1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

tomato with dd-wrt on secondary router as WiFi AP and guest Wifi

Discussion in 'DD-WRT Firmware' started by atomicrabbit, May 21, 2012.

  1. atomicrabbit

    atomicrabbit Addicted to LI Member

    Currently I have an Asus RT-N16 running Tomato and an older Buffalo WHR-HP-G54 running tomato as well acting only as a second AP (connected to the first via LAN) for better wifi coverage in my house.

    I would like to set up the buffalo router with DD-WRT so that it not only extends my main wifi, but also set up guest wifi access on the same router.

    Any suggestions on how to go about doing this?
     
  2. gutsman7

    gutsman7 Networkin' Nut Member

  3. atomicrabbit

    atomicrabbit Addicted to LI Member

    from what i understand, the dd-wrt repeater bridge feature bridges the connection over wifi.

    I have a wired connection between the two routers. The way i have it set up now with the two router's running tomato is i just set the second router's ssid to the same as the first and disable dhcp on the second. this works fine for me now but i would like to set up a guest wireless connection as well and tomato cannot easily accomplish this AFAIK. Would i do the same on dd-wrt, then set up the guest wifi as a second wifi connection.

    this is what i would like to do:

    Main router (Asus RT-N16)
    - main WiFi connection

    Second router (Buffalo WHR-HP-G54)
    - extend main WiFi
    - guest wifi without access to the rest of the network
     
  4. atomicrabbit

    atomicrabbit Addicted to LI Member

    ok i figured it out. Here are the steps i took:

    Connected the buffalo router with dd-wrt directly to my computer
    Setup > Basic
    1. Set WAN Connection Type to Disabled.
    2. Set Local IP Address to 192.168.1.2 and Gateway to 192.168.1.1.
    3. Checked Assign WAN Port to Switch.
    4. Disabled the DHCP Server.
    5. Save.
    Wireless > Basic Settings
    1. Set the Wireless Mode of the Wireless Physical Interface (wl0) to AP.
    2. Set the SSID of wl0 to the same SSID as my main router.
    3. Set the Wireless Channel of wl0 to 6 (my main router wireless is using 11).
    4. Followed instructions from hereto set up multiple WLANs
      1. Added a new Vrtual Interface.
      2. Set the SSID.
      3. Left AP Isolation as Disabled and Network Configuration as Bridged.
    5. Save.
    Wireless > Wireless Security
    1. Set the Security Mode of wl0 to the same security as my main router's wireless settings.
    2. Set the WPA Shared Key to the same key as my main router's wireless settings.
    3. Set the Security Mode and WPA Shared Key of wl0.1.
    4. Save.
    Setup > Networking
    1. Added a new Bridge named br1
    2. Set the IP Address to 192.168.2.1 and Subnet Mask to 255.255.255.0
    3. Assigned the new br1 Bridge to wl0.1.
    4. NOTE: Since I disabled DHCP on DD-WRT because I want my main router to handle the DHCP for the main wireless, according to the instructions in the tutorial link, I could not use the GUI to set up the DHCP for br1. Instead I followed the instructions to set up br1's DHCP via commands (see below).
    5. Save.
    Services
    1. Left DNSMasq as Enabled
    2. Set the following in Addition DNSMasq Options
    Code:
    # Enables DHCP on br1
    interface=br1
    # Set the default gateway for br1 clients
    dhcp-option=br1,3,192.168.2.1
    # Set the DHCP range and default lease time of 24 hours for br1 clients
    dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
    dhcp-option=br1,6,8.8.8.8,8.8.4.4
    
    Note: I added the last line because I use DNS servers from unblock-us.com that I would preferred guests not to use. The DNS servers I specified are Google's.

    Administration > Commands
    1. Added the following Startup commands:
    Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
    Code:
    iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
    
    Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
    Code:
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
    
    Restrict br1 from accessing the router's local sockets (software running on the router)
    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    
    This seems to be working as I required. If i get into range of the second router, it will switch over to it, essentially extending the range. And the guest wifi access works great as well -- it allows guests to access the internet while blocking them from my internal network and anything they don't need and shouldn't have access to.
     
  5. atomicrabbit

    atomicrabbit Addicted to LI Member

    I ended up having to add a few commands to the Administration > Commands section because the last line (iptables -I INPUT -i br1 -m state --state NEW -j DROP) seemed to have been fully blocking internet access for the guests. I added 3 more lines as per the tutorial:

    Allow br1 to access DHCP on the router
    Code:
     iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    Allow br1 to access DNS on the router
    Code:
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    So my full script looks like this:
    Code:
    iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
    iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    Now the guests have full internet access but they cannot access the dd-wrt settings, or anything on br0's subnet.
     
  6. ChuckHL

    ChuckHL Serious Server Member

    Is there any way to do this with tomato on the secondary router? I have one main router an two repeaters. All three routers running tomato. I want to also host a guest network with access only for the internet. I was able to add br1 on the main router and have it host a guest network. My problem is with the repeater routers. They are able to connect and extend the main network, but I have not found how to have them also host a guest network. For some reason since the dhcp for the repeater router is off, it wont work for the guest network. Is there a way to do this?

    For me it is not an option to switch to ddwrt ase they dont support my router's dual band yet.
     
    Last edited: Aug 11, 2013
  7. eibgrad

    eibgrad Addicted to LI Member

    Your situation is not quite the same as the OP. The OP has extended his network by ethernet to another AP. As a repeater, presumably you've extended your network as a wireless client, and added a VAP (virtual AP) to repeat the private network. But whether you can add yet another VAP under those circumstances, I don’t know. It appears you’ve already done so based on your comments. And if you have, there’s no obvious reason you shouldn’t be able to follow the same strategy as the OP. The fact DHCP is disabled for the repeater configuration doesn’t actually stop the DHCP service. AFAIK, it’s just not bound to the private network anymore. I believe you should still be able to bind the DHCP service to other network interfaces, such as the guest (br1) network. Perhaps you’ve configured it incorrectly.
     

Share This Page