Firewalling the Networks
Now you’ll probably want to configure the firewall so users from the new SSID and LAN ports can’t access the main network, and vice versa. Plus, you might want to prevent the users on the new network from accessing the router. To get started, bring up the web-based Control Panel and click Administration > Commands.
If you already have commands listed in the Firewall section, click the Edit button to bring them to the Commands box, and then click Save Firewall when you’re done. Otherwise, just type or paste into the blank Commands box and click Save Firewall when you’re finished.
Enter your desired commands, each on its own line, in the order listed here:
- Restrict br1 (new SSID/LAN) from accessing br0 (main SSID/LAN):
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
- Restrict br0 (main SSID/LAN) from accessing br1 (new SSID/LAN):
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
- Restrict br1 (new SSID/LAN) from accessing the router, while still allowing DHCP (UDP port 67) and DNS (UDP and TCP port 53):
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
You can verify the firewall settings by sending some pings. Connect a computer to each network and note their IP addresses. Bring up a command prompt on each computer and type ping, then a space, then the other computer’s IP address, and press Enter. It will send four pings. If it says Request timed out, the networks have been successfully segregated. Now connect both computers to the same network and ping each other; it should list the replies.
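The following Python sketch is an added example, not part of the original article or of DD-WRT. It models why the commands must be entered in the order listed: each -I inserts at the top of its chain, so the DROP entered first ends up below the DHCP and DNS exceptions entered after it. It understands only the options used above; the packet dictionaries (including port 80 for the web interface) are constructed samples, and FALLTHROUGH is a hypothetical label meaning the packet continues to the firmware's existing rules.

```python
import shlex

# The six commands from this section, in the order they are entered.
COMMANDS = """\
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""

# Only the options that appear in the commands above are modelled.
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
         "--state": "state", "-j": "target"}

def build_chains(commands):
    """Apply each 'iptables -I CHAIN ...' line; -I with no index inserts at position 1."""
    chains = {}
    for line in commands.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["iptables", "-I"]:
            continue
        rule = {FLAGS[a]: b for a, b in zip(tok[3:], tok[4:]) if a in FLAGS}
        chains.setdefault(tok[2], []).insert(0, rule)
    return chains

def verdict(chains, chain, pkt):
    """First matching rule wins; unmatched packets go on to the firmware's own rules."""
    for rule in chains.get(chain, []):
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return "FALLTHROUGH"

if __name__ == "__main__":
    # Constructed sample packets (values are strings to match the parsed rules).
    dhcp = {"in": "br1", "proto": "udp", "dport": "67", "state": "NEW"}
    web_ui = {"in": "br1", "proto": "tcp", "dport": "80", "state": "NEW"}
    cross = {"in": "br1", "out": "br0", "proto": "icmp", "state": "NEW"}
    good = build_chains(COMMANDS)
    print("DHCP request from br1:", verdict(good, "INPUT", dhcp))
    print("Router web UI from br1:", verdict(good, "INPUT", web_ui))
    print("Ping from br1 to br0:", verdict(good, "FORWARD", cross))
    # Entering the same lines in reverse order puts the DROP on top.
    wrong = build_chains("\n".join(reversed(COMMANDS.splitlines())))
    print("DHCP request, reversed entry order:", verdict(wrong, "INPUT", dhcp))
```

With the rules entered in reverse order, clients on the new network would lose DHCP and DNS, which is why the DROP line for INPUT has to be entered before its ACCEPT exceptions.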
Look into Other DD-WRT Features
We’ve set up a new SSID and separated the LAN ports. DD-WRT still offers many more interesting features. You might check out the VPN server or client, hotspot solutions, or its repeating capabilities. Even seemingly simple features, like the site survey functionality that shows signal details for clients and nearby APs, can be invaluable.
Don’t forget to support the DD-WRT team and community on the message boards and the wiki.