Sharing your Wi-Fi with guests is just the polite thing to do, but that doesn’t mean you want to give them wide open access to your entire LAN. Read on as we show you how to set up your router for dual SSIDs and create a separate (and secured) access point for your guests.
Why Do I Want to Do This?
There are several very practical reasons for wanting to set up your home network to have dual access points (AP).
The reason with the most practical application for the most number of people is simply isolating your home network so that guests can’t access things you wish to remain private. The default configuration for almost every home Wi-Fi access point/router is to use a single wireless access point and anyone authorized to access that AP is given access to the network as if they were wired right into the AP via Ethernet.
In other words if you give your friend, neighbor, house guest, or whoever the password to your Wi-Fi AP, you’ve also given them access to your network printer, any open shares on your network, unsecured devices on your network, and so on. You may have just wanted to let them check their email or play a game online, but you’ve given them the freedom to roam anywhere they want on your internal network.
Now while the majority of us certainly don’t have malicious hackers for friends, that doesn’t mean it isn’t prudent to set up our networks so that guests stay where they belong (on the free internet access side of the fence) and can’t go where they don’t (on the home server/personal shares side of the fence).
Another practical reason for running an AP with two SSIDs is the ability to not only restrict where the guest AP can go, but when. If you’re a parent, for example, that wants to restrict how late your child can stay up dinking around on the computer you could put their computer, tablet, etc. on the secondary AP and set restrictions on internet access for the entire sub-SSID after, say, 9PM.
What Do I Need?
Our tutorial today is focused on using a DD-WRT compatible router to achieve dual SSIDs. As such you will need the following things:
- 1 DD-WRT compatible router with an appropriate hardware revision (we’ll show you how to check)
- 1 installed copy of DD-WRT on said router
This is not the only way to set up dual SSIDs for your home network. We’re going to run our SSIDs off the ubiquitous Linksys WRT54G series Wireless Router. If you don’t want to go through the hassle of flashing custom firmware on your old router and doing the extra configuration steps, you could instead:
- Purchase a newer router that supports dual SSIDs right out of the box such as the ASUS RT-N66U.
- Purchase a second wireless router and configure it as a stand alone access point.
Unless you already own a router that supports dual SSIDs (in which case you can skip this tutorial and just read the manual for your device) both of these options are less than ideal in that you have to spend extra money and, in the case of the second option, do a bunch of extra configuring including setting up the secondary AP to not interfere with and/or overlap with your primary AP.
In light of all that, we were more than happy to use hardware we already had (the Linksys WRT54G series Wireless Router) and skip the outlay of cash and extra Wi-Fi network tweaking.
How Do I Know My Router Is Compatible?
There are two critical compatibility elements you need to check in order to have success with this tutorial. The first, and most elementary, is to check that your particular router has DD-WRT support. You can visit the DD-WRT wiki’s Router Database here to check.
Once you’ve established that your router is compatible with DD-WRT, we need to check the revision number of your router’s chip. If you have a really old Linksys router, for example, it might be a perfectible serviceable router in every way but the chip may not support dual SSIDs (which makes it fundamentally incompatible with the tutorial).
There are two degrees of compatibility in regard to the router’s revision number. Some routers can do multiple SSIDs but they cannot split the SSIDs into distinct absolutely unique access points (e.g. a unique MAC address for each SSID). In some situations this can cause problems with some Wi-Fi devices as they get confused as to which SSID (since both of them have the same MAC address) they should use. Unfortunately there is no way to predict which devices will misbehave on your network so we can’t flat out recommend that you avoid the technique outlined in this tutorial if you find you have a device that does not support discrete SSIDs.
You can check the revision number by performing a Google search for the specific model of your router along with the version number printed on the information label (usually found on the underside of the router) but we’ve found this technique to be unreliable (labels can be misapplied, information posted online regarding the model and date of manufacture can be inaccurate, etc.)
The most reliable way to check the revision number of the chip inside your router is to actually poll the router to find out. In order to do so you need to perform the following steps. Open up a telnet client (either a multi-purpose program like PuTTY or the basic Windows Telnet command) and telnet to the IP address of your router (e.g. 192.168.1.1). Login to the router using your administrator login and password (be aware that for some routers even if you type in “admin” and “mypassword” to login to the web-based management portal on the router, you may have to type in “root” and “mypassword” to login via telnet).
Once you are logged into the router, type the following command at the prompt:
nvram show|grep corerev
This will return the core revision number of the chip(s) in your router in the following format:
What the above output means is that our router has one radio (wl0, there is no wl1) and that the core revision of that radio chip is 9. How do you interpret the output? The revision number, in relationship to our guide, means the following:
- 0-4 The router does not support multiple SSIDs (with unique identifiers or otherwise)
- 5-8 The router supports multiple SSIDs (but not with unique identifiers)
- 9+ The router supports multiple SSIDs (with unique identifiers)
As you can see from our command output above, we lucked out. Our router’s chip is the lowest revision that supports multiple SSIDs with unique identifiers.
Once you’ve determined that your router can support multiple SSIDs you’ll need to install DD-WRT. If your router shipped with DD-WRT or you already installed it, fantastic. If you haven’t already installed it we recommend downloading the appropriate version from the DD-WRT web site and following along with our tutorial: Turn Your Home Router Into a Super-Powered Router with DD-WRT.
In addition to our tutorial, we cannot stress the value of the extensive and excellently maintained DD-WRT wiki. Read up on your particular router and the best practices for flashing a new firmware to it there.
Configuring DD-WRT for Multiple SSIDs
You have a compatible router, you’ve flashed DD-WRT to it, now it’s time to get started setting up that second SSID. Just like you should always flash new firmware over a wired connection, we strongly recommend working on your wireless setup over a wired connect so the changes don’t force your wireless computer off the network.
Open up your web browser on a computer connected to the router via Ethernet. Navigate to the default router IP (typically 18.104.22.168). Within the DD-WRT interface, navigate to Wireless -> Basic Settings (as seen in the screenshot above). You can see that our existing Wi-Fi AP has the SSID “HTG_Office”.
At the bottom of the page, in the “Virtual Interfaces” section, click on the Add button. The previously empty “Virtual Interfaces” section will expand with this prepopulated entry:
This virtual interface is piggybacked onto your existing radio chip (note the wl0.1 in the title of the new entry). Even the shorthand in the SSID indicated this, the “vap” at the end of the default SSID stands for Virtual Access Point. Let’s break down the rest of the entries under the new Virtual Interface.
You can rename the SSID to whatever you want. In keeping with our existing naming convention (and to make life easy on our guests) we’re going to change the SSID from the default to “HTG_Guest”–remember our main Wi-Fi AP is “HTG_Office”.
Leave Wireless SSID Broadcast enabled. Not only do many older computers and Wi-Fi enabled devices not play very nice with secret SSIDs but a hidden guest network isn’t a very inviting/useful guest network.
AP Isolation is a security setting that we’ll leave at your discretion to enable or disable. If you enable AP Isolation every client on your guest Wi-Fi network will be totally isolated from each other. From a security standpoint this is great, as it keeps a malicious user from poking around on the clients of other users. That’s more of a concern for corporate networks and public hotspots, however. Practically speaking, that also means if your niece and nephew are over and they want to play a Wi-Fi linked game on their Nintendo DS units, their DS units won’t be able to see each other. In most home and small office applications there is little reason to isolate the APs.
The Unbridged/Bridged option in Network Configuration refers to whether or not the Wi-Fi AP will be bridged or not to the physical network. As counterintuitive as this is, you need to leave it set to Bridged. Rather than let the router firmware handle (rather clumsily) the unlinking process, we’re going to manually unbridge everything ourselves with a cleaner and more stable outcome.
Once you’ve changes your SSID and reviewed the settings, click Save.
Next navigate over to Wireless -> Wireless Security:
By default there is no security on the second AP. You can leave it as such temporarily for testing purposes (we left ours open until the very end) to save yourself from keying in the password on your test devices. We don’t, however, recommend leaving it permanently open. Whether you opt to leave it open or not at this point, you need to click Save and then Apply Settings for the changes we made both in the previous section and this one to take effect. Be patient, it can take up to a 2 minutes for changes to take effect.
Now is a great time to confirm that nearby Wi-Fi devices can see both the primary and secondary APs. Opening the Wi-Fi interface on a smartphone is a great way to quickly check. Here’s the view from our Android phone’s Wi-Fi config page:
We can’t connect to the secondary AP just yet as we need to make a few more changes to the router, but it’s always nice to see them both in the list.
The next step is to begin the process of separating the SSIDs on the network by assigning a unique range of IP addresses to the guest Wi-Fi devices.
Navigate to Setup -> Networking. Under the “Bridging” section, click the Add button.
First, change the initial slot to “br1″, leave the rest of the values the same. You won’t be able to see the IP/Subnet entry seen above just yet. Click “Apply Settings”. The new bridge will be in the Bridging section with the IP and Subnet sections available. Set the IP address to one value off your regular network’s IP (e.g. your primary network is 192.168.1.1, so make this value 192.168.2.1). Set the Subnet Mask to 255.255.255.0. Click “Apply Settings” at the bottom of the page again.
After the changes are applied, scroll to the bottom of the page once more to the DHCPD section. Click “Add”. Switch the first slot to “br1″. Leave the rest of the settings the same (as seen in the screenshot below).
Click “Apply Settings” one more time. Once you’ve finished all the tasks in the Setup -> Networking page you should be good to go for connectivity and DHCP assignment.
Note: If the Wi-Fi AP you’re configuring for dual SSIDs is piggy backing on another device (e.g. you have two Wi-Fi routers in your home or office to extend your coverage and the one you’re setting the guest SSID up on is #2 in the chain) you’ll need to set up the DHCP in the Services section. If this sounds like your setup it’s time to navigate to the Services -> Services section.
In the services section we need to add a little bit of code to the DNSMasq section so that the router will properly assigned dynamic IP addresses to the devices connecting to the guest network. Scroll down the DNSMasq section. In the “Additional DNSMasq Options” box, paste the following code (minus the # comments explaining the functionality of each line):
# Enables DHCP on br1
# Set the default gateway for br1 clients
# Set the DHCP range and default lease time of 24 hours for br1 clients
Click “Apply Settings” at the bottom of the page.
Whether you used technique one or two, wait a few minutes to connect to your new guest SSID. When you connect to the guest SSID, check your IP address. You should have an IP within the range we specified with the above. Again, it’s handy to use your smartphone to check:
Everything looks good. The secondary AP is assigning dynamic IPs in an appropriate range, we can get on the Internet–we’re making a note here, huge success.
The only problem, however, is that the secondary AP still has access to the resources of the primary network. This means all networked printers, network shares, and such are still visible (you can test it now, try to find a network share from your primary network on the secondary AP).
If you want guests on the secondary AP to have access to these things (and are following along with the tutorial so you can do other dual-SSID tasks like restrict guest bandwidth or times they are allowed to use the Internet) then you’re effectively done with the tutorial.
We imagine that most of you would like to keep your guests from poking around your network and gently herd them towards sticking to Facebook and email. In that case we need to finish the process by unlinking the secondary AP from the physical network.
Navigate to Administration -> Commands. You’ll see an area labeled “Command Shell”. Paste the following commands, sans the # comment lines, into the editable area:
#Removes guest access to physical network
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
#Removes guest access to the router's config GUI/ports
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Click “Save Firewall” and reboot your router.
These additional firewall rules simple stop everything on on the two bridges (the private network and the public/guest network) from talking as well as reject any contact between a client on the guest network and the telnet, SSH, or web server ports on the router (thus restricting them from attempting to access the router’s configuration files at all).
A word on using the command shell and the startup, shutdown, and firewall scripts. First, the IPTABLES commands are processed in order. Changing the order of the individuals lines can significantly change the outcome. Second, there are dozens upon dozens of routers supported by DD-WRT and depending on your specific router and and configuration you may need to tweak the IPTABLES commands above. The script worked for our router and it uses the broadest and simplest possible commands to accomplish the task so it should work for most routers. If it doesn’t, we’d strongly urge you to search for your specific router model in the DD-WRT discussion forums and see if other users have experienced the same issues you have.
At this point you’re done with the configuration and ready to enjoy dual SSIDs and all the benefits that come with running them. You can easily give out a guest password (and change it at will), set up QoS rules for the guest network, and otherwise modify and restrict the guest network in ways that won’t affect your primary network in the least.
Jason Fitzpatrick is warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on Google+ if you'd like.
- Published 04/22/13