Adventures in Guest Networking with DD-WRT
From Mike Beane's Blog
Background
I've had DD-WRT running on an old WRT54G2 for awhile and today I decided to look into setting up a guest network for visitors. What could go wrong with that?
First, I have to give Odian The Linux Guy credit for his 2016 YouTube video: Setting up Guest Wifi On DD-WRT, this was extremely helpful, however there were a few nuances that I didn't catch from watching the video (my apologies to Odian if the info was in the video and I missed it) and I kept dead ending.
But I kept hammering away....
This setup assumes you can log into the DD-WRT router and configure it, and that you are doing a LAN-to-Lan connection with the router to your main router. The firmware I used was old, but understand I spent too much time troubleshooting until I realized the issue that I can't be bothered to flash the router up to current release and test. If I do, I'll update the directions.
I now have two separate WRT54G2 running, with different 192.168.x.x offerings and they are independent of each other (as I'm typing this, I realize I need to reconsider how I'm offering connections and DHCP from one 192.168.x.x scope, but seriously, I've been at this for way too long today).
Here we go....
Tools
- Router Model: Linksys WRT54G2 / GS2
- Note: This is a Lan to Lan setup, not a LAN to WAN
- Firmware DD-WRT v3.0-r31899 micro (04/24/17)
- Firmware: DD-WRT v3.0-r29968 micro (06/17/16)
- Router Model: Cisco M10 Valet V1
- Firmware: DD-WRT v3.0-r38159 std-nokaid-small (01/02/19)
- I may try other firmwares later
Setup
- Note: Sub categories are tab locations within DD-WRT config
Basic Setup
Router IP
- Setup router IP with LAN IP (directions assume you can log into the router)
- DNS: 8.8.8.8 (we're going to block access to the router later)
- Attach to LAN via Ethernet Ports 1-4 (we will not be re-assigning the WAN port)
DHCP
- Set to DHCP Forwarder
- Leave 0.0.0.0
Time Settings
- Disable
- Apply\Save (router should reboot)
Wireless
Basic Settings
Virtual Interface
- Add Virtual Interface
- Name the SSID: GUEST-GUEST
- Wireless SSID Broadcast: enabled
- AP Isolation: disable
- Network configuration: Bridged
- Apply\Save
Wireless Security
Basic Settings
- Virtual Interfaces wl0.1 SSID [GUEST-GUEST]
- Security Mode: your choice
- Settings based on your choice
- Security Mode: your choice
- Apply\Save (router may reboot)
Setup
Networking
Create Bridge
- Add br1
- STP ON
- Apply\Save
- Assign to Bridge
- br1 to wl0.1
- Apply\Save
- Verify Current Bridging Table shows
br0 no vlan0 eth1 br1 yes wl0.1
Port Setup
- find Network Configuration br1 on the page
- configure settings according to your network:
TX Queue Length 1000 MTU 1500 Multicast forwarding: Disable Masquerade / NAT: Disable Net Isolation: Disable Forced DNS Redirection: Enable Optional DNS Target: 8.8.8.8 IP Address: 192.168.5.1 Subnet Mask: 255.255.255.0
- Apply\Save
DHCPD
- Add Server
- br0 and set to off
- br1 and set to on
- Apply\Save
- Note the dhcp range on br1
Administration
Commands
- Add iptables info for this network (note the IP address should be your network)
#Allow guest bridge access to Internet iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu #Block access between private and guest iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP #NAT to make Internet work iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` #Block torrent and p2p #change the IP address to the IP of your guest network x.x.x.x/24 iptables -I FORWARD -p tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 50 -j DROP iptables -I FORWARD -p ! tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 25 -j DROP #Block guest access to router services iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Setup
- Apply\Save (router may reboot)