Simple Guest Access Setup - DD-WRT (Kong Mod 18010M)

2 posts / 0 new
Last post
rbscairns
rbscairns's picture
Simple Guest Access Setup - DD-WRT (Kong Mod 18010M)

I decided to set up secure guest access on my WNR3500L router to allow visitors to access the internet with their wifi devices..

I have next to no command line knowledge, so everything had to be done using the internet browser based graphical user interface (GUI).

This thread covers what I did to set up secure guest access the WNR3500L with DD-WRT.

First, I flashed (installed) the DD-WRT firmware onto my router and set everything up so that my network (both wireless and wired) was working with good wireless security settings.

Next was to activate a virtual interface on the router:

 

  1. Log in to the router GUI and go to Wireless>Basic Settings
  2. At Virtual Interfaces, click on [Add]. This will open up a section with more options.
  3. In the Virtual Interfaces section, enter a Wireless Network Name (e,g., MyGuest).
  4. Wireless SSID Broadcast = Enable (so your gest can see your network on their device).
  5. AP Isolation = Disable (because I have no idea what it is).
  6. Network Configeration = Bridged (because I think I am going to need it later for security).
  7. Click on the [Applied Settings] button and wait 1 minute.

 

Now you need a bit of security so that your good honest neighbours do not "accidentally" access your network.

 

  1. In the GUI, go to Wireless>Wireless Security. There you should see a section for your new Virtual Interface.
  2. In this new Virtual Interfaces section, select your preferred wireless security settings. For future security settings, make sure that your sharedkey (WPA security mode) or passphrase (WEP security mode) or sharedsecret (RADIUS security mode) is different from the one you used in your Physical Interface.
  3. Click on the Applied Settings button and wait 1 minute.

 

That is all there is to it, although there is a downside. Your guest will have full access to your network Surprised, not just the internet! Your guest(s) should see your MyGuest on their wireless device and they can connect to your wireless network with the sharedkey/passphrase/sharedsecret that you provide to them.

Next I will try and learn how to isolate guest access to just the internet. When done, I will expand this post.

zoomlink
zoomlink's picture
There is a way to keep that

There is a way to keep that interface separate from your home network (br0) remember the bridged setting on the Virtual Interface? If you do a search in the DD-WRT Wiki you should find instructions on doing it....

The br0 interface is where all 'bridged traffic' joins the router and the router [based on its mode and firewall rules] forwards or blocks traffic to/from the WAN interface to/from the LAN side of the router.

On your router's GUI, if you go to SETUP>VLANS you will see which VLAN is assigned to to which physical interface, LAN or WAN.

On my RT-N16, VLAN1=Carries LAN Traffic and VLAN2=Carries WAN Traffic.

So the Router/Bridge br0 receives traffic via its physical interface eth0 from VLAN1 (LAN) and eth1 (WLAN) and joins this traffic to make a determination (based on its role of Router or Gateway) on how that traffic will be forwarded to VLAN2 (WAN Interface).

You can see this when you go on the Router GUI to SETUP>NETWORKING, down to the Bridging Table section.

Normally shows that br0 (router/bridge) is linking/bridging VLAN1(LAN traffic) together with eth1 (WLAN traffic).

So from a conceptual standpoint, if you create the following in the SETUP>NETWORKING Section you could segregate your VAP traffic straight to the WAN Interface without it touching or having visibility into your Private LAN.

Cenceptually, you would need to create a new bridge [br1] and then assign/link that bridge to the VAP interface. You would also need to create another instance of the DHCP server and assign it to your br1 bridge and configure a different network from your current private LAN (if you are using 192.168.1.0, then make the VAP Network 192.168.2.0). I will test this today but I believe you may need to also add a static route on your SETUP>ADVANCED ROUTING tab.

This is just what I have in my head conceptually.. but you should double check it with DD-WRT Wiki Tutorials and Forum Posts.

EDIT:
Check this tutorial out http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN