
Set Up Multiple SSIDs and VLANs on a DD-WRT Router

Article Description

DD-WRT is arguably the most popular firmware replacement or upgrade for select wireless routers. Eric Geier, author of Wi-Fi Hotspots: Setting Up Public Wireless Internet Access, walks you through creating a second SSID, segregating it from the main SSID, connecting two of the LAN ports on the back of the router to just the new SSID, and leaving the other two LAN ports connected to the main SSID.

Firewalling the Networks

Now you’ll probably want to configure the firewall so users from the new SSID and LAN ports can’t access the main network, and vice versa. Plus, you might want to prevent the users on the new network from accessing the router. To get started, bring up the web-based Control Panel and click Administration > Commands.

If you already have commands listed in the Firewall section, click the Edit button to bring them into the Commands box, add the new lines, and click Save Firewall when you're done. Otherwise, type or paste the commands into the blank Commands box and click Save Firewall when you're finished. Commands saved here are run by DD-WRT each time the firewall is (re)started, so they survive a reboot.

Enter the commands, each on its own line, in the order listed here. Every rule uses -I, which inserts at the top of the chain, so a rule entered later sits above a rule entered earlier. That is why the DHCP and DNS exceptions for br1 are entered after the br1 DROP rule: they end up above it and are matched first.

  • Restrict br1 (new SSID/LAN) from accessing br0 (main SSID/LAN):

    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

  • Restrict br0 (main SSID/LAN) from accessing br1 (new SSID/LAN):

    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

  • Restrict br1 (new SSID/LAN) from accessing the router and its services, except for DHCP and DNS so users can obtain an address and reach the Internet:

    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Two points worth knowing before you rely on these rules. Matching on --state NEW blocks the first packet of a connection in either direction, and because neither side can open a connection, no traffic crosses between the two bridges except for connections that already existed in the connection-tracking table when the rules were loaded (rebooting the router clears those). Internet-bound traffic from br1 leaves through the WAN interface rather than br0, so it is unaffected. The INPUT rule also cuts the new network off from the router's web GUI, SSH and any other service on the router, which is usually what you want for a guest network; administer the router from br0.
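The order dependency above is easy to get wrong, so here is an added example (not from the article and not DD-WRT code): a POSIX shell script that emulates how iptables -I builds a chain, loads the six rules in the article's order, and evaluates a few constructed packets against them with first-match-wins semantics. It also loads the INPUT rules with the DROP entered last to show that the DHCP exception is then shadowed. The chain policy of ACCEPT, the empty starting chains and the WAN interface name vlan2 are assumptions of the demo; a real DD-WRT build has other rules in these chains.

```shell
#!/bin/sh
# Added example (not DD-WRT code): emulate how `iptables -I` builds a chain and
# evaluate constructed packets against the article's rules, first match wins.
# Rule and packet fields: IN OUT PROTO DPORT STATE; "-" in a rule matches anything.
# Assumptions: chain policy ACCEPT, chains start empty, WAN interface is vlan2.

TMP=${TMPDIR:-/tmp}/ddwrt_chain_demo.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# ipt_I CHAIN IN OUT PROTO DPORT STATE TARGET
# Emulates `iptables -I CHAIN ...`: the new rule is written ABOVE existing ones.
ipt_I() {
  chain=$TMP/$1; shift
  {
    printf '%s %s %s %s %s %s\n' "$@"
    if [ -f "$chain" ]; then cat "$chain"; fi
  } > "$chain.new"
  mv "$chain.new" "$chain"
}

# field_ok VALUE PATTERN: a "-" pattern is a wildcard.
field_ok() { [ "$2" = "-" ] || [ "$1" = "$2" ]; }

# verdict CHAIN IN OUT PROTO DPORT STATE: prints the target of the first rule
# that matches the packet, or the assumed chain policy ACCEPT when none does.
verdict() {
  chain=$TMP/$1; p_in=$2; p_out=$3; p_proto=$4; p_dport=$5; p_state=$6
  while read -r r_in r_out r_proto r_dport r_state target; do
    if field_ok "$p_in" "$r_in" && field_ok "$p_out" "$r_out" \
       && field_ok "$p_proto" "$r_proto" && field_ok "$p_dport" "$r_dport" \
       && field_ok "$p_state" "$r_state"; then
      echo "$target"
      return 0
    fi
  done < "$chain"
  echo ACCEPT
}

# The article's six rules, entered in the article's order.
ipt_I FORWARD br1 br0 - - NEW DROP
ipt_I FORWARD br0 br1 - - NEW DROP
ipt_I INPUT br1 - - - NEW DROP
ipt_I INPUT br1 - udp 67 - ACCEPT
ipt_I INPUT br1 - udp 53 - ACCEPT
ipt_I INPUT br1 - tcp 53 - ACCEPT

# The same INPUT rules with the DROP entered last: because -I prepends, the
# DROP lands on top of the chain and shadows the DHCP/DNS exceptions.
ipt_I INPUT_WRONG br1 - udp 67 - ACCEPT
ipt_I INPUT_WRONG br1 - udp 53 - ACCEPT
ipt_I INPUT_WRONG br1 - tcp 53 - ACCEPT
ipt_I INPUT_WRONG br1 - - - NEW DROP

# Constructed packets: CHAIN IN OUT PROTO DPORT STATE. The ESTABLISHED case
# stands for a connection that was already tracked before the rules loaded.
for pkt in \
  "INPUT br1 - udp 67 NEW" \
  "INPUT br1 - tcp 80 NEW" \
  "INPUT_WRONG br1 - udp 67 NEW" \
  "FORWARD br1 br0 tcp 445 NEW" \
  "FORWARD br0 br1 tcp 80 NEW" \
  "FORWARD br0 br1 tcp 80 ESTABLISHED" \
  "FORWARD br1 vlan2 tcp 443 NEW"
do
  set -- $pkt
  printf '%-38s -> %s\n' "$pkt" "$(verdict "$@")"
done
```

Run it with sh; the DHCP packet from br1 is accepted by the chain built in the article's order and dropped by the one built with the DROP entered last, while guest-to-router HTTP and new connections across the bridges in either direction are dropped and guest-to-WAN traffic passes. On the router itself the equivalent check is iptables -vnL INPUT and iptables -vnL FORWARD, which list each chain top to bottom in the order the kernel evaluates it, with per-rule packet counters that should increase as you test.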

You can verify the firewall settings with a few pings. Connect one computer to each network and note their IP addresses. Open a command prompt on each computer and run ping followed by the other computer's IP address; on Windows this sends four echo requests. If every one of them reports Request timed out, the two networks have been segregated. Then connect both computers to the same network and ping again; this time the replies should be listed. Do the same-network test in any case, because a host firewall that blocks incoming ping (the Windows firewall does by default) produces the same timeouts as the router rules and would otherwise hide a misconfiguration. Ping only exercises ICMP, so finish by confirming the intended exceptions: a client on the new network should still receive a DHCP lease and resolve names, and should not be able to open the router's web interface, while a client on the main network still can.

Look into Other DD-WRT Features

We’ve set up a new SSID and separated the LAN ports. DD-WRT still offers many more interesting features. You might check out the VPN server or client, hotspot solutions, or its repeating capabilities. Even seemingly simple features, like the site survey functionality that shows signal details for clients and nearby APs, can be invaluable.

Don’t forget to support the DD-WRT team and community on the message boards and the wiki.