Set to Bridged AP with NAT'd Guest WiFi

From Mage

A guide to turning your DD-WRT flashed router into a simple access point using bridged networking with an additional separate virtual wireless interface for handling isolated guest traffic.

Assumptions

  • You have a routing device at 192.168.1.1
  • You have a DHCP server setup at 192.168.1.1
  • You have a DNS server at 192.168.1.1
  • Your access point will be handling none of these functions on your primary network
  • Your subnet is going to be 192.168.1.0/24, and the DHCP server is configured to handle this
  • Your AP's guest subnet is going to be 192.168.11.0/24

If your setup is different, swap the appropriate values where needed.



Recommended

  • Update DD-WRT - The latest for the R7000 as of this writing (06/18/2018) is 36070
  • Reset your router to the default settings beforehand


Disable the WAN connection

Basic Settings

Go into Setup -> Basic Setup. Under WAN Setup select WAN Connection Type Disabled.


Set a Router Name (shows up when logging in via the web client), a Hostname (shows up when logging in via SSH client), and a Domain Name (handed out to clients who connect via the guest network).


Under Network Setup set a Local IP Address to a unique IP on your network; this guide uses 192.168.1.2, and the later steps refer back to it. If you already have a router at 192.168.1.1 you must give the access point a different address. Set Subnet Mask to 255.255.255.0 (unless you know what you're doing). Set the Gateway to 192.168.1.1, and Local DNS to 192.168.1.1.


At the bottom of the page, select Save. This will refresh the page and give us some new options. If you cannot reconnect, change your browser's address to http://192.168.1.2.


Under WAN Port select Assign WAN Port to Switch. Under Network Address Server Settings (DHCP) select a DHCP Type of DHCP Server then set DHCP Server to disabled. Untick the boxes for Use DNSMasq for DHCP and Use DNSMasq for DNS.


Optional but recommended: enable NTP Client under Time Settings and set it to a local time server on your network.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings. If you cannot reconnect, change your browser's address to http://192.168.1.2.




Set to router

Advanced Routing

Go into Setup -> Advanced Routing. Under Operating Mode select Router.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings.



Set up Wireless

Wireless Basic Settings

Go into Wireless -> Basic Setup. Configure these settings as you please, but try to set your AP to wireless channels that are less congested in your area for best performance.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings.


Go into Wireless -> Wireless Security and set a long, random WPA2 Personal (AES) pre-shared key for your bridged wireless interfaces. These interfaces are bridged directly onto your primary network, so anyone holding this key is on your LAN: don't reuse it anywhere else and don't hand it to guests. GRC's password generator is a step in the right direction. Guests should not want to type this password in.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings.




Create a guest WiFi network

Adding a guest network

Go into Wireless -> Basic Setup. If your router supports 2.4GHz and 5GHz radios you probably have two sections called Virtual Interfaces. Devices that only cover 2.4GHz will have a single one. Choose the device you'd like to create the network under (I prefer 2.4GHz to keep my 5GHz bandwidth free) and click Add. Choose a Wireless Network Name (SSID) for this network that's different from your others, set the Wireless SSID Broadcast to Enable, and disable the other options. We'll isolate this network manually later.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings.


Go into Wireless -> Wireless Security and set up an easy-to-remember password for your new guest network. You'll still want to set it to WPA2 Personal and AES unless you have some ancient wireless devices. Once the guest network is isolated in the steps below, clients on it will only be able to see other devices connected to the guest network, so a weak password here cannot get anyone onto the primary network. Do keep in mind that WPA2 Personal uses one shared key: anyone who has the guest password and captures a client's association can decrypt that client's wireless traffic, so treat the guest SSID as offering no confidentiality between guests. Make a note of the device name of the guest network as you will need it in the next step. On the R7000 it's wl0.1.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings.



Isolate the guests via networking

Networking settings

Go into Setup -> Networking. Under Create Bridge click Add. This creates a new bridge connection that we can isolate our guest network to. Name the bridge br1, set STP to Off, then click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings. This creates br1 and sets it online.


Under Assign to Bridge click Add. For Assignment select br1. For Interface, select the device name you noted earlier for the guest network. In my case it was wl0.1.


Under Port Setup - Network Configuration br1 set the MAC Address to a unique value (optional). Set Multicast forwarding, Net Isolation, and Forced DNS Redirection to Disable (we'll do the isolation ourselves with iptables in a later step rather than relying on Net Isolation). Set IP Address to 192.168.11.2 and Subnet Mask to 255.255.255.0.


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings. At this point the guest WiFi is on its own Layer 2 segment (br1) with its own subnet, and guests have no address yet, so they cannot reach the primary network. Routing between br1 and br0 is not blocked yet, though; the iptables rules in the NAT step below take care of that.




DHCP for guests

DNSMasq settings

One problem the guests have is that they are never offered a DHCP address on this new network. We're going to enable DNSMasq to answer DHCP requests only on the new guest network (192.168.11.0/24), handing out addresses in the range 192.168.11.25-192.168.11.50.


Go into Services -> Services (I didn't name it) and find the DNSMasq table. Enable DNSMasq and Disable all the other options. Under Additional DNSMasq Options, put:

# Only listen on the guest bridge, so nothing is offered on br0
interface=br1
# DHCP option 3 (default gateway) for br1 clients: the AP's br1 address
dhcp-option=br1,3,192.168.11.2
# Lease 192.168.11.25-192.168.11.50 on br1 with a 24 hour lease time
dhcp-range=br1,192.168.11.25,192.168.11.50,255.255.255.0,24h


Click Save at the bottom of the page. Wait for the page to refresh, then click Apply Settings. Now our guests can talk to each other and receive an IP address upon connection. DNSMasq also advertises itself (192.168.11.2) as the DNS server for these leases and forwards queries to the Local DNS set earlier, so the AP must keep accepting DNS and DHCP from br1 when we firewall it below. If you would rather guests not see each other at all, enable AP Isolation on the guest virtual interface under Wireless -> Basic Setup.



Setting up NAT

Our guests still can't reach the Internet from this isolated network though. For this we'll set up an iptables NAT rule so guest connections are forwarded through the primary network with the AP's LAN address as their source. We'll block any new connection the guest network attempts to open to the primary subnet; note that this only covers the AP's own subnet, so if other private subnets are reachable through 192.168.1.1 they need their own DROP rules. We'll also drop access to any services running on the access point that the guests do not need.


Go into Administration -> Commands. In the Commands textbox, input the following:

# Drop guest access to the AP's own services (FTP, SSH, telnet, HTTP, HTTPS).
# Guests still need DHCP (udp 67) and DNS (53) from the AP, which these rules leave open.
# The second rule also catches packets carrying a guest source address that arrive on another interface.
iptables -I INPUT -i br1 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
iptables -I INPUT -s 192.168.11.0/24 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP

# Block new connections from guests to the primary subnet (read from nvram so the
# rule follows the AP's LAN settings). Only NEW is dropped, so replies to connections
# a primary-network host opened towards a guest still get through.
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

# NAT the guest subnet behind the AP's LAN address as it leaves through br0.
# Matching on the guest source range keeps every other packet leaving br0 untouched.
iptables -t nat -I POSTROUTING -s 192.168.11.0/24 -o br0 -j SNAT --to `nvram get lan_ipaddr`


Click Save Startup at the bottom of the page. Go into Administration -> Management. At the bottom of the page, click Reboot Router. After the reboot, confirm the rules are loaded by running iptables -L -n -v and iptables -t nat -L -n -v over SSH; if they are missing, put the same commands under Save Firewall instead, which DD-WRT re-runs every time it rebuilds its firewall. Then connect a device to the guest SSID and check that it gets a 192.168.11.x lease, reaches the Internet, and cannot open anything on 192.168.1.1 or the AP's web interface.
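The rules above blacklist five TCP ports on the AP and one destination subnet. The script below is an added example, not part of the original guide, showing the same isolation written the way I would deploy it: guest traffic to the AP is default-deny (only DHCP, DNS and ping are allowed, so any service added later is closed too), all RFC1918 and link-local destinations are dropped in addition to the AP's own subnet, the SNAT is restricted to the guest range, and the rules live in their own chains so the script can be re-run without duplicating anything. It assumes the guide's values (br1 = 192.168.11.0/24 with the AP at 192.168.11.2, br0 = the LAN); LAN_IP and LAN_MASK come from nvram on the router and fall back to 192.168.1.2/255.255.255.0 elsewhere, where the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the original guide): guest isolation for DD-WRT as a
# re-runnable script. Assumptions: guest bridge br1 = 192.168.11.0/24, AP at
# 192.168.11.2 on br1, primary bridge br0. LAN_IP/LAN_MASK are read from nvram on
# the router and fall back to the guide's 192.168.1.2/255.255.255.0 off the router,
# where DRY_RUN=1 prints the rules instead of loading them.

GUEST_IF=${GUEST_IF:-br1}
GUEST_NET=${GUEST_NET:-192.168.11.0/24}
GUEST_GW=${GUEST_GW:-192.168.11.2}
LAN_IF=${LAN_IF:-br0}
LAN_IP=${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.1.2)}
LAN_MASK=${LAN_MASK:-$(nvram get lan_netmask 2>/dev/null || echo 255.255.255.0)}

ipt() {   # run iptables, or print the command when DRY_RUN is set
  if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

once() {  # insert a jump into a built-in chain only if it is not already there
  table=$1; shift
  if [ -n "$DRY_RUN" ]; then echo "iptables -t $table -I $*"
  else iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -I "$@"; fi
}

guest_firewall() {
  # Own chains for guest traffic; flushing them makes re-runs idempotent
  # (for example when DD-WRT re-runs the Firewall script).
  for c in guest-in guest-fwd; do
    ipt -N "$c" 2>/dev/null || true
    ipt -F "$c"
  done

  # guest-in: packets from br1 addressed to the AP itself. Allow only what a
  # guest needs from the AP (DHCP, DNS from dnsmasq, ping) and drop the rest, so
  # SSH/HTTP/telnet/FTP and any service enabled later are closed without listing them.
  ipt -A guest-in -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A guest-in -p udp --dport 67 -j ACCEPT                   # DHCP (broadcast, so no -d)
  ipt -A guest-in -d "$GUEST_GW" -p udp --dport 53 -j ACCEPT    # DNS
  ipt -A guest-in -d "$GUEST_GW" -p tcp --dport 53 -j ACCEPT
  ipt -A guest-in -d "$GUEST_GW" -p icmp --icmp-type echo-request -j ACCEPT
  ipt -A guest-in -j DROP

  # guest-fwd: packets from br1 that get routed. Drop the primary subnet (the
  # guide's rule) plus every private and link-local range reachable through the
  # upstream router, then let the rest (the Internet) through. Guest-to-guest
  # traffic is switched inside br1 and never reaches FORWARD.
  ipt -A guest-fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A guest-fwd -d "$LAN_IP/$LAN_MASK" -j DROP
  ipt -A guest-fwd -d 10.0.0.0/8 -j DROP
  ipt -A guest-fwd -d 172.16.0.0/12 -j DROP
  ipt -A guest-fwd -d 192.168.0.0/16 -j DROP
  ipt -A guest-fwd -d 169.254.0.0/16 -j DROP
  ipt -A guest-fwd -j ACCEPT

  # Hook the chains in, allow replies back to guests, and NAT only the guest
  # subnet (the guide's SNAT rule matches every packet leaving br0).
  once filter INPUT -i "$GUEST_IF" -j guest-in
  once filter FORWARD -i "$GUEST_IF" -j guest-fwd
  once filter FORWARD -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  once nat POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j SNAT --to-source "$LAN_IP"
}

# Apply on the router (where nvram exists); anywhere else just print the rules.
if command -v nvram >/dev/null 2>&1; then guest_firewall; else DRY_RUN=1; guest_firewall; fi
```

Paste it under Save Firewall (or Save Startup, as the guide does) and it applies itself at boot; run it with DRY_RUN=1 on a workstation first to review the exact rules. Putting the rules in dedicated chains also makes auditing easy: iptables -L guest-in -n -v and iptables -L guest-fwd -n -v show only the guest policy and the packet counters for each rule.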


Congratulations! You've bridged your access point to your primary network, set up WiFi access for trusted clients on that primary network, and set up an isolated, NAT'd guest network for untrusted devices!