Dual SSID one for public network

From DD-WRT Wiki

Jump to: navigation, search

NOTE: This is an old unmaintained and duplicate guide. You should use one of the following currently maintained guides instead.

To separate the WLAN from the LAN see: Separate LAN and WLAN

To create more than one WLAN and optionally separate them see: Multiple WLANs


[edit] DD-WRT v24 Release

This worked for me on V24 release with wrt54GL

My main network is

1) Wireless -->basic setting added another Interface, unbrigged, and with IP of, mask of

2) In wireless security, configure the security for the second adapter.

Apply changes.

3)Setup - networking --> dhcpD add another DHCP server for the second interface choose wl0.1. In my case it was 5 users

4) Administration---> commands

iptables -I INPUT -i wl0.1 -p icmp -j ACCEPT

iptables -I INPUT -i wl0.1 -p tcp --dport 23 -j logdrop

iptables -I INPUT -i wl0.1 -p tcp --dport 80 -j logdrop

iptables -I FORWARD -i wl0.1 -o br0 -j logdrop

By setting these rules, someone logging into the public wifi network cannot see or modify the router or see your network. Probably.

Save firewall

5)Reboot router

That's it

[edit] DD-WRT preSP2 v24

This was developed from the v24 release section above and VLAN Detached Networks each with Wireless and Internet on a WRT54GL v1.1 with Brainslayer's 13525 nokaid-generic release. Before doing the following the public/virtual AP would not get DHCP or pass traffic through the WAN.

  1. Set up the unit with an AP for your private wifi.
  2. Create the virtual AP but leave it bridged.
  3. Set up your security for the two APs (I used WPA Personal AES but read that TKIP can cause problems)
  4. Go to Setup-->VLANs and create VLAN2 with Port 4 from the device (i think it can be any of the LAN ports, just not the one you plug the LAN into) and leave it bridged to None and hit Save.
    To clarify, uncheck Port 4 from VLAN0 and check it on the VLAN2 row and leave or change the drop down towards the right to show None, and hit Save
  5. Go to Basic Setup-->Networking
  6. Create a new bridge (ie br1) and assign the IP you want the public/virtual AP to have and hit Save
  7. Add two assignments to the new bridge and make them wl0.1 and VLAN2, hit Save again
  8. Go to Services and enter this for the Additional DNSMasq Options (modify to your bridge ID and scope):
    1. interface=br1
    2. dhcp-option=br1,3,
    3. dhcp-option=br1,6,
    4. dhcp-range=br1,,,,120m
  9. Hit Save and go to Administration-->Commands
  10. Enter this code in the Command box:
    1. iptables -I INPUT -i br1 -j ACCEPT
    2. iptables -I INPUT -i br1 -p tcp --dport 23 -j logdrop
    3. iptables -I INPUT -i br1 -p tcp --dport 80 -j logdrop
    4. iptables -I INPUT -i br1 -p tcp --dport 443 -j logdrop
    5. iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
    6. iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
    7. iptables -I FORWARD -i br0 -o br1 -j logdrop
    8. iptables -I FORWARD -i br1 -o br0 -j logdrop
  11. Hit Save Firewall and wait for the box to empty
  12. Go to Administration and reboot the router


  • The iptables code MUST be in this order to work correctly
  • ppp0 is in the iptables as my device provides the PPPoE session for the DSL
  • The --dport lines block traffic to ONLY the device on those ports (management here)
  • The bottom two lines block traffic between the LAN and the public/virtual AP

After doing this DHCP worked like a charm from the virtual/public AP and I could hit the Internet from it as well, all while the LAN side worked as it should. It seems DNSMasq just didn't like to bond to the virtual interface or the virtual interface came up after DNSMasq. With that said, it might be possible to just create the bridge and just add wl0.1 to it while skipping the whole VLAN2 section and have it work. For me, the addition of the port is actually needed.

To better understand the DNSMasq Options listed above:

  • Line 1 is the interface to bind to (in this case it's the new bridge)
  • Line 2 is the gateway
  • Line 3 is the DNS
  • Line 4 is the dhcp range start,stop,subnet,lease time in minutes

Just to be clear, this was done from a factory reset on a WRT54GL v1.1 with Brainslayer's preSP2 v24 nokaid-generic build 13525. The SP2 release might affect how this works or might totally break it. Hopefully not unless the release has its own way to do this.
--Envoid 00:23, 10 July 2010 (CEST)

[edit] Links

[edit] References

[edit] Comments

I implemented two wireless networks on the same router using the instructions at Implementing Inexpensive Multiple SSID Networks, on which I based the recipe at Navas Wireless Wiki:Wi-Fi How To:Two wireless networks on one router. --JNavas 21:06, 18 September 2009 (CEST)