Dual SSID one for public network

From DD-WRT Wiki

(Difference between revisions)
Revision as of 16:02, 31 May 2008
Blaser
(How to enable dual SSID with V24 release, one public)
Current revision (00:57, 4 April 2011)
Phuzi0n
(point to newer guides)

(15 intermediate revisions not shown.)
Line 1: Line 1:
 +'''NOTE: This is an old unmaintained and duplicate guide. You should use one of the following currently maintained guides instead.'''
 +
 +To separate the WLAN from the LAN see: [[Separate LAN and WLAN]]
 +
 +To create more than one WLAN and optionally separate them see: [[Multiple WLANs]]
 +
 +
 +== DD-WRT v24 Release ==
This worked for me on V24 release with wrt54GL This worked for me on V24 release with wrt54GL
-My main network is 192.168.1.1 +My main network is 192.168.1.1
 + 
1) Wireless -->basic setting added another Interface, unbrigged, and with IP of 192.168.2.1, mask of 255.255.255.0 1) Wireless -->basic setting added another Interface, unbrigged, and with IP of 192.168.2.1, mask of 255.255.255.0
-2) In wireless security configure the security for the second adapter. + 
 +2) In wireless security, configure the security for the second adapter.
Apply changes. Apply changes.
-3)Setup - networking --> dhcpD added another DHCP server for the second interface chose wl0.1. +3)Setup - networking --> dhcpD add another DHCP server for the second interface choose wl0.1.
-In my case is was 192.168.2.10 5 users+In my case it was 192.168.2.10 5 users
4) Administration---> commands 4) Administration---> commands
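Review bot: Step 1, left unchanged by this revision, still reads "added another Interface, unbrigged" while step 3 was moved to the imperative ("add", "choose"). Correct the typo to "unbridged" and put steps 1 and 3 in the same tense so the procedure reads consistently.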
Line 20: Line 30:
iptables -I FORWARD -i wl0.1 -o br0 -j logdrop iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
 +;''WHAT DO THESE COMMANDS DO?'':By setting these rules, someone logging into the public wifi network cannot see or modify the router or see your network. Probably.
Save firewall Save firewall
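Review bot: The explanation added on the ''WHAT DO THESE COMMANDS DO?'' line ends in "Probably." and never says what each rule matches, so a reader cannot tell what is actually blocked. The FORWARD rule shown in this hunk only drops packets that enter on wl0.1 and leave on br0; describe each rule by interface, protocol and port, and replace the hedge with a statement of what was and was not tested.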
Line 26: Line 37:
That's it That's it
 +
 +
 +== DD-WRT preSP2 v24 ==
 +This was developed from the v24 release section above and [[VLAN Detached Networks each with Wireless and Internet]] on a WRT54GL v1.1 with Brainslayer's 13525 nokaid-generic release. Before doing the following the public/virtual AP would not get DHCP or pass traffic through the WAN.<br>
 +<br>
 +# Set up the unit with an AP for your private wifi.
 +# Create the virtual AP but leave it bridged.
 +# Set up your security for the two APs (I used WPA Personal AES but read that TKIP can cause problems)
 +# Go to ''Setup''-->''VLANs'' and create VLAN2 with Port 4 from the device (i think it can be any of the LAN ports, just not the one you plug the LAN into) and leave it bridged to ''None'' and hit ''Save''.<br>To clarify, uncheck Port 4 from VLAN0 and check it on the VLAN2 row and leave or change the drop down towards the right to show ''None'', and hit ''Save''
 +# Go to ''Basic Setup''-->''Networking''
 +# Create a new bridge (ie br1) and assign the IP you want the public/virtual AP to have and hit ''Save''
 +# Add two assignments to the new bridge and make them wl0.1 and VLAN2, hit ''Save'' again
 +# Go to ''Services'' and enter this for the ''Additional DNSMasq Options'' (modify to your bridge ID and scope):
 +##interface=br1
 +##dhcp-option=br1,3,192.168.2.1
 +##dhcp-option=br1,6,192.168.1.254
 +##dhcp-range=br1,192.168.2.20,192.168.2.220,255.255.255.0,120m
 +# Hit ''Save'' and go to ''Administration''-->''Commands''<br>
 +# Enter this code in the ''Command'' box:<br>
 +##iptables -I INPUT -i br1 -j ACCEPT
 +##iptables -I INPUT -i br1 -p tcp --dport 23 -j logdrop
 +##iptables -I INPUT -i br1 -p tcp --dport 80 -j logdrop
 +##iptables -I INPUT -i br1 -p tcp --dport 443 -j logdrop
 +##iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
 +##iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
 +##iptables -I FORWARD -i br0 -o br1 -j logdrop
 +##iptables -I FORWARD -i br1 -o br0 -j logdrop
 +# Hit ''Save Firewall'' and wait for the box to empty
 +# Go to ''Administration'' and reboot the router
 +
 +<br>NOTE:
 +*The iptables code MUST be in this order to work correctly
 +*ppp0 is in the iptables as my device provides the PPPoE session for the DSL
 +*The --dport lines block traffic to ONLY the device on those ports (management here)
 +*The bottom two lines block traffic between the LAN and the public/virtual AP
 +<br>
 +After doing this DHCP worked like a charm from the virtual/public AP and I could hit the Internet from it as well, all while the LAN side worked as it should. It seems DNSMasq just didn't like to bond to the virtual interface or the virtual interface came up after DNSMasq. With that said, it might be possible to just create the bridge and just add wl0.1 to it while skipping the whole VLAN2 section and have it work. For me, the addition of the port is actually needed.<br>
 +
 +<br>To better understand the DNSMasq Options listed above:
 +*Line 1 is the interface to bind to (in this case it's the new bridge)
 +*Line 2 is the gateway
 +*Line 3 is the DNS
 +*Line 4 is the dhcp range start''','''stop''','''subnet''','''lease time in minutes
 +
 +<br>Just to be clear, this was done from a factory reset on a WRT54GL v1.1 with Brainslayer's preSP2 v24 nokaid-generic build 13525. The SP2 release might affect how this works or might totally break it. Hopefully not unless the release has its own way to do this.
 +<br>--[[User:Envoid|Envoid]] 00:23, 10 July 2010 (CEST)
 +
 +== Links ==
 +*http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html
 +
 +
 +== References ==
 +*[[VLAN Detached Networks each with Wireless and Internet]]
 +*[[Separate_WLANs]]
 +*[[Multiple_WLANs]]
 +*[[Separate_LAN_and_WLAN]]
 +*[[Separate Lan and WLan]]
 +*[[WLAN separate from LAN, with independent dhcp, etc]]
 +
 +
 +== Comments ==
 +I implemented two wireless networks on the same router using the instructions at [http://www.wi-fiplanet.com/tutorials/article.php/10724_3714521_1 Implementing Inexpensive Multiple SSID Networks], on which I based the recipe at [http://wireless.navas.us/wiki/Wi-Fi_How_To#Two_wireless_networks_on_one_router Navas Wireless Wiki:Wi-Fi How To:Two wireless networks on one router]. --[[User:JNavas|JNavas]] 21:06, 18 September 2009 (CEST)
 +
 +
 +[[Category:Wlan]]
 +[[Category:Advanced tutorials]]
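Review bot: In the ''Command'' box list of the preSP2 section, "iptables -I INPUT -i br1 -j ACCEPT" admits every packet from the guest bridge to the router and only tcp 23, 80 and 443 are then dropped, so any other service the router runs stays reachable from the public AP. Consider accepting from br1 only what guests need from the router itself and dropping the rest of INPUT on that interface. The NOTE that the order matters would also be clearer if it said why: each -I inserts at the top of its chain, so the last command entered is evaluated first.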

Current revision

NOTE: This is an old unmaintained and duplicate guide. You should use one of the following currently maintained guides instead.

To separate the WLAN from the LAN see: Separate LAN and WLAN

To create more than one WLAN and optionally separate them see: Multiple WLANs


DD-WRT v24 Release

This worked for me on V24 release with wrt54GL

My main network is 192.168.1.1

1) Wireless --> Basic Settings: added another interface, unbridged, with an IP of 192.168.2.1 and a mask of 255.255.255.0

2) In wireless security, configure the security for the second adapter.

Apply changes.

3) Setup - Networking --> DHCPD: add another DHCP server for the second interface and choose wl0.1. In my case it was 192.168.2.10, 5 users.

4) Administration --> Commands

iptables -I INPUT -i wl0.1 -p icmp -j ACCEPT

iptables -I INPUT -i wl0.1 -p tcp --dport 23 -j logdrop

iptables -I INPUT -i wl0.1 -p tcp --dport 80 -j logdrop

iptables -I FORWARD -i wl0.1 -o br0 -j logdrop

WHAT DO THESE COMMANDS DO?
By setting these rules, someone logging into the public wifi network cannot see or modify the router or see your network. Probably.

Save firewall

5) Reboot router

That's it


DD-WRT preSP2 v24

This was developed from the v24 release section above and VLAN Detached Networks each with Wireless and Internet on a WRT54GL v1.1 with Brainslayer's 13525 nokaid-generic release. Before doing the following the public/virtual AP would not get DHCP or pass traffic through the WAN.

  1. Set up the unit with an AP for your private wifi.
  2. Create the virtual AP but leave it bridged.
  3. Set up your security for the two APs (I used WPA Personal AES but read that TKIP can cause problems)
  4. Go to Setup-->VLANs and create VLAN2 with Port 4 from the device (I think it can be any of the LAN ports, just not the one you plug the LAN into) and leave it bridged to None and hit Save.
    To clarify, uncheck Port 4 from VLAN0 and check it on the VLAN2 row and leave or change the drop down towards the right to show None, and hit Save
  5. Go to Basic Setup-->Networking
  6. Create a new bridge (i.e. br1) and assign the IP you want the public/virtual AP to have and hit Save
  7. Add two assignments to the new bridge and make them wl0.1 and VLAN2, hit Save again
  8. Go to Services and enter this for the Additional DNSMasq Options (modify to your bridge ID and scope):
    1. interface=br1
    2. dhcp-option=br1,3,192.168.2.1
    3. dhcp-option=br1,6,192.168.1.254
    4. dhcp-range=br1,192.168.2.20,192.168.2.220,255.255.255.0,120m
  9. Hit Save and go to Administration-->Commands
  10. Enter this code in the Command box:
    1. iptables -I INPUT -i br1 -j ACCEPT
    2. iptables -I INPUT -i br1 -p tcp --dport 23 -j logdrop
    3. iptables -I INPUT -i br1 -p tcp --dport 80 -j logdrop
    4. iptables -I INPUT -i br1 -p tcp --dport 443 -j logdrop
    5. iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
    6. iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
    7. iptables -I FORWARD -i br0 -o br1 -j logdrop
    8. iptables -I FORWARD -i br1 -o br0 -j logdrop
  11. Hit Save Firewall and wait for the box to empty
  12. Go to Administration and reboot the router


NOTE:

  • The iptables code MUST be in this order to work correctly
  • ppp0 is in the iptables as my device provides the PPPoE session for the DSL
  • The --dport lines block traffic to ONLY the device on those ports (management here)
  • The bottom two lines block traffic between the LAN and the public/virtual AP


After doing this DHCP worked like a charm from the virtual/public AP and I could hit the Internet from it as well, all while the LAN side worked as it should. It seems DNSMasq just didn't like to bond to the virtual interface or the virtual interface came up after DNSMasq. With that said, it might be possible to just create the bridge and just add wl0.1 to it while skipping the whole VLAN2 section and have it work. For me, the addition of the port is actually needed.


To better understand the DNSMasq Options listed above:

  • Line 1 is the interface to bind to (in this case it's the new bridge)
  • Line 2 is the gateway
  • Line 3 is the DNS
  • Line 4 is the dhcp range start,stop,subnet,lease time in minutes


Just to be clear, this was done from a factory reset on a WRT54GL v1.1 with Brainslayer's preSP2 v24 nokaid-generic build 13525. The SP2 release might affect how this works or might totally break it. Hopefully not unless the release has its own way to do this.
--Envoid 00:23, 10 July 2010 (CEST)
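
The NOTE above says the iptables lines must be entered in that order and that the --dport lines block only those ports on the device. The following is an added example, not part of the original guide or its authors' work: it replays the step 10 commands the way `-I` applies them (each insert goes to the top of its chain) and reports the first-match verdict for a few packets. It models only the match fields used on this page; the sample packets (tcp/22, udp/67) are constructed for illustration.

```python
import shlex

# Step 10's commands from the preSP2 section, in the order they are entered.
RULES = """\
iptables -I INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 23 -j logdrop
iptables -I INPUT -i br1 -p tcp --dport 80 -j logdrop
iptables -I INPUT -i br1 -p tcp --dport 443 -j logdrop
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j logdrop
iptables -I FORWARD -i br1 -o br0 -j logdrop
"""
OPTS = {"-i": "iif", "-o": "oif", "-p": "proto", "--dport": "dport",
        "--state": "state", "-j": "target"}
FIELDS = ("iif", "oif", "proto", "dport", "state")

def build_chains(script):
    """Replay the commands: -I without a rule number inserts at the top of the chain."""
    chains = {}
    for line in script.strip().splitlines():
        tok = shlex.split(line)
        rule = dict.fromkeys(FIELDS)
        for i, t in enumerate(tok):
            if t in OPTS:
                rule[OPTS[t]] = tok[i + 1]
        chains.setdefault(tok[tok.index("-I") + 1], []).insert(0, rule)
    return chains

def verdict(chains, chain, **pkt):
    """First matching rule wins; a field the rule does not set matches anything."""
    for rule in chains.get(chain, []):
        if all(rule[f] in (None, str(pkt.get(f))) for f in FIELDS):
            return rule["target"]
    return "no match (falls through to the rules already in the chain)"

if __name__ == "__main__":
    chains = build_chains(RULES)
    samples = [  # constructed packets arriving from the guest bridge br1
        ("INPUT", dict(proto="tcp", dport=80)),     # router web GUI
        ("INPUT", dict(proto="udp", dport=67)),     # DHCP request to the router
        ("INPUT", dict(proto="tcp", dport=22)),     # a port the drops do not name
        ("FORWARD", dict(oif="br0", state="NEW")),  # guest to private LAN
    ]
    for chain, pkt in samples:
        print(chain, pkt, "->", verdict(chains, chain, iif="br1", **pkt))
    swapped = build_chains("\n".join(reversed(RULES.strip().splitlines())))
    print("entered in reverse, tcp/80:", verdict(swapped, "INPUT", iif="br1", proto="tcp", dport=80))
```

Entered in reverse, the blanket ACCEPT lands on top of INPUT and the three management-port drops are never reached, which is why the order in step 10 matters.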

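Links

  • http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html


References

  • VLAN Detached Networks each with Wireless and Internet
  • Separate_WLANs
  • Multiple_WLANs
  • Separate_LAN_and_WLAN
  • Separate Lan and WLan
  • WLAN separate from LAN, with independent dhcp, etc


Comments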

I implemented two wireless networks on the same router using the instructions at Implementing Inexpensive Multiple SSID Networks, on which I based the recipe at Navas Wireless Wiki:Wi-Fi How To:Two wireless networks on one router. --JNavas 21:06, 18 September 2009 (CEST)