Set Up Multiple SSIDs and VLANs on a DD-WRT Router

Date: Jul 19, 2011 By Eric Geier. Article is provided courtesy of Cisco Press.
DD-WRT is arguably the most popular firmware replacement or upgrade for select wireless routers. Eric Geier, author of Wi-Fi Hotspots: Setting Up Public Wireless Internet Access, walks you through creating a second SSID, segregating it from the main SSID, making two of the LAN ports on the back of the router connect to just the new SSID, and leaving the other two LAN ports connected to the main SSID.

DD-WRT is arguably the most popular firmware replacement or upgrade for select wireless routers. In addition to many other things, it gives you the ability to create virtual wireless networks (multiple SSIDs) and configure virtual LANs (VLANs). These features let you offer public or separated access, and are usually found only in more expensive enterprise-level gear. You get them and much more at the cost of just a cheap home router.

In this tutorial, we’ll create a second SSID, segregate it from the main SSID, make two of the LAN ports on the back of the router connect to just the new SSID, and leave the other two LAN ports connected to the main SSID.

You might want to, for example, use this second SSID to offer your visitors wireless Internet access, or encrypt it for use by another department in your organization. Plus, you can also plug computers into the individual networks and/or expand each with more access points. We’ll make it so users won’t be able to snoop or communicate with users from the other SSID or LAN ports, to protect your shared folders and resources.

For the record, this tutorial is based on the standard DD-WRT version 24 Service Pack 1—more specifically, Build 10011.

Before continuing, flash your compatible wireless router with the DD-WRT firmware.

Creating the Virtual Wireless Network

Let’s get started! Bring up the web-based GUI by typing the IP address (192.168.1.1) into a browser and logging in with the username and password you created at the first login. Then follow these steps to create the new virtual SSID:

  1. Select the Wireless tab.
  2. Under the Virtual Interfaces section, click the Add button to add a new virtual interface.
  3. Specify the basic wireless settings.
  4. For the Network Configuration, choose Unbridged.
  5. Input an IP address in a different subnet from the main LAN, such as 192.168.2.1. The third octet must differ from the main network's (which uses 192.168.1.x), so that the two networks don't overlap.
  6. For the subnet mask, you’ll probably want to use the usual one: 255.255.255.0.
  7. Click Apply Settings to save and apply the changes.

Now create a new bridge and assign the new SSID to it:

  1. Select Setup > Networking.
  2. In the Create Bridge section, click the Add button, type br1 into the first (blank) field on the left, and click Apply Settings.
  3. In the new fields, input the same IP address and subnet mask that you did earlier in the Wireless settings, and click Apply Settings.
  4. In the Assign to Bridge section, click the Add button, select br1 in the left drop-down menu, select wl0.1 for the Interface, and click Apply Settings.

Lastly, let’s activate a DHCP server for the new bridge:

  1. Select Setup > Networking.
  2. In the Multiple DHCP Server section, click the Add button.
  3. Select br1 in the left drop-down menu.
  4. Click Apply Settings.
Separating the LAN ports

Now you can optionally split the Ethernet ports on the back of the router between the main and new networks; otherwise all of them stay assigned to the main network. First, we’ll move LAN ports 3 and 4 to a different VLAN:

  1. Select Setup > VLANs.
  2. Deselect the checkboxes for Port 3 and Port 4 (in the VLAN 0 column) and then check Port 3 and Port 4 in the VLAN 2 column.
  3. Click Apply Settings.

Now you must move VLAN 2 to the new bridge:

  1. Select Setup > Networking.
  2. In the Assign to Bridge section, click the Add button.
  3. Select br1 in the left drop-down menu.
  4. Select vlan2 for the Interface.
  5. Click Apply Settings.

Testing It Out

Now that we’ve done most of the configuration, you ought to test it out. Connect to the main SSID and plug into the first two LAN ports; you should get an IP within the 192.168.1.100 – 192.168.1.149 range. Then connect to the new SSID and last two LAN ports; you should get an IP in the new subnet you created (for instance 192.168.2.1 with a range of 192.168.2.100 – 192.168.2.149). Make sure you get an active Internet connection on both networks.

To check your IP address in Windows, open the Network Connections window via the Start Menu, Control Panel, or Network and Sharing Center. Then double-click the desired network connection. On the Network Connection Status window, click Details. You can also see your IP details in a command prompt by typing ipconfig /all.

Firewalling the Networks

Now you’ll probably want to configure the firewall so users from the new SSID and LAN ports can’t access the main network, and vice versa. Plus, you might want to prevent the users on the new network from accessing the router. To get started, bring up the web-based Control Panel and click Administration > Commands.

If you already have commands listed in the Firewall section, click the Edit button to bring them into the Commands box, add the new commands, and then click Save Firewall when you’re done. Otherwise, just type or paste the commands into the blank Commands box and click Save Firewall when you’re finished.

Enter your desired commands, each on its own line, in the order listed here. The order matters because -I inserts each rule at the top of its chain: the DHCP and DNS ACCEPT rules must be entered after the INPUT DROP rule so that they end up above it and are evaluated first.

  • Restrict br1 (new SSID/LAN) from accessing br0 (main SSID/LAN):
        iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
  • Restrict br0 (main SSID/LAN) from accessing br1 (new SSID/LAN):
        iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
  • Restrict br1 (new SSID/LAN) from accessing the router and its servers, except for DHCP and DNS so users can connect and access the Internet:
        iptables -I INPUT -i br1 -m state --state NEW -j DROP
        iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
        iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
        iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
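As an added example (not from the article), here is a small Python model of how these six commands populate the INPUT and FORWARD chains and how a packet is matched against them, so you can check the intended policy before saving it on the router. The ACCEPT chain policy and the packet fields are simplifying assumptions of the model, not DD-WRT behaviour the article describes.

```python
import shlex

# The article's six firewall commands, embedded here as the sample input.
FIREWALL_SCRIPT = """
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""

# Option -> packet field it constrains (only the options the script uses).
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_rule(cmd):
    """Turn one iptables command into (chain, match criteria, target)."""
    argv = shlex.split(cmd)
    chain, match, target = None, {}, None
    for opt, val in zip(argv[1::2], argv[2::2]):  # every option takes one value
        if opt == "-I":
            chain = val
        elif opt == "-j":
            target = val
        elif opt in KEYS:  # "-m state" only loads a module, so it is skipped
            match[KEYS[opt]] = int(val) if opt == "--dport" else val
    return chain, match, target

def build_chains(script):
    """Apply the commands in order. -I inserts at the TOP of the chain,
    so the last command entered becomes the first rule evaluated."""
    chains = {"INPUT": [], "FORWARD": []}
    for line in script.strip().splitlines():
        chain, match, target = parse_rule(line)
        chains[chain].insert(0, (match, target))
    return chains

def verdict(chains, chain, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise fall through to the chain
    policy (assumed ACCEPT in this model)."""
    for match, target in chains[chain]:
        if all(pkt.get(key) == val for key, val in match.items()):
            return target
    return policy

if __name__ == "__main__":
    chains = build_chains(FIREWALL_SCRIPT)
    dhcp = {"in": "br1", "proto": "udp", "dport": 67, "state": "NEW"}
    print(verdict(chains, "INPUT", dhcp))  # ACCEPT: br1 clients can still get a lease
```

Feeding the same six lines in reverse order puts the INPUT DROP rule above the DHCP and DNS ACCEPT rules, and br1 clients would no longer get a lease.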

You can verify the firewall settings by sending some pings. Connect a computer to each network and note their IP addresses. Bring up a command prompt on each computer and type ping, a space, and the other computer’s IP, then press Enter. It will send four pings. If it says Request timed out, the networks have been successfully segregated. Now connect both computers to the same network and ping each other; it should list the replies.

Look into Other DD-WRT Features

We’ve set up a new SSID and separated the LAN ports. DD-WRT still offers many more interesting features. You might check out the VPN server or client, hotspot solutions, or its repeating capabilities. Even seemingly simple features, like the site survey functionality that shows signal details for clients and nearby APs, can be invaluable.

Don’t forget to support the DD-WRT team and community on the message boards and the wiki.