Multiple WLANs
From DD-WRT Wiki
Revision as of 00:29, 7 March 2010, by Phuzi0n. This revision edits the Restricting Access section: the note "Restrict br1 from accessing the WAN" became "Restrict br1 from accessing the WAN port"; the iptables command on that line is unchanged.
Introduction
This guide teaches you how to broadcast multiple WLAN SSID's using virtual interfaces. You can have different encryption settings for each WLAN and you can restrict what they have access to.
Preparation
As with all configuration changes, it is best to connect your router with an Ethernet cable so that you do not get disconnected or locked out of your router while configuring it.
Broadcom Based Hardware
Very early Broadcom based routers have radios that do not support or only partially support multiple WLAN's. You will need to telnet to the router and run this command on the router:
nvram get wl0_corerev
- If the number is 4 or less then the router is too old.
- If it is between 5 and 8 then it is capable of multiple SSID's but not multiple BSSID's: the wireless interfaces will all share the same MAC address, so some client devices might not recognize both WLAN's, and you will need to use a build that has a VINT wireless driver.
- If it is 9 or above then the router fully supports multiple WLAN's.
Configuration
GUI Method
Basic Wireless Settings
Use a web browser to connect to your router's web GUI. Navigate to the Wireless -> Basic Settings page and under the Virtual Interfaces section press the "Add" button to add a new virtual interface. Leave the Network Configuration set to "Bridged" for all interfaces regardless of whether you want to bridge them or not because "Unbridged" has unresolved bugs at the time this was written (svn 13312). To get a working unbridged interface we will actually assign it to its own bridge later on. You may change any of the other settings to your liking.
Press the "Apply Settings" button, wait 1 minute, and then you should be able to see and connect to your new WLAN SSID. Make sure that you can connect to it, receive a DHCP lease, and browse the network/internet before you do anything further.
Note: If you're using a Broadcom VINT build then some devices may have problems connecting. Often it is just that they will only display one SSID being broadcast, but they will still be able to connect if you manually create a profile for the virtual interface's SSID. Two of my old 802.11g adapters cannot see the VAP's SSID but can still connect with manual profiles, while my 802.11n adapter can see both SSID's being broadcast.
Encryption
Configure whatever encryption you desire on the Wireless Security page. For instance, you may want WPA2-AES for your main interface to have maximum security but use WEP or no encryption on the virtual interface to allow others to connect. You may also use the same encryption type on both in order to have different passwords for different people.
Note: Firmware builds prior to 12548 are known to have trouble with using different encryption settings.
Press the "Apply Settings" button, wait 1 minute, and then you should be able to see and connect to both WLAN SSID's using their new encryption settings. Make sure that you can connect to both SSID's, receive a DHCP lease, and browse the network/internet before you do anything further.
At this point you may stop if you want to allow everything to communicate together. If you are mixing strong encryption for your main network with weak encryption or none at all on the virtual interface then it is advisable to follow the steps below to separate the interfaces so that the virtual interface is restricted from communicating with your main network.
Separating the WLAN's
Navigate to the Setup -> Networking page. Press the "Add" button in the Create Bridge section and type "br1" into the blank input box that is on the left side of all the options that just appeared. Press the "Apply Settings" button at the bottom of the page and new input boxes will appear to specify the IP address for the new bridge.
This new bridge needs to have an address that is in a different subnet than your main LAN. By default the main router LAN address is 192.168.1.1 netmask 255.255.255.0 so we will use 192.168.2.1 netmask 255.255.255.0 for the br1 bridge interface. Press the "Apply Settings" button again so that the IP address will be assigned to the br1 interface before you continue.
Press the "Add" button in the Assign to Bridge section. Select "br1" in the left drop down menu that appeared and select "wl0.1" in the other. Press the "Apply Settings" button and the virtual wireless interface wl0.1 will now be moved from br0 to br1.
Press the "Add" button in the Multiple DHCP Server section. Select "br1" in the left drop down menu that appeared. Press the "Apply Settings" button to finish enabling the DHCP server for the br1 interface.
Note: If DHCP is disabled on your main LAN in Basic Setup because it is a WAP that connects LAN-LAN to an existing network instead of using the WAN port, then the Multiple DHCP method above will not work. Instead you will need to use the Command Method for DHCP.
You should now be able to connect to the VAP's SSID and receive a DHCP lease with an IP address that is in the 192.168.2.0/24 subnet. Make sure that you can connect to it, receive a DHCP lease, and browse the network/internet before you do anything further.
Command Method
This section does not contain complete instructions. Currently it only has substitutions for the GUI method to overcome problems with certain configurations.
DHCP
Go to the Services tab and find the Additional DNSMasq Options text area. Adjust the following options to fit your environment (omit the comments starting with '#'):
# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
Restricting Access
Now that you have your WLAN's working you can start limiting what access they have. Here are several iptables commands that you can save to your firewall script on the Administration -> Commands page. These commands are written in the same order that they should appear in your firewall script; changing the order can affect the way that they work, because each command uses -I to insert at the head of its chain, so the command issued last becomes the rule evaluated first (the specific DROP and ACCEPT rules must be issued after the general rules they are meant to override). Mix and match them however you like, just be sure to keep them in the order they appear on this page.
If you have any problems with your firewall script, then create a forum thread and be sure to describe in great detail what you're trying to do, what it is actually doing, and post your firewall script.
Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
Restrict br1 from accessing the WAN port (do not use on WAP's)
iptables -I FORWARD -i br1 -o `nvram get wan_iface` -j DROP
Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
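The following is an added example, not a script from the DD-WRT wiki or the DD-WRT project. It assembles the Restricting Access commands above into one firewall script with the two variants the page describes: a router whose WAN port is in use (br1 isolated from br0 and from the router's own services except DHCP and DNS) and a LAN-LAN WAP with the WAN port disabled (br1 routed out br0 behind SNAT, but kept out of br0's subnet). The interface and address values are read from nvram exactly as the wiki commands do; the mode names, the BR1_NO_WAN and FW_APPLY switches, and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not the DD-WRT wiki's own script): assembles the isolation
# rules from the Restricting Access section into one firewall script.
#
#   MODE=router  WAN port in use: br1 may reach the internet but not br0 or
#                the router's own services (except DHCP and DNS)
#   MODE=wap     WAN port disabled (LAN-LAN WAP): br1 is routed out br0 with
#                SNAT but may not reach br0's subnet
#   BR1_NO_WAN=1 (router mode only) additionally drop br1 -> WAN port
#
# Because iptables -I inserts at the head of a chain, the command issued LAST
# becomes the rule evaluated FIRST. emit_rules keeps the page's order so the
# DROP rules end up above the generic FORWARD ACCEPT, and the DHCP/DNS ACCEPTs
# end up above the INPUT DROP.
MODE="${MODE:-router}"
BR1_NO_WAN="${BR1_NO_WAN:-0}"

# emit_rules MODE WAN_IF LAN_IP LAN_MASK
# Prints the iptables commands, one per line, in the order they must run.
emit_rules() {
    fw_mode="$1"; fw_wan="$2"; fw_lan_ip="$3"; fw_lan_mask="$4"
    case "$fw_mode" in
        router|wap) ;;
        *) echo "emit_rules: unknown mode '$fw_mode' (use router or wap)" >&2; return 2 ;;
    esac

    # FORWARD chain: traffic crossing the router between interfaces.
    # The general ACCEPT goes in first so every later DROP lands above it.
    echo "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT"
    echo "iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP"
    if [ "$fw_mode" = router ]; then
        echo "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP"
        if [ "$BR1_NO_WAN" = 1 ]; then
            echo "iptables -I FORWARD -i br1 -o $fw_wan -j DROP"
        fi
    else
        # WAP: keep br1 out of the main LAN subnet but let it transit br0,
        # masquerading as the router's LAN address.
        echo "iptables -I FORWARD -i br1 -d $fw_lan_ip/$fw_lan_mask -m state --state NEW -j DROP"
        echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $fw_lan_ip"
    fi

    # INPUT chain: traffic addressed to the router itself.
    # The blanket DROP goes in first; the DHCP/DNS ACCEPTs inserted after it
    # are evaluated before it.
    echo "iptables -I INPUT -i br1 -m state --state NEW -j DROP"
    echo "iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT"
}

# rule_count MODE WAN_IF LAN_IP LAN_MASK: number of commands that would run
rule_count() {
    emit_rules "$@" | wc -l | tr -d ' '
}

# apply_rules MODE WAN_IF LAN_IP LAN_MASK: run the commands on the router
apply_rules() {
    emit_rules "$@" | sh -e
}

# Only touch the live firewall when explicitly asked (FW_APPLY=1), reading the
# WAN interface and LAN address from nvram as the wiki commands do.
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules "$MODE" "$(nvram get wan_iface)" \
        "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"
fi
```

Run it once with FW_APPLY unset to preview what would be applied (for example, `MODE=wap sh firewall.sh; emit_rules wap "$(nvram get wan_iface)" "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"` from a telnet session), then paste it with `FW_APPLY=1` set at the top into the firewall script field on Administration -> Commands. After it has run, `iptables -L FORWARD -n -v --line-numbers` and `iptables -L INPUT -n -v --line-numbers` show the resulting order: the br1 DROP rules should be listed above the generic br1 ACCEPT in FORWARD, and the DHCP/DNS ACCEPTs above the br1 DROP in INPUT. If a guest client can still reach a host on 192.168.1.0/24, that listing is the first thing to check.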