[spuriousoffspring]

[giles02134]

This has been an interesting experience, to say the least.

DD-WRT 3.0 Build 33342
Router: WRT1900ACSv2
Interface 1 is 5GHz
Interface 2 is 2.4GHz

Setup: Router is doing everything: WiFi, DHCP, DNS (via DNSMasq). There are no other routers or WAP's.

To summarize my experiences thus far:
Added a VAP to Interface 2 with basic settings (bridged). VAP SIDD wasn't broadcast, and wasn't accessible.

Added a VAP to Interface 1. It was broadcast, but all WiFi (Int. 1&2) became unavailable. I restored from an earlier backup and was able to resume
Added a VAP to interface 2 with all my settings (security, etc.)
Added another VAP to interface 2 with basic settings. The "Basic" VAP was visible, but the one I really wanted (the first one) was not. No way to delete the 1st VAP without first deleting the second.
Restored from backup once again, and rebooted.

So, I'm back to square one. I've read bits and pieces of what it takes to get a VAP running on recent builds when using DNSMasq for DHCP. You can't use the GUI interface to simply setup another DHCP range--it must be added through DNSMasq configuration.

I've also read that if you want to isolate the guest network from your regular WAP's, you need to configure an additional bridge.

I'd be most grateful for comments and suggestions from folks who have actually done this (and gotten it working) on a recent build. I'm reasonably experienced with DD-WRT, but the last time I configured a guest network was on v. 24, and things were less complication.

Thanks!

[htismaqe]

I set this up a LONG time ago so I can't go into a lot of detail but I can provide you with the link from when I went through this myself.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=287402&postdays=0&postorder=asc&start=0

In summary, there's just a few configuration steps. The final step involves manually editing the firewall (iptables) configuration - I've included my firewall config as well. You can enter these via the GUI, you don't have to SSH into the router.

1. Create two bridged virtual interfaces on ath0 and ath1. This will nullify the Net Isolation and NAT/Masquerade code, which only applies to unbridged virtual interfaces.
   
2. Enable AP Isolation on both virtual interfaces. NOTE: I'm fairly certain that AP Isolation will only work at the virtual interface level and creating a bridge group from both interfaces will allow clients on 2.4Ghz to see clients on 5Ghz and vice versa.
   
3. Create the br1 bridge interface and give it an IP address. Disable both Net Isolation and NAT/Masquerade since this will be accomplished via manual iptables rules.
   
4. Create DHCP server and assign it to br1.
   
5. Add the iptables rules.

My firewall rules with explanations:

# Block any remaining traffic from guest LAN after all other rules have been checked

iptables -I INPUT 2 -i br1 -m state --state NEW -j DROP

# Allow DNS and DHCP from guest LAN

iptables -I INPUT 2 -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 2 -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT 2 -i br1 -p udp --dport 67 -j ACCEPT

# Allow any traffic from guest LAN not satisfying first 2 rules to be forwarded

iptables -I FORWARD 2 -i br1 -j ACCEPT

# Block traffic from being forwarded between private LAN and guest LAN

iptables -I FORWARD 2 -i br0 -o br1 -j DROP
iptables -I FORWARD 2 -i br1 -o br0 -j DROP

# Enable Internet and NAT for guest LAN, if sourced from guest LAN

iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -o eth1 -j SNAT --to-source $(nvram get wan_ipaddr)[/i]

[giles02134]

Thanks!
Does the DHCP configuration apply even though I'm using DNSMasq for DHCP?

[htismaqe]

Yes.

[giles02134]

You said "Create two bridged virtual interfaces on ath0 and ath1."

By this, do you mean one VI on each? I assume you do, but just making sure since I'm a novice with any setup beyond basic stuff.

If I only want to offer a guest network on the 2.4GHz (ath1), would that work? Or is it necessary to bridge both interfaces no matter what?

Thanks again for your step-by-step instructions. Much appreciated.

[giles02134]

THIS JUST IN:

I updated to the latest build (33413), added a VAP to ath1, the 2.4GHz interface. The SSID didn't broadcast.

I changed the security to WPA2 Personal/AES, and the SSID now broadcasts.

My security settings on the two physical interfaces are:
WPA2 Personal / TKIP + AES

Apparently, for a VAP, those settings don't work.

I've read every post and online doc I could find about a "Guest" network on DD-WRT. I've opted for a basic setup.

I did NOT add a bridge
I DID create a separate DHCP range
Network Configuration is Unbridged
Masquerade/NAT is Enabled
Net Isolation is Enabled
Forced DNS redirection is Enabled

If I've made any major gaffs or omissions that those more experienced than myself think should be changed, by all means, please post!

[Gigabitten]

The more secure way to do this today probably might be to put the guest network in its own Vlan.

[Gigabitten]

[Dexterity06]

[giles02134]

FURTHER ADVENTURES

After running perfectly for 48 hours or so, my WiFi network began to break.

The physical 2.4GHz interface began asking for a username and password, while the VAP connected to it continued to work.

The 5GHz physical interface continued to function normally.

I reset the router to default, then restored a settings file from prior to setting up the VAP.

I then changed ALL the WiFi security settings from TKIP+AES to AES only.

I re-added the VAP, setting WiFi security the same as the physical interface: AES.
All other settings remain as noted in my earlier post.

So far, so good.

[rsmith2650]

Has the 48 hour record been broken? I have the 1900AVSV2 and want to get a guest network working so I am trying to follow your lead. Hoping it is not leading to a rat hole.

RSS

[giles02134]

All is running well now. I have my router set to reboot at 3:00a.m. each day, but since I reconfigured the WiFi security settings, I've not had any issues.

There are many posts about setting up guest networks that involve adding another bridge, and some firewall rules. I'm not enough of a Linux/DD-WRT guru to know if that's really necessary. I suspect that you'll get as many different answers as people you ask.

Here's what works for me on the most current release. This all assumes you've added a VAP to one of your physical interfaces. On my unit, ath1 is the 2.4GHz, so my VAP is ath1.1.

On the basic setup page:

Use dnsmasq for DNS
Use dnsmasq for DHCP

On the Wireless Basic Settings page:

Network mode is MIXED for both interfaces

On the Wireless Security Page

All interfaces (including your VAP) set to WPA2 Personal/AES (NOTE: AES only!

Under Setup/Networking, scroll down to your virtual interface (e.g. ath1.1):

Bridge Assignment: Unbridged
Multicast forwarding: Disable (default)
Masquerade / NAT: Enable
Net Isolation: Enable
Forced DNS Redirection: Enable
Optional DNS Target should be set to an external server, like Google: 8.8.8.8
IP Address: Set to a different starting point than your "Real" interfaces. If your primary interface is 192.168.1.1, then make this 192.168.15.1 or something like that.
Under DHCPD, configure another DHCP range for your virtual interface. For example, if you've attached your VAP to ath1, then the VAP will be ath1.1. BE SURE YOU PICK THE CORRECT ONE!

NOTE: Before you leave one setup page for the next, be sure to click "SAVE" at the bottom of the page. When you're done, click "Apply Settings". Or you could simply reboot the router.

Anyway, that's my story, and I'm sticking to it.