
Use DD-WRT to Create a Guest WiFi Network and Block Skype


Even for the extremely ungeeky, having WiFi available throughout your house is pretty much standard these days. And while the next logical step of securing that network via encryption (WEP is for n00bs — those in the know use WPA2-AES) may not be standard, it really should be. Assuming you do have a WiFi password at your house, the notion of freely sharing that password with anyone who shows up at your door is so 2009. If you truly want to bring your geeky hospitality to a whole new level, it’s time to consider setting up a “guest-only” network on your wireless router.

A number of modern wireless routers come with out-of-the-box support for guest networks, but still limit the amount of control you have in configuring them. As a long-time user of “hacked” third-party open source router firmware (such as Tomato and DD-WRT), the ability to run those firmwares is an essential requirement when I purchase a router, and the installation of an open source firmware is the first thing I do when I take it out of the box.

Doing the things I’m describing in this post requires that a semi-recent build of DD-WRT be running on your wireless router. If you don’t know what DD-WRT is, find your resident geek and ask them if installing it on your router is even an option (it will only work on certain hardware). Keep in mind that installing third-party firmware improperly and/or on unsupported hardware can “brick” your router (i.e. make it as useful as a brick), so rookies should study up big time by reading the appropriate wiki entries and threads on the DD-WRT website before trying it for the very first time. Seriously. Please don’t comment on this article that “I” ruined your router because you didn’t RTFM. So now that my conscience is clear, let’s proceed. 🙂

Rather than re-post the instructions for getting a 2nd WiFi network running at your house, I’ll simply refer you to the instructions on the DD-WRT website. The process is called setting up a 2nd WLAN (Wireless Local Area Network).

Setting up multiple WLANs in DD-WRT


At our house, I set up a “private” WiFi network for immediate family members only, which requires a password that we don’t share with anyone else. This allows family members to access shared network resources (both wired and wireless) in the house, such as printers, NAS media storage devices, security cameras, DVRs, home automation tools, AirPlay-capable audio devices, AppleTV, etc.

Additionally, I’ve set up a “public” WiFi network for guests to use, which doesn’t require any password. With two separate networks, I can configure separate sets of rules to make things more usable and secure across both networks. For example, I’ve configured QoS (Quality of Service) settings that give bandwidth priority to the private network — meaning that if I’m trying to watch something on Netflix at the same time one of my guests is trying to download a huge file, my Netflix experience is unaffected while they’ll have to wait a bit longer for their file. I’ve also applied a number of firewall rules to my guest network so that guests can’t access the network resources on my private network, nor can they run network scans to discover the IP addresses or MAC addresses of network devices. Want to see what that looks like the next time you’re connected to a public network? Download the free Fing app onto your iPhone or Android device and see what kind of data you can collect at the click of a button. It’s downright scary.

But perhaps the ability I appreciate the most is the option to block access to certain remote resources for those on the guest network, such as Skype. As an example, let’s take a completely hypothetical situation. Let’s assume that your wife’s sister’s family, who recently moved from Seattle to Casper, Wyoming, is driving to meet you at your vacation home in Utah, where four adults and eight kids will all spend their Christmas and New Year’s vacation together. Let’s also assume that your 17-year-old nephew has his very first girlfriend, but that she still lives back in Seattle, and that those crazy kids spend hour… after hour… after hour… on their smart phones logged in to Skype — and sometimes they just stare at each other and don’t even talk. It’s hypothetically creepy. Then again, let’s assume that sometimes they do talk… for hours… and hours… even past midnight when the nephew should be sleeping, and let’s further assume that he’s sharing your son’s bedroom, which is directly below yours, and that his late night Skype marathons are keeping you, your wife, and your son awake late into the night, which makes you grumpy in the morning. Like I said — completely hypothetical.

With most applications, the solution would be easy. Just go into your router’s firewall and shut down the ports used by the application that you want to block. But because Skype uses ports 80 and 443, which are the standard ports used by nearly every website on the Internet, shutting those ports down would essentially mean shutting down access to the entire web for all users on the guest network… which kind of defeats the purpose of having a guest network in the first place. To make matters worse, Skype is a “peer to peer” (P2P) service, meaning that Skype users connect directly to one another, usually on remote dynamic addresses (which change often), meaning there’s no way to predict and block the IP address of the remote user.

Web searching for a solution uncovered a number of extremely complex potential answers, most of which involved the use of proxy servers, deep packet inspection, and a bunch of other stuff that I really didn’t want to get into. Er… I mean, things I wouldn’t want to get into were this something other than a completely hypothetical scenario.

However, there is a small chink in Skype’s armor… its Achilles’ heel, if you will. Prior to establishing a peer-to-peer connection with another Skype user, you first need to sign in to one of Skype’s authentication servers with your username and password. The authentication servers store your contact list and your chat history, and serve as the launching pad for all Skype chats. Best of all, finding a list of Skype’s authentication server IP addresses only took a few seconds with a search engine.

With Skype’s authentication server IP addresses in hand, blocking access to them becomes as simple as writing a Linux firewall script to restrict access to them from the guest network. Again, this technically doesn’t shut down the ability for the chat to take place, it shuts down the ability to start the chat, but it accomplishes the same goal. Here’s what such a firewall command would look like, hypothetically, of course:

iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP

In English, that means you want to insert (-I) a FORWARD chain rule saying that any traffic coming into the router (-i) from the guest network bridge (br1) that tries to reach any destination (-d) IP address starting with 111.221.74 should be silently dropped with no reply (-j DROP).

Therefore, adding one of these lines to your firewall script for each of Skype’s subnets would hypothetically do the trick. Of course, if a marathon Skype chat was already underway, this wouldn’t end it — this approach only stops new chats from starting. So to stop a chat that’s already in progress, you’d hypothetically have to briefly shut off the guest WiFi network for a couple of seconds and then turn it back on, temporarily dropping all network access, which would hypothetically frustrate your nephew when he tries to re-initiate a Skype chat with his girlfriend. But you’d hypothetically be able to finally get some decent sleep during your Christmas vacation, which would hypothetically be worth the trouble.

So, if you wanted a list of firewall rules for your router that could hypothetically secure your guest network and shut down access to all the Skype authentication servers, here’s what that script would look like, with comments embedded to help you understand what each line is doing:

Feel free to borrow and edit that file to your liking, just in case you ever need it. Hypothetically, of course.
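Since the embedded script itself did not survive here, the following is an added example (my own, not the post’s script) of what a DD-WRT firewall script of this kind can look like: it keeps the guest bridge br1 off the private LAN, lets guests use only the router’s DHCP and DNS, and drops new guest connections to the Skype sign-in subnet the post quotes. The private subnet 192.168.1.0/24 is an assumption; SKYPE_NETS holds the one subnet named in the post and is meant to be extended by hand. DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the post's own script: a DD-WRT firewall script that
# isolates the guest bridge (br1) from the private LAN and drops new guest
# traffic to the Skype sign-in subnet quoted in the post.
GUEST_IF="${GUEST_IF:-br1}"
PRIVATE_NET="${PRIVATE_NET:-192.168.1.0/24}"   # assumption: private LAN subnet
SKYPE_NETS="${SKYPE_NETS:-111.221.74.0/24}"     # the one subnet from the post
DRY_RUN="${DRY_RUN:-0}"                         # 1 = print rules, do not apply

# Run iptables, or with DRY_RUN=1 just print the command that would run.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

guest_firewall() {
    # Guests may not reach anything on the private subnet. Explicit rule
    # positions are used because -I without a position stacks LIFO.
    ipt -I FORWARD 1 -i "$GUEST_IF" -d "$PRIVATE_NET" -j DROP

    # Guests may talk to the router itself only for DHCP and DNS; the web
    # UI, SSH and anything else the router listens on is dropped.
    ipt -I INPUT 1 -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    ipt -I INPUT 2 -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    ipt -I INPUT 3 -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    ipt -I INPUT 4 -i "$GUEST_IF" -j DROP

    # One DROP per sign-in subnet: a call already running is not torn down,
    # but no new Skype sign-in from the guest network can complete.
    for net in $SKYPE_NETS; do
        ipt -I FORWARD 1 -i "$GUEST_IF" -d "$net" -j DROP
    done
}

# On the router, end the script with a plain call:  guest_firewall
```

Pasted into the firewall script slot under Administration > Commands with a final `guest_firewall` line, it runs at every boot; running it with DRY_RUN=1 on any machine shows the exact rule set first.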


  • Gerard

    Very useful information!! But I thought that if you switch to IP isolation on the virtual network it was already impossible to get onto the physical network. Is my assumption wrong in this??
    This would mean line 1-22 is done by isolation?? Nevertheless i like the skype part :))

    • Hi, Gerard. Yep – that assumption is wrong. The IP isolation function hasn’t worked properly in DD-WRT for some time, so that’s why these firewall tweaks are necessary to achieve true isolation. If you turn on IP isolation, it only prevents wireless clients from seeing each other. They can still see the physical network.

      • Gerard

        Hi Steve, I was setting up a Netgear 3500L router for a friend with the appropriate DD-WRT on it. So on the virtual I had my iPad on wireless to test, and on the physical my laptop, also over WiFi. From my iPad I pinged the IP of the laptop… and indeed isolation wasn’t working. So I applied your firewall rules… but… hmmm, nothing changed… still pingable. I’m not really an expert… but it should drop this request in my opinion. SPI firewall I had on and off, AP isolation on and off, but the ping results remained the same. In between setting changes I did a reboot. I know it’s a different router and maybe doesn’t belong here… but firewall rules are not subject to change on router models. Do you have a clue why this happens? As I’m kinda lost now. I wanna try the same next week on my E4200… just as a test… as I’m not needing a virtual there as I’ve a separate access point for that.

  • Ujjwal Srivastava

    Thanks a lot for your posts for Linksys E4200 v1 and this post to set up a separate guest network. I am successfully running 22208 usb nas build now with two different lans – one for my family owned devices at home and the other for guests.

    My question is related to how to set up priority for home devices vs. guests devices. I am not very interested in QoS for devices at home. So I am assuming that I need to only enable QoS on the WAN port. I have provided the IP/MASK for my home devices, but not sure about the following variables

    WAN Max Up (how is 5000 kBits – does it mean 5 MBytes per sec?)
    WAN Max Down (how is 20000 kBits – does it mean 20 MBytes per sec?)
    Lan Max (leaving it to zero – is that okay?)
    Priority (Manual ?) Not sure what other values Exempt, Premium, Express, Standard, Bulk mean.)

    Would greatly appreciate your guidance on this.

    I run a non-profit group from my home. So sometimes I have several volunteers who need to be on the internet. I want them to be connected at very low bandwidth so they don’t impact the internet connection for my home devices, including my own laptop which I am using to display things on a screen during a meeting with volunteers. Unfortunately I’m not sure I can test it until the next meeting when a lot of guests (10-15) are here. I’d like to be as prepared as possible so I don’t have to open my home network to them.

    Are suggested settings above a decent choice given that my internet connection (WAN) usually gives 20MBps download and 3-4 MBps upload?

    Thanks in advance!!

  • Dirk

    Hi Steve, your guide for the guest WLAN is great and i did it like that for one router with DD-WRT.
    But now I would like to have a second DD-WRT router as an access point which also needs to have a guest WLAN and a separate IP range … but I don’t manage that 🙁
    Do you have a guide or any hints for that as well ?

    Regards

    Dirk

    • Max Hopper

      Yes.
      N.B. we run WAPs (WAN port disabled meaning it is the fifth LAN port)

      (presumption here is that the private SSID is the Wireless Physical Interface in the subnet 192.168.1.0/24 of the second WAP, meaning guests in subnet 192.168.3.0/24 are served via the DHCP (DNSMASQ is activated) server in the second WAP)

      create VAP for guests but in Basic Settings | Network Address Server Settings (DHCP) | DHCP Server (Disabled) is ticked
      create br1 with IP address 192.168.3.0/24 (or a subnet that does not conflict with the private nor that of first VAP) and add the VAP to it

      DNSMASQ commands (presuming the second VAP is 192.168.3.0/24)

      interface=br1
      dhcp-option=br1,3,192.168.3.254
      dhcp-range=br1,192.168.3.1,192.168.3.51,255.255.255.0,60m
      interface=br0
      dhcp-option=br1,3,192.168.1.254

      Thus, a DHCP DISCOVER request from the guest subnet is responded to by the DHCP server of DNSMASQ. The same request from the private subnet is responded to by the DHCP in the aDSL device or networked DHCP server.

      Using the same f/w script (rules) as published here (N.B. use of comments, ‘#’, in scripts consumes VALUABLE nvram storage), double NATting is avoided.

  • DD

    I’m running such a setup for a long time.
    Is there any way to enable or disable the public wifi with one click, without losing all the data, like password an

    • Not that I’m aware of, but that would be a great product suggestion for the DD-WRT team!

      • Max Hopper

        Use cron (Administration tab) to toggle when br1 traffic is forwarded –
        # switch access on M-F beginning at 0900
        0 9 * * 1-5 iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
        # switch access off M-F (covers the weekend) at midnight
        0 0 * * 1-5 iptables -I FORWARD -i br1 -m state --state NEW -j DROP

      • Max Hopper

        Oops…
        The dd-wrt CLI shell has a different PATH from the Services/Administrative Commands –

        0 9 * * 1-5 root /usr/sbin/iptables --table filter --delete FORWARD 1
        0 0 * * 1-5 root /usr/sbin/iptables --table filter --insert FORWARD 1 --in-interface br1 --jump DROP

        N.B. – I embrace rule numbering rather than reliance on memory that INSERT is LIFO

  • Ray

    Steve, I have been using your guide for quite a while, thank you! However, I am concerned about a firewall. I have been using Trend for many years for antivirus and it used to have a firewall, but it doesn’t anymore; it has an add-on for Microsoft’s firewall.

    The problem I have is when I use Steve Gibson’s Leak Test it shows “Firewall Penetrated!” Should I be concerned? I used to use Zone Alarm when I had cable for my ISP and I got 60+ hits a day on my firewall. On Uverse that wasn’t the issue, I think because it’s a point-to-point type protocol. I have considered changing to cable again for more speed, but either way I want to ensure that I have a strong firewall in place. Could you give some direction here? Is there a setting that could be used on the router or do I need to do something else? I hate the thought of having to go with a SonicWall type firewall, but you have been such a great source of information, and since your post on the E4200 said to go to this blog for firewall I thought this would be the best place to ask. Thanks again for everything, Ray

  • Mike

    Hi Steve,

    I originally found your page while I was researching the Ecobee3, which I love, and your blog was instrumental in pushing me to that product… so thank you. I have a question about the use of DD-WRT as a universal repeater. I flashed a WRT54G with DD-WRT around 5 years ago and have been using it as a wireless repeater since then. Normally, I am repeating my WPA2 network. I am curious to know if it is possible to repeat a public network hotspot that requires a username and password that would normally be entered in a web browser that pops up when you connect to the network. Do you know if this is possible or not? Also, getting a little off topic, but have you ever played around with Aircrack-ng or Reaver for testing your wireless network security? It is very interesting how Reaver can exploit older routers that have the WPS feature enabled and hand over a strong WPA2 encrypted password. I just figured that would be something that would pique your interest if you have not been exposed to it yet.

  • 🙂