Guest WiFi + abuse control for beginners

From DD-WRT Wiki

Revision as of 20:38, 29 October 2015 by Mile-Lile (Talk | contribs)

This tutorial is for beginners, so before proceeding make sure you have a working reset button and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere). This guide will show you the basics of creating and controlling Guest WiFi.

Creating Guest VAP
Adding DHCP for Guests
Hardcoded limiting interfaces
Setting priorities


For that purpose we will first create a VAP (Virtual Access Point) for guests.

On the Wireless->Basic Setup tab, click Add in the Virtual Interfaces section. Enable AP Isolation so that guests cannot see each other. AP Isolation drops all traffic between clients connected to the VAP. If you want a secure Guest WiFi, it's recommended to enable this feature to help mitigate Wi-Fi snooping attacks.

Set Network Configuration to Unbridged and enable NAT (so that guests can have internet access). Enable Net Isolation (this option creates a couple of firewall rules that block guests from reaching your private network). Net Isolation works ONLY on an unbridged interface on newer builds: for Broadcom starting from build 23020, for Atheros starting from build 24759, and for Mediatek (Ralink) units starting from build 25934.


AP Isolation = Guests can not hack each other on guest VAP

Net Isolation = Guests can not hack your private LAN+WLAN

Enable Forced DNS Redirection and enter the OpenDNS server IP (208.67.222.222) in the Optional DNS target field. This intercepts DNS queries and forces them to the DNS servers you specify, which prevents users from using their own DNS servers (and hence getting around content filtering).

Enter the IP Address and Subnet Mask of your newly created interface (ath0.1): 172.16.1.1/255.255.255.0. Click Save and Apply. Wait about 30 sec. for interface ath0.1 to be created.

Note: You still won't be able to connect to this Guest VAP. You must enable DHCP for the clients.

The next step is to enable DHCPd for the guest WiFi. Go to Setup->Networking and, in the DHCPd section, add another DHCP server for the guest network (click Add, then choose ath0.1 from the drop-down menu). Select the starting IP for guests, the maximum number of IPs, and the lease time. Again click Save and Apply. Wait about 30 sec. and try to connect to the Guest WiFi. You should be able to browse the Internet and shouldn't be able to reach your private network or see other clients in network discovery.
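Added example (not from the DD-WRT wiki or firmware): a shell check that a firewall rule dump contains what Net Isolation and Forced DNS Redirection are described as doing for ath0.1. The iptables-save input format, the rule layout, and the names br0, vlan2 and 192.168.1.0/24 are assumptions, and the sample rules are constructed.

```sh
# Added example: check a firewall dump for the two guest protections.
# Assumptions: iptables-save format; br0 and 192.168.1.0/24 are the private
# LAN; vlan2 is the WAN. SAMPLE_RULES is constructed, not from a DD-WRT build.
GUEST_IF="ath0.1"
LAN_IF="br0"
LAN_NET="192.168.1.0/24"

SAMPLE_RULES='*nat
-A PREROUTING -i ath0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 208.67.222.222
-A PREROUTING -i ath0.1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 208.67.222.222
COMMIT
*filter
-A FORWARD -i ath0.1 -d 192.168.1.0/24 -m state --state NEW -j DROP
-A FORWARD -i ath0.1 -o vlan2 -j ACCEPT
COMMIT'

# Print only the "-A" rule lines of one table ($1) from a dump on stdin.
rules_in_table() {
    awk -v t="*$1" '/^\*/ { on = ($0 == t) } on && /^-A / { print }'
}

# Succeed only if BOTH UDP and TCP port 53 arriving on interface $2 are
# rewritten (DNAT or REDIRECT); redirecting UDP alone leaves TCP DNS open.
dns_redirected() {
    printf '%s\n' "$1" | rules_in_table nat | awk -v i="-i $2 " '
        index($0, i) && / --dport 53 / && / -j (DNAT|REDIRECT)/ {
            if (/ -p udp /) u = 1; if (/ -p tcp /) t = 1
        }
        END { exit !(u && t) }'
}

# Succeed if the first FORWARD rule that covers guest -> LAN traffic drops it.
# Simplified first-match model: negation and state matches are not evaluated.
lan_blocked() {
    printf '%s\n' "$1" | rules_in_table filter | awk -v i="-i $2 " \
        -v o="-o $LAN_IF " -v d="-d $LAN_NET " '
        /^-A FORWARD / && index($0, i) && !seen {
            if (!(index($0, o) || index($0, d) || $0 !~ / -[od] /)) next
            if (/ -j (DROP|REJECT)/) { seen = 1; ok = 1 }
            else if (/ -j ACCEPT/) seen = 1
        }
        END { exit !ok }'
}
audit() {
    if dns_redirected "$1" "$GUEST_IF"; then echo "DNS redirect: ok"; else echo "DNS redirect: MISSING"; fi
    if lan_blocked "$1" "$GUEST_IF"; then echo "LAN block: ok"; else echo "LAN block: MISSING"; fi
}
audit "$SAMPLE_RULES"
```

To check a live router, pass its own rule dump to `audit` in place of `SAMPLE_RULES`.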

To do some net abuse filtering we will use OpenDNS.

What is OpenDNS?

OpenDNS is a free DNS (Domain Name System) service which makes internet browsing safer and allegedly faster. By simply using their DNS servers instead of your ISP's, you are automatically protected from the websites on their phishing list. However, in order to restrict a variety of adult website content you will need to create a free account with them, register your IP address and select the categories you want restricted (e.g. sexuality, nude, pornography, lingerie, grotesque, etc.). Since most of us have DHCP-assigned WAN IP addresses that change periodically, we need to instruct our router to tell OpenDNS what our new IP address is when it changes. See DNS-O-MATIC.

Reboot the router, clear your browser cache, and manually set a public DNS server on your PC's NIC adapter to try to get around the restrictions...