Guest Network

From DD-WRT Wiki

Revision as of 03:11, 1 December 2017 by Jeremywh7 (Talk | contribs)

A Guest Network is a separate SSID (wireless network ID) using a virtual access point (VAP) that gives guest access to the WAN (internet) while blocking them from your LAN (local network), thereby protecting your security.

New DNSMasq Method

This uses the "23020 and later" method, but with dnsmasq instead of dhcpd. For a Wireless Access Point (WAP), Multiple DHCP Server is not available with the WAN disabled. See the VAP on an Access Point section below.

  • Services -> Services-> DNSMasq: Enable DNSMasq but leave other options disabled
  • In Additional DNSMasq Options, add the IP address and range for the appropriate virtual guest interface
    • Example for Broadcom (5 GHz is wl1.1), Atheros is usually ath0.1 or ath1.1, but depends on the router:

23020 and later

Kong added easy Guest Network capability to DD-WRT, starting with build 23020.

  • Firewall changes should not be needed for a normal gateway router setup

Wiki setup instructions: Guest WiFi + abuse control for beginners

Prior to 23020

Reference: DD-WRT Guest Wireless

  1. Section Wireless -> Basic Settings tab
    • “Add” a “Virtual Interface”, give this guest network a separate SSID, and “Enable” “AP Isolation”.
    • Click Save, then Apply
  2. Wireless Security tab: also use a separate password, and WPA2 AES security
    • Click Save, then Apply
  3. Section Setup -> Networking tab
    • Under “Create Bridge” click “Add”, name it, then set a different subnet
    • Under “Assign to Bridge” click “Add”, select the new bridge, then assign it to the new virtual interface
    • Click Save, then Apply
  4. Networking tab: under “Multiple DHCP Server” click “Add” and select the new bridge
    • Click Save, then Apply
  5. Section Administration -> Commands tab
  6. Firewall Rules to secure the private network and give the guest network internet access:
    • Copy/paste the below, then click Save Firewall
   iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
   iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
   iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

More firewall rules to isolate the guest network and block its access to the router's own services (telnet, SSH, and the web GUI):

  • Copy/paste the below, then click Save Firewall
   iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
   iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
   iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

Test the guest network, and reboot the router if it is not working.

Special Notes

Guest VAP Passwords

To prevent unauthorized network access, you must use a different wireless password from your normal Wireless Access Point. Though isolated from the LAN, a guest network should still have a strong password.

Guest Access to a Network Device

To allow the guest network access to a printer, web server, or other network device, add this rule last (iptables -I inserts at the top of the chain, so the last rule saved is matched first and this ACCEPT ends up above the DROP):

   iptables -I FORWARD -i wl0.1 -o br0 -d {IP address} -m state --state NEW -j ACCEPT
  • Adjust the virtual interface, bridge, and IP address as appropriate

Multi-radio routers

To have guest VAPs from multiple radios on the same subnet, create a bridge for them. Multiple interfaces need their own entries for DNSMasq (and for the firewall, if applicable), for example for both wl0.1 and wl1.1. 'Net Isolation' (Networking page, under the br1 section) will not isolate all interfaces from the primary network.

  • This may depend on the interfaces bridged via br1, so be sure to test
  • To be safe, add firewall rules to block br1 from the subnet and router, but ensure the guest has DHCP & DNS:
   iptables -I INPUT -i br1 -m state --state NEW -j REJECT
   iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
   iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
  • Copy/paste these lines to Administration->Commands, then click Save Firewall
  • To allow this br1 access to a printer, web server, or other network device, add this rule last:
   iptables -I FORWARD -i br1 -o br0 -d {IP address} -m state --state NEW -j ACCEPT
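The order in which these rules are saved matters because every iptables -I inserts at position 1 of the chain: the line pasted last is evaluated first. The following POSIX shell script is an added example, not code from the DD-WRT wiki or from DD-WRT itself; it models that insertion behaviour for the FORWARD rules of the "Prior to 23020" section (plus the single-device ACCEPT) and for the br1 INPUT/FORWARD rules of this section, and prints each chain top-down so the effective precedence can be checked offline before anything is applied to a router. The interface names br0/br1 are the page's examples; the device address 192.168.1.50 is a constructed sample value. It runs on any sh, not only on the router.

```shell
#!/bin/sh
# Added example (not DD-WRT code): model the effect of `iptables -I CHAIN rule`.
# Every `-I` inserts at position 1, so the rule saved LAST ends up at the TOP of
# the chain and is evaluated first. Feeding the page's rule lists through this
# shows the effective match order without touching a live router.

# Rules from the "Prior to 23020" section plus the "allow one device" rule,
# in the order they are pasted; 192.168.1.50 is a constructed printer address.
GATEWAY_RULES='iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.50 -m state --state NEW -j ACCEPT'

# Rules from the multi-radio section: the REJECT is pasted first and the DHCP/DNS
# ACCEPT second, so the ACCEPT lands above the REJECT and guests still get leases.
MULTI_RADIO_RULES='iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT'

# effective_chain CHAIN RULES: print CHAIN's rules in match order, top first.
# Only `iptables -I CHAIN ...` lines are modelled; `-t nat` and `-A` lines are ignored.
effective_chain() {
    chain=$1
    order=''
    while IFS= read -r line; do
        case "$line" in
            "iptables -I $chain "*)
                rule=${line#"iptables -I $chain "}
                # insert at position 1: the new rule goes above everything seen so far
                order="$rule
$order"
                ;;
        esac
    done <<EOF
$2
EOF
    printf '%s' "$order"
}

# first_match CHAIN RULES: the rule evaluated first (top of the chain).
first_match() {
    effective_chain "$1" "$2" | head -n 1
}

# last_match CHAIN RULES: the rule evaluated last (bottom of the chain).
last_match() {
    effective_chain "$1" "$2" | tail -n 1
}

# rule_count CHAIN RULES: how many of the pasted lines landed in CHAIN.
rule_count() {
    effective_chain "$1" "$2" | grep -c .
}

# Stand-alone run: show both chains as the router would evaluate them.
printf 'FORWARD (gateway setup), top first:\n'
effective_chain FORWARD "$GATEWAY_RULES"
printf '\nINPUT (multi-radio setup), top first:\n'
effective_chain INPUT "$MULTI_RADIO_RULES"
```

Running it shows the single-device ACCEPT at the top of FORWARD (above the br1-to-br0 DROP) and the blanket "-i br1 ... ACCEPT" at the bottom, which is why the page says to add the device rule last; for the multi-radio set it shows the UDP 53,67 ACCEPT above the REJECT, which is what keeps DHCP and DNS working for guests. If a reordered paste puts a DROP or REJECT above an ACCEPT that should win, that shows up here before it shows up as a broken guest network.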

VAP when WAN is disabled

If the router is not used as a gateway (WAN and DHCP are disabled, and it sits on the same subnet as the primary gateway router), firewall rules are still needed to restrict guest clients and to give them internet access.

  • Examples: Access Point (AP), Repeater Bridge (RB), & Dual-band Client Bridge + AP: see here
  • Net Isolation does not work on a WAP, so keep it disabled. To restrict guests and give them internet access through the bridge:
  • Administration->Commands: copy/paste these lines then click Save Firewall:
   iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
   iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
  • Then reboot the router.
  • Important: maintain the order of the rules (each iptables -I inserts at the top of the chain, so the line saved last is matched first)
  • Note that the bridge and/or virtual interface may be different

For more details on this, see this post. For more on various firewall rules' impacts, see this post.