Guest wireless access is handy when you want to separate guest devices (your friends’ phones and laptops) from your own devices connected to the main network.
To get started, you need a router capable of guest wireless (not every router can do this) that is already set up and running either DD-WRT or Tomato. This tutorial explains how to set up a router running Tomato that is used only as an access point (its WAN is disabled/unplugged).
Create bridge
Navigate to Basic > Network. In the LAN section select a bridge number, fill in the IP address/netmask, check DHCP and fill in the IP address allocation range for the new virtual network.
Then click the Add button; the settings should look similar to the following:
Scroll down and Save settings.
Create VLAN
Navigate to Advanced > VLAN. In the VLAN section fill in data:
- select VLAN: 3
- enter VID: 3
- select Bridge: LAN1 (br1)
and click the Add button. Double-check that the settings look similar to the following:
then scroll down and click Save. The router will restart at this point.
Virtual Wireless
Navigate to Advanced > Virtual Wireless. In the Overview tab, under Virtual Wireless Interfaces, fill in the following:
- select Interface: wl0.1
- enter desired SSID for the guest wireless
- select Mode: Access Point
- select Bridge: LAN1 (br1)
then click the Add button. You will be taken to the WL0.1 tab to configure the wireless network further:
Here you can set your wireless SSID (again) and security options. Once you’re done scroll down and you’ll notice the Save button turned into an Overview button. Click it and you’ll be returned to the Overview tab. You can now scroll down to click Save.
Navigate to Advanced > VLAN and in the Wireless section confirm that guest wireless is assigned to the correct bridge:
Your virtual wireless network is now set up. It should be visible, you should be able to connect to it, and your device should receive an IP address. However, you'll notice that there is no internet access yet.
Internet connectivity
For this last step you'll need to configure the firewall on Tomato to forward traffic between the guest bridge and the main LAN. Navigate to Administration > Scripts and enter the following rules in the Firewall tab:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
The rules above are the bare minimum for guest devices to access the internet. With only these rules, guests will also be able to reach your main network devices (if anyone knows your IPs or scans for them). The next rule blocks such access (only permitting it to 10.0.0.1 and 10.0.0.251-254):
iptables -I FORWARD -i br1 -m iprange --dst-range 10.0.0.2-10.0.0.250 -j REJECT
If you’re having trouble with the router leaking DHCP leases from the guest network to the main network, also add the following:
iptables -I INPUT -i br0 -p tcp --dport 67:68 --sport 67:68 -j REJECT
iptables -I INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j REJECT
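As an added example (not part of the original tutorial), the same rules packaged as a reusable firewall script. Because every rule is inserted with -I, the order in which the rules are executed is the reverse of the order they end up in the chain; the script makes that explicit and can be rerun safely. The bridge names br0/br1, the 10.0.0.0/24 range and the LAN_IP default are assumptions taken from the tutorial's setup.

```shell
#!/bin/sh
# Tomato firewall script for an AP-only guest bridge (constructed example).
# Assumptions: br0 = main LAN, br1 = guest bridge, main LAN is 10.0.0.0/24,
# and guests may only reach 10.0.0.1 and 10.0.0.251-254.
LAN_BR="${LAN_BR:-br0}"
GUEST_BR="${GUEST_BR:-br1}"
# On the router use: LAN_IP=$(nvram get lan_ipaddr); 10.0.0.254 is a placeholder.
LAN_IP="${LAN_IP:-10.0.0.254}"
BLOCK_RANGE="${BLOCK_RANGE:-10.0.0.2-10.0.0.250}"

# Print the rules in the order they must be EXECUTED. Each rule uses -I, so
# the rule executed last sits first in its chain: the REJECT for the private
# LAN range is executed after the NEW/ACCEPT rule so it is evaluated before it.
guest_rules() {
    echo "iptables -I FORWARD -i $GUEST_BR -m state --state NEW -j ACCEPT"
    echo "iptables -I FORWARD -i $GUEST_BR -m iprange --dst-range $BLOCK_RANGE -j REJECT"
    echo "iptables -t nat -I POSTROUTING -o $LAN_BR -j SNAT --to $LAN_IP"
    echo "iptables -I INPUT -i $LAN_BR -p udp --dport 67:68 --sport 67:68 -j REJECT"
    echo "iptables -I INPUT -i $LAN_BR -p tcp --dport 67:68 --sport 67:68 -j REJECT"
}

# Apply the rules. Safe to rerun: each rule is checked with -C before -I,
# so the firewall script does not pile up duplicates across restarts.
apply_guest_rules() {
    guest_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -I / -C /')
        if ! $check 2>/dev/null; then
            $rule
        fi
    done
}

# Self-checks usable without iptables: number of rules, and that the LAN
# REJECT is executed after (hence ordered before) the NEW/ACCEPT rule.
rule_count() { guest_rules | wc -l | tr -d ' '; }
reject_after_accept() {
    accept_line=$(guest_rules | grep -n -- '--state NEW' | cut -d: -f1)
    reject_line=$(guest_rules | grep -n -- '--dst-range' | cut -d: -f1)
    [ "$reject_line" -gt "$accept_line" ]
}

# Uncomment on the router:
# apply_guest_rules
```

After applying, `iptables -L FORWARD -v -n --line-numbers` should show the iprange REJECT above the state NEW ACCEPT; if it does not, guests can still reach the blocked range.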
And you’re done. Enjoy your guest wireless (or better yet, let your guests enjoy it).
This still works like a charm, thanks!
When the WAN is disabled, how do you get internet access at all?
The WAN is usually connected to the modem, right?
The tutorial is about how to configure a wireless network for guest access. In my case I was only using the device in the screenshots as an AP, so its WAN was disabled – you don’t need to configure anything related to the WAN.
Thanks! Can you make the same guide but for DD-WRT? =)
Thanks! Can you make the same guide but for DD-WRT instead of Tomato? =)
Hello,
Where could I find the Tomato skin that appears on this page?
Seeing that I can’t find it on the themes list but there’s an evolved_grey which looks very similar, I think this was the default theme (at least at that time).
So after successfully setting up a guest network for 2.4 and 5 GHz, none of the clients can access the internet. I too do not use the WAN port on my Asus RT-N66U; the router is just connected to a local network that uses a firewall for connecting to the internet.
That means that the firewall rules mentioned in the article do not work for my Tomato 1.28.
Any hints to get this running properly?
Thanks,
Michael
That’s expected, as the firewall rules in the tutorial perform NAT to the WAN port.
They’d need adjusting, but how should the guests be isolated from your LAN if they share the same IP address block and are forwarded through the same router?
So it works, but without a password. No matter how I set the password. If I disable security it works. Any ideas?
Guest access worked nicely, but primary network access did not work anymore at all! Any idea why?
Forgot to mention, I am using DHCP but with a list of fixed IP addresses on the primary access point br0.
Thank you very much! I spent days trying to get this working using DD-WRT on my Asus RT-AC56U. And it worked first time on Tomato Shibby 1.28.
It seems the firmware is good and your instructions are great! But this is such a common requirement that I’m surprised there isn’t an easier one-step procedure allowed for in the Web GUI.
Thanks again!
Worked perfectly. Thanks a bunch!
Though I'm curious about a couple of things. First off, is there a way to block users on the guest network from downloading stuff?
I mean browsing, checking Snapchat etc. should work fine.
But I don't want some randoms sitting on my guest network downloading movies etc.
Is there a way to block such traffic only on the guest network?
Secondly, I kinda want to troll my guest users a bit..
Is it possible to force a rickroll video in the captive portal agreement thingy?
Or even just always send the users on the guest network back to a rickroll page, regardless of what they type in the browser? Say they want to open Google but get redirected right away to a rickroll page 😀
Doesn’t work for me, reset NVRAM to retry for a second time, but no joy. Guests have no wifi access. This is with an RT-N18U and Shibby Tomato 1.28.
Forget my previous comment earlier today. Doesn’t work.
I needed to change this line “iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`” to “iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)” in order to get it working with Shibby 1.28.
There was no need for “iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT”; it worked without it.
Internet on guest wifi is not working for me…
Worked perfectly! Thanks.
Very helpful, thank you!