Creating a limited and secure guest SSID on your DD-WRT router

After one of my friends connected to my private LAN with his phone and suddenly could access all my pictures, music and documents I realized I needed some kind of separate network for friends and family.

Our TP-LINK TL-WR1043ND is running DD-WRT so this should be a piece of cake.

What I wanted to achieve:

  1. Block all access between the private and public wlan
  2. Give the public wlan a lower QoS priority so it won’t slow down my private network
  3. Only allow http and https on the public wlan

I followed this nice tutorial on youtube which got me started: DD-WRT Tutorial: Create a secure and separate public guest network

Unfortunately I soon discovered that my new separate public guest network was anything but secure and separate. Simon, who made the video, left out some crucial parts, and the result is that the private network is wide open to the public network.

Googling the topic I found lots of information but not really a good guide to simply make it work. So I decided to write this post about it.

Here we go:

  1. Follow Simon’s youtube instruction
  2. Open your DD-WRT’s WEBGUI and fix the QoS mistake made in the video. On the “NAT/QoS” -> “QoS” page we need to change the added networks to 192.168.1.0/24 and 192.168.2.0/24.
  3. Create an IPTABLES script to make it secure and separate. This can be added on the “Administration” -> “Commands” page. Just copy and paste the text below into the text box and click “Save firewall”.
#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
#Restrict br1 from accessing br0
iptables -I FORWARD 1 -i br1 -o br0 -m state --state NEW -j DROP
#Restrict br0 from accessing br1
iptables -I FORWARD 2 -i br0 -o br1 -m state --state NEW -j DROP
#Allow br1 to access http/https to internet
iptables -I FORWARD 3 -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -I FORWARD 4 -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Drop everything else on br1
iptables -I FORWARD 5 -i br1 -j DROP
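To see why the order of the five FORWARD rules matters, here is an added example (my own, not part of the original post or of DD-WRT): a small first-match model of that chain that can be run on any machine without touching the router. It only models the matches the script actually uses (interface, protocol, destination port, connection state); the interface name vlan2 for the WAN uplink is an assumption, and anything the five rules do not match is reported as FALLTHROUGH rather than guessing what DD-WRT’s own default rules would do with it.

```python
"""First-match model of the FORWARD chain built by the guest-network script.

Added example, not code from the original post. Assumptions: br0 = private
LAN bridge, br1 = guest bridge, vlan2 = WAN uplink (interface names vary
per router). Packets that none of the five rules match are reported as
FALLTHROUGH: DD-WRT's default rules, not shown in the post, decide those.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrived on (-i)
    out_if: str     # interface it would leave on (-o)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    state: str      # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold; unspecified ones match anything."""
        return all((
            self.in_if is None or pkt.in_if == self.in_if,
            self.out_if is None or pkt.out_if == self.out_if,
            self.proto is None or pkt.proto == self.proto,
            self.dports is None or pkt.dport in self.dports,
            self.states is None or pkt.state in self.states,
        ))


# The chain as the script leaves it: "-I FORWARD 1" .. "-I FORWARD 5" insert
# each rule at that position, so listing order equals evaluation order.
GUEST_FORWARD: List[Rule] = [
    Rule("DROP", in_if="br1", out_if="br0", states=frozenset({"NEW"})),          # rule 1
    Rule("DROP", in_if="br0", out_if="br1", states=frozenset({"NEW"})),          # rule 2
    Rule("ACCEPT", in_if="br1", proto="tcp", dports=frozenset({80, 443})),       # rule 3
    Rule("ACCEPT", in_if="br1", states=frozenset({"ESTABLISHED", "RELATED"})),   # rule 4
    Rule("DROP", in_if="br1"),                                                   # rule 5
]


def verdict(chain: List[Rule], pkt: Packet) -> str:
    """Target of the first matching rule, or FALLTHROUGH if none matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "FALLTHROUGH"


# Constructed packets covering the post's test list plus a few edge cases.
SCENARIOS: Dict[str, Packet] = {
    "guest https to internet":        Packet("br1", "vlan2", "tcp", 443, "NEW"),
    "guest torrent to internet":      Packet("br1", "vlan2", "tcp", 6881, "NEW"),
    "guest smtp to internet":         Packet("br1", "vlan2", "tcp", 25, "NEW"),
    "guest external dns":             Packet("br1", "vlan2", "udp", 53, "NEW"),
    "guest to private file share":    Packet("br1", "br0", "tcp", 445, "NEW"),
    "guest to private web server":    Packet("br1", "br0", "tcp", 80, "NEW"),
    "private to guest":               Packet("br0", "br1", "tcp", 22, "NEW"),
    "private to internet":            Packet("br0", "vlan2", "tcp", 25, "NEW"),
    # Replies enter on the WAN side, so no "-i br1" rule can match them.
    "reply from internet to guest":   Packet("vlan2", "br1", "tcp", 50000, "ESTABLISHED"),
}


def check_guest_policy(chain: List[Rule] = GUEST_FORWARD) -> Dict[str, str]:
    """Evaluate every scenario against a chain; lets you try variations."""
    return {name: verdict(chain, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in check_guest_policy().items():
        print(f"{name:32s} -> {result}")
    # Variation 1: drop rule 5 (the question raised in the comments).
    print("without final DROP, guest smtp ->",
          check_guest_policy(GUEST_FORWARD[:4])["guest smtp to internet"])
    # Variation 2: put the http/https ACCEPT above the br1->br0 DROP.
    reordered = [GUEST_FORWARD[2]] + GUEST_FORWARD[:2] + GUEST_FORWARD[3:]
    print("with rule 3 moved first, guest to private web server ->",
          check_guest_policy(reordered)["guest to private web server"])
```

Two things the model makes visible. First, rule 4 only matches packets that arrive on br1, so the replies a guest’s browser receives are not accepted by this script at all; they enter on the WAN interface, miss all five rules and are left to DD-WRT’s own chain, which is why the ordering here works in practice but also why the script should be tested rather than assumed. Second, the script only adds the DHCP and DNS accepts to the INPUT chain and never restricts what guests can reach on the router itself, so whether br1 can open the web GUI is decided by DD-WRT’s default INPUT rules and is worth checking from a guest client.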

That’s everything. Don’t forget to test your new setup:

  1. Test that your primary and private network is still giving you the same access to your resources and the internet

  2. Try to browse a random website on your public network; this should work

  3. Try to download a torrent on your public network; this should not work

  4. Try to “telnet <some random mailserver> 25” on your public network; this should not work


9 Responses to Creating a limited and secure guest SSID on your DD-WRT router

  1. bbmak says:

    I have a similar setting in my 2nd router for the guest network.

    Private: 192.168.0.#
    Public: 192.168.4.#

    I followed the video, “DD-WRT Tutorial: Create a secure and separate public guest network” to set up my guest network, except I use ChilliSpot instead of QoS. And it works. However, the guest network can still access my LAN computers. When I enter the IP address of one of my private network computers, I see the Windows login prompt, and when I enter the username and password, I can see the shared folders.

    I don’t want the public network to communicate with my private network, only the internet.
    Doesn’t the problem fall on iptables?

    • markvansintfiet says:

      Hej, did you copy and paste the IPTABLES and do some customization so that the IP addresses etc. match your situation?

      What you are describing is what would happen if you just follow the video and don’t go ahead configuring some rules to block the traffic.

      • bbmak says:

        I have tried a few commands, and it seems to be working. However, I have a question.

        What does this command do?
        #Drop everything else on br1
        iptables -I FORWARD 5 -i br1 -j DROP

        If I this command with the command below, will all my access be dropped?
        #Allow br1 to access http/https to internet
        iptables -I FORWARD 3 -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
        iptables -I FORWARD 4 -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT

        Since I only want the guests to use the internet.

      • markvansintfiet says:

        An IPTABLES script runs line by line. The drop at the end basically drops everything that is not allowed so far. You need to keep that one to have your network secured.

  2. bbmak says:

    Thank you so much.
    I got it to work on my repeater without using ChilliSpot. I can separate the 2 networks. However, when I add ChilliSpot, the IP address of my client turns to 192.168.182.x. And the guests can easily access my network, which is 192.168.0.x.

    In ChilliSpot, they offer iptables rules, but none of them work.

    # secure access to local addresses other than chillispot
    iptables -A FORWARD -i tun0 -j DROP;
    iptables -t nat -I PREROUTING -i tun0 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -j DROP
    iptables -t nat -I PREROUTING -i tun0 -d 192.168.0.0/16 -j DROP
    iptables -t nat -I PREROUTING -i tun0 -d 169.254.0.0/16 -j DROP
    iptables -t nat -I PREROUTING -i tun0 -d 172.16.0.0/12 -j DROP
    iptables -t nat -I PREROUTING -i tun0 -d 10.0.0.0/8 -j DROP
    iptables -t nat -I PREROUTING -i tun0 -d 192.168.182.1/32 -j ACCEPT

    Anyway, I can operate my guest network without worrying about intrusion now, except without hotspot management functions.

  3. dflachbart says:

    Just curious about your second step:

    Open your DD-WRT’s WEBGUI and fix the QOS mistake made in the video. On the “NAT/COS” -> “QOS” we need to change the added networks to 192.168.1.0/24 and 192.168.2.0/24.

    Why 192.168.1.0/24 and 192.168.2.0/24 and not 192.168.1.1/24 and 192.168.2.1/24? Does x.x.x.0 mean *any* address on that subnet? I admit I’m not an expert… ;)

  4. dflachbart says:

    Tried this out on my E3000. Whenever I create the bridge a short time later my Internet connection goes down and it’s not able to obtain a WAN IP address any more (stays on 0.0.0.0). Only way to get it back is to remove the bridge and do a hard reset (or restore factory settings). It actually worked for a few minutes the very first time I tried it (I was able to verify that when connected to the virtual WLAN I didn’t have access to my local network), but then the Internet access dropped, and after that the same thing now happens immediately after I create the bridge.

    Since it’s not related to your IP tables fix I guess I have to check out the DD-WRT forums. Does anyone here have any idea why this would happen?

    • markvansintfiet says:

      Did you try to just reset/reboot your router? When I was setting this up I ran into some weird problems which were solved by just restarting the thing…
