Dd Wrt Access Point Guest Network

From DD-WRT Wiki

Spring to: navigation, search

Note: This folio must be reevaluated. Please, someone with improve expertise should verify that the main dhcp server still works correctly after adding the insulated wlan dhcpd server. Had to difficult-reset my router.. principal lan/wlan was not assigning any dhcp leases anymore, nonetheless 2nd wlan (guest) had internet working perfectly and good dhcp server. no run a risk to telnet/ssh... locked out... admin interface not reachable from invitee network. Thank you.

This tutorial is for beginners, and therefore before proceeding make sure you lot accept working reset push button and have backed upward you configuration (so you tin can reset your router and restore configuration if y'all stuck somewhere). This guide will show you the basics of creating and decision-making Guest WiFi. Also come across Guest Network for more than details and methods.

Creating Guest VAP

Adding DHCP for Guests

Hardcoded limiting interfaces

Setting priorities

Abuse controlling

Web content filtering

Content blocked

For that purpose we will kickoff create VAP (Virtual Access Betoken) for guests.

On Wireless -> Basic Setup tab click Add together on Virtual Interfaces department. Enable AP isolation then that guests tin can not see each others. AP Isolation drops all traffic between clients connected to the VAP. If you want secure Guest WiFI its recommended to enable this feature to help mitigate Wi-Fi snooping attacks.

Ready Network Configuration to Unbridged, Enable NAT (and then that guest can accept cyberspace), enable Net isolation (this selection creates a couple of firewall rules that blocks invitee to attain your private network). Net isolation works But on unbridged interface on newer builds starting from: Broadcom 23020, Atheros 24759, and Ralink (Mediatek) 25934.

AP Isolation = Guests can not hack each other on guest VAP
Internet isolation = Guests tin can not hack your private LAN/WLAN

Enable Forced DNS Redirection and enter the OpenDNS server IP (208.67.222.222) in the Optional DNS target field. This volition preclude users from using their own DNS servers (and hence get around content filtering) by intercepting DNS queries and forcing them to use the DNS servers you specify. Enter the IP Address and Subnet Mask of yours newly created interface (ath0.1) 172.16.ane.1./255.255.255.0 Click Save and Apply. Look almost 30 sec. for interface ath0.1 to be created. Note: You however wont be able to connect to this Guest VAP. You must enable DHCP for the clients.

Side by side step is to enable DHCPd for the guest wifi. Go to Setup -> Networking and on DHCPd section add another dhcp server for the invitee network (click add together then choose ath0.1 from drop down menu). Select starting IP for guests, max number of IPs and leasetime. Once more click Salvage and Apply. Wait nigh xxx sec. and try to connect to Guest WiFi. You should be able to browse Cyberspace and shouldn't be able to achieve your private network or encounter other clients on network discovery.

[edit] Bandwidth Limiting

You tin can put your individual network on Maximum and Invitee to bulk. The bulk class is only allocated remaining bandwidth when the remaining classes are idle. If the pipe is full of traffic from other classes, Bulk volition simply be allocated 1% of total set limit. So, basically your guests volition not affect your private speed. Or you can set hardcoded limits with manual entering.

With interface limiting both bridged & unbridged, offers power to charge per unit or priority limit services or ports/port ranges. This tin can be exceptionally useful to control bandwidth hogs, regulate hotspots, etc. with an interface limit, a invitee user can change their ip address & mac accost every bit much as they desire trying to get around qos, calumniating users can't bypass ur rules without switching off the interface. Examples:

vlan1 512/512 0 ssl manual

This means all traffic on vlan1 interface (lan ports for some routers, others utilize eth) is not express or shaped, and can achieve global limits, except ssl traffic being express to 512kbps both upwardly & downward (64KB/southward).

Multiple entries are possible:

ath0 512/512 0 ssl manual  ath0 2048/512 0 http manual  ath0 512/512 0 ftp manual

This is as above except for the ath0 wireless interface, and but the listed services are charge per unit limited. You can instead practice priority limits, but charge per unit limiting & prioritizing the same service simultaneously is not supported.

Use Access Restrictions to block torrents and some VPNs. Determined user is very hard to block considering nowdays you lot take free SSTP VPN services etc. On cheap routers you tin can not run Proxy, Squid etc then this is all nosotros have...

[edit] OpenDNS

OpenDNS can be used for internet abuse filtering. It is a costless DNS (Domain Name Server) service which makes internet browsing safer and allegedly faster. By simply using their DNS servers instead of your Isp's you are automatically protected from their listing of Phishing websites. However, in order to restrict a variety of developed website content you will need to create a gratuitous account with them, register your IP address and select the categories yous want restricted (i.eastward. sexuality, nude, pornography, lingerie, grotesque, etc...). Since most of us have DHCP assigned WAN IP addresses that change periodically we need to instruct our router to tell OpenDNS what our new IP address is when it changes. See DNS-O-MATIC

Reboot router, clear browser enshroud, and manually set public dns server in your PC NIC adapter to attempt to avoid restrictions...