
DDWRT Guest Network

[UPDATE: This process isn't worth it anymore. For low-end projects, just buy an Asus router (it doubles as an access-point). For mid-sized projects, buy Ubiquiti. For high-end projects, buy Watchguard. Boom. Done. Easy.]

The goal is to have one wireless unit providing both the OFFICE WIFI and the GUEST WIFI. This wireless unit is an access point already running the OFFICE WIFI. It is not a router/gateway/firewall. A SonicWall is the router/gateway/firewall.

So how do we have a wireless GUEST WIFI as well as a regular OFFICE WIFI?

ADD GUEST WIFI NETWORK

  • -click WIRELESS > BASIC SETTINGS.
  • -find VIRTUAL INTERFACES (at the bottom).
  • -click ADD.
  • -give your guest wifi network a name.
  • -select ENABLE for AP ISOLATION.
  • -click SAVE > APPLY.

ADD PASSWORD TO GUEST WIFI NETWORK

  • -click WIRELESS SECURITY (at the top).
  • -select a mode (I chose WPA2 PERSONAL).
  • -select an algorithm (I chose TKIP + AES).
  • -type a password.
  • -click SAVE.

CREATE A BRIDGE

  • -click SETUP > NETWORKING (at the top).
  • -find BRIDGING SECTION (should be the 2nd from the top).
  • -click ADD.
  • -type: br1 (in the first box).
  • -click SAVE (at the bottom).
  • -new options will show under the bridge.
  • -type in an IP ADDRESS & SUBNET MASK (I typed in 192.168.2.1 & 255.255.255.0).
  • The idea here is that it must be a separate network from the main network. Since most small networks are 192.168.1.1 or 192.168.0.1, using 192.168.2.1 is fine.
  • -click SAVE > APPLY.

ASSIGN GUEST WIFI TO BRIDGE

  • -go to the BRIDGING SECTION again.
  • -find ASSIGN TO BRIDGE.
  • -click ADD.
  • -select BR1.
  • -select WL0.1.
  • -click SAVE > APPLY.

ADD 2ND DHCP SERVICE

The DHCP service must be running to add a secondary DHCP service.

  • -click SETUP > BASIC SETUP (at the top).
  • -find the DHCP section.
  • -select DHCP SERVER.
  • -verify the appropriate network information.
  • -checkmark USE DNSMASQ FOR DHCP.
  • -checkmark USE DNSMASQ FOR DNS.
  • -checkmark DHCP-AUTHORITATIVE.
  • -click SAVE (at the bottom).
  • -click SETUP > NETWORKING (at the top).
  • -find the DHCPD section (at the bottom).
  • -click ADD.
  • -select BR1.
  • -select ON.
  • -click SAVE > APPLY SETTINGS (at the bottom).

CUSTOMIZE THE 2ND DHCP SERVICE

  • -click SERVICES (at the top).
  • -find the DNSMASQ section.
  • -select ENABLE for DNSMASQ.
  • -select ENABLE for LOCAL DNS.
  • -select ENABLE for NO DNS REBIND.
  • -type the following in the Additional DNSMasq Options:

dhcp-option=3,192.168.1.1
dhcp-range=192.168.1.100,192.168.1.150,255.255.255.0,24h
dhcp-option=6,192.168.1.1,4.2.2.2
interface=br1
dhcp-option=br1,3,192.168.2.1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
dhcp-option=br1,6,4.2.2.2,8.8.8.8

This should be fairly straightforward. We are setting the options for 2 sets of DHCP. Each set customizes the GATEWAY, DHCP RANGE and DNS for its own DHCP scope (the untagged lines apply to the main bridge, the lines tagged br1 apply to the guest bridge). You will have to customize this to fit your own needs.

This is different from most instructions you will see, because this unit is an ACCESS POINT and not a GATEWAY/ROUTER/FIREWALL. Left to its defaults, the AP will automatically try to become the DNS and the GATEWAY for both DHCP ranges. That obviously won't do, since other devices perform those functions here. More importantly, I do not want the guest network to have the same DNS settings as the regular network. The settings above let us customize both scopes to our needs.

ADD FIREWALL RULES

  • -click ADMINISTRATION > COMMANDS (at the top).
  • -find the COMMAND SHELL box.
  • -type the following:

# Let new connections from the guest bridge be forwarded, and clamp MSS so tunnelled/PPPoE uplinks work
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Block new connections between the office bridge (br0) and the guest bridge (br1) in both directions
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Source-NAT guest traffic to the AP's LAN address so the SonicWall sees one known host
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Keep guests off the AP's own management services (long options take two dashes)
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

  • -click SAVE FIREWALL (at the bottom).

This isn't straightforward at all. Basically, the first 5 commands allow internet access to flow. The last 4 commands block the GUEST WIFI from accessing the OFFICE WIFI.
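As an added example (not part of the original post), a small Python checker that parses the Additional DNSMasq Options from the DHCP section into per-bridge scopes and verifies the properties this setup relies on: each range and gateway sits inside its own bridge subnet, the guest subnet does not overlap the office subnet, and no guest DNS server lies in the office subnet, since the FORWARD DROP rule above would discard those lookups. It assumes the untagged dnsmasq lines apply to the office bridge br0 and the br1-tagged lines to the guest bridge.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the Additional DNSMasq Options from this post.
DNSMASQ_OPTIONS = """\
dhcp-option=3,192.168.1.1
dhcp-range=192.168.1.100,192.168.1.150,255.255.255.0,24h
dhcp-option=6,192.168.1.1,4.2.2.2
interface=br1
dhcp-option=br1,3,192.168.2.1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
dhcp-option=br1,6,4.2.2.2,8.8.8.8
"""

def parse_scopes(text, default_tag="br0"):
    """Group dhcp-range / dhcp-option lines by interface tag (untagged -> default_tag)."""
    scopes = defaultdict(dict)
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = value.split(",")
        if key == "dhcp-range":
            # A leading interface name (not an address) selects the bridge this range serves.
            tag = fields.pop(0) if not fields[0][0].isdigit() else default_tag
            start, end, mask = fields[0], fields[1], fields[2]
            scopes[tag]["network"] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
            scopes[tag]["range"] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif key == "dhcp-option":
            tag = fields.pop(0) if not fields[0].isdigit() else default_tag
            scopes[tag][int(fields[0])] = [ipaddress.ip_address(a) for a in fields[1:]]
    return dict(scopes)

def check_isolation(scopes, office="br0", guest="br1"):
    """Return a list of problems; an empty list means the scopes match the post's design."""
    problems = []
    for tag, s in scopes.items():
        net, (lo, hi) = s["network"], s["range"]
        if not (lo in net and hi in net and lo <= hi):
            problems.append(f"{tag}: dhcp-range {lo}-{hi} is not inside {net}")
        for gw in s.get(3, []):  # option 3 = default gateway handed to clients
            if gw not in net:
                problems.append(f"{tag}: gateway {gw} is outside {net}")
    office_net, guest_net = scopes[office]["network"], scopes[guest]["network"]
    if office_net.overlaps(guest_net):
        problems.append(f"{guest} {guest_net} overlaps {office} {office_net}; guest must be a separate network")
    for dns in scopes[guest].get(6, []):  # option 6 = DNS servers; guest -> office LAN is DROPped
        if dns in office_net:
            problems.append(f"{guest}: DNS {dns} is in the office subnet and would be dropped")
    return problems
```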

That should do it! Save and Restart the unit to make sure that it survives a reboot. There are 2 separate networks, the OFFICE WIFI and the GUEST WIFI. The GUEST WIFI can access the internet but cannot access the office network. That includes any shares, printers or any other computers on the office network.
