Joined: 04 Aug 2018
Location: Appalachian mountains, USA
Posted: Thu Jul 09, 2020 15:32 Post subject:
Yes, what kp69 said!
Also, as you read, be aware that many of those wiki discussions are old and somewhat obsolete. You'll see talk about setting up a bridge, for example, but generally you don't need to create a bridge anymore in order to create a guest network. And you don't generally need to create your own firewall rules, as dd-wrt will set that up on its own.
To do it the easy way instead of using a new bridge, just create a Virtual AP (VAP) in the Wireless tab, check "advanced settings," and as you set up the various interface details, check the "unbridged" box and at the bottom enter the same IP/mask info that you would have entered in Setup>Networking for a new bridge. Save then set up a password (WPA2-Personal, CCMP-128 AES) in Wireless Security. Save that then in Networking at the bottom, add a DHCP server for your new subnet, just as you would have done for a bridge. You have to select your new virtual interface and make sure it's On, but the defaults will work for everything else. Save and reboot and you should have a guest network.
For some routers - I think they are ones that use Broadcom wifi hardware - you'll have to search the forums for discussions - there are many - of the simple fix for the guest network not coming up on its own. The fix involves one line of Startup code to restart the wifi interfaces. I've never needed it for my routers, which each have multiple guest networks.
Re firewalling, for a guest network, check AP Isolation and Net Isolation in the wifi VAP settings. AP Isolation will keep your guests from seeing each other's devices on the network (so malware on person X's device won't leap to person Y's device), and Net Isolation will keep users on the guest network (VAP) and main network (br0) from seeing each other. Same idea re malware protection. Those two checkboxes will coax dd-wrt to use the right firewalling, and you won't need more firewalling than that unless you plan multiple guest networks.
Final note: Try the latest build... Recent builds have been good, and a lot has changed in recent months and of course years. And DON'T pick a build using the Router Database. It's not maintained and often gives bad advice (like steering people to the problematic 40559 build).
Five Linksys WRT1900ACSv2's on 42926, 44048
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client/PBR (AirVPN), wireguard/PBR (AzireVPN), two DNSCrypt servers (incl Quad9) routed through OpenVPN.
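
One way to confirm that the Net Isolation setting described in the post above actually blocks guest-to-br0 traffic, as an added example that is not part of the original post and not dd-wrt code. It evaluates text in `iptables -S FORWARD` format on a workstation; the interface name `wlan0.1`, the subnet and both rule samples are constructed assumptions, and negated matches and jumps to user-defined chains are not evaluated.

```python
import ipaddress
import shlex

# Constructed samples in `iptables -S FORWARD` format; not captured from a router.
# The VAP name wlan0.1 and the 192.168.1.0/24 main LAN are assumptions.
SAMPLE_ISOLATED = """\
-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0.1 -d 192.168.1.0/24 -m state --state NEW -j DROP
-A FORWARD -i wlan0.1 -j ACCEPT
"""
SAMPLE_OPEN = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0.1 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
"""

def _opts(tokens):
    """Collect the option/value pairs this check understands."""
    wanted = {"-i", "-o", "-d", "-j", "--state", "--ctstate"}
    return {t: tokens[n + 1] for n, t in enumerate(tokens[:-1]) if t in wanted}

def guest_to_lan_verdict(rules_text, guest_if, lan_if, lan_net):
    """Return the target of the first FORWARD rule matching a NEW connection
    from guest_if to the whole of lan_net, or the chain policy if none does."""
    lan = ipaddress.ip_network(lan_net)
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "FORWARD"]:
            continue
        o = _opts(tok)
        state = o.get("--state") or o.get("--ctstate")
        if state and "NEW" not in state.split(","):
            continue                  # rule only covers established flows
        if o.get("-i", guest_if) != guest_if or o.get("-o", lan_if) != lan_if:
            continue                  # different ingress or egress interface
        if "-d" in o and not lan.subnet_of(ipaddress.ip_network(o["-d"], strict=False)):
            continue                  # destination does not cover the whole LAN
        if o.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return o["-j"]            # first terminating match wins
    return policy
```

A verdict of `ACCEPT` for the guest interface means new connections from the guest subnet can reach the main LAN, so the isolation checkbox did not take effect.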