Guest Network

From DD-WRT Wiki

Revision as of 20:14, 29 November 2017 by Jeremywh7 (Talk | contribs)

A Guest Network is a separate SSID (wireless network name) on a virtual access point (VAP) that gives guests access to the WAN (internet) while blocking them from your LAN (local network), so guest devices cannot reach your own computers and other LAN clients.

  • A common use of a Guest Network is to provide internet access for an adjacent rental unit or neighbor.

Important Note

Though isolated from the LAN, a Guest Network needs a strong wireless password to prevent unauthorized network access, and should be a different password from your normal Wireless Access Point (WAP).

The Modern Way

This follows the "23020 and later" method, but uses dnsmasq instead of dhcpd.

  • Services -> Services -> DNSMasq: enable DNSMasq but leave the other options disabled
  • In Additional DNSMasq Options, add the IP address and range for the appropriate virtual guest interface
    • Examples:
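As an added example (not from the wiki page), the shell function below generates the lines for the Additional DNSMasq Options box for one guest interface. The interface name wl0.1, the guest subnet 192.168.2.0/24 and the LAN address 192.168.1.1 are constructed values. It assumes the convention used on DD-WRT that dnsmasq matches the interface name as the tag in dhcp-range and dhcp-option lines (verify against your build's dnsmasq), and it refuses a guest range that overlaps the LAN network, since a guest subnet on the LAN's own network would undo the isolation.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: build the "Additional DNSMasq
# Options" text for a guest interface and reject an overlapping subnet.
# Constructed values: guest VAP wl0.1, guest network 192.168.2.0/24 with the
# router at 192.168.2.1, LAN router address 192.168.1.1.

# Dotted-quad IPv4 address to an integer (runs in a subshell so the IFS
# change used for splitting does not leak out).
ip2int() (
  IFS=.
  set -- $1
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# True (exit 0) when two addresses fall in the same network under a mask.
same_network() {
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Print the dnsmasq directives for one guest interface:
#   $1 interface  $2 guest gateway IP  $3 first lease  $4 last lease
#   $5 netmask    $6 LAN gateway IP (used only for the overlap check)
# Assumption: dnsmasq tags requests with the receiving interface name, so the
# interface name can stand in for a tag in dhcp-range / dhcp-option.
guest_dnsmasq_options() {
  iface="$1" gw="$2" first="$3" last="$4" mask="$5" lanip="$6"
  if same_network "$gw" "$lanip" "$mask"; then
    echo "error: guest network $gw/$mask overlaps the LAN network of $lanip" >&2
    return 1
  fi
  cat <<EOF
interface=$iface
dhcp-range=$iface,$first,$last,$mask,24h
dhcp-option=$iface,3,$gw
EOF
}
```

Call it as `guest_dnsmasq_options wl0.1 192.168.2.1 192.168.2.100 192.168.2.149 255.255.255.0 192.168.1.1` and paste the printed lines into the Additional DNSMasq Options box; option 3 is the DHCP router option, so guest clients are handed the guest interface's address as their gateway rather than the LAN router.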





23020 and later

Kong added easy Guest Network capability to DD-WRT, starting with build 23020.

Wiki setup instructions: Guest WiFi + abuse control for beginners

Prior to 23020

Ref: DD-WRT Guest Wireless

  1. Section Wireless -> Basic Settings tab
    • “Add” a “Virtual Interface”, give this guest network a separate SSID, and “Enable” “AP Isolation”.
    • Click Save, then Apply
  2. Wireless Security tab: also use a separate password, and WPA2 AES security
    • Click Save, then Apply
  3. Section Setup -> Networking tab
    • Under “Create Bridge” click “Add”, name it, then set a different subnet
    • Under “Assign to Bridge” click “Add”, select the new bridge, then assign it to the new virtual interface
    • Click Save, then Apply
  4. Networking tab: under “Multiple DHCP Server” click “Add” and select the new bridge
    • Click Save, then Apply
  5. Section Administration -> Commands tab
  6. Firewall Rules to secure the private network and give the guest network internet access:
    • Copy/paste the below, then click Save Firewall
   iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
   iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
   iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
  7. More Firewall Rules to isolate the guest network and restrict access to the router's services:
    • Copy/paste the below, then click Save Firewall
   iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
   iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    • Test the guest network, reboot if not working

Special Note for a VAP on an Access Point (AP)

If the router is used as an AP rather than a gateway (the WAN and DHCP are disabled, and the router is on the same subnet as the primary gateway router), firewall rules are still needed for internet access and client access restrictions.

  • In order to get internet access from the VAP, save this in Administration -> Commands as Firewall:
   iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
  • Net Isolation does not work on a WAP, so keep it disabled and also add this line to the firewall:
   iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
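The script below is an added example (not from the wiki page) that covers both the gateway rule set from "Prior to 23020" and the access-point rule set just above. It prints the rules as text so they can be reviewed before being pasted into Save Firewall, shows the order in which the kernel will actually evaluate them, and checks that the guest-to-LAN DROP is evaluated before the broad guest ACCEPT. The bridge names br1/br0, the VAP wl0.1, the WAN interface eth0 and the addresses are constructed values; on the router the page obtains the real ones with `get_wanface` and `nvram get wan_ipaddr` / `lan_ipaddr`.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: emit the guest-network firewall
# rules of both procedures as reviewable text.
# Constructed values: guest bridge br1, LAN bridge br0, guest VAP wl0.1.
# Interface names and addresses are parameters here; on the router the page
# reads them with `get_wanface` and `nvram get wan_ipaddr` / `lan_ipaddr`.

# Gateway case, in the wiki's paste order. Every rule uses -I (insert at the
# top of the chain), so the LAST line pasted is evaluated FIRST. That ordering
# is what makes the set safe: the br1->br0 DROP ends up above the broad
# "-i br1 ... ACCEPT"; pasted the other way round, guests could reach the LAN.
gateway_rules() {
  guest="$1" lan="$2" wanif="$3" wanip="$4"
  cat <<EOF
iptables -t nat -I POSTROUTING -o $wanif -j SNAT --to $wanip
iptables -I FORWARD -i $guest -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $guest -o $lan -m state --state NEW -j DROP
iptables -I FORWARD -i $lan -o $guest -m state --state NEW -j DROP
iptables -I INPUT -i $guest -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i $guest -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i $guest -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i $guest -p tcp --dport https -j REJECT --reject-with tcp-reset
EOF
}

# Access-point case (WAN disabled): NAT guest traffic behind the router's LAN
# address and refuse new guest connections into the LAN subnet.
ap_rules() {
  vap="$1" lanip="$2" lanmask="$3"
  cat <<EOF
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $lanip
iptables -I FORWARD -i $vap -d $lanip/$lanmask -m state --state NEW -j REJECT
EOF
}

# Read a rule list on stdin and print one chain's rules in the order the
# kernel will evaluate them: the reverse of paste order, because each -I
# pushes the earlier rules down.
evaluation_order() {
  grep -- " -I $1 " | sed '1!G;h;$!d'
}

# Check a rule list on stdin: the guest->LAN DROP must be evaluated before
# the guest ACCEPT. Exit 0 when the order is safe, 1 otherwise.
guest_to_lan_blocked_first() {
  guest="$1" lan="$2"
  evaluation_order FORWARD | awk -v g="$guest" -v l="$lan" '
    $0 ~ ("-i " g " -o " l " .*DROP") && !seen_accept { ok = 1 }
    $0 ~ ("-i " g " -m state .*ACCEPT") { seen_accept = 1 }
    END { exit ok ? 0 : 1 }'
}
```

On the router, `gateway_rules br1 br0 "$(get_wanface)" "$(nvram get wan_ipaddr)"` prints exactly the text to paste into Save Firewall (or pipe it to `sh` to apply it immediately), and `iptables -L FORWARD -n -v --line-numbers` afterwards shows the live order. Two things the rule set leaves as they are: the guest ACCEPT admits new connections from br1 to anything not explicitly dropped, so any further bridge or VLAN reachable from the router needs its own DROP; and the INPUT rules close only telnet, ssh, www and https on the router itself, leaving DNS and DHCP reachable from br1, which guests need.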

For more details on various firewall rules' impacts, see this post.