Multiple SSIDs on separate VLANs

Discussion in 'DD-WRT Firmware' started by heidnerd, Aug 2, 2008.

  1. heidnerd

    heidnerd LI Guru Member

    I've got several WRT54GLs that I've upgraded to DD-WRT v24. One will be used in an apartment, and I want multiple SSIDs, with each SSID effectively on a separate VLAN.

    I.e., even though they share a common wireless interface, I do not want the wireless clients to be able to contact each other (ping should fail), but I do want the clients to be able to reach the internet.

    I've read the DD-WRT wiki's FAQs, advanced tips, etc. I can get close but am still not successful. Has anyone else tried this, and what did you do for a setup?
  2. HennieM

    HennieM Network Guru Member

    I have not done so myself with dd-wrt, but the story is probably this:

    When you use different VLANs, those VLANs should be carried, through any switches, to separate gateways or separate interfaces on a single gateway, in order to access the internet. These VLANs must also each have their own DHCP server (or a different interface on the same DHCP server), if you use DHCP.

    I.e., the separate VLANs are just like separate wires that you run for each VLAN from your Access Point to whatever gateway or servers or other network devices you might have on that VLAN.

    For instance, say you have
    1) dd-wrt router used as an AP with the VLAN'd SSIDs
    2) the AP is connected to a switch
    3) the switch is connected to another router (let's call it gateway)
    4) gateway is connected to the internet via its WAN port

    wireless_client- - -wireless- - -AP------ switch------gateway---internet

    Also suppose you have VLAN10 configured on the dd-wrt AP with SSID SSID10

    then you must have a VLAN10 interface configured on the switch and a VLAN10 on gateway, and on gateway VLAN10 must be routed to the WAN port.

    If you have no VLAN10 configured on the switch, then packets on VLAN10 would not get to the switch, and thus not to the gateway and the internet. Also, if you have VLAN10 on the switch, but not on gateway, packets on that VLAN will not get to gateway.

    If you have the dd-wrt AP itself connected to the internet, like

    wireless_client- - -wireless- - -AP---internet

    then you must route/firewall VLAN10 to the WAN interface on its own, as I don't think dd-wrt will do those routings and firewalling for you. If you have more VLANs you must also route/firewall those VLANs to the WAN interface on their own.

    What I've seen with Ciscos is that, if you don't have those VLANs configured on switches and other connected equipment, the AP doesn't know where to go with the VLAN packets, and then brings your whole network down. VLANs work well when everything is configured correctly, but if not, things go haywire.
  3. sstidman

    sstidman Addicted to LI Member

    AP Isolation option

    I don't use DD-WRT, I use Tomato. But in Tomato they have an option called "AP Isolation". What that does is prevent the various clients connected to your AP from being able to communicate with one another, even when all the clients are using the same SSID. You might see if DD-WRT supports something similar.
  4. ifican

    ifican Network Guru Member

    The way HennieM has explained it is the cleanest way to have multiple VLANs. Though VLANs in this case have no bearing on anything other than the switch they are configured on. We can get more into this later if need be, but what I need is for you to be more clear about what you are trying to do. Are you trying to have all WRTs connected together wirelessly and still have separate SSIDs for wireless users connecting to those WRTs?

    As HennieM has explained, having each WRT on a different subnet is not going to be an issue; the problems and configuration issues are going to arise depending on how you plan on connecting all these WRTs together. The absolute easiest way will be to have one WRT connected to the internet and then cable that WRT to each WRT you want to have different users on. You will have one subnet that all internal WRTs are connected to, and then have each set up as a gateway so it NATs to internal subnets that are still different. All of your internal subnets could be exactly the same IP range; it wouldn't matter, because the WAN IP of each WRT would be on the subnet of the main WRT.

    If you want to get even more involved and limit each user on each WRT to not access anything on the local LAN, you can get into that as well. Though it is going to be tough if everyone is connecting wirelessly; that's what firewalls on the host machines are for. But again, until we understand exactly what you are trying / wanting to do, we can only speculate.
  5. heidnerd

    heidnerd LI Guru Member

    Mentioning that I have multiple WRT54GLs has started the thread off in the wrong direction. Specifically, I have ONE that I want to use in my daughter's apartment. Multiple SSIDs (one for each of her roommates), and each on their own wireless VLAN. But again, using only ONE WRT54GL. The reason for wanting the separate SSIDs, passwords and VLANs is that not all of the roommates are as sensitive about keeping their machines up to date with virus patterns, patches, etc.

    Changing roommates isn't an option, multiple internet services aren't an option... so the hope was somehow to do it with one WRT54GL.

    DD-WRT v24 also has an AP Isolation box that you can select for each SSID. I did that, saved settings, rebooted the router, and was able to verify that I COULD still ping and touch the other PCs connected to the router's wireless.

    I tried several of the FAQs on the DD-WRT wiki site and was successful only in getting the router confused enough that it dumped the settings I had made and reset itself to the defaults for v24....

    so the setup is more like:

    wireless client1 (SSID1/vlan10) --\

    wireless client2 (SSID2/vlan11) --+ ---- switch_engine----firewall_engine---internet

    wireless client3 (SSID3/vlan12) --/

    In this case "switch_engine" and "firewall_engine" are part of the same firmware running on this single WRT54GL. I thought from the setup and reading I had done that perhaps, when I configured each of the SSIDs, I could somehow "tag" the packets as they are received, and the "switch_engine" could then treat them as if they are on their own LANs.

    Perhaps this helps to clarify...
  6. HennieM

    HennieM Network Guru Member

    I haven't read the wiki, FAQ etc., so I can't comment more than above on the VLANs, but I could suggest some alternatives. You could try them and see which one works for you.

    Firstly though, whether you use VLANs or suggestion no. 2 below, you would need either a DHCP server that could serve different subnets, or you need to assign static IPs to the different roommate PCs. You could probably do a DHCP thing with dd-wrt (as I see it has such an option), but I have not explored that either. Whatever the case, I assume you can sort that out.

    1) Probably the easiest if it works....
    One SSID. All bridged configuration on dd-wrt, just like you would use it as in a "normal" configuration.
    All roommates thus use the same wireless settings, and effectively could "speak" to one another, if it was not for this rule you add on dd-wrt:
    iptables -A FORWARD -i br0 -o br0 -j DROP
    which means dd-wrt is to drop any packets coming in through br0 (which is wireless+LAN) and for which the out interface is also br0. This would let packets coming in through br0 whose destination is the WAN interface (vlan1) through.
    As mentioned, I don't know if this will work, because it might be that wireless (or LAN) packets are not actually coming IN to dd-wrt, and would thus not pass through the INPUT stage of iptables, or there may be some packets that have to pass like that for the internal workings of the router.
    Also, it might be that iptables actually sees these packets through eth1 (the wireless base interface), so you might have to experiment with br0/eth1.

    2) Different SSIDs on different subnets. I.e. under "Wireless > Basic Settings", have a wl0, a wl0.1 and a wl0.2, UNbridged, with respective IP addresses of say netmask netmask netmask

    Obviously each roommate then gets an IP in one (and only one) of the respective IP ranges (which you could do with static DHCP on dd-wrt).

    The interfaces are not bridged to each other nor to the LAN, so the only way they could communicate with each other is through routing. You thus add these rules to stop the routing:
    iptables -I FORWARD -s -d -j DROP
  7. heidnerd

    heidnerd LI Guru Member

    I like the second suggestion better... but I will try both.

    I had already set up multiple SSIDs, and the intent is to PREVENT the roommates from seeing each other's PCs. I figure if they wish to move files there are either thumb drives, OR they could use a common fourth SSID. Really the purpose is to isolate the laptops from each other... effectively create a network in which no laptop trusts the other.

    Important in college settings, where students like to download various things, sometimes from less than trustworthy websites. The goal is to prevent one roommate's infected PC from easily connecting to and infecting the other roommates' PCs, but still allow all PCs to access the internet.
  8. leveup

    leveup Addicted to LI Member

    I am glad to read it here.
  9. orangeboy

    orangeboy Guest

    I do exactly what the OP wants using DD-WRT v24 micro on my WRT54G v6.

    In Setup > Basic Setup, I have my local IP address, subnet mask DHCP is set up for 50 clients starting at, DNS is set to my ISP's servers. I also have 'Use DNSMasq' for DNS and DHCP checked.

    I set up 3 SSIDs in Wireless > Basic Settings using 3 subnets as HennieM described, by adding 2 Virtual Interfaces, then I configured all 3 at the same time. I found that configuring the Wireless Physical Interface wl0 and then adding virtuals wiped out wl0's information! I kept wl0 bridged, and the 2 virtuals unbridged. This enabled boxes to provide IP addresses for the virtual interfaces. I chose for wl0.1 and for wl0.2, both with subnet mask I saved the config, but didn't apply (yet).

    I moved onto Wireless > Wireless Security, and configured security for the 3 interfaces. I require WEP for one of my devices, but prefer WPA for the rest of my network, the reason I went through the torture of setting up multiple SSIDs!

    Next I clicked on Services > Services, and enabled DNSMasq and Local DNS, as well as providing these Additional DNSMasq options:

    This basically sets up 50 DHCP clients starting at 192.168.x.200 with a 1 day lease for the virtual interfaces, and uses wl0 as its DNS 'server' (which gets its info from my ISP). Again, saved but no apply.

    Next, I went to Administration > Commands. The following was put into the command window:

    iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept
    iptables -I INPUT -i wl0.2 -m state --state NEW -j logaccept
    iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
    iptables -I FORWARD -i wl0.2 -o br0 -j logdrop
    iptables -I FORWARD -i br0 -o wl0.1 -j logdrop
    iptables -I FORWARD -i br0 -o wl0.2 -j logdrop
    iptables -I FORWARD -i wl0.1 -o wl0.2 -j logdrop
    iptables -I FORWARD -i wl0.2 -o wl0.1 -j logdrop
    'Save Firewall' was hit. These firewall rules prevent the different interfaces from accessing each other. It appears 'Save Firewall' acts as 'Apply Settings' in Administration > Management. I did 'Apply Settings' just to be safe though.

    I hope this helps!
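Putting HennieM's suggestion no. 2 (one unbridged subnet per SSID, isolation done by the router's FORWARD chain) together with orangeboy's working ruleset above, here is an added example that is not code from the thread or from DD-WRT. It assumes things the posts do not state: the WAN interface is vlan1, wl0.1 and wl0.2 sit on 192.168.2.0/24 and 192.168.3.0/24, and the "Save Firewall" commands run after DD-WRT's own rules. The dnsmasq lines are reconstructed from orangeboy's description, since the options themselves did not survive on the page. One deliberate change from the thread: INPUT from the guest SSIDs is limited to DHCP and DNS rather than accepting any NEW connection, so a roommate's VLAN cannot reach the router's admin interface. The `forward_verdict` function is a small offline model of iptables first-match evaluation so the policy can be checked on a PC before it is pasted into Administration > Commands.

```shell
#!/bin/sh
# Added example, not from the thread: per-SSID isolation on one DD-WRT box.
# Client-facing interfaces: br0 (wl0 + LAN ports) plus the unbridged virtual
# SSIDs wl0.1 and wl0.2.  Assumptions (not stated on the page): WAN is vlan1,
# wl0.1 is 192.168.2.1/24, wl0.2 is 192.168.3.1/24, and these commands run
# after DD-WRT's own firewall, so -I places them ahead of it.

WAN=vlan1
TRUSTED=br0
GUEST_IFACES="wl0.1 wl0.2"
GUEST_NETS="192.168.2 192.168.3"   # same order as GUEST_IFACES (assumed)

# Firewall commands for Administration > Commands, "Save Firewall".
# Unlike the thread's "-m state --state NEW -j logaccept", INPUT from a guest
# SSID is opened only for DHCP (udp/67) and DNS (udp+tcp/53): the router still
# serves addresses and names, but its admin pages stay unreachable from there.
gen_isolation_rules() {
  for g in $GUEST_IFACES; do
    echo "iptables -I INPUT -i $g -p udp --dport 67 -j logaccept"
    echo "iptables -I INPUT -i $g -p udp --dport 53 -j logaccept"
    echo "iptables -I INPUT -i $g -p tcp --dport 53 -j logaccept"
  done
  # Drop every ordered pair of client-facing interfaces, both directions.
  # The WAN is the only interface not listed, so client -> vlan1 (and its
  # replies) is the only forwarding path left.
  all="$TRUSTED $GUEST_IFACES"
  for a in $all; do
    for b in $all; do
      if [ "$a" != "$b" ]; then
        echo "iptables -I FORWARD -i $a -o $b -j logdrop"
      fi
    done
  done
}

# dnsmasq lines for Services > Additional DNSMasq Options, reconstructed from
# orangeboy's description (50 leases from .200, one-day lease).  dnsmasq hands
# out the range whose subnet matches the address of the interface the request
# arrived on, so no per-interface tag is needed.
gen_dhcp_ranges() {
  for net in $GUEST_NETS; do
    echo "dhcp-range=$net.200,$net.249,255.255.255.0,24h"
  done
}

# Offline check of the FORWARD policy: walks the generated rules with iptables'
# first-match semantics for a packet entering on $1 and leaving on $2 and
# prints the matching target.  Every rule matches a distinct (in,out) pair, so
# the reversed order that -I produces on the router changes nothing.  ACCEPT
# stands in for "no rule of ours matched", i.e. DD-WRT's own WAN rules decide,
# which the thread reports works for the unbridged SSIDs.
forward_verdict() {
  in_if=$1; out_if=$2; verdict=ACCEPT
  while read -r _ _ _ _ ri _ ro _ target; do
    if [ "$ri" = "$in_if" ] && [ "$ro" = "$out_if" ]; then
      verdict=$target
      break
    fi
  done <<EOF
$(gen_isolation_rules | grep ' FORWARD ')
EOF
  echo "$verdict"
}

# Print what would be pasted into the router, then a few verdicts.
gen_isolation_rules
gen_dhcp_ranges
for pair in "wl0.1 wl0.2" "br0 wl0.1" "wl0.1 $WAN"; do
  set -- $pair
  echo "# $1 -> $2: $(forward_verdict "$1" "$2")"
done
```

Run it on a PC first: the verdicts for any two client-facing interfaces should read logdrop and only the pairs ending in vlan1 should read ACCEPT. Note what this does not cover: two laptops on the same SSID share a subnet and talk through the AP at layer 2, so that case still depends on the per-SSID AP Isolation checkbox, which the thread reports did not behave as expected on v24.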