Adventures in Guest Networking with DD-WRT

From Rabbi Blog

Jump to: navigation, search


I've had DD-WRT running on an old WRT54G2 for awhile and today I decided to look into setting up a guest network for visitors. What could go wrong with that?

First, I have to give Odian The Linux Guy credit for his 2016 YouTube video: Setting up Guest Wifi On DD-WRT, this was extremely helpful, however there were a few nuances that I didn't catch from watching the video (my apologies to Odian if the info was in the video and I missed it) and I kept dead ending.

But I kept hammering away....

This setup assumes you can log into the DD-WRT router and configure it, and that you are doing a LAN-to-Lan connection with the router to your main router. The firmware I used was old, but understand I spent too much time troubleshooting until I realized the issue that I can't be bothered to flash the router up to current release and test. If I do, I'll update the directions.

I now have two separate WRT54G2 running, with different 192.168.x.x offerings and they are independent of each other (as I'm typing this, I realize I need to reconsider how I'm offering connections and DHCP from one 192.168.x.x scope, but seriously, I've been at this for way too long today). WDS may be where this goes when I have more time.

Here we go....


  • Router Model: Linksys WRT54G2 / GS2
    • Note: This is a Lan to Lan setup, not a LAN to WAN</b>
    • Firmware DD-WRT v3.0-r31899 micro (04/24/17)
    • Firmware: DD-WRT v3.0-r29968 micro (06/17/16)
  • Router Model: Cisco M10 Valet V1
    • Firmware: DD-WRT v3.0-r38159 std-nokaid-small (01/02/19)
    • Note: Unable to get the second wireless network to broadcast
  • Misc
    • I may try other firmwares later
    • May look into WDS later, not really important right now


  • Note: Sub categories are tab locations within DD-WRT config

Basic Setup

Router IP

  • Setup router IP with LAN IP (directions assume you can log into the router)
    • DNS: (we're going to block access to the router later)
  • Attach to LAN via Ethernet Ports 1-4 (we will not be re-assigning the WAN port)


  • Set to DHCP Forwarder
  • Set it to your LAN DHCP server

Time Settings

  • Disable
  • Apply\Save (router should reboot)


Basic Settings

Virtual Interface

  • Add Virtual Interface
  • Name the SSID: GUEST-GUEST
    • Wireless SSID Broadcast: enabled
    • AP Isolation: disable
    • Network configuration: Bridged
  • Apply\Save

Wireless Security

Basic Settings

  • Virtual Interfaces wl0.1 SSID [GUEST-GUEST] - (note the VI name, here is "wl0.1", it will be needed later)
    • Security Mode: your choice
      • Settings based on your choice
  • Apply\Save (router may reboot)



Create Bridge

  • Add br1
    • STP ON
    • Apply\Save
  • Assign to Bridge
    • br1 to wl0.1
    • Apply\Save
  • Verify Current Bridging Table shows
br0	no	vlan0 eth1
br1	yes	wl0.1

Port Setup

  • find Network Configuration br1 on the page
  • configure settings according to your network
  • Note: the M10 took a few page refreshes for br1 to appear
TX Queue Length 1000
MTU	1500
Multicast forwarding: Disable 
Masquerade / NAT: Disable 
Net Isolation: Disable 
Forced DNS Redirection: Enable
Optional DNS Target:
IP Address:
Subnet Mask:
  • Apply\Save


  • Add Server
    • br0 and set to off
    • br1 and set to on
  • Apply\Save
  • Note the dhcp range on br1



  • Add iptables info for this network (note the IP address should be your network)
#Allow guest bridge access to Internet
 iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
 iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
 iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
 iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
 iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
#change the IP address to the IP of your guest network x.x.x.x/24
 iptables -I FORWARD -p tcp -s -m connlimit --connlimit-above 50 -j DROP
 iptables -I FORWARD -p ! tcp -s -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
 iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
 iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
 iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
 iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset


  • Apply\Save (router may reboot)