Configure Multiple SSIDs with One Router

One Router Multiple SSIDs

A standard “home setup” for a wireless router nowadays consists of hosting just one Service Set IDentifier, or SSID. A year ago that could have seemed like a router (firmware) limitation, but right now using multiple SSIDs with a single wireless router is just a matter of reconfiguration.

Below is a simple guide on how to configure a single affordable (from $25 and up) router, that is available to anybody, to host multiple (up to 16 – at the moment of writing) SSIDs using DD-WRT firmware. In order to install the firmware on the router, follow the official DD-WRT Installation Guide.

The step-by-step howto below works for any router on the DD-WRT supported hardware list, which includes pretty much any “home” router that is out there. Given that DD-WRT is installed, let’s move on to configuring it to host multiple SSIDs.

First let’s look at what we would like to achieve as our “end goal”:

Multiple SSIDs by several wireless VLANs served by one router

So what we would like to have is:

  • One router with DD-WRT firmware installed, that hosts 2 (in this example) SSIDs: “Home” and “Guest”

  • Two VLANs where one network (VLAN1) can “see” another (VLAN2), but not the other way around.
    What that means is that all “Home” clients (computers that are connected to the “Home” SSID) can see (ping/connect to/etc.) “Guest” computers, however none of the “Guest” clients can see “Home” computers. (This is a matter of configuration, and can be configured differently, depending on what you need.)

Step 1. Set up a DHCP server for the “Home” (main) network.

As you can see from the “end goal” diagram above, the “Home” SSID (or VLAN1) has a 10.2.1.0 subnet, and its DHCP client addresses start from 10.2.1.100. Hence that is what needs to be configured on DD-WRT’s “Setup -> Basic Setup” screen (the “Router Local IP” should be set to 10.2.1.1 which would dictate the subnet to be 10.2.1.0):

DD-WRT - DHCP settings

Note that “10.2.1.0” is just an example – you would want to use something that is appropriate for your network – e.g. “192.168.1.0”

Step 2. Set up wireless networks (SSIDs).

Now we need to create two wireless networks – one main network (e.g. “Home”), and one virtual network (e.g. “Guest”). For that go to DD-WRT “Wireless -> Basic Settings” screen:

configure wireless networks with dd-wrt

Enter a desired name for “Physical Interface’s -> Wireless Network Name(SSID)” (this is going to be the main network). You can also stick to the “end goal” diagram above, and enter “Home”.

After that is done, click “Add” to add a “Virtual Interface” and enter its SSID name as well (e.g. you can enter “Guest”). Make sure that the “Network Configuration” is set to “Bridged” as shown on the screen in this step.

Step 3. Configure wireless network security.

In the previous step we configured two wireless networks; now let’s secure them. We will use 128-bit WEP for both of them, for the reason described in “Step 5”. To accomplish this go to the DD-WRT “Wireless -> Wireless Security” screen:

configure wireless security with dd-wrt

Choose “WEP” for “Security Mode”, 128 bits for “Encryption”, enter “Passphrase” and click “Generate” button.

Do it for both networks (Physical and Virtual Interfaces)

Step 4. Set up a virtual interface, and its DHCP settings.

Now we will set the bridge for the virtual network – “Guest” (or VLAN2) from the “end goal” diagram above. For that go to DD-WRT “Services -> Services” screen:

Configuring DNSMasq and DHCP for virtual network

Find “DNSMasq” section, enable “DNSMasq”, and in “Additional DNSMasq Options” enter:

interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,1440m

This would create a DHCP server for the virtual (“Guest”, VLAN2) network.
“192.168.2.100” is, again, just an example; you can use any subnet that suits your needs.

Step 5. Set up firewall rules and a startup script.

This is the most complex step, the one that confuses many network administrators and makes regular people give up on DD-WRT multiple SSID configuration. But don’t worry :) – below is a “copy/paste”, working deal.

Go to the DD-WRT “Administration -> Commands” screen:

Setting up firewall rules and a startup script for multiple SSIDs - DD-WRT

Enter the following firewall rules to the “Firewall” section:

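##BRI1
# accept (and log) new connections from br1 clients to the router itself
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
# let br1 clients open new connections that leave through vlan1
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT

#below keeps the two networks from talking
# (drops and logs packets that arrive on br0 and would leave on br1)
iptables -I FORWARD -i br0 -o br1 -j logdrop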

Enter the following commands to the “Startup” (it is a startup script that executes when the router starts up):

##MOVES VIRTUAL WIRELESS TO OWN BRIDGE
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
brctl addif br1 vlan2
ifconfig br1 up
 
##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now)
killall nas
nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1
nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1

Here is where it gets interesting… Remember in “Step 3”, when configuring wireless security, we chose WEP? That was done because the current DD-WRT firmware “v24-sp1 (07/27/08) micro”, that is used at the moment of writing, has a bug in starting NAS, which is a proprietary binary tool that sets up dynamic encryption (WEP/WPA) on wireless devices.

UPDATE (12/22/2008):
           Tried "v24-sp2" (09/26/08 std - build 10431M VINT Eko) for WRTG54GL v1.1 router -
           WPA worked with multiple (tried 2) SSIDs.

In the startup script above, we start NAS in “vanilla” mode for “eth1” (the main network) and for “wl0.1” (the guest, virtual network), and therefore we are using WEP for both networks.

The only line from above startup script that you might want to change is:

ifconfig br1 192.168.2.1 netmask 255.255.255.0

Here “192.168.2.1” is, again, an example, so if you chose a different subnet for the virtual network (br1), you should enter it instead.
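
The direction and ordering of the Step 5 firewall rules can be checked offline before they are pasted into the router. The script below is an added example, not part of the original guide: it parses the Firewall box text, orders the rules the way `iptables -I` does, and reports what they decide for traffic between br0 (“Home”), br1 (“Guest”) and vlan1. `GOAL_RULES` is a hypothetical variant written for this example to match the “end goal”, and it has not been tested on DD-WRT.

```shell
#!/bin/sh
# Added example: offline first-match model of the Step 5 FORWARD rules.
# It only parses text; it never calls iptables or touches a firewall.

# Firewall box exactly as given in Step 5.
PAGE_RULES='iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j logdrop'

# Hypothetical variant (assumption of this example, not from the guide, not
# tested on DD-WRT): Home may open connections to Guest, Guest may only reply.
GOAL_RULES='iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j logdrop'

# build_chain TEXT CHAIN: print "in out state target" for each rule of CHAIN,
# in evaluation order. Every -I inserts at the head of the chain, so the line
# pasted last is checked first.
build_chain() {
    bc_text=$1 bc_want=$2 bc_chain=""
    while read -r bc_line; do
        set -- $bc_line
        c="" i="*" o="*" s="*" t=""
        while [ $# -gt 0 ]; do
            case $1 in
                -I) c=${2:-} ;;
                -i) i=${2:-} ;;
                -o) o=${2:-} ;;
                --state) s=${2:-} ;;
                -j) t=${2:-} ;;
            esac
            shift
        done
        # logdrop/logaccept are DD-WRT chains that end in DROP/ACCEPT.
        case $t in logdrop) t=DROP ;; logaccept) t=ACCEPT ;; esac
        [ "$c" = "$bc_want" ] || continue
        bc_chain="$i $o $s $t
$bc_chain"
    done <<EOF
$bc_text
EOF
    printf '%s' "$bc_chain"
}

# verdict TEXT IN OUT STATE: the first matching FORWARD rule decides. FALLTHROUGH
# means no pasted rule matched and the firmware's own rules decide.
verdict() {
    v_in=$2 v_out=$3 v_state=$4
    v_rules=$(build_chain "$1" FORWARD)
    while read -r r_in r_out r_state r_target; do
        [ -n "$r_target" ] || continue
        [ "$r_in" = "*" ] || [ "$r_in" = "$v_in" ] || continue
        [ "$r_out" = "*" ] || [ "$r_out" = "$v_out" ] || continue
        case ",$r_state," in ",*,"|*",$v_state,"*) ;; *) continue ;; esac
        echo "$r_target"
        return 0
    done <<EOF
$v_rules
EOF
    echo FALLTHROUGH
}

# report NAME TEXT: verdicts for flows between Home (br0), Guest (br1), vlan1.
report() {
    rp_text=$2
    echo "== $1"
    for rp_flow in "br0 br1 NEW" "br0 br1 ESTABLISHED" "br1 br0 NEW" \
                   "br1 br0 ESTABLISHED" "br1 vlan1 NEW"; do
        set -- $rp_flow
        printf '%-5s -> %-6s %-12s %s\n' "$1" "$2" "$3" \
            "$(verdict "$rp_text" "$1" "$2" "$3")"
    done
}

report "Step 5 rules as pasted" "$PAGE_RULES"
report "variant for the end goal" "$GOAL_RULES"
```

FALLTHROUGH in the output means none of the pasted rules matched that flow, so the verdict comes from the FORWARD rules the firmware installs itself.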

DONE!
Now you can save all the changes and restart the router. You should be good to go!
If you have any questions or comments, you are welcome to address them below in the “comments” section.

53 comments

  1. Good tutorial but I didn’t understand if wpa/wpa2 can be used?

  2. @user,

    Currently, due to the NAS bug, WPA/WPA2 can be used together with multiple wireless VLANs only on certain router models. Unfortunately, I do not have the list of “NAS fortunate” models.

    For all other routers, WEP can be used, and hopefully with v24 SP2, this will no longer be a problem. I submitted the ticket some time ago.

    Thanks,
    – Toly

  3. Hi, thanks for the very in depth tutorial. I followed it exactly with my WRT54GL v1.1 and installed dd-wrt v24sp1 micro as you suggested. The settings work except I cannot access the internet with the virtual ssid. I do get a correct ip address from the DHCP server but I cannot access the internet at all. Cannot even ping a website. The first ssid does work.

    Any ideas?

    Thanks, Dan

  4. Hey Dan,

    This may happen due to several reasons.. Before troubleshooting, let’s gather the info about your current setup:

    1. What router do you have (model / version / etc..)?
    2. Can you ping your virtual network (“Guest”, or VLAN2) from your main (“Home”, or VLAN1) network?
    3. I know you said that you’ve followed the tutorial exactly, but did you make any changes in firewall / startup scripts?
    4. Can you ping the router from the virtual network (given that they are on the different subnets)?
    5. Anything else different from the “tutorial setup”?

    Thanks for the comment,

    – Toly

  5. Hi Toly, thank you for responding so quickly! here are the answers to your questions:

    1) my router is: WRT54GL v1.1 and installed dd-wrt v24sp1 micro as you suggested
    2) Yes, I was able to ping my guest network (192.168.2.1) from my main network
    3) I made no changes to any of the scripts, exact copy paste.
    4) Yes, when connecting to the virtual ssid, I get an IP address assigned, say 192.168.2.145. I can ping my router 192.168.1.1 and I can access the dd-wrt config page via the web browser using the same ip.
    5) the only difference between your set up and mine is that I have my main network as 192.168.1.1

    Thanks again for your help. regards, Dan

  6. Hey Dan,

    After some research for your particular configuration, I believe the root cause here is that you are using a NEWD driver, which unfortunately does not support multiple SSIDs (with new dd-wrt v24) for all routers (works for most, but not for all).

    What you’d be better off using is a VINT vintage driver, which works for most of the routers including yours (WRT54GL v1.1)

    You can download the dd-wrt vintage micro v24 sp1 firmware from dd-wrt site here:
    dd-wrt.v24-9517_VINT_micro.bin

    Let me know if that works for you,
    – Toly

  7. Hi Toly, thanks for looking into this. I did not realize my router needed a very specific version in order to make it work with multiple ssids. I hope this is the fix !! I will let you know if it works. Thanks again for your help! Dan

  8. Hey Dan,

    Hopefully by the time v24 SP2 is out, NEWD driver will work with multiple SSIDs for your router, but for now use VINT – it is as good :)

    Let me know how it goes,

    – Toly

  9. Great post. Thanks for the information and the steps. The instructions are very clear

  10. Hi Toly, I tried the vint micro and followed the instructions exactly the same but, same problem. On the virtual network, I get an IP address assigned, but no internet access. Please let me know if you have any other ideas. Thanks, Dan

  11. This is amazing – very clear and helpful!

    It worked nicely for my WRT54G v5! You might want to contribute this to DD-WRT wiki site, it’ll help a lot of people!

    Thank you for the post!

  12. Roger, Jim – Thank you

    Dan,

    Sorry to hear that. But we can always try harder :) :

    1. In step 2, make sure that “AP Isolation” is Enabled in “Virtual Interfaces”
    2. I understand that your virtual SSID gets an IP, but just for the heck of it – can you disable WEP for both, and restart everything.

    Let me know what you get – I’ll think more,
    – Toly

  13. Hi Toly, first off i wanted to thank you for doing your best to help me out on this. It is much appreciated.

    1) AP Isolation is enabled
    2) I disabled security on both networks and the same happens…no internet on the virtual.

    Dan

  14. Hey Dan,

    I am still thinking.. If you cannot connect from your virtual network, that means that:
    1. It is misconfigured for your particular router
    2. Or if it is configured correctly, then it is the driver

    Seems like we checked the driver, and you are saying that VINT did not work for you also. That would only leave configuration.
    Now what can be misconfigured, given that your virtual lan gets assigned an IP?

    1. Firewall rules – most likely
    2. Moving the virtual lan to its own bridge

    It is a bit difficult to speculate what out of the above is incorrect without experimenting with the unit (WRT54GL). However I would narrow down, and try to experiment with the last two configuration points.

    Let me know how it goes – I’ll update the post for your model, once we get it working.

    – Toly

  15. Hi Toly, I have tried removing the firewall rules before to see if that would help but in the past it didn’t change anything. I will try that again. I am very confused as to why I cannot get this to work on a WRT54GL especially when so many others can get it to work on other routers. I would have thought the WRT54GL would be one of the better routers to work with dd-wrt.

    I am thinking of two other possible reasons as to why this isn’t working. 1) my router is malfunctioning. I just bought another new WRT54GL that I am going to try to config the same way. Or 2) it may have something to do with my DSL connection and possibly a bug with PPPoE. I have no proof that is the problem though…

    If I cannot get my new router to work, I will gladly send you one of mine for you to try if you have the ambition to do so. Let me know if you are interested.

    Thanks, Dan

  16. Hey Dan,

    1. Removing the firewall rules won’t help, since those rules are supposed to make your virtual wireless lan see (ACCEPT) the world. Specifically these two:

    ##BRI1
    iptables -I INPUT -i br1 -m state --state NEW -j logaccept
    iptables -I FORWARD -i br1 -o vlan1 -m state --state NEW -j ACCEPT

    They seem to me pretty straight forward, however maybe you should experiment with them, maybe your router needs to massage it. Should not really, cause it is iptables language, but.. maybe parameters. Definitely not delete them, but see if you need to massage them.

    What you can try removing though is the rule that prevents visibility from your virtual SSID to your “home/main” SSID:

    #below keeps the two networks from talking
    iptables -I FORWARD -i br0 -o br1 -j logdrop

    This actually might be a good idea to try, since that definitely limits the virtual SSID rights..

    2. I doubt it is either (malfunctioning or DSL connection problem) – if you are able to connect with one (main), you should be able to connect with two/16 if:

    2.1 Router driver is right for that (so you can try swapping VINT/NEWD/OTHER?)
    2.2 DD-WRT configuration is correct – for your particular router

    3. I would not go that far as mailing out your router ;)

    Let me know what you get with trying #1,

    – Toly

  17. Hi Toly, I tried my new router and you are right, it works the same. I also tried deleting the firewall line you suggested and that did not change.

    I tried a few other iptables settings that I found at the dd-wrt forums but nothing has worked for me. I am not familiar enough to change the iptables and understand what will work and what will not. That is why I look to experts like you and others at the dd-wrt forum. Unfortunately I can’t get it to work.

    I am starting to believe this router won’t work. Any other ideas? I am at a loss.

    Thanks, Dan

  18. Thanks for a nice guide.
    In step 5, when I enter the firewall script and click save firewall, my router hangs and I can’t access the router. Any idea why?

  19. Wow – thanks for taking the time to put that post together! Solved my router issue asap. Cheers!

  20. Hey thanks for taking your time to put that guide up! Will post if I have any problems.

  21. Does the latest version Of DD-WRT, SVN revision 10737 fix the different security settings? I am trying to do the above with the main ssid having WPA/Personal and the virtual ssid having WEP. Has anyone figured out how to do this?

  22. Hi Toly,

    I was playing with doing this for a little while now and was having similar problems to Dan (I also have a WRT54GL). Once I flashed to the VINT firmware, and used the methodology you described, it worked great. I really appreciate you putting this together. Thanks!

  23. @Shawn,

    I have not tried a new (10737) SVN revision, but I would really appreciate if you can post here, when you find out. I’d update my guide to include the change. Thx!

    @Zeke,

    That is what I originally thought (that VINT driver should do it).
    Is there anything you did differently from my article? I can post the corrections for “WRT54GL” router, so Dan, and other guys can follow.
    I am very glad it works for you!

  24. Hey Toly,

    The only thing that seems different that you did from some other stuff I read, was that some other sources defined DNS for a particular interface in DNSmasq. Otherwise most of the stuff is the same. However, things were not working before I flashed to the VINT firmware. I don’t think that was due to my configuration, because I more or less had the same stuff you posted, and tried it in various different ways. That’s why I’m quick to attribute it to the firmware upgrade. Plus, I was trying to use WEP on one of the WLANs and WPA on the other, which is specifically a bug you were referring to. In fact, the WLAN that _wasn’t_ working for me (the 2nd one) was the one that I had WPA set up on.

    To be more specific, the problem that I kept having was this: the DHCP server wasn’t appearing to run (or at least correctly) because I wasn’t getting an IP on the 2nd WLAN; and when I was able to get an IP correctly, I couldn’t access the internet (this may have been poor bridge set up on my part, but I don’t think so at least at the end)… as if it wasn’t routing correctly. So… I don’t know if this helps for other WRT54GL people out there… or if I was just setting it up weird until seeing your article… but that’s how it went down for me.

    Thanks again Toly!

    Zeke

  25. @Zeke,

    What you described is sometimes called a “walmart problem”. That is due to the fact that people cannot access “walmart.com”, which represents the world outside of the router.

    Unfortunately, I do not have a linux linksys router to play with, but what is the version of your WRT54GL?

    Thanks for your details!
    – Toly

  26. Hi Toly,

    I have a WRT54GL V1.1. You are right… I wasn’t able to access the outside world. Like I said, I think the routing wasn’t right. Is there any other info I could provide that might be helpful?

    Thanks for everything!

    Zeke

  27. @Zeke,

    Thanks for the version.

    Let’s say there is “anybody” who has two things:

    1. WRT54GL V1.1 Router
    2. The above guide

    What would you identify as additional/changed steps, from the above guide, that “anybody” should take in order to succeed in setting up two SSIDs?

    Thanks Zeke,
    – Toly

  28. Thanks for the great post Toly. Best and most current how-to on setting up multiple SSIDs I’ve found so far.

    I’ve been going over your post in detail and taking the time to learn exactly what’s going on in these steps. I’ve got a fairly strong linux & networking background, so the terms are very familiar.

    I’ve been running though the steps by hand, running the startup commands through the ssh shell before committing them to nvram. I ran into an issue when trying to add vlan2 to the new bridge-group. Turning up vlan2 doesn’t give an error msg, but I get one when I try to add it to br1:

    root@myrtr:~# ifconfig vlan2 up
    root@myrtr:~# brctl addif br1 vlan2
    interface vlan2 does not exist!

    vlan2 is also missing from the ‘ifconfig -a’ output. (I’ve tried adding the commands blindly to the startup as instructed and rebooting, but I get the same results.)

    I tried moving one of the ethernet ports to vlan2 via the GUI. vlan2 then showed up, and was added to br1 correctly. However, when I moved the ethernet port back to vlan1 and rebooted, vlan2 disappeared.

    I’m hoping you have a better understanding than I about how the vlan interfaces work in dd-wrt and how I can resurrect the vlan2 interface?!? Have you seen similar issues?

    It’s possibly something with my software revision, I’m running an eko svn build for usb support. Also, to simplify things, I’ve left net security disabled (I’m out in the country, so I’m relatively safe from eavesdroppers).

    Router Model: Asus WL-520GU/GC
    Firmware Version: DD-WRT v24-sp2 (11/05/08) std – build 10776M NEWD Eko
    (/others/eko/V24_TNG/svn10776/dd-wrt.v24-10776_NEWD_nokaid_usb.bin)

    Thanks!

    Bob

  29. Do you happen to have any updates to this? I have a WRT54G and I would like to set up another SSID but still use WPA.

  30. @Bob,

    Thanks for the update – very cool for Asus router people!

    @Darvan,

    Have you tried configuring multiple SSIDs using the guide (above) using “v24-sp2” instead of “v24-sp1”?

    Let me know if you did, and if you did not, it should only take you about 10-15 minutes total to try it out.

    – Toly

  31. Can someone help do this with a Westell Versalink 327W?

  32. @Nina,

    Interesting.. I do not see “Westell Versalink 327W” on a list of dd-wrt supported devices, but..

    What exact problem are you having when configuring your “Westell” using the above guide?

    – Toly

  33. Hey, I just thought I’d say… I was having the same issues as some of the people above… I could connect to wl0.1 and get an IP, but not ping the default gateway and/or get out to the net… I installed the VINT firmware without changing any other settings and it works now. I’m running a Buffalo WHR-HP-G54.

    Thanks for the fix…..you guys rule!!!!!!!!

  34. Toly, this is a very interesting article. Not having DD-WRT installed, but am thinking about it, is it possible to set up two VLANs, one for wired and the other for wireless and isolate the two for maximum possible security? Thanks again for a terrific article!

  35. Perfect, after I read your post I tried it on my WRT54GL with DD-WRT and it is running smoothly, as you said. Thanks a lot. But do you have a setup for the WRT54GL as client and access point in one box?

  36. Is it possible to set bandwidth limit only for virtual SSID?

    tnx!

  37. I have a similar problem… I am using a Linksys WRT160N. It has been working fine. I have 4 laptops and a couple of desktops plus 2 i-touches and a PGP winked up. Recently, my daughter’s Toshiba Satellite M200 was reset to factory after fitting a new hard drive. Since then, I can connect to the router but cannot get internet access. I have tried many times to sort this and am also now getting various versions of the SSID such as “SSID2” and “SSID2 3” etc and it is driving me bonkers. Any advice kind Sir?

  38. If you plan to use WPA would you still use the following 3 lines in the startup script:

    ##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now)
    killall nas
    nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1
    nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1

  39. @SG,

    Yes, it is indeed possible. I had this configuration a couple of years ago, before I actually needed to separate WIFI. I think it deserves a separate article, and in fact one already exists on the dd-wrt site: https://secure.dd-wrt.com/wiki/index.php/Separate_Lan_and_WLan

    @bayyou,

    No, you don’t have to use your router as a client – access point is good enough.

    @Matjaz,

    Yes, it is possible – you can monitor bandwidth by the subnet which maps to your virtual SSID ( e.g. 192.168.2.0 )

    @David,

    Your description is rather too broad – one of your laptops had to be restored, and now you cannot access the Internet from that laptop? Or you re-configured your router? If yes, how did you reconfigure it, and what was the reason for reconfiguring?

    @NV,

    You are correct, this was a hacky way to get WEP working, current firmware handles WPA(2) just fine, so you do not need these lines.

    – Toly

  40. Hi, thanks for the tutorial. I followed it exactly with my WRT54G v5.1 and installed dd-wrt v24sp1 micro. Now I can see the two SSID, so I think that the settings are good. But it doesn’t work. I cannot have a valid IP address (from the DHCP server) from the two virtual ssid.
    Any ideas?
    I would like to try configuring multiple SSIDs using “v24-sp2” instead of “v24-sp1”,
    but I don’t know where I can download it on the DD-WRT website.
    Do you know where I can find it?

    Thanks, Rv

  41. Thank you for the tutorial, very good.

    I am using a WRT56GS v.7 and the firmware v.24 sp1.

    I have used your config, and I can use WPA2 on the main wireless network, but not on the “guest” network.
    Will it help upgrade to sp2?

  42. @Makky,

    It might, depending on what problem it is you have. SP2 has better Wifi VLAN support, especially when it comes to anything beyond WEP.

    – Toly

  43. When the two wireless networks were without security, both of them worked.

    With WPA2 on both, it tries to get an IP on the guest-network, but it just fails.
    The same happens on regular WPA (Main wireless still on WPA2).

    I get an IP when using WEP on the guest network.
    Should I give sp2 a shot?

  44. Can I use this file on my box?
    ftp://ftp.dd-wrt.com/others/eko/V24_TNG/svn12774/dd-wrt.v24-12774_NEWD-2_micro.bin

    And btw, I did not enter this part on the startup script:
    “##FIX NAS. Here NAS is disabled, cause it is NOT used for WEP, and these wifi networks will use WEP (for now)
    killall nas
    nas -P /tmp/nas.wl0lan.pid -H 34954 -l br0 -i eth1
    nas -P /tmp/nas.wl0.1lan.pid -H 34954 -l br1 -i wl0.1

  45. Is it ok to use the internal firmware updater in DDWRT to update to SP2?

  46. I have a Buffalo WHR-G300N with DD-WRT v24-sp2. I want to separate the local LAN from the WIFI users. Will this solution work? Have they fixed WPA so this works in this version for this router?

  47. Given the specs above and using WPA for both connections, I tried it and it loses the WAN connection. I ran each command in the startup to see where it goes wrong and I lose the WAN when I run this command – brctl addif br1 vlan2. I changed it to brctl addif br1 ra1 and that works, but I’m not able to connect to the internet on the virtual lan. Access to the internet works on the LAN and the main WIFI connection. What happens is that it does assign an IP address of 192.168.2.114 as expected, but nothing going out. I tried commenting out the last line in the firewall commands, but that didn’t make a difference. Any ideas?

  48. Is there a way I can run the 2nd guest virtual interface and use MAC filtering for my home LAN (1st virtual interface) and no MAC filtering for my “guest” internet passthrough?

  49. I’m using VINT and running into trouble with DHCP for the Guest SSID. I can’t seem to get an IP.
