Implementing Inexpensive Multiple SSID Networks: Part II

By Eric Geier

December 04, 2007

Step-by-step instruction on how to set up multiple SSIDs using DD-WRT and your basic home router.

Related Articles

In the first part of this tutorial series, we discussed the two different multiple or virtual SSID methods. We also touched on the availability of these features in off-the-shelf APs from popular hardware manufactures. We concluded by discussing the installation of DD-WRT, a firmware replacement for many popular wireless routers, which now embraces the multiple SSID feature.

Now, we’ll step you through exactly how to set up multiple SSIDs with DD-WRT.

Logging into your DD-WRT router 

After successfully flashing your router with the DD-WRT firmware, you can log on to the DD-WRT Web-based configuration screen by following these steps: 

Bring up your Web browser.

Type the IP address of your router into the browser. (By default, DD-WRT uses 192.168.1.1.) After you click on a page/section of the DD-WRT configuration utility, you’ll be prompted to enter the (default) login credentials:       

  • Username: root       
  • Password: admin 

Now you can configure your router for your particular needs. Feel free to set up your main SSID, labeled as Physical Interface wl0 on the Wireless page, as you would like, but you should leave the network configuration as “Bridged.” 

You can also configure your Internet connection, wireless, and other generic settings. These should be similar to what you did with your original router. Once you’re ready, you can configure the additional SSIDs by moving to the next section.

Adding the virtual interface(s)

The first item on the list is to configure the virtual SSID interface(s):

  1. Select the Wireless tab.
  2. Under the Virtual Interfaces section, click Add.
  3. Specify your desired SSID, broadcast, and isolation settings; but make sure you set the network configuration as Unbridged and create a subnet by defining an IP address and subnet mask for the interface.

Figure 1 [below] shows an example of configuring the virtual SSID to be segregated from the main SSID. This is because the virtual interface IP address (192.168.2.1) is on another subnet from the main SSID’s IP address (192.168.1.1).

If you wanted the virtual SSID to be on the same VLAN as the main SSID, (meaning people on the virtual SSID could access the network of the main SSID) you could, for example, enter 192.168.1.2 for the virtual interface IP address.

Later, you’ll have to specify the DHCP settings, including the IP address range that matches the IP information you set up here.

4. Click the Save button to save, but not apply your changes.

Configuring the DNS and DHCP settings

Now, you must manually configure the DNS and DHCP settings for each virtual interface:

  1. Select the Services tab.
  2. Under the DNSMasq section, enter the following set of code (with any applicable edits as discussed) in the Additional DNSMasq Options box for each virtual SSID:

interface=wl0.1

dhcp-option=wl0.1,3,192.168.2.1

dhcp-option=wl0.1,6,192.168.1.1

dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m

Figure 2: Example of configuring the DNS and DHCP settings.

Keep in mind each virtual SSID requires its own set of code. Additionally, make sure you specify the correct interface number in each set. The wl0.1 refers to the Virtual Interface wl0.1 SSID (seen in the wireless section of DD-WRT); for example if you are setting up a second virtual SSID then its set of code would contain wl0.2, the third would be wl0.3, and so on.

Even when using only one virtual SSID, you should also keep in mind the other variables this code presents:

  • The IP address in the second line of code should be the address you specified earlier when setting up the virtual interface in the wireless section.
  • The IP address in the third line of code should be the main or original address of your router which is 192.168.1.1 by default.
  • The last line of the code specifies (in consecutive order) the following, separated by comas in the code:

o       Starting IP address of the DHCP addresses, matching the subnet you defined.

o       Ending IP address of the DHCP addresses, matching the subnet you defined.

o       Subnet mask.

o       Client lease time. (in minutes)

3. Click the Save button to save but not apply your changes.

Configuring Firewall (VLAN) Settings

You also have to manually configure firewall settings for each virtual interface to prevent users on the virtual SSID(s) from accessing the original network:

  1. Click the Administration tab.
  2. Click the Commands tab.
  3. Enter the following in the Commands box for each virtual SSID:

iptables -I INPUT -i wl0.XXX -m state –state NEW -j logaccept

Replace XXX with the virtual interface number shown on the main wireless page of DD-WRT.

Note: If you already have specified commands (shown in the Firewall section) click the Edit button which should make your existing commands appear in the commands box. After you make your desired additions/edits in the box, you can click the Save Firewall button as step six instructs.

  1. Add the following two lines of code in the Commands box for each virtual interface you want to segregate from the main SSID:

iptables -I FORWARD -i wl0.XXX -o br0 -j logdrop

iptables -I FORWARD -i br0 -o wl0.XXX -j logdrop

Replace XXX with the virtual interface number shown on the main wireless page of DD-WRT.

  1. If you have more than one virtual SSID and you want to segregate the virtual SSIDs from each other, add the following two lines of code (with applicable edits as discussed) in the Commands box for each virtual SSID link you would like to segregate:

For example, if you have two virtual SSIDs (not counting your main one) you would like to segregate, add the following:

(This prevents communication like file sharing, pinging, etc between your first and second virtual SSID.)

iptables -I FORWARD -i wl0.1 -o wl0.2 -j logdrop

iptables -I FORWARD -i wl0.2 -o wl0.1 -j logdrop

When adding your third virtual SSID that you would like to segregate from the others you would add the following two sets of code:

(This prevents communication between your third and first virtual SSID)

iptables -I FORWARD -i wl0.1 -o wl0.3 -j logdrop

iptables -I FORWARD -i wl0.3 -o wl0.1 -j logdrop

(This prevents communication between your third and second virtual SSID)

iptables -I FORWARD -i wl0.2 -o wl0.3 -j logdrop

iptables -I FORWARD -i wl0.3 -o wl0.2 -j logdrop

  1. Click Save Firewall.
  2. Click the Management sub-tab of the Administration section.
  3. Scroll down and click Apply Settings.

You’re done; your router should now be broadcasting multiple SSIDs!

Overcoming Multiple SSID (Not BSSID) Connectivity Issues

The use of multiple SSIDs with DD-WRT may cause confusion (or at least to your wireless client utility) when attempting to connect to the router. This is because the firmware only implements multiple SSID, rather than multiple BSSID method. The differences of these types were pointed out in the previous tutorial.

The way wireless clients handle and display the numerous network names on multiple SSID (not BSSID) networks varies. Some client utilities may show the main SSID along with all the virtual ones; however some clients may only show a random listing of just one of the broadcasted SSIDs. In the case of multiple BSSID networks, the clients should just show all the SSIDs as normal.

If you find you’re having this type of problem remember you can manually connect to a SSID, like you would for non-broadcasted SSIDs:

  1. Add the SSID (and other applicable settings) of your desired network to the preferred list of your client utility.
  2. Remove any entries of the other SSIDs of your DD-WRT-enabled router from the preferred list.
  3. It should then connect to the SSID you specified; if not try to refresh or restart your wireless adapter.

Bear in mind even though you know this workaround now, consumers and the public won’t. They may not even see the network in their list of nearby wireless networks. Therefore if you’ve setup an SSID intended for public access or for external members of your organization, you may think about disabling the broadcasting of all your other SSIDs, leaving the single broadcasted SSID for those less-inclined users. This way wireless clients shouldn’t get confused, it should always show the one broadcasted SSID.

Conclusion

You have a few places to turn to if you run into troubles when setting up DD-WRT:

  • DD-WRT Wiki: Contains information and help on installing and setting up DD-WRT and its features through frequently asked questions (FAQ) and tutorials.
  • Discussion Forum: You can review previous discussions and/or post questions or start conversations with the developers and other users worldwide.
  • IRC: You can chat with DD-WRT users and developers using an Internet Relay Chat (IRC) client.
  • Wi-Fi Planet Forums: Lastly but not least, you can hit the discussion forum here on the site where you might find some experienced DD-WRT users.

Whether you are trying to setup virtual SSIDs to give public access, for segmenting reasons, or for multi-security support–remember if the DD-WRT solution doesn’t work out there are inexpensive out-of-the-box APs out there for your choosing.

Eric Geier is an author of many wireless networking and computing books including 100 Things You Need to Know about Upgrading to Windows Vista, published by Que and Wi-Fi Hotspots: Setting up Public Wireless Internet Access, published by Cisco Press.

Latest posts by Eric Sandler (see all)

Give a Comment