Adventures in Guest Networking with DD-WRT

From Mike Beane's Blog

Background

I've had DD-WRT running on an old WRT54G2 for a while, and today I decided to look into setting up a guest network for visitors. What could go wrong with that?

First, I have to give Odian The Linux Guy credit for his 2016 YouTube video, Setting up Guest Wifi On DD-WRT. It was extremely helpful; however, there were a few nuances I didn't catch from watching the video (my apologies to Odian if the info was in the video and I missed it), and I kept dead-ending.

But I kept hammering away....

This setup assumes you can log into the DD-WRT router and configure it, and that you are doing a LAN-to-LAN connection from this router to your main router. The firmware I used was old, but understand that I spent so much time troubleshooting before I realized the issue that I can't be bothered to flash the router up to the current release and test. If I do, I'll update the directions.

I now have two separate WRT54G2s running, with different 192.168.x.x offerings, and they are independent of each other (as I'm typing this, I realize I need to reconsider how I'm offering connections and DHCP from one 192.168.x.x scope, but seriously, I've been at this for way too long today).

Here we go....


Tools

  • Router Model: Linksys WRT54G2 / GS2
    • Note: This is a LAN to LAN setup, not a LAN to WAN
    • Firmware: DD-WRT v3.0-r31899 micro (04/24/17)
    • Firmware: DD-WRT v3.0-r29968 micro (06/17/16)
  • Router Model: Cisco M10 Valet V1
    • Firmware: DD-WRT v3.0-r38159 std-nokaid-small (01/02/19)
  • I may try other firmwares later

Setup

  • Note: Sub categories are tab locations within DD-WRT config

Basic Setup

Router IP

  • Setup router IP with LAN IP (directions assume you can log into the router)
    • DNS: 8.8.8.8 (we're going to block access to the router later)
  • Attach to LAN via Ethernet Ports 1-4 (we will not be re-assigning the WAN port)

DHCP

  • Set to DHCP Forwarder
  • Leave 0.0.0.0

Time Settings

  • Disable
  • Apply\Save (router should reboot)

Wireless

Basic Settings

Virtual Interface

  • Add Virtual Interface
  • Name the SSID: GUEST-GUEST
    • Wireless SSID Broadcast: enabled
    • AP Isolation: disable
    • Network configuration: Bridged
  • Apply\Save

Wireless Security

Basic Settings

  • Virtual Interfaces wl0.1 SSID [GUEST-GUEST]
    • Security Mode: your choice
      • Settings based on your choice
  • Apply\Save (router may reboot)

Setup

Networking

Create Bridge

  • Add br1
    • STP ON
    • Apply\Save
  • Assign to Bridge
    • br1 to wl0.1
    • Apply\Save
  • Verify the Current Bridging Table shows (bridge, STP, attached interfaces):
      br0   no    vlan0 eth1
      br1   yes   wl0.1

Port Setup

  • Find Network Configuration br1 on the page
  • Configure settings according to your network:
    • TX Queue Length: 1000
    • MTU: 1500
    • Multicast forwarding: Disable
    • Masquerade / NAT: Disable
    • Net Isolation: Disable
    • Forced DNS Redirection: Enable
    • Optional DNS Target: 8.8.8.8
    • IP Address: 192.168.5.1
    • Subnet Mask: 255.255.255.0
  • Apply\Save

DHCPD

  • Add Server
    • br0 and set to off
    • br1 and set to on
  • Apply\Save
  • Note the dhcp range on br1

Administration

Commands

  • Add iptables info for this network (note the IP address should be your network)
    # Allow guest bridge access to the Internet
    # (-I inserts at the top of the chain, so every rule entered later sits above
    #  the earlier ones; keep this order so the DROP rules end up ahead of this ACCEPT)
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # Block access between private (br0) and guest (br1) in both directions
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
    # NAT to make the Internet work: guest traffic leaves with this router's LAN address,
    # so the main router needs no route back to the guest subnet
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
    # Block torrent and p2p by capping connections per guest host
    # change the IP address to the IP of your guest network x.x.x.x/24
    iptables -I FORWARD -p tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 50 -j DROP
    # ("-p ! tcp" is the older negation syntax; newer iptables writes it as "! -p tcp")
    iptables -I FORWARD -p ! tcp -s 192.168.5.0/24 -m connlimit --connlimit-above 25 -j DROP
    # Block guest access to router services (telnet, ssh, http, https);
    # use numeric ports 23 22 80 443 if the firmware has no /etc/services for the names
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

Setup

  • Apply\Save (router may reboot)
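The rule list above hard-codes 192.168.5.0/24, which is easy to get wrong when your guest bridge uses a different address. As an added example (not from the original post or from DD-WRT), this script derives the guest network from the br1 address and mask and prints the same rule set with the values filled in; the LAN address and mask are passed as arguments because on the router they would come from `nvram get lan_ipaddr` and `nvram get lan_netmask`.

```shell
#!/bin/sh
# Added example: compute the guest subnet from the br1 IP/mask and print the
# post's firewall rules with that subnet and the LAN address filled in.
# All addresses below are constructed sample values.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length of a dotted netmask (count of set bits).
prefixlen() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# Network in CIDR form: guest_net 192.168.5.1 255.255.255.0 -> 192.168.5.0/24
guest_net() {
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    echo "$(int2ip "$net")/$(prefixlen "$2")"
}

# guest_rules GUEST_IF GUEST_IP GUEST_MASK LAN_IP LAN_MASK
# Order matters: -I prepends, so the DROP rules issued later land above the
# ACCEPT issued first. Router-service ports are given numerically (23 22 80 443)
# so the rules do not depend on /etc/services being present.
guest_rules() {
    guest=$(guest_net "$2" "$3")
    cat <<EOF
iptables -I FORWARD -i $1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o $1 -m state --state NEW -j DROP
iptables -I FORWARD -i $1 -d $4/$5 -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $4
iptables -I FORWARD -p tcp -s $guest -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD ! -p tcp -s $guest -m connlimit --connlimit-above 25 -j DROP
EOF
    for p in 23 22 80 443; do
        echo "iptables -I INPUT -i $1 -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
}

# Sample run: guest bridge 192.168.5.1/24, this router's LAN side 192.168.1.5/24.
guest_rules br1 192.168.5.1 255.255.255.0 192.168.1.5 255.255.255.0
```

The script only prints; on the router its output is what you would paste into the Commands box described above.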