Sharing your Wi-Fi with guests is a polite gesture, but surely you don’t want to give them open access to your entire wireless network. Your home network holds things that you want to keep private. By having a separate SSID for your guests, you can maintain that line of separation between you and your guests. This tutorial explains how to set up your router for dual SSIDs.
If you give your guests the password to your Wi-Fi AP, you are in effect giving them access to your network printer, unsecured network devices, and so on. However, you might just want them to have network access so that they can check their email or play a game. So, there is a thin line between private access and guest access that most wireless network users want to maintain.
Having dual or multiple SSIDs is a good solution in this regard. It ensures that your guest will access the network from a completely different IP address and thus won’t have access to many things that you haven’t shared on that home network.
What do you need?
DD-WRT compatible router
One installed copy of DD-WRT on the router
Configuring DD-WRT for Multiple SSIDs
Once you have a compatible router flashed with DD-WRT, it’s time to set up that second SSID.
Open a browser on the PC attached to the compatible router
Navigate to the default router IP, which is 192.168.1.1 in most cases
Now open the DD-WRT interface
Here, navigate to Wireless -> Basic Settings
Here, you will see the SSID for the existing Wi-Fi AP. Let’s assume it’s Wifi_Office.
Now scroll down to the section of Virtual Interfaces.
Here, click on the Add button
The Virtual Interfaces section, which was previously empty, will expand with a new entry
This newly opened Virtual Interfaces section is the area to set the new SSID
You will see a default name for the SSID, which will be something like dd-wrt_vap. Here, vap stands for virtual access point.
You can rename the SSID; let’s assume the name is Wifi_Guest.
In the same window, you will see three options:
Wireless SSID Broadcast, keep it enabled
AP Isolation, keep it disabled
Network Configuration, keep it bridged
After changing the settings for SSID, click Save.
Then, navigate over to Wireless -> Wireless Security
Here, you will see the security settings for the first AP under the section Physical Interface. By default, the second AP for your wireless home network doesn’t have any security. So, select Disabled under Virtual Interface wl0.1 SSID [Wifi_Guest]
Then, click Save and Apply Settings.
Confirm the APs are visible from devices
Now, you need to confirm that the two APs are visible from devices within range of your wireless network. You can check from any device; let us assume that you have picked your smartphone.
Open the Wi-Fi interface on your smartphone
Go to the Wi-Fi config page.
Here, you should be able to see the two APs, Wifi_Guest and Wifi_Office. Wifi_Office has WPA2 security, but Wifi_Guest doesn’t, and hence is usable as a guest access point. But at this point you still can’t connect to the guest AP. A few more changes to the router are still needed.
Assign unique IP address to guest Access point
Now, you should assign a unique range of IP addresses to the guest Wi-Fi devices; this is also how you will separate the two SSIDs on the network. For that, navigate to Setup -> Networking.
Click the ‘Add’ button under the Bridging section
Then, change the initial slot to br1
Leave the rest of the values the same
Click Apply Settings.
To set a different IP address for the guest access point, you can change one value of your regular network’s IP. For example, if your primary network IP address is 192.168.1.1, then for the secondary IP address choose the value 192.168.2.1.
Then, click Apply Settings
Scroll to the DHCPD section
Click Add
Switch the first slot to br1
Leave the remaining settings as they are
Click Apply Settings
Now move to the Services section. Here, you will need to add code to the DNSMasq section. That is important to ensure that your router will assign dynamic IP addresses to the devices connected to the guest network.
Scroll down to the DNSMasq section
Then, paste the following three pairs of lines in the Additional DNSMasq Options box
# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
Click Apply Settings
Wait a few minutes and connect to your new guest SSID
Then check your IP address
Your IP should be within the range you specified.
If it is, the secondary AP is assigning dynamic IPs in the appropriate range.
Restricting the Guest access
However, even now, a guest accessing your home network from the secondary AP will have access to resources of the primary network. That means all network shares, networked printers, network devices, etc. will remain visible to your guest.
If you want your guests to have access to these, then you need not do anything more. But if you don’t want your guests to have access to these, there are some more settings you need to configure.
Navigate to Administration -> Commands
Here, you will see an area labeled Command Shell.
Paste the following commands (minus the # comment lines)
# Removes guest access to the physical network
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
# Removes guest access to the router’s config GUI/ports
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Click Save Firewall
Reboot your router.
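To confirm after the reboot that the firewall commands above were actually loaded, the following added example (not part of the original tutorial) audits an `iptables -S` dump for the six rules. It assumes the router's iptables build supports `-S`; the function names and the sample dump are constructed for illustration.

```shell
# Added example: audit an `iptables -S` dump for the tutorial's guest rules.
# br0/br1 and the ports are from the page; names and sample data are constructed.

# has_rule CHAIN FRAGMENT...: true if one "-A CHAIN" line holds every fragment.
has_rule() {
    chain=$1; shift
    printf '%s\n' "$RULES" | (
        while IFS= read -r line; do
            case $line in "-A $chain "*) ;; *) continue ;; esac
            for frag in "$@"; do
                case " $line " in *" $frag "*) ;; *) continue 2 ;; esac
            done
            exit 0
        done
        exit 1
    )
}

# Reads the dump on stdin, prints each gap, returns the number of gaps.
# Ports are matched numerically (as -S prints them) or by service name.
audit_guest_rules() {
    RULES=$(cat)
    missing=0
    for pair in br1:br0 br0:br1; do
        src=${pair%%:*}; dst=${pair##*:}
        has_rule FORWARD "-i $src" "-o $dst" "--state NEW" "-j DROP" ||
            { echo "MISSING: DROP for new $src -> $dst connections"; missing=$((missing + 1)); }
    done
    for svc in telnet:23 ssh:22 www:80 https:443; do
        name=${svc%%:*}; port=${svc##*:}
        has_rule INPUT "-i br1" "-p tcp" "--dport $port" "-j REJECT" ||
        has_rule INPUT "-i br1" "-p tcp" "--dport $name" "-j REJECT" ||
            { echo "MISSING: REJECT for $name ($port/tcp) on br1"; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Constructed sample of what `iptables -S` shows once the rules are loaded.
sample_rules() {
    cat <<'EOF'
-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
EOF
}

sample_rules | audit_guest_rules && echo "all six guest-isolation rules present"
```

On the router itself, pipe the live rule set into the function with `iptables -S | audit_guest_rules`; a non-zero exit status is the number of rules that did not survive the reboot.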
That is a somewhat long and complicated procedure, but it is worth carrying out if you care about your network privacy and Wi-Fi security. Your guests or friends may not be hackers, but why take a chance when you can play it safe?