Wifi with VPN and without VPN

Post new topic   Reply to topic    DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
3pac
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 2

PostPosted: Sun Sep 13, 2020 18:35    Post subject: Wifi with VPN and without VPN
I have a linksys WRT3200ACM router with DD-WRT firmware.

I have VPN from Nordvpn
Can I make 3 wifis?

1. Wifi (3pac wifi) with VPN, with access to Sonos, Chromecast, NAS server etc. (I have this today)

2. Wifi (3pac wifi guest) guest wifi without access to Sonos, Chromecast etc., with VPN

3. Wifi (3pac wifi wovpn) wifi without VPN, with access to Sonos etc.

Firmware: DD-WRT v3.0-r40559 (08/06/19)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Wed Sep 16, 2020 16:02    Post subject:
You can do all that, but not with that build; that is an old and crappy build.

See the forum guidelines, link in my signature at the bottom of this post, where to download and other helpful pointers.

You need Policy Based Routing, link also in my signature

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Thu Sep 17, 2020 14:13; edited 1 time in total
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

PostPosted: Wed Sep 16, 2020 17:07    Post subject:
Since no one seems to be replying and I need something to do while I slowly build my caffeine level, let me be a complete fool and try to whip out a basic guide to get you moving. I don't claim my proofreading is perfect, and certainly there are many possible dd-wrt configurations that would require changing something from the basic setup here. But I hope this will get you started in the right direction and that others can step in and help you tailor it if needed. With that said, here is my basic how-to on getting VAPs going (I have four VAPs here) with some routed through the VPN client and some bypassing it (which I do here also). Could be that I've left out something important. Hope not.
  1. 40559 is not a great build. Ignore the router database. It is not well maintained. Get a recent build. The very latest ones are having wifi issues on the Linksys/Marvell routers (like the 3200). I'd try 44213, the last one before the iffy wifi driver changes, and if that presents serious problems, fall back to 44048, which seems to have lots of fans. See the "Cliff Notes" sticky post at the top of the Marvell forum for important details of handling flashing and setup. The Cliff Notes are your basic guide.

  2. You can easily have multiple guest networks. The topic to research is Virtual Access Points (VAPs). There is a lot of old info out there, so be careful. Here's my quick version.

    First, note that you are creating it for one wifi band. If you want both wifi bands, create two guest networks with separate SSIDs. Combining both bands into one network with a shared SSID might be tempting, but if you bridge VAP A and VAP B together, there will be no way to keep clients of A and clients of B from seeing each other and interacting. That violates the idea of a guest network. So, here's how you create one VAP.

    In the Wireless/BasicSettings page you need to Add Virtual AP, check Advanced Settings, check AP Isolation so that clients cannot see each other, check Unbridged for Network Configuration, and check Masquerade/NAT so your clients can reach the internet. If you will have only one guest network (VAP), check Net Isolation so that clients on the main and guest networks cannot see each other. If you will have more than one guest network, leave it unchecked and use the firewall tweak discussed below instead. I like checking "Forced DNS Redirection" so that clients are strongly encouraged ("forced" is not actually possible) to use dd-wrt's DNS system.

    If your router IP is 192.168.1.1 (the default), try entering 192.168.X.1 as both Optional DNS Target and IP Address, with X some small number not equal to 1. Use a different X for each VAP. Don't give the VAP the same IP that your modem uses for dd-wrt's WAN connection (usually not a problem, but it can happen). Most people use X=2 for the first VAP, X=3 for the second, etc. Note the name of the virtual interface, likely ath0.1 or ath1.1, that you have created. Save and Apply.

    Move to the Wireless Security subtab and give the VAP a Security Mode of WPA, a Network Authentication type of "WPA2 Personal," and a WPA Algorithms choice of "CCMP-128 (AES)." Put the password in as WPA Shared Key, Save and Apply. At this stage you should be able to connect to the VAP wifi, but you won't yet have internet on it.

    On the Setup>BasicSettings page, at the bottom, I'm assuming you have these three checked:

    Use DNSMasq for DNS
    DHCP-Authoritative
    Forced DNS Redirection

    I'm not saying the below won't work otherwise, only that I'm too lazy to think the matter through.

    Go to Setup>Networking, scroll to the bottom to the DHCPD section, and click Add to create a new DHCP server at the bottom of the list. Use the drop-down menu to select the VAP you have created. Set Start to 128 and Max to 64 rather than use the defaults for those. This will make setting up the VPN easier later on. The other defaults are fine. Save and Apply. You should now have a functioning guest network.

  3. Note that a lot of the guides out there talk about using bridges for VAPs either because the guides are old, from before the simpler unbridged option was available in dd-wrt, or because some routers/builds had trouble with unbridged VAPs for some time. Your router and a modern build are perfectly compatible with unbridged VAPs.

  4. Old guides may also suggest various iptables rules to add to the firewall for VAPs. None of these are needed in a modern setup unless you want Net Isolation for multiple VAPs. If your main network is (the default) bridge br0 with IP 192.168.1.1 and your VAPs are on interface ath0.1 with IP 192.168.2.1 and interface ath0.2 with IP 192.168.3.1, achieving that Net Isolation can be accomplished by putting these three firewall commands in Administration>Commands in the Firewall box (enter in Commands box and click Save Firewall):
    Code:
    for i in br0 ath0.1 ath0.2; do
        iptables -I FORWARD -i $i -d 192.168.0.0/16 -m state --state NEW -j DROP
    done

    There are many guides to iptables online if you want to sort this out. Be sure you have a backed-up configuration before playing with the firewall, because the wrong kind of errors can lock you out of your router. And this particular firewall setup for Net Isolation is probably not universal. It works for my setup here. In the ssh/PuTTY CLI do iptables -vnL FORWARD | grep DROP to see the rules this created in the firewall (and maybe a few others as well).

  5. If you already have a working VPN setup, all you need to do is enter, in the Policy Based Routing (PBR) window in Services>VPN, the IP ranges you want on the VPN. If your VAP IP is 192.168.2.1 with DHCP Start=128 and Max=64, enter 192.168.2.128/26. You can enter multiple lines for multiple VAPs. If this notation is unfamiliar, google CIDR notation. (An IP address is four groups of 8 bits each so 32 bits total. The /26 means the first 26 bits are as given with the last 6 representing wild cards. Here 2^6 is 64.) For more on PBR, see egc's guide posted as a sticky at the top of the Advanced Networking forum.

  6. The two new builds I recommend above have a "Ignore WAN DNS" box at the top of the Setup>BasicSettings page. Check it. Those new builds also automatically use the DNS server pushed by the VPN provider.

  7. You'll likely want a VPN kill switch. Add to the Administration>Commands to the Firewall window (click Edit in that window to copy its contents to the Commands window, add material below, click Save Firewall to move it back to the Firewall window):
    Code:
    # Name of the interface carrying the default route (the WAN side).
    WAN_IF=$(ip route | awk '/^default/{print $NF}')
    # Strip comments and blank lines from the PBR file, then block each listed
    # source range from leaving via the WAN directly (i.e. outside the tunnel).
    # The loop variable is $pbr; $1 would be the script's own first argument.
    sed -n 's/\s*#.*//;/\S/p' /tmp/openvpncl/policy_ips \
    | while read pbr; do
       iptables -I FORWARD -s $pbr -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
       iptables -I FORWARD -s $pbr -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
       iptables -I FORWARD -s $pbr -p udp -o $WAN_IF -j REJECT
    done

    There are many different reasonable kill switches out there. The one Nord recommends, unless they've changed it recently, uses a udp-reset in the last rule. There is no such thing as a udp-reset, and if you make such an error in an iptables command, no firewall rule is created. This kill switch automatically tailors to your PBR setup by reading the internal file where the PBR configuration is stored. Use iptables -vnL FORWARD | grep REJECT in the ssh/PuTTY CLI to see these rules (and a few others) in the firewall, to check that they went in OK.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.


Last edited by SurprisedItWorks on Thu Oct 22, 2020 20:28; edited 1 time in total
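The following is an added example, not code from the thread or from DD-WRT. It does two things the post above does by hand: it turns a VAP's router IP plus DHCP Start/Max into the CIDR that goes into the PBR box (refusing pools that cannot be written as one CIDR block), and it prints, as a dry run, the Net Isolation DROP rules from step 4 and the PBR-driven kill-switch REJECT rules from step 7 so they can be reviewed before being pasted into the Firewall box. The interface names, IPs and the sample policy_ips content are constructed for the demo; the sed pattern mirrors the post's but uses POSIX character classes so it also runs outside GNU sed.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): PBR CIDR derivation and a
# dry-run generator for the Net Isolation and kill-switch iptables rules.

# dhcp_to_cidr ROUTER_IP START MAX
# Prints e.g. "192.168.2.128/26" for "192.168.2.1 128 64". Returns 1 when MAX
# is not a power of two, START is not a multiple of MAX, or the pool runs past
# .255, since such a pool is not a single CIDR block.
dhcp_to_cidr() {
    ip="$1"; start="$2"; max="$3"
    [ "$max" -gt 0 ] && [ $(( max & (max - 1) )) -eq 0 ] || return 1
    [ $(( start % max )) -eq 0 ] && [ $(( start + max )) -le 256 ] || return 1
    bits=0; n="$max"
    while [ "$n" -gt 1 ]; do n=$(( n / 2 )); bits=$(( bits + 1 )); done
    echo "${ip%.*}.${start}/$(( 32 - bits ))"
}

# netiso_rules IFACE...
# One DROP per interface for NEW forwards into 192.168.0.0/16 (step 4).
netiso_rules() {
    for i in "$@"; do
        echo "iptables -I FORWARD -i $i -d 192.168.0.0/16 -m state --state NEW -j DROP"
    done
}

# killswitch_rules WAN_IF POLICY_IPS_FILE
# Reads the PBR file the way the post's sed does (strip comments, skip blank
# lines) and prints the three REJECT rules per PBR entry (step 7).
killswitch_rules() {
    wan="$1"; f="$2"
    sed -n 's/[[:space:]]*#.*//;/[^[:space:]]/p' "$f" | while read -r pbr; do
        echo "iptables -I FORWARD -s $pbr -o $wan -j REJECT --reject-with icmp-host-prohibited"
        echo "iptables -I FORWARD -s $pbr -p tcp -o $wan -j REJECT --reject-with tcp-reset"
        echo "iptables -I FORWARD -s $pbr -p udp -o $wan -j REJECT"
    done
}

# Demo: two VAPs as in the post, with a constructed policy_ips file
# (not the real /tmp/openvpncl/policy_ips) and a hypothetical WAN name eth0.
demo() {
    pbr_file=$(mktemp)
    printf '# constructed sample policy_ips\n' > "$pbr_file"
    dhcp_to_cidr 192.168.2.1 128 64 >> "$pbr_file"
    dhcp_to_cidr 192.168.3.1 128 64 >> "$pbr_file"
    echo "# PBR entries:"; cat "$pbr_file"
    echo "# Net Isolation:"; netiso_rules br0 ath0.1 ath0.2
    echo "# Kill switch (dry run):"; killswitch_rules eth0 "$pbr_file"
    rm -f "$pbr_file"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh script.sh demo` to see the generated rules; on the router, `killswitch_rules "$(ip route | awk '/^default/{print $NF}')" /tmp/openvpncl/policy_ips | sh` would apply them, but review the output first, since a wrong source range or interface name in FORWARD rules is exactly the kind of mistake that locks you out.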
3pac
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 2

PostPosted: Thu Sep 17, 2020 14:06    Post subject:
Thanks.
I will have to try it, or try to downgrade the firmware to another one if it is bad.

I have considered the easy solution of setting up one more router at the modem, so that I also have isolated wifi without VPN.
hetrickb
DD-WRT Novice


Joined: 29 Jan 2023
Posts: 2
Location: Smoky Mountains - TN

PostPosted: Thu Mar 16, 2023 0:32    Post subject:
I know this thread is a few years old, but this is the first successful isolated guest VAP I've been able to setup since switching to DD-WRT a few weeks ago. Thanks SurprisedItWorks!

I have a question and thought I'd post it here: how do I see what's connected to the guest network? My primary is the typical 192.168.1.1 with the guest as 192.168.2.1. However, when I log on to the guest network and query the IPs using Advanced IP Scanner, I get nothing.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

PostPosted: Thu Mar 16, 2023 14:31    Post subject:
You get nothing? Perhaps you have AP Isolation enabled in wifi settings.

To see what's connected, use the GUI's Status tab and its Sys Info subtab. The listing of wifi clients near (but not at) the bottom will show for each what wifi interface it's connected to.

I hope you are using a modern build and not the specific ones recommended in that old post. The wifi issues mentioned there were fixed long ago, and modern builds have generally been solid. Do check the new-build thread of any you are considering though. FWIW, I'm on 51530 and happy, but it's not because it's somehow special. It just happened to be the latest one at the time I made my choice. I generally upgrade every 3 to 4 months.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 16, 2023 14:47    Post subject:
To add, a simple unbridged VAP can be isolated in the GUI by enabling "Net Isolation" on the interface in the Networking tab.

If you want to isolate the wireless clients from each other on the VAP, then enable "AP Isolation".

I attach my personal notes on how I do it (which is just a modern variation on the setup of @SurprisedItWorks).

hetrickb
DD-WRT Novice


Joined: 29 Jan 2023
Posts: 2
Location: Smoky Mountains - TN

PostPosted: Thu Mar 16, 2023 19:28    Post subject:
SurprisedItWorks wrote:
You get nothing? Perhaps you have AP Isolation enabled in wifi settings.

To see what's connected, use the GUI's Status tab and its Sys Info subtab. The listing of wifi clients near (but not at) the bottom will show for each what wifi interface it's connected to.

I hope you are using a modern build and not the specific ones recommended in that old post. The wifi issues mentioned there were fixed long ago, and modern builds have generally been solid. Do check the new-build thread of any you are considering though. FWIW, I'm on 51530 and happy, but it's not because it's somehow special. It just happened to be the latest one at the time I made my choice. I generally upgrade every 3 to 4 months.


I'm using a WRT1200AC/V2 with DD-WRT v3.0-r44715 std (11/03/20). I did start with what I thought was a newer release, but it seemed very unstable for WiFi, so I haven't attempted to upgrade from what I'm currently running. I do have AP Isolation turned on, thinking that would just prevent someone on the guest network from snooping the main network. I guess that just shows how much I still need to learn!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Mar 16, 2023 20:01    Post subject:
That is an old and outdated build with security and other issues.

You should upgrade to the latest build as of today, 52020.

As you are coming from such an old build, a reset to defaults *after* the upgrade is highly recommended.
Put settings in manually; never restore from a backup (to a different build).

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

PostPosted: Fri Mar 17, 2023 21:52    Post subject:
Quote:
prevent someone on the guest network from snooping the main network.

To do that you need "network isolation". AP Isolation is to keep wifi clients on the same wifi network from seeing each other. You may well want to use both, which is fine.

Re which build... I completely agree with @egc who is something of a master guru around here. Somewhere between your old build and the good ones we have now, there was a period maybe eight or nine months long when we were having wifi issues with the WRTblah builds. Perhaps the one you tried was one of those. But things have been good for something like a year and a half, so go for a recent one if you can. There have been lots and lots of improvements, to security and otherwise.

All times are GMT