How to Arrange up Your Wireless Network Router for Guest Access?

Sharing your Wi-Fi with guests is a polite gesture but, surely you don’t want to give them open access to your entire wireless network. In your home network, there is something that you want to keep private. By having a separate SSID for your guests, you can maintain that thin line of separation between you and your guests. This tutorial explains how to arrange your router for dual SSIDs.

If you provide your guest, the password to your Wi-Fi AP, then in a way you are giving them access to your network printer, unsecured network devices, and so on. However, you might just want them to have the network facility so that they can check their emails or play game. So, there is a thin line between your private access and guest access that most of the wireless network users want to maintain.

Having dual or multiple SSIDs is a good solution in this regard. That is because it ensures that your guest will access the network from a completely different IP address and thus won’t have access to many things that you haven’t shared in that home network.

What do you need?

DD-WRT compatible router
One installed copy of DD-WRT on the router

Configuring DD-WRT for Multiple SSIDs

Once you have a compatible router, flashed with DD-WRT, now it’s time to get started setting up that second SSID.

• Open a browser on the PC attached to the compatible router

• Navigate to the default router IP, which should be 198.168.1.1, as it is in most of the cases

• Now open the DD-WRT interface

• Here, navigate to Wireless -> Basic Settings

• Here, you will see the SSID for the existing Wi-Fi AP. Let’s assume its “Wifi_Office.”

• Now scroll down to the section of “Virtual Interfaces.”

• Here, click on the Add button

• The “Virtual Interfaces” section, which was previously empty will expand with an entry compromising numbers

• This newly opened Virtual Interfaces section is the area to set the new SSID

• We will see a default Wifi home network name for the SSID, which will be something like dd-wrt_vap. Here, vap stands for virtual access point.

• You can rename the SSID, let’s assume the name to be “Wifi_Guest.”
In the same window, you will see three options:

• Wireless SSID Broadcast, keep it enabled

• AP Isolation, Keep it disabled

• Network Configuration, keep it bridged

• After changing the settings for SSID, click Save.

• Then, navigate over to Wireless -> Wireless Security

• Here, you will see the security settings for the first AP under the section Physical Interface. By default, the second AP for your Wireless home network doesn’t have any security. So, select ‘disabled’ under Virtual Interface wlo.1 SSID {wifi_Guest}

• Then, click ‘Save’ and ‘Apply Settings.’

Confirm the APs are visible from devices

Now, you need to confirm whether or not the two APs get visible from your devices connected to your wireless network. You can check it from any device, let us assume that you have picked your smartphone.

• Opening the Wi-Fi interface on your smartphone

• Go to the Wi-Fi config page.

Here, you must be able to see the two APs ‘Wifi_Guest’ and ‘Wifi_Office.’ The Wifi_Office has the WPA2 security, but the ‘Wifi_Guest’ doesn’t have that and hence is usable as guest access point. But, at this point, you still can’t connect to the Guest AP. There is still need to make a few more changes to the router.

Assign unique IP address to guest Access point

Now, you should assign a unique range of IP addresses to the guest Wi-Fi devices and this is how you will also be able to separate the two SSIDs on the network. For that navigate to Setup -> Networking.

• Click the ‘Add’ button, Under the “Bridging” section

• Then, change the initial slot to “br1″

• Leave the rest of the values the same

• Click “Apply Settings.”

To set a different IP address for the guest access point, you can choose to set one value of your regular network’s IP. For e.g. if your primary network IP address is 192.168.1.1, then for the secondary IP address choose the value 192.168.2.1.

• Then, Click “Apply Settings”

• Scroll to the DHCPD section

• Click “Add”

• Switch the first slot to “br1″

• Leave the remaining settings options as it is

• Click “Apply Settings”

• Now move to the services section. Here, you will require adding code to the DNSMasq section. That is important to ensure that your router will assign dynamic IP addresses to the devices connected to the guest network.

• Scroll down the DNSMasq section

• Then, paste the following three pairs of codes in the “Additional DNSMasq Options” box

• Enables DHCP on br1

• interface=br1

• Set the default gateway for br1 clients

• dhcp-option=br1,3,192.168.2.1

• Set the DHCP range and default lease time of 24 hours for br1 clients

• dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h

• Click “Apply Settings”

• Wait a few minutes and connect to your new guest SSID

• Then check your IP address

• Your IP should be within the range specified by you.

If the range is same as you had specified, that means the secondary AP is assigning dynamic IPs in an appropriate range.

Restricting the Guest access

However, even now, the guest accessing your home network from the secondary AP will have access to resources of the primary network. That means all network shares, networked printers; network devices, etc. will remain visible to your guest.

But, if you wish that your guests should have access of these, then you need not do anything more. But if you want that your guests shouldn’t have access to these, then there is some more settings you need to set.

• Navigate to Administration -> Commands

• Here, you will see an area labeled “Command Shell.”

• Paste the following commands, (minus the # comment lines)

o #Removes guest access to the physical network

o iptables -I FORWARD -i br1 -o br0 -m state –state NEW -j DROP

o iptables -I FORWARD -i br0 -o br1 -m state –state NEW -j DROP

o Remove guest access to the router’s config GUI/ports

o iptables -I INPUT -i br1 -p tcp –dport telnet -j REJECT –reject-with tcp-reset

o iptables -I INPUT -i br1 -p tcp –dport ssh -j REJECT –reject-with tcp-reset

o iptables -I INPUT -i br1 -p tcp –dport www -j REJECT –reject-with tcp-reset

o iptables -I INPUT -i br1 -p tcp –dport https -j REJECT –reject-with tcp-reset

• Click “Save Firewall”

• Reboot your router.

That is a bit long and complicated procedure but worth conducting, if you care about your networking privacy and Wifi security. Although, your guests or friends are not hackers but why take a chance, when you can play safe.