Configure Multiple SSIDs with One Router
A standard “home setup” for the wireless router now days consists of just hosting one Service Set IDentifier - or SSID. And if only a year ago that could seem as a router (firmware) limitation, right now using multiple SSIDs with a single wireless router is just a matter of re-configuration.
Below is a simple guide on how to configure a single affordable (from $25 and up) router, that is available to anybody, to host multiple (up to 16 - at the moment of writing) SSIDs using DD-WRT firmware. In order to install the firmware on the router, follow the official DD-WRT Installation Guide.
Below step-by-step howto is good for any routers that could be found on DD-WRT supported hardware list. Which includes pretty much any “home” router that is out there. Given that DD-WRT is installed, let’s move on to configuring it to host multiple SSIDs.
First let’s look at what we would like to archive as our “end goal”:
So what we would like to have is:
- One router with DD-WRT firmware installed, that hosts 2 (in this example) SSIDs: “Home” and “Guest”
- Two VLANs where one network (VLAN1) can “see” another (VLAN2), but not other way around.
What that means is that all “Home” clients (computers that are connected to “Home” SSID) can see (ping/connect to/etc.) “Guest” computers, however none of “Guest” clients can see “Home” computers. (this is a matter of configuration, and can be configured differently, depending on what you need)
Step 1. Setup DHCP server for the “Home” (main) network.
As you can see from the “end goal” diagram above, the “Home” SSID (or VLAN1) has a 10.2.1.0 subnet, and its DHCP client addresses start from 10.2.1.100. Hence that is what needs to be configured on DD-WRT’s “Setup -> Basic Setup” screen (the “Router Local IP” should be set to 10.2.1.1 which would dictate the subnet to be 10.2.1.0):
Note that “10.2.1.0″ is just an example - you would want to use something that is appropriate for your network - e.g. “192.168.1.0″
Step 2. Setup wireless networks (SSIDs).
Now we need to create two wireless networks - one main network (e.g. “Home”), and one virtual network (e.g. “Guest”). For that go to DD-WRT “Wireless -> Basic Settings” screen:
Enter a desired name for “Physical Interface’s -> Wireless Network Name(SSID)” (this is going to be the main network). You can also stick to the “end goal” diagram above, and enter “Home”.
After that is done, click “Add” to add a “Virtual Interface” and enter its SSID name as well (e.g. you can enter “Guest”). Make sure that the “Network Configuration” is set to “Bridged” as shown on the screen in this step.
Step 3. Configure wireless network security.
In the previous step we configured two wireless networks, now let’s secure them. We will use 128 bit WEP algorithm for both of them due to the reason described in “Step 5″. To accomplish this go to DD-WRT “Wireless -> Wireless Security” screen:
Choose “WEP” for “Security Mode”, 128 bits for “Encryption”, enter “Passphrase” and click “Generate” button.
Do it for both networks (Physical and Virtual Interfaces)
Step 4. Setup a virtual interface, and its DHCP settings.
Now we will set the bridge for the virtual network - “Guest” (or VLAN2) from the “end goal” diagram above. For that go to DD-WRT “Services -> Services” screen:
Find “DNSMasq” section, enable “DNSMasq”, and in “Additional DNSMasq Options” enter:
interface=br1 dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m
This would create a DHCP server for the virtual (”Guest”, VLAN2) network.
“192.168.2.100″ is again - just an example, you can use any subnet that suits your needs.
Step 5. Setup firewall rules and a startup script.
This is the most complex step, that makes many network administrators confused, and regular people to give up on DD-WRT multiple SSID configuration. But don’t worry 
- below is a “copy/paste”, working deal.
Go to the DD-WRT “Administration -> Commands” screen:
Enter the following firewall rules to the “Firewall” section:
##BRI1 iptables -I INPUT -i br1 -m state --state NEW -j logaccept iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT #below keeps the two networks from talking iptables -I FORWARD -i br0 -o br1 -j logdrop
Enter the following commands to the “Startup” (it is a startup script that executes when the router starts up):
##MOVES VIRTUAL WIRELESS TO OWN BRIDGE brctl addbr br1 brctl delif br0 wl0.1 brctl addif br1 wl0.1 ifconfig br1 192.168.2.1 netmask 255.255.255.0 ifconfig vlan2 up brctl addif br1 vlan2 ifconfig br1 up ##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now) killall nas nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1 nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1
Here is where it gets interesting… Remember in “Step 3″, when configuring wireless security, we chose WEP? That was done because the current DD-WRT firmware “v24-sp1 (07/27/08) micro”, that is used at the moment of writing, has a bug in starting NAS, which is a proprietary binary tool that sets up dynamic encryption (WEP/WPA) on wireless devices.
UPDATE (12/22/2008): Tried "v24-sp2" (09/26/08 std - build 10431M VINT Eko) for WRTG54GL v1.1 router - WPA worked with multiple (tried 2) SSIDs.
In a startup script above, we start NAS in “vanilla” mode for “eth1″ (the main network) and for “wl0.1″ (guest, virtual nework), and therefore we are using WEP for both networks.
The only line from above startup script that you might want to change is:
ifconfig br1 192.168.2.1 netmask 255.255.255.0Here “192.168.2.1″ is, again, an example, so if you chose a different subnet for the virtual network (br1), you should enter it instead.
DONE!
Now you can save all the changes and restart the router. You should be good to go!
If you have any questions or comments, you are welcome to address them below in the “comments” section.
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
October 3rd, 2008 at 1:05:17
Good tutorial but I didn’t understand if wpa/wpa2 can be used?
October 3rd, 2008 at 1:31:24
@user,
Currently, due to the NAS bug, WPA/WPA2 can be used together with multiple wireless VLANs only on certain router models. Unfortunately, I do not have the list of “NAS fortunate” models.
For all other routers, WEP can be used, and hopefully with v24 SP2, this will no longer be a problem. I submitted the ticket some time ago.
Thanks,
– Toly
October 4th, 2008 at 16:55:55
Hi, thanks for the very in depth tutorial. I followed it exactly with my WRT54GL v1.1 and installed dd-wrt v24sp1 micro as you suggested. The setting work except I cannot access the internet with the virtual ssid. I do get a correct ip address from the DHCP server but I cannot access the internet at all. Cannot even ping a website. The first ssid does work.
Any ideas?
Thanks, Dan
October 4th, 2008 at 17:45:24
Hey Dan,
This may happen due to several reasons.. Before troubleshooting, let’s gather the info about your current setup:
1. What router do you have (model / version / etc..)?
2. Can you ping your virtual network (”Guest”, or VLAN2) from your main (”Home”, or VLAN1) network?
3. I know you said that you’ve followed the tutorial exactly, but did you make any changes in firewall / startup scripts?
4. Can you ping the router from the virtual network (given that they are on the different subnets)?
5. Anything else different from the “tutorial setup”?
Thanks for the comment,
– Toly
October 4th, 2008 at 22:46:59
Hi Toly, thank you for responding so quickly! here are the answers to your questions:
1) my router is: WRT54GL v1.1 and installed dd-wrt v24sp1 micro as you suggested
2) Yes, I was able to ping my guest network (192.168.2.1) from my main network
3) I made no changes to any of the scripts, exact copy paste.
4) Yes, when connecting to the virtual ssid, I get an IP address assigned, say 192.168.2.145. I can ping my router 192.168.1.1 and I can access the dd-wrt config page via the web browser using the same ip.
5) the only difference between your set up and mine is that I have my main network as 192.168.1.1
Thanks again for your help. regards, Dan
October 6th, 2008 at 0:33:09
Hey Dan,
After some research for your particular configuration, I believe the root cause here is that you are using a NEWD driver, which unfortunately does not support multiple SSIDs (with new dd-wrt v24) for all routers (works for most, but not for all).
What you’d better off using is a VINT vintage driver, that works for most of the routers including yours (WRT54GL v1.1)
You can download the dd-wrt vintage micro v24 sp1 firmware from dd-wrt site here:
dd-wrt.v24-9517_VINT_micro.bin
Let me know if that works for you,
– Toly
October 6th, 2008 at 9:06:01
Hi Toly, thanks for looking into this. I did not realize my router needed a very specific versio in order to make it work with multiple ssids. I hope this is the fix !! I will let you know if it works. Thanks again for your help! Dan
October 6th, 2008 at 9:42:54
Hey Dan,
Hopefully by the time v24 SP2 is out, NEWD driver will work with multiple SSIDs for your router, but for now use VINT - it is as good
Let me know how it goes,
– Toly
October 6th, 2008 at 11:08:12
Great post. Thanks for the information and the steps. The instructions are very clear
October 6th, 2008 at 18:03:24
Hi Toly, I tried the vint micro and followed the instructions exactly the same but, same problem. On the virtual network, I get an IP address assigned, but no internet access. Please let me know if you have any other ideas. Thanks, Dan
October 6th, 2008 at 18:56:01
This is amazing - very clear and helpful!
It worked nicely for my WRT54G v5! You might want to contribute this to DD-WRT wiki site, it’ll help a lot of people!
Thank you for the post!
October 6th, 2008 at 19:25:11
Roger, Jim - Thank you
Dan,
Sorry to hear that. But we can always try harder
:
1. In step 2, make sure that “AP Isolation” is Enabled in “Virtual Interfaces”
2. I understand that your virtual SSID gets an IP, but just for the heck of it - can you disable WEP for both, and restart everything.
Let me know what you get - I’ll think more,
– Toly
October 6th, 2008 at 20:11:09
Hi Toly, first off i wanted to thank you for doing your best to help me out on this. It is much appreciated.
1) AP Isolation is enabled
2) I disabled security on both networks and the same happens…no internet on the virtual.
Dan
October 8th, 2008 at 21:05:40
Hey Dan,
I am still thinking.. If you cannot connect from your virtual network, that means that:
1. It is misconfigured for your particular router
2. Or if it is configured correctly, then it is the driver
Seems like we checked the driver, and you are saying that VINT did not work for you also. That would only leave configuration.
Now what can be misconfigured, given that your virtual lan gets assigned an IP?
1. Firewall rules - most likely
2. Moving the virtual lan to its own bridge
It is a bit difficult to speculate what out of the above it incorrect without experimenting with the unit (WRT54GL). However I would narrow down, and try to experiment with the last two configuration points.
Let me know how it goes - I’ll update the post for your model, once we get it working.
– Toly
October 9th, 2008 at 9:42:16
Hi Toly, I have tried removing the firewall rules before to see if that would help but in the past it didn’t change anything. I will try that again. i am very confused to why I cannot get this to work on a WRT54GL especially when so many others can get it to work on other routers. I would have thought the WRT54GL would be one of the better routers to work with dd-wrt.
I am thinking of to other possible reasons to why this isn’t working. 1) my router is malfunctioning. I just bought another new WRT54GL that I am going to try to config the same way. Or 2) it may have something to do with my DSL connection and possibly a bug with PPPoE. I have no proof that is the problem though…
If I cannot get my new router to work, I will gladly send you one of mine for you to try if you have the ambition to do so. Let me know if you are interested.
Thanks, Dan
October 9th, 2008 at 10:54:34
Hey Dan,
1. Removing the firewall rules won’t help, since those rules are suppose to make your virtual wireless lan to see (ACCEPT) the word. Specifically these two:
They seem to me pretty straight forward, however maybe you should experiment with them, maybe your router needs to massage it. Should not really, cause it is iptables language, but.. maybe parameters. Definitely not delete them, but see if you need to massage them.
What you can try removing though is the rule that prevents visibility from your virtual SSID to your “home/main” SSID:
This is actually might be a good idea to try, since that definitely limits the virtual SSID rights..
2. I doubt it is either (malfunctioning or DSL connection problem) - if you are able to connect with one (main), you should be able to connect with two/16 if:
2.1 Router driver is right for that (so you can try swapping VINT/NEWD/OTHER?)
2.2 DD-WRT configuration is correct - for your particular router
3. I would not go that far as mailing out your router
Let me know what you get with trying #1,
– Toly
October 10th, 2008 at 11:01:26
hi Toly, I tried my new router and you are right it works the same. I also tired deleting the firewall line you suggested and that did not change.
I tried a few other iptable setting that I found at the dd-wrt forums but nothing has worked for me. I am not familiar enough to change the iptables and understand what will work and what will ot. That is why I look to experts like you and others at the dd-wrt forum. Unfortunately I can’t get it to work.
I am starting to believe this router won’t work. Any other ideas? I am at a loss.
Thanks, Dan
October 11th, 2008 at 13:15:46
Thans for a nice guide.
In step 5, when i enter the firewall script and click save firewall. Then my router hangs and i cant access the router. Any idea why?
October 11th, 2008 at 21:36:07
Wow - thanks for taking the time to put that post together! Solved my router issue asap. Cheers!
October 17th, 2008 at 10:20:37
Hey thanks for taking your time to put that guide up! Will post if I have any problems.
October 22nd, 2008 at 14:15:38
[…] Extend wireless network range with WDS Implementing Inexpensive Multiple SSID Networks Building a Wireless Bridge Configure Multiple SSIDs with One Router […]
November 3rd, 2008 at 5:18:56
Does the latest version Of DD-WRT, SVN revision 10737 fix the different security settings? I am trying to do the above with the main ssid having WPA/Personal and the virtual ssid having WEP. Has anyone figured out how to do this?
November 7th, 2008 at 4:41:24
Hi Toly,
I was playing with doing this for a little while now and was having similar problems to Dan (I also have a WRT54GL). Once I flashed to the VINT firmware, and used the methodology you described, it worked great. I really appreciate you putting this together. Thanks!
November 7th, 2008 at 19:20:53
@Shawn,
I have not tried a new (10737) SVN revision, but I would really appreciate if you can post here, when you find out. I’d update my guide to include the change. Thx!
@Zeke,
That is what I originally though (that VINT driver should do it).
Is there anything you did differently from my article? I can post the corrections for “WRT54GL” router, so Dan, and other guys can follow.
I am very glad it works for you!
November 7th, 2008 at 21:40:59
Hey Toly,
The only thing that seems different that you did from some other stuff I read, was that some other sources defined DNS for a particular interface in DNSmasq. Otherwise most of the stuff is the same. However, things were not working before I flashed to the VINT firmware. I don’t think that was due to my configuration, because I more or less had the same stuff you posted, and tried it in various different ways. That’s why I’m quick to attribute it to the firmware upgrade. Plus, I was trying to use WEP on one of the WLANs and WPA on the other, which is specifically a bug you were referring to. In fact, the WLAN that _wasn’t_ working for me (the 2nd one) was the one that I had WPA set up on.
To be more specific, the problem that I kept having was this: the DHCP server wasn’t appearing to run (or at least correctly) because I wasn’t getting an IP on the 2nd WLAN; and when I was able to get an IP correctly, I couldn’t access the internet (this may have been poor bridge set up on my part, but I don’t think so at least at the end)… as if it wasn’t routing correctly. So… I don’t know if this helps for other WRT54GL people out there… or if I was just setting it up weird until seeing your article… but that’s how it went down for me.
Thanks again Toly!
Zeke
November 8th, 2008 at 1:54:57
@Zeke,
What you described is sometimes called a “walmart problem”. That is due to the fact that people cannot access “walmart.com” what represents the world outside of the router.
Unfortunately, I do not have a linux linksys router to play with, but what is the version of your WRT54GL?
Thanks for your details!
– Toly
November 9th, 2008 at 5:24:30
Hi Toly,
I have a WRT54GL V1.1. You are right… I wasn’t able to access the outside world. Like I said, I think the routing wasn’t right. Is there any other info I could provide that might be helpful?
Thanks for everything!
Zeke
November 10th, 2008 at 0:58:51
@Zeke,
Thanks for the version.
Let’s say there is “anybody” who has two things:
1. WRT54GL V1.1 Router
2. The above guide
What would you identify as additional/changed steps, from the above guide, that “anybody” should take in order to succeed in setting up two SSIDs?
Thanks Zeke,
– Toly
December 3rd, 2008 at 15:39:05
Thanks for the great post Toly. Best and most current how-to on setting up multiple SSIDs I’ve found so far.
I’ve been going over your post in detail and taking the time to learn exactly what’s going on in these steps. I’ve got a fairly strong linux & networking background, so the terms are very familiar.
I’ve been running though the steps by hand, running the startup commands through the ssh shell before committing them to nvram. I ran into an issue when trying to add vlan2 to the new bridge-group. Turning up vlan2 doesn’t give an error msg, but I get one when I try to add it to br1:
root@myrtr:~# ifconfig vlan2 up
root@myrtr:~# brctl addif br1 vlan2
interface vlan2 does not exist!
vlan2 is also missing from the ‘ifconfig -a’ output. (I’ve tried adding the commands blindly to the startup as instructed and rebooting, but I get the same results.)
I tried moving one of the ethernet ports to vlan2 via the GUI. vlan2 then showed up, and was added to br1 correctly. However, when I moved the ethernet port back to vlan1 and rebooted, vlan2 disappeared.
I’m hoping you have a better understanding than I about how the vlan interfaces work in dd-wrt and how I can resurrect the vlan2 interface?!? Have you seen similar issues?
It’s possibly something with my software revision, I’m running an eko svn build for usb support. Also, to simplify things, I’ve left net security disabled (I’m out in the country, so I’m relatively safe from eavesdroppers).
Router Model: Asus WL-520GU/GC
Firmware Version: DD-WRT v24-sp2 (11/05/08) std - build 10776M NEWD Eko
(/others/eko/V24_TNG/svn10776/dd-wrt.v24-10776_NEWD_nokaid_usb.bin)
Thanks!
Bob
December 19th, 2008 at 5:58:51
Do you happen to have any updates to this, i have a WRT54G and i would like to setup another SSID but still use WPA
December 22nd, 2008 at 22:08:13
@Bob,
Thanks for the update - very cool for Asus router people!
@Darvan,
Have you tried configuring multiple SSIDs using the guide (above) using “v24-sp2″ instead of “v24-sp1″?
Let me know if you did, and if you did not, it should only take you about 10-15 minutes total to try it out.
– Toly
January 1st, 2009 at 4:16:26
[…] untuk keterangan tentang masing-masing perintah, bisa di baca di web http://blog.dotkam.com/2008/10/02/configure-multiple-ssids-with-one-router/ […]