MultiSSIDs in the same subnet?

Discussion in 'Tomato Firmware' started by onlinespending, May 1, 2012.

  1. onlinespending

    onlinespending Addicted to LI Member

    I am wondering if it's possible to create a secondary SSID via a virtual LAN that is in the same subnet as the main wireless interface. In DD-WRT when you create a virtual SSID it does create it in the same subnet.

    The reason this is important to me, is that I have some Apple Airport Express devices that don't seem to work well with WPA2 security. They only work reliably for me with WEP. So I want to create a secondary SSID just for these devices. However, if they are not in the same subnet, the other Apple devices (laptop, iPad, etc.) cannot find the Airport Expresses. They must be on the same subnet. Unless there is a way to bridge them so that the Apple devices are tricked into finding them on the same subnet, I'm curious if this can simply be done by creating the virtual SSID to exist on the same subnet as the primary one to begin with.

    Thank you!
  2. humba

    humba Network Guru Member

    I haven't installed the MultiSSID builds yet, but couldn't you combine it with VLANs and bridging to create just that (put the MultiSSID on another VLAN and bridge it with the main LAN VLAN)? You'd undo any and all additional security you gain by using WPA though - WEP is fatally flawed and a dedicated hacker with a few minutes' time sitting outside your home will gain access to your entire network - and unless any and all traffic that goes to the insecure WLAN is encrypted, people will be able to eavesdrop on whatever goes over the unsecured WLAN.
  3. onlinespending

    onlinespending Addicted to LI Member

    But that's the thing. The WEP would only be for those Airport Express devices which are just streaming audio (no sensitive data to snoop on). And I'd ideally restrict the WEP virtual WLAN to not have internet access, so it's not as if someone jumping onto that network would benefit at all.

    Can you elaborate on doing the bridging? I should point out that Apple iTunes only looks for Airport Expresses on the same subnet (they actually have to have an IP on the same subnet). Can I map an IP address in the 192.168.1.x domain to one in another domain, say 192.168.2.x? If I have 3 Airport Express devices, I'd need to map 3 IP addresses, so that to iTunes they all look as if they reside in the 192.168.1.x subnet.
  4. apnar

    apnar Network Guru Member

    MultiSSID will let you assign each virtual SSID to whichever bridge you want, including the original one. So it'd be no problem having them all talk to each other on the same subnet.

    The much trickier job would be what you suggest in trying to stop users on WEP from accessing the net. If they connected via WEP they'd be talking to the same DHCP server as your regular network (since it's on the same bridge), so it'd be hard to differentiate their traffic at the IP level unless you have all your known machines mapped to static DHCP entries. You might be able to do some iptables commands based on which interface the packets are coming in on, but that'd definitely be diving into the command line; possibly doable though.
  5. onlinespending

    onlinespending Addicted to LI Member

    Thank you. I'll have to give that a shot. I'm really only going to have 4 devices connecting on that WEP virtual SSID, so ideally I'd like to block any devices other than the 4 devices I have from even being able to connect to the interface (via MAC filtering). I know someone could certainly clone an allowable MAC address, but it's just one more line of defense. Between that and blocking internet access, there's little they can do.
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    You can definitely do it via iptables, which can be set via the Firewall tab on the Scripts page (under Administration). I have iptables-based blocks to prevent wireless clients from talking to certain subnets (I have blocks in place on the firewall controlling access between subnets too, but a few iptables rules reduces load on the firewall if someone's silly enough to start an IP/port scan), as well as other niceties (e.g. control general packet blasting).

    The trick is visualizing how traffic flows between subnets and interfaces, though since I haven't played with MultiSSID mods yet I don't have a firm grasp of how traffic flows through the second VLAN... if it goes straight from each VLAN out to the WAN IP, and VLAN to VLAN for inter-VLAN traffic, you would create three rules... two allowing traffic to & from your two VLAN subnets (one flowing in, the other flowing out), then a third dropping all traffic from the 2nd VLAN.

    If you're using -I, remember to insert rules in reverse order (-I inserts the rule at the top of the list, -A appends the rule at the bottom of the list), so under Scripts the drop rule would be inserted first, followed by the next two rules, which means (if you were to view it from a command line) in iptables you'd end up with the two allow rules at top, followed by the drop rule, followed by whatever normal rules are present. I would put them on the FORWARD ruleset since you're talking about traffic being routed (forwarded) between subnets.
  7. humba

    humba Network Guru Member

    Will iptables work if everything comes together on the same bridge? Isn't that where ebtables comes in (being layer 2 filtering and all... iptables is layer 3 and involves routing, something that doesn't happen if you remain in the same subnet)?
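    As an added example (not from any poster in this thread), here is the Firewall-script rule set Monk E. Boy sketches in post #6, written for the same-bridge case and wrapped in a tiny simulator so the -I ordering can be checked before touching a router. The interface name wl0.1, the subnet 192.168.1.0/24 and the availability of the physdev match on the Tomato build are assumptions; as humba notes in post #7, bridged LAN-to-LAN traffic only reaches FORWARD if bridge-netfilter is on, so in practice the DROP catches the routed, WAN-bound packets.

```shell
#!/bin/sh
# Constructed example for a MultiSSID Tomato setup. Assumed names:
#   wl0.1          virtual (WEP) SSID interface, bridged into br0 with the main LAN
#   192.168.1.0/24 the shared LAN subnet
# Assumes the build ships the physdev match. Intra-bridge traffic only reaches
# FORWARD if bridge-netfilter is enabled, so the DROP mainly bites on
# WAN-bound packets, which are always routed.
WEP_IF=wl0.1
LAN_NET=192.168.1.0/24
FORWARD_CHAIN=""

# Tiny model of the FORWARD chain: -I prepends, -A appends. Rules are kept as
# one '|'-separated string, top of the chain first.
ipt_sim() {
    action=$1; shift 2            # drop the action and the chain name
    case "$action" in
        -I) FORWARD_CHAIN="$*|$FORWARD_CHAIN" ;;
        -A) FORWARD_CHAIN="$FORWARD_CHAIN$*|" ;;
        *)  echo "ipt_sim: unsupported action $action" >&2; return 1 ;;
    esac
}
IPT=${IPT:-ipt_sim}               # set IPT=iptables to run against a live router

# Issued bottom-up: each -I lands on top, so the DROP goes in first and both
# ACCEPTs end up above it. Policy: WEP clients reach the LAN subnet, nothing else.
wep_firewall_rules() {
    $IPT -I FORWARD -m physdev --physdev-in  $WEP_IF -j DROP
    $IPT -I FORWARD -m physdev --physdev-in  $WEP_IF -d $LAN_NET -j ACCEPT
    $IPT -I FORWARD -m physdev --physdev-out $WEP_IF -s $LAN_NET -j ACCEPT
}

# Print the resulting chain top to bottom, as 'iptables -L FORWARD' would show it.
show_forward_chain() {
    FORWARD_CHAIN=""
    wep_firewall_rules
    printf '%s\n' "$FORWARD_CHAIN" | tr '|' '\n' | sed '/^$/d'
}
show_forward_chain
```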