Configure Multiple SSIDs with One Router

A standard “home setup” for a wireless router nowadays consists of hosting just one Service Set IDentifier – or SSID. And while only a year ago that could have seemed like a router (firmware) limitation, right now using multiple SSIDs with a single wireless router is just a matter of reconfiguration.

Below is a simple guide on how to configure a single affordable (from $25 and up) router, available to anybody, to host multiple (up to 16 – at the moment of writing) SSIDs using DD-WRT firmware. To install the firmware on the router, follow the official DD-WRT Installation Guide.

This step-by-step howto works for any router on the DD-WRT supported hardware list, which includes pretty much any “home” router out there. Given that DD-WRT is installed, let’s move on to configuring it to host multiple SSIDs.

First let’s look at what we would like to achieve as our “end goal”:

Multiple SSIDs by several wireless VLANs served by one router

So what we would like to have is:

  • One router with DD-WRT firmware installed, that hosts 2 (in this example) SSIDs: “Home” and “Guest”

  • Two VLANs where one network (VLAN1) can “see” the other (VLAN2), but not the other way around.
    What that means is that all “Home” clients (computers that are connected to the “Home” SSID) can see (ping/connect to/etc.) “Guest” computers, however none of the “Guest” clients can see “Home” computers. (This is a matter of configuration, and can be configured differently, depending on what you need.)

Step 1. Setup DHCP server for the “Home” (main) network.

As you can see from the “end goal” diagram above, the “Home” SSID (or VLAN1) has a 10.2.1.0 subnet, and its DHCP client addresses start from 10.2.1.100. Hence that is what needs to be configured on DD-WRT’s “Setup -> Basic Setup” screen (the “Router Local IP” should be set to 10.2.1.1 which would dictate the subnet to be 10.2.1.0):

DD-WRT - DHCP settings

Note that “10.2.1.0” is just an example – you would want to use something that is appropriate for your network – e.g. “192.168.1.0”

Step 2. Setup wireless networks (SSIDs).

Now we need to create two wireless networks – one main network (e.g. “Home”), and one virtual network (e.g. “Guest”). For that go to DD-WRT “Wireless -> Basic Settings” screen:

configure wireless networks with dd-wrt

Enter a desired name for “Physical Interface’s -> Wireless Network Name(SSID)” (this is going to be the main network). You can also stick to the “end goal” diagram above, and enter “Home”.

After that is done, click “Add” to add a “Virtual Interface” and enter its SSID name as well (e.g. you can enter “Guest”). Make sure that the “Network Configuration” is set to “Bridged” as shown on the screen in this step.

Step 3. Configure wireless network security.

In the previous step we configured two wireless networks, now let’s secure them. We will use the 128 bit WEP algorithm for both of them, for the reason described in “Step 5”. To accomplish this go to the DD-WRT “Wireless -> Wireless Security” screen:

configure wireless security with dd-wrt

Choose “WEP” for “Security Mode”, 128 bits for “Encryption”, enter a “Passphrase” and click the “Generate” button.

Do it for both networks (Physical and Virtual Interfaces).

Step 4. Setup a virtual interface, and its DHCP settings.

Now we will set the bridge for the virtual network – “Guest” (or VLAN2) from the “end goal” diagram above. For that go to DD-WRT “Services -> Services” screen:

Configuring DNSMasq and DHCP for virtual network

Find “DNSMasq” section, enable “DNSMasq”, and in “Additional DNSMasq Options” enter:

interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m

This creates a DHCP server for the virtual (“Guest”, VLAN2) network.
“192.168.2.100” is, again, just an example; you can use any subnet that suits your needs.

Step 5. Setup firewall rules and a startup script.

This is the most complex step, the one that confuses many network administrators and makes regular people give up on DD-WRT multiple SSID configuration. But don’t worry :) – below is a “copy/paste”, working deal.

Go to the DD-WRT “Administration -> Commands” screen:

Setting up firewall rules and a startup script for multiple SSIDs - DD-WRT

Enter the following firewall rules to the “Firewall” section:

##BRI1
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
 
#below keeps the two networks from talking
iptables -I FORWARD -i br0 -o br1 -j logdrop
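
How the two FORWARD rules above are evaluated, as an added example that is not part of the original guide: each `-I` puts its rule at the top of the chain, so the rule entered last is checked first. The helper names `effective_order` and `verdict` are hypothetical, and traffic matching neither rule is reported as "fallthrough" because the firmware's own FORWARD rules, which are not shown here, decide it.

```shell
#!/bin/sh
# Added example: first-match walk over the two FORWARD rules from Step 5.
# RULES holds them in the order they are entered on the Commands screen.
RULES='iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j logdrop'

# Each -I inserts at the top of the chain, so the kernel checks the rules
# in the reverse of the order they were entered.
effective_order() {
    printf '%s\n' "$RULES" |
        awk '{ line[NR] = $0 } END { for (i = NR; i >= 1; i--) print line[i] }'
}

# verdict IN_IF OUT_IF STATE
# Prints the target of the first matching rule, or "fallthrough" when neither
# rule matches and the firmware's own FORWARD rules (not shown) decide.
# Assumption: --state carries a single state, as in the rules above.
verdict() {
    effective_order | awk -v in_if="$1" -v out_if="$2" -v st="$3" '
    {
        r_in = ""; r_out = ""; r_state = ""; r_target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i")      r_in = $(i + 1)
            if ($i == "-o")      r_out = $(i + 1)
            if ($i == "--state") r_state = $(i + 1)
            if ($i == "-j")      r_target = $(i + 1)
        }
        if (r_in != "" && r_in != in_if) next
        if (r_out != "" && r_out != out_if) next
        if (r_state != "" && r_state != st) next
        print r_target; found = 1; exit
    }
    END { if (!found) print "fallthrough" }'
}

# Constructed probes: interface pairs from the guide, one packet state each.
for probe in "br0 br1 NEW" "br0 br1 ESTABLISHED" "br1 vlan1 NEW" "br1 br0 NEW"; do
    set -- $probe
    printf '%-5s -> %-5s %-12s %s\n' "$1" "$2" "$3" "$(verdict "$1" "$2" "$3")"
done
```

The br0 to br1 rule carries no state match, so it also drops reply packets going from br0 to br1, not only new connections.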

Enter the following commands to the “Startup” (it is a startup script that executes when the router starts up):

##MOVES VIRTUAL WIRELESS TO OWN BRIDGE
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
brctl addif br1 vlan2
ifconfig br1 up
 
##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now)
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1

Here is where it gets interesting… Remember in “Step 3”, when configuring wireless security, we chose WEP? That was done because the current DD-WRT firmware “v24-sp1 (07/27/08) micro”, that is used at the moment of writing, has a bug in starting NAS, which is a proprietary binary tool that sets up dynamic encryption (WEP/WPA) on wireless devices.

UPDATE (12/22/2008):
           Tried "v24-sp2" (09/26/08 std - build 10431M VINT Eko) for WRTG54GL v1.1 router -
           WPA worked with multiple (tried 2) SSIDs.

In the startup script above, we start NAS in “vanilla” mode for “eth1” (the main network) and for “wl0.1” (the guest, virtual network), and therefore we are using WEP for both networks.

The only line from the above startup script that you might want to change is:

ifconfig br1 192.168.2.1 netmask 255.255.255.0

Here “192.168.2.1” is, again, an example, so if you chose a different subnet for the virtual network (br1), you should enter it instead.
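
A consistency check for the two subnet-dependent lines, the `dhcp-range` option from Step 4 and the `ifconfig br1` line from the startup script, as an added example that is not part of the original guide. The function names `ip_to_int` and `check_guest_dhcp` are hypothetical, and the second call uses a constructed mismatching address.

```shell
#!/bin/sh
# Added example: verify that the Step 4 dhcp-range and the Step 5
# "ifconfig br1" line describe the same guest subnet.

# ip_to_int A.B.C.D -> address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_guest_dhcp "<dhcp-range line>" "<ifconfig line>"
# Prints "ok" or the first problem found; returns non-zero on a problem.
check_guest_dhcp() {
    range_line=$1; ifconfig_line=$2
    # dhcp-range=br1,START,END,MASK,LEASE
    start=$(echo "$range_line" | cut -d, -f2)
    end=$(echo "$range_line" | cut -d, -f3)
    rmask=$(echo "$range_line" | cut -d, -f4)
    # ifconfig br1 ADDR netmask MASK
    set -- $ifconfig_line
    addr=$3; mask=$5
    [ "$rmask" = "$mask" ] || { echo "netmask mismatch"; return 1; }
    m=$(ip_to_int "$mask"); gw=$(ip_to_int "$addr"); net=$(( gw & m ))
    s=$(ip_to_int "$start"); e=$(ip_to_int "$end")
    for ip in "$start" "$end"; do
        [ $(( $(ip_to_int "$ip") & m )) -eq "$net" ] ||
            { echo "$ip outside bridge subnet"; return 1; }
    done
    [ "$s" -le "$e" ] || { echo "range reversed"; return 1; }
    # The bridge's own address must not be handed out to a client.
    if [ "$gw" -ge "$s" ] && [ "$gw" -le "$e" ]; then
        echo "bridge address inside DHCP pool"; return 1
    fi
    echo ok
}

# Values from the guide, then a constructed bridge address with the
# dhcp-range line left unchanged.
RANGE='dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m'
check_guest_dhcp "$RANGE" 'ifconfig br1 192.168.2.1 netmask 255.255.255.0' || true
check_guest_dhcp "$RANGE" 'ifconfig br1 10.9.9.1 netmask 255.255.255.0' || true
```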

DONE!
Now you can save all the changes and restart the router. You should be good to go!
If you have any questions or comments, you are welcome to address them below in the “comments” section.

76 comments

  1. HI,

    really a very good post but as many people above i am having the problem pinging anything outside router from my virtual network;my router is ASUS WL500gP v2 and the firmware used: DD-WRT v24-sp2 (01/02/10) big (SVN revision 13577M NEWD-2 Eko)

    any thought would be very appreciated

  2. Really thorough and useful set of instructions. Very useful for getting this set up quickly without having to do the research myself. Thanks for putting it together. It was a real time saver!

  3. These instructions and screenshots are perfect, couldn’t find complete instructions anyplace and this got me running in 15 min, thanks a million!! BTW it worked on my version of ddwrt v24 sp2

  4. I’m using the 11/30/2009 version 24-13064_Vint_standard on a WRT54Gv2.0. Following the directions and subbing 192.168.1.0 etc. Trying to get WPA to work. Multiple failures.
    Laptop can see router under Private, but not Guest. Can not see the internet.

  5. Brilliant! It worked perfectly…much appreciated!

  6. I was wondering how this could be achieved — great tutorial, thanks.

  7. The screenshots were very helpful, as always. Thanks for the info.

  8. I just moved into an apartment with a friend, and we needed to know how to set up multiple SSIDs. This post was exactly what we were looking for.

  9. I just had an exhausting hour looking for videos that would help me with multiple SSIDS, with no luck. Wish I came here sooner…

  10. Everything is working well with my Cisco Linksys E2000 router. It’s not necessary to change any settings, only follow these instructions.
    Thanks.
    Does anyone know how to block only certain pages for the “guest” network?

  11. hi,

    First I am using Linksys WRT610Nv2 , latest mega dd-wrt installed

    Thank you for spending time to write this brilliant dumber friendly tutorial, but i could it get it work round.

    Everything seems to work fine except not having the internet connection on guest ssid, I found another article similar to yours at http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs which works fine for me. My question is, what firewall rules should I add to unable Guest SSID users to access Private SSID users, Guest users should even not be able to see or understand what private ssid users are, not even able to ping them ?

    Also, on my router I can set up two different physical wireless networks like wlan0 and wlan1. While I can do two completely separate wlan networks for different users, why do I need to use a virtual wlan?

    If I was to do two different wlans they have different bssid, what would it change ?

  12. my outgoing internet connection is Clear and is set up with hard connection to router as a switch. its ok..
    now if i wanted to switch out the internet connection with a totally wireless access like the clear spot thing, what is needed if have 2 router LInksys 1 has dd-wrt on it. any short cuts so i can walk in to my house connect to the router wirelessly and not connect to the spot box?

  13. I see WEP wireless security like this.. 10 digits passphrase e.g. “23:E3:CS:54:79”.

    How can i enter this under “wireless security” setup page? Thanks.

  14. is it possible to have 2 ssid but one with mac filtering and the other without (for guests).

    thanks for the great post btw

  15. I’ve a linksys router with dd-wrt firmware connected with the LAN port (not the WAN) with my modem/router that has the DHCP enabled (not enabled in the linksys router). I followed all the steps in this guide but with the new virtual VLAN I can’t surf the internet.
    My modem/router has 192.168.1.254 and all my lan is in that range. I’ve done the new virtual VLAN with 10.0.0.1 IP range but when my laptop (with fedora 16) gets the connection it obtains the right IP, 10.0.0.11, but as gateway and DNS it obtains 10.0.0.1 instead of 192.168.1.254. Am I doing something wrong?

  16. got internet access on the guest ssid, but the subnet is the same as the private. the bridge didnt work. I had to create it myself under “setup>networking>bridging”

    perhaps this is because i have an Atheros chipset and not a Broadcom?

  17. I have a Dual Band WNDR4000 and I would like to set up my guest network on my second 5.0Ghz radio. How would the configurations change? Also, would I refer to the devices as eth0, vlan0, or wlan0?

  18. Is it possible to use this DDWRT configuration with 2 routers, one in AP mode, and the second in repeater mode, to extend the signal of both “Home” and “Guest”?
