Posted: Tue Jul 15, 2014 9:57 Post subject: SSIDs (wireless interfaces) to seperate Networks
Hi
I have a simple question, but I got confused with the information I have found in the wiki and forum posts.
Basically one hardware serving two WiFi interfaces, SSIDs for two separate networks without any routing or connection between them.
DD-WRT used for this is NOT working as a router (it is not doing any routing, another DD-WRT is doing the routing.)
WAN port is not used(I can use it if I need to)
Create two WiFi wireless interfaces, SSIDs
- SSID1 >> connected to the default switch or the network (lets say Port1)
- SSID2 >> connected to a separate port Not to the default switch (lets say Port2)
I want to connect
- Port1 to network1 (eg corp network or home network)
- Port2 to network2 (eg special network, separate independent net)
Optionally
I would prefer to run a DHCP on one of the networks if I can eg on network2, Port2 SSID2
Any guideline or details are appreciated.
Cheers _________________ ~niPPit~
- two SSID's broadcasting from an Access Point running DD-WRT?
- One SSID would be for the "Private" network and the other would be a "Guest" network.
- The "Private" network would be on the "main LAN" whereas the "Guest" would be isolated and could only get out to the Internet. Not talk to anyone else.
Is this right? If so we need to know what kind of router you have (Make, Model, and Version) and what Build (with build number) of DD-WRT you are running.
- two SSID's broadcasting from an Access Point running DD-WRT?
- One SSID would be for the "Private" network and the other would be a "Guest" network.
- The "Private" network would be on the "main LAN" whereas the "Guest" would be isolated and could only get out to the Internet. Not talk to anyone else.
Is this right? If so we need to know what kind of router you have (Make, Model, and Version) and what Build (with build number) of DD-WRT you are running.
Nope sorry but this is not my question
Your senario works, only if ddwrt is set as router and Internet is connected to the same ddwrt.
My request in fact got nothing to with Internet
Security _________________ ~niPPit~
I think it would be a good idea to rephrase your question. Tell us exactly what it is you are trying to accomplish...not what you want to do, but what you want to accomplish. Maybe if you gave an example of clients connecting and what they have access to and what they wouldn't have access to that would really help.
When you said "only if ddwrt is set as router and Internet is connected to the same ddwrt." You may not be aware that DD-WRT can be installed and used as an Access Point whereas it forward's DHCP requests from your main router when on the "Private SSID" and it can be setup to act as a DHCP controller for the "Guest SSID".
If you want to have DHCP requests for both SSID's be forwarded to the main DD-WRT router (not the DD-WRT unit acting as just an AP) you will have to use VLANs to do that. It gets pretty complicated to accomplish.
Lastly, sure hope you're using a router with a Broadcom chipset. If it's an Atheros you may want to give up now. Still don't think the Atheros chipsets support VLANs which means that the multiple SSID's and separating them will NOT work. We really need to know the Make and Model of the router and the Build of DD-WRT. Doesn't really matter what you want to do with it, we still need to know that.
I think it would be a good idea to rephrase your question. Tell us exactly what it is you are trying to accomplish...not what you want to do, but what you want to accomplish. Maybe if you gave an example of clients connecting and what they have access to and what they wouldn't have access to that would really help.
When you said "only if ddwrt is set as router and Internet is connected to the same ddwrt." You may not be aware that DD-WRT can be installed and used as an Access Point whereas it forward's DHCP requests from your main router when on the "Private SSID" and it can be setup to act as a DHCP controller for the "Guest SSID".
If you want to have DHCP requests for both SSID's be forwarded to the main DD-WRT router (not the DD-WRT unit acting as just an AP) you will have to use VLANs to do that. It gets pretty complicated to accomplish.
Lastly, sure hope you're using a router with a Broadcom chipset. If it's an Atheros you may want to give up now. Still don't think the Atheros chipsets support VLANs which means that the multiple SSID's and separating them will NOT work. We really need to know the Make and Model of the router and the Build of DD-WRT. Doesn't really matter what you want to do with it, we still need to know that.
Thanks sure I can do that
First all the routers I have are Broadcom, I have few WRT54Gs, few WHR-HP-G54, few RT-N16s and all new ones RT-AC68U. I will specifically be using RT-N16 for this purpose.
current version installed is Build 18024 mega. I can upgrade or downgrade as required
WHAT I WANT TO ACHIVE:
Create two WiFi wireless interfaces, SSIDs
- SSID1 >> connected to the default switch or the network (lets say Port1)
- SSID2 >> connected to a separate port Not to the default switch (lets say Port2)
I want to connect
- Port1 to network1 (eg corp network or home network)
- Port2 to network2 (eg special network, separate independent net)
Two WiFi interfaces broadcasting on access point DD-WRT each interface connecting to separate network.
currently (sadly) we have two APs, physically sitting next to each other. both set up as AP DD-WRT. they are connected to separate LAN by separate Ethernet cable. they are independent networks. DHCP, routing etc all handled by other devices on those networks independently.
if you want to call it guest and private network it is fine.(but this is not typical)
there is no need for VLAN as guest network will have its own cable connected to Port2 of the access point
and
private network will be connected to Port1 of the access point
then
Port1>>SSID1 is the private network. AP for private networks between Port1 and SSID1
Port2>>SSID2 is the guest network. AP for guest network between Port2 and SSID2
this also means that Port1 and Port2 are NOT on the same switch, they are seperate.
(WHY NOT TYPICAL, when you normally mean guest and private networks:
- private network is connected to private network AP (SSID) + LAN + routing to WAN.
- guest network is connected to guest network AP (virtual interface SSID) NO LAN + routing to WAN
as you can see this is NOT what I am trying to do. each AP SSID needs to connect to a port of their own)
thanks for spending time reading these _________________ ~niPPit~
I'm still a little fuzzy on this. So try not to get too frustrated. It really looks like to me you need to have tagged VLANs to do what you want to do (on both main router and WAP). Check out this post below and pay particular attention to what mache said he did. I think this is what you want to do. Only issue, I was the last post in that thread and would have loved to see the instructions for setting that up. But never got any response back from mache. Here is the link:
One more thing, if this still is not what you are trying to accomplish can you give me some specific scenarios of why you want to set this up? For example, "Client 1 that connects to SSID 1 is this kind of client with this type of network access. Client 2 connects to SSID 2 for this reason with this type of access." I know it's frustrating sometimes trying to explain things but I have often found that if I describe very technical things to completely non-technical people I get better results even when those people are very technically proficient in the first place. The whole "assume nothing" thing.
@80sguitartist
What Mache writes IS NOT what I am trying to do.
I guess when I say independent networks you assume that at some point they will be connected to internet together. Again this is not the case.
When I mean two separate networks, I mean physical, for two purposes NO VLANS
Scenario
Device1/User1 connects to SSID1 that connects to Network1. on Network1 there are Server1A and Server1B. Device1 communicates with SERVER1x (NO VLANs)
This network has one switch two servers one AP one wireless device
Device2/user2 connects to SSID2 that connects to Network2. On network2 there are Server2a Server2b, server2c (NO VLAN)
Weather these can access to the internet or not is not a problem.
I CAN NOT use VLANs. At the moment the above set up works with two AP sitting next to each other.
I want one AP (DD-WRT), to have two switches(maybe I should say bridges), two AP and no connection between them. No routing.
You are thinking of guest and private networks connecting these using the same LAN cat5 cable to the main switch. We have two cat 5 cables the data in them are not connected to each other. This is because we cannot use VLANs _________________ ~niPPit~
Alright, I think I've got what you are saying. However, it would probably be best to actually draw up a schematic (diagram) of how everything would work. Visually it makes it a lot easier to see what SSID1, SSID2, Network1, Network2, Port1, Port2, and all that other stuff is you are talking about. But, I do have an idea of what you want to do.
Now here comes the big thing. I have NO earthly idea how you would do this without utilizing VLANs. You would create VLANs and then start bridging stuff together or separating them. (At least having VLANs on the WAP running DD-WRT.) If I saw a diagram of what you were doing maybe then I would understand your persistence for not using VLANs.
It is so annoying.. I have typed a reply originally and hit send.
Now I realised the page says…
Information
Mistake! There was an attempt of an automatic insert of the message in a forum. Your message is not posted. Try still times who knows - can it will turn out? Still probably, that you too long wrote the message - then pass to page back, copy the text, update page, insert the copied text and press button "Send".
I don’t have anything when I click page back
@80sguitartist
It is not my personal persistence on NO VLANs, it is device dependencies.
Personally I don’t care if we use VLANs or NOT.
VLANs are useful when you need to separate two network segments in the same physical layer. This is NOT my case. We have two physical network cable (cat5e cat6 etc) two separate switch. The networks do not get connected physically at all. And this will stay as is.
As of now;
I have physical AP1 connect to network1,
next to it
there is another physical AP2 connected to network2,
two physical networks two physical AP.
-Network1 has server1a server1b etc user1/device1 connected to SSID1 gets access to servers on network1. NO access to other networks.
-Network2 has server2a server2b etc user2/device2 connect to SSID2 gets to access to servers on network2
You may be assuming that there is one cable Ethernet cable between these devices, but they are separate, individual.
You may also assuming that they will be connected to single router to access internet at some point on the network again this is not the issue here.
I am trying to set up one DDWRT router/AP to have two independent switches (maybe I should say bridges) both having separate AP attached to them and NO routing or connection between these two.
WHY?
Devices we use are embedded devices with poor or not full implementations of TCP/IP stack due to their design and usage. (I am NOT taking about a mobile phone or a PC) if we enable VLANs or some other features they fail to communicate!
Alright nippit, got some "Somewhat good news". I now know EXACTLY what you are trying to do. It does make sense, albeit a lot of work especially if you've already got two APs already set up getting the job done. I could understand if you were an IT Consultant and had to set this stuff up a lot and therefore did not want to put two APs in on every install. But, if it's just one, I'd probably say, "Screw it, it works".
Now with all that said I have no earthly idea how you would ever accomplish this without separating the Ports on the back of the AP. Hence, VLANs. So when you say no to VLANing because,
"Devices we use are embedded devices with poor or not full implementations of TCP/IP stack due to their design and usage. (I am NOT taking about a mobile phone or a PC) if we enable VLANs or some other features they fail to communicate!"
I'm thinking one of two things 1) What the hell types of devices are you using that don't work with VLANs? or 2) I don't think you have set up VLANs properly in DD-WRT (yes, it can be really tough to get it working on all devices properly especially when some of those devices don't want to renew their IP addresses).
So unfortunately I can only see two options. 1) Leave it how you have it set up now or 2) Start working more in a test environment with VLANs as that's the only way I know this could be possible. Since other members haven't chimed in I'd say it doesn't look too good.
Nippit I understand perfectly what you want to do -- I AM TRYING TO DO THE EXACT SAME THING, except I indeed want to use one ethernet cable and segregate the traffic using what some folks here are calling "VLANs."
More specifically I want to put one port into trunk mode and do dot1q (802.1Q) tagging based on VLAN. I see that you prefer to use two separate switchports each in access mode instead of trunking.
This DD-WRT is a joke. Okay so you guys were able to port linux to run on a POS home wifi router. Okay you were able to compile and run some snippets of network-related code on it.
The CLI is trash. Come on guys. The rest of us use ios or junos. Even ftos is somewhat useable.
The architecture is questionable. How about I want the entire device to operate as a switch/bridge or pure access point? Not possible? Its gotta be a router? Not to mention your "bridge" inside the DD-WRT doesn't seem to have anything to do with a network bridge. (aka 2-port switch)
How about some documentation that actually allows a network professional to integrate this device into a system? Doesn't exist? Not even a whitepaper?
