <span style=\"text-decoration: underline;\">192.168.10.x<\/span> (separate DHCP server, isolated from Private LAN)<\/p>\n<p>Wireless SSIDs:<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"color: #3366ff;\">Private_WiFi<\/span> (in this example,\u00a0<strong>Internal<\/strong>)<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"color: #ff9900;\">Guest_WiFi<\/span> (in this example,\u00a0<strong>Guest<\/strong>)<\/p>\n<p>There is already a wireless home router installed, sharing Internet access with the private network.<\/p>\n<p>We want to do two things:<\/p>\n<ol>\n<li>Bridge <span style=\"color: #3366ff;\">Private_WiFi<\/span> to the private network<\/li>\n<li>Share <em>only<\/em> the Internet connection from the private network to the <span style=\"color: #ff9900;\">Guest_WiFi<\/span>.<\/li>\n<\/ol>\n<p>Let&#8217;s move on to the requirements.<\/p>\n<h2>Requirements<\/h2>\n<p>This task requires you to have a fresh, default installation of DD-WRT on any compatible router.<\/p>\n<p><a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/logo1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1402\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/logo1.jpg\" alt=\"logo[1]\" width=\"221\" height=\"55\" \/><\/a><\/p>\n<p>The installation of DD-WRT is beyond the scope of this article. 
I encourage you to consult the <a href=\"http:\/\/www.dd-wrt.ca\/wiki\/index.php\/Supported_Devices\" target=\"_blank\">DD-WRT Wiki<\/a> to identify compatible devices and their installation procedures.<\/p>\n<p>This article describes the process for integrating <span style=\"color: #3366ff;\">private<\/span> + <span style=\"color: #ff9900;\">guest<\/span> WiFi Access Points into an existing private network. If you are seeking to add a <span style=\"color: #ff9900;\">guest <\/span>network to your existing router, or if you are looking for a dedicated <span style=\"color: #ff9900;\">guest<\/span> AP, this is not the solution. It may help you, but continue Googling, and I am certain you will find the guide you need.<\/p>\n<h2>1. Prepare the router<\/h2>\n<p>Connect your computer directly to the router. Open your web browser, and navigate to <a href=\"http:\/\/192.168.1.1\" target=\"_blank\">http:\/\/192.168.1.1<\/a>.<\/p>\n<p>Since this is a fresh installation, you will need to set your administration username and password. Make it secure!<\/p>\n<h2>2. Create and secure WiFi access points<\/h2>\n<p>Now, begin by preparing your wireless networks.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">SSIDs<\/span><\/strong><\/p>\n<p>In Wireless -&gt; Basic Settings, enter the desired name and channel for your\u00a0<span style=\"color: #3366ff;\">private\u00a0<\/span>SSID. Click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>.<\/p>\n<p>Next, click Add, at the bottom, to add a Virtual Access Point (VAP). 
Enter the name for your\u00a0<span style=\"color: #ff9900;\">guest <\/span>SSID, and click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>\u00a0again.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1372\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Wireless-Basic.png\" alt=\"Wireless - Basic\" width=\"564\" height=\"470\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Wireless-Basic.png 805w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Wireless-Basic-300x250.png 300w\" sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/p>\n<p>Multiple SSIDs can be broadcast from the same AP. The only limitation is that they must be broadcast on the same channel, if you only have one wireless radio. This impacts performance slightly.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Security<\/span><\/strong><\/p>\n<p>In Wireless -&gt; Wireless Security, type in the password(s) you would like for the private and guest networks. 
Click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1373\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Wireless-Security.png\" alt=\"Wireless - Security\" width=\"564\" height=\"293\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Wireless-Security.png 805w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Wireless-Security-300x156.png 300w\" sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/p>\n<p>Although traditionally guest networks have no password, this means that all traffic on the guest network is unencrypted, and easily captured. It is best to create a password that you share, so that your users&#8217; data is secure.<\/p>\n<h2>3. Begin isolating the guest network<\/h2>\n<p><a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Networking.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1371 alignright\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Networking.png\" alt=\"Networking\" width=\"338\" height=\"529\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Networking.png 804w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Networking-191x300.png 191w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Networking-653x1024.png 653w\" sizes=\"auto, (max-width: 338px) 100vw, 338px\" \/><\/a><\/p>\n<p>In Setup -&gt; Networking, we will be doing a number of things to separate the guest WLAN from the private one.<\/p>\n<ol>\n<li>Under\u00a0<strong>Create Bridge<\/strong>, click Add. Note <strong>br0<\/strong> is already there. 
Do not change its settings!<\/li>\n<li style=\"text-align: left;\">Give the new bridge a name, such as\u00a0<strong>br1<\/strong>. The rest of the settings are fine as they are. Click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1340 alignnone\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>.<\/li>\n<li>After it refreshes, you will notice two boxes, for Network Address and Subnet Mask. Enter the desired IP address range for the new\u00a0<span style=\"color: #ff9900;\">guest <\/span>network. In this example, we use <span style=\"text-decoration: underline;\">192.168.10.1<\/span>. Click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>.<\/li>\n<li>Next, we must add our guest WLAN to this bridge. Because the guest WLAN is a Virtual AP, it is named\u00a0<strong>wl0.1<\/strong>. So, under the\u00a0<strong>Assign to Bridge<\/strong> section, click Add, and select\u00a0<strong>br1<\/strong> as the bridge, and\u00a0<strong>wl0.1<\/strong> as the interface. Click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>.<\/li>\n<li>Now, onto the last step for this page. At the very bottom, there is a section called\u00a0<strong>Multiple DHCP Server<\/strong>. In order to give IP addresses to the guest clients, we need to create another server instance.<\/li>\n<li>In this section, click Add, and select <strong>br1<\/strong>.\u00a0By default, it will give out up to 50 IP addresses. 
Finally, click <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>.<\/li>\n<\/ol>\n<p>The final step for getting DHCP working is on another page. Navigate to the Services tab, add the following to the DNSmasq section, and <a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a>:<\/p>\n<blockquote><p># Enables DHCP on br1<br \/>\ninterface=br1<br \/>\n# Set the default gateway for br1 clients<br \/>\ndhcp-option=br1,3,192.168.10.1<br \/>\n# Set the DHCP range and default lease time of 24 hours for br1 clients<br \/>\ndhcp-range=br1,192.168.10.100,192.168.10.150,255.255.255.0,24h<\/p><\/blockquote>\n<p><a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/DNSmasq.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1369\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/DNSmasq.png\" alt=\"DNSmasq\" width=\"594\" height=\"197\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/DNSmasq.png 594w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/DNSmasq-300x99.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/a><\/p>\n<p>The reason for this is because we will be disabling the normal DHCP server in our last step, in order to incorporate the Access Point into our private network. Thus we need to configure DNSmasq as the server for the <span style=\"color: #ff9900;\">guest<\/span> network.<\/p>\n<h2>4. Firewall Rules<\/h2>\n<p>At this point, we have both private and guest wireless networks. 
The guest network is still not fully isolated from the private network, and doesn&#8217;t have Internet access.<\/p>\n<p>To fix these points, and also add some security, go to the Administration -&gt; Commands page, and copy and paste the following in the <strong>Command Shell<\/strong>:<\/p>\n<blockquote>\n<pre>#Allow guest bridge access to Internet\r\n iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT\r\n iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\r\n#Block access between private and guest\r\n iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP\r\n iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`\/`nvram get lan_netmask` -m state --state NEW -j DROP\r\n#NAT to make Internet work\r\n iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`\r\n<span style=\"color: #ff6600;\">#Block torrent and p2p\r\n iptables -I FORWARD -p tcp -s 192.168.10.0\/24 -m connlimit --connlimit-above 50 -j DROP\r\n iptables -I FORWARD -p ! tcp -s 192.168.10.0\/24 -m connlimit --connlimit-above 25 -j DROP<\/span>\r\n#Block guest access to router services\r\n iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset\r\n iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset\r\n iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset\r\n iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset<\/pre>\n<\/blockquote>\n<p><strong>Note: <\/strong>Some people have reported issues with the <span style=\"color: #ff6600;\"><em>#Block torrent and p2p section<\/em><\/span>. The limit may be too low to load modern sites, sometimes making the guest network unusable. 
I would recommend leaving this out unless you want to be really restrictive.<\/p>\n<p>Finally, click &#8220;Save Firewall&#8221;.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Firewall.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1370\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Firewall.png\" alt=\"Firewall\" width=\"564\" height=\"384\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Firewall.png 806w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/Firewall-300x203.png 300w\" sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/a><\/p>\n<p>Do not be tempted to change the backticks around the\u00a0<strong>nvram<\/strong> commands; they perform shell command substitution, and the block works exactly as is.<\/p>\n<p>The section for blocking P2P works by limiting the maximum number of concurrent connections made by a client. P2P services open many connections, which significantly impacts network performance. So for TCP connections, it limits clients to 50, and for UDP they are limited to 25.<\/p>\n<p>Blocking router services on the guest side is a good security idea. In this example, it prevents telnet, ssh, www and https access to the router.<\/p>\n<h2>5. Adding it to the private network<\/h2>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/5-Setup.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1368 alignright\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/5-Setup.png\" alt=\"5 - Setup\" width=\"338\" height=\"516\" srcset=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/5-Setup.png 804w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/5-Setup-196x300.png 196w, https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/12\/5-Setup-670x1024.png 670w\" sizes=\"auto, (max-width: 338px) 100vw, 338px\" \/><\/a><\/p>\n<p>We are almost done! 
All that is left is to include it in the private network. To begin, click the Setup tab.<\/p>\n<p>The following steps all need to be done in sequence. Do not click Apply Settings until the very end!<\/p>\n<ol>\n<li>Disable the WAN connection by setting the\u00a0<strong>WAN Connection Type<\/strong> to Disabled.<\/li>\n<li>Change the Router IP address to something that is\u00a0<strong>a)<\/strong>\u00a0in your private subnet and\u00a0<strong>b)<\/strong>\u00a0not already in use. For example, if your existing router is <span style=\"text-decoration: underline;\">192.168.1.1<\/span>, change this to <span style=\"text-decoration: underline;\">192.168.1.2<\/span>.<\/li>\n<li>Set the\u00a0<strong>Gateway<\/strong> and <strong>Local DNS<\/strong> settings to the IP address of your existing router (i.e.\u00a0<span style=\"text-decoration: underline;\">192.168.1.1<\/span>).<\/li>\n<li>Toggle the DHCP server from\u00a0<strong>Enabled<\/strong> to\u00a0<strong>Disabled<\/strong>.<\/li>\n<li>If you want the router to keep time, enter the NTP settings.<\/li>\n<li><a href=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.danjoannis.com\/wp-content\/uploads\/2013\/11\/Apply.png\" alt=\"Apply\" width=\"68\" height=\"16\" \/><\/a><\/li>\n<\/ol>\n<h2>6. Making the connections<\/h2>\n<p>Now that all these settings are in place, you can reconnect your computer to your existing network. Alternatively, you can leave it connected to this router, as the wired connections will still be in the private network.<\/p>\n<p>Connect any of the remaining LAN ports of this guest router to your existing network. The Internet port is disabled in this configuration.<\/p>\n<p>Your computer should now be on your <span style=\"color: #3366ff;\">private<\/span> network. 
Now you can begin testing by connecting a wireless client to the <span style=\"color: #ff9900;\">guest<\/span> network, verifying Internet access, and ensuring it cannot communicate with any of the private computers.<\/p>\n<h2>Resources!<\/h2>\n<p>The DD-WRT Wiki is very helpful. Here is the <a href=\"http:\/\/www.dd-wrt.ca\/wiki\/index.php\/Multiple_WLANs\" target=\"_blank\">specific page<\/a> that helped me get it all working (note the &#8220;for WAPs &#8211; WAN port disabled&#8221; commands.)<\/p>\n<p>Also, <a href=\"http:\/\/www.howtogeek.com\/153827\/how-to-enable-a-guest-access-point-on-your-wireless-network\/\" target=\"_blank\">How-To Geek<\/a> had great information for the DNSmasq settings, and for blocking guest access to router services.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I was asked to configure a WiFi access point for a small business, who needed to have both a private internal network, and a public guest network. There are many privacy concerns when having guests share your network. 
Specifically, it is desirable to: Disallow access to any computers on the private network Prevent network [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,285,138],"tags":[294,286,66,288,293],"class_list":["post-1362","post","type-post","status-publish","format-standard","hentry","category-computers","category-networking","category-work","tag-ap","tag-dd-wrt","tag-internet","tag-router","tag-wifi"],"_links":{"self":[{"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=\/wp\/v2\/posts\/1362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1362"}],"version-history":[{"count":38,"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=\/wp\/v2\/posts\/1362\/revisions"}],"predecessor-version":[{"id":1733,"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=\/wp\/v2\/posts\/1362\/revisions\/1733"}],"wp:attachment":[{"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.danjoannis.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}