Guest Network

From DD-WRT Wiki

Revision as of 19:02, 30 November 2017 by Jeremywh7 (Talk | contribs)

A Guest Network is a separate SSID (wireless network ID) using a virtual access point (VAP) that gives guest access to the WAN (internet) while blocking them from your LAN (local network), thereby protecting your security.

New DNSMasq Method

This uses the "23020 and later" method, but with dnsmasq instead of dhcpd. For a Wireless Access Point (WAP), Multiple DHCP Server is not available with the WAN disabled. See the VAP on an Access Point section below.

  • Services -> Services -> DNSMasq: Enable DNSMasq but leave other options disabled
  • In Additional DNSMasq Options, add the IP address and range for the appropriate virtual guest interface
    • Example for Broadcom (5 GHz is wl1.1), Atheros is usually ath0.1 or ath1.1, but depends on the router:

23020 and later

Kong added easy Guest Network capability to DD-WRT, starting with build 23020.

  • Firewall changes should not be needed for a normal gateway router setup

Wiki setup instructions: Guest WiFi + abuse control for beginners

Prior to 23020

Reference: DD-WRT Guest Wireless

  1. Section Wireless -> Basic Settings tab
    • “Add” a “Virtual Interface”, give this guest network a separate SSID, and “Enable” “AP Isolation”.
    • Click Save, then Apply
  2. Wireless Security tab: also use a separate password, and WPA2 AES security
    • Click Save, then Apply
  3. Section Setup -> Networking tab
    • Under “Create Bridge” click “Add”, name it, then set a different subnet
    • Under “Assign to Bridge” click “Add”, select the new bridge, then assign it to the new virtual interface
    • Click Save, then Apply
  4. Networking tab: under “Multiple DHCP Server” click “Add” and select the new bridge
    • Click Save, then Apply
  5. Section Administration -> Commands tab
  6. Firewall Rules to secure the private network and give the guest network internet access:
    • Copy/paste the below, then click Save Firewall
   iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
   iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
   iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

More Firewall Rules to isolate guest and restrict services' access:

  • Copy/paste the below, then click Save Firewall
   iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
   iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

Test the guest network, reboot if not working
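Because every rule in step 6 is inserted with `-I` (position 1), the last command run ends up first in the chain, so the guest-to-LAN DROP must precede the general guest ACCEPT. The following POSIX sh snippet is an added example, not from the DD-WRT wiki: it emits the step 6 rules for a chosen guest bridge and checks a saved `iptables -S FORWARD` listing for that order. The bridge name (`br1`), LAN bridge `br0` and the two embedded listings are constructed assumptions.

```sh
#!/bin/sh
# Added example (not DD-WRT's own code): generate the guest firewall rules and
# verify their order in a FORWARD chain listing. Assumes LAN bridge br0 and a
# guest bridge passed as $1 (default br1).

# Print the gateway-mode rules from step 6 for guest bridge $1. Run in this
# order, each -I prepends, so the br1->br0 DROP lands above the br1 ACCEPT.
guest_rules() {
  gb="${1:-br1}"
  printf '%s\n' \
    'iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`' \
    "iptables -I FORWARD -i $gb -m state --state NEW -j ACCEPT" \
    "iptables -I FORWARD -i $gb -o br0 -m state --state NEW -j DROP"
}

# Read `iptables -S FORWARD` output on stdin; return 0 only when the guest->LAN
# DROP rule appears before the guest ACCEPT rule (so new guest connections
# toward br0 are refused), 1 otherwise.
guest_isolated() {
  gb="${1:-br1}"
  awk -v gb="$gb" '
    $0 ~ ("-i " gb " -o br0 ") && /-j DROP/          { if (!drop) drop = NR }
    $0 ~ ("-i " gb " ") && !/-o / && /-j ACCEPT/     { if (!acc)  acc  = NR }
    END { exit !(drop && acc && drop < acc) }'
}

# Constructed listing after running the step 6 commands in the wiki order.
GOOD='-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Constructed listing after running the two -I commands in the wrong order:
# ACCEPT now matches first, so guests can open connections into the LAN.
BAD='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP'

printf '%s\n' "$GOOD" | guest_isolated br1 && echo "GOOD listing: guest isolated"
printf '%s\n' "$BAD"  | guest_isolated br1 || echo "BAD listing: guest can reach LAN"
```

On a live router, feed the real chain instead: `iptables -S FORWARD | guest_isolated br1`.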

Special Notes

Guest VAP Passwords

To prevent unauthorized network access, you must use a different wireless password from your normal Wireless Access Point. Though isolated from the LAN, a Guest Network should still have a strong password.

Multi-band radios

To put the guest VAPs from each radio on the same subnet, create one bridge and assign both VAPs to it.

VAP on an Access Point (AP)

If the router is used as an AP rather than a gateway (WAN and DHCP disabled, on the same subnet as the primary gateway router), firewall rules are needed both to give the guest VAP internet access and to keep its clients off the LAN.

  • Net Isolation does not work on a WAP, so keep it disabled; to give the guest VAP internet access through the bridge:
  • Administration->Commands: copy/paste these lines then click Save Firewall:
   iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
   iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
  • Then reboot the router.
  • Maintain the rules' order, and note that the bridge and/or virtual interface may be different

For more details on this, see this post. For more on various firewall rules' impacts, see this post.