Improve your home network security on a budget with a guest WiFi network via DD-WRT custom router firmware

Summary

Wireless networks are great and I love mine, but there are some devices (e.g. those belonging to other people) to which I might want to grant access to the internet, but not to the rest of my network. This article explains how to install custom firmware on your WiFi router and configure it for discrete guest access. It also gives an example of a cheap router that you can buy for this purpose.

Background

I don't know about you, but I don't really want to give my WiFi password out to all and sundry. I also don't want all of my guests having access to my entire home network. But if I have invited somebody into my house I might not necessarily want to let them know that I don't trust them by refusing to give them my WiFi password. The least embarrassing way to solve this problem with everybody remaining on speaking terms is to have a separate WiFi network just for guests.

A few months ago my WiFi router wasn't working properly and I decided I needed to upgrade it. Since there were some cool models[*] due to be released soon, I thought I'd buy something cheap as a stopgap.

Since I vaguely remembered reading somewhere that having 2.4GHz and 5GHz networks with the same SSID caused WiFi connectivity problems with some devices (including the Surface Pro 3, although my Surface Pro 3 connectivity problems were solved here) I ended up with this (fairly short) list of requirements:

  • Separate SSIDs for 2.4GHz and 5GHz networks;
  • Guest WiFi network separate from my main home network;

Some routers have this functionality built in, but many of the cheaper ones which don't can have it enabled by installing custom firmware. My current favourite custom firmware is DD-WRT and I'm going to show you how easy it is to install this firmware on your router and then to set up a separate guest network.

This probably seems like a really nerdy thing to do, but it's a lot easier than you might think. Having said that, I should probably issue the following disclaimer:

I take no responsibility for anything bad that happens as a result of you following these instructions and attempting to install DD-WRT firmware on your router. If it all breaks it's not my fault.

Okay, now that's out of the way, here's what I did.

1. Obtain a suitable router

First of all, I bought myself a TP-Link TL-WDR3600 on Amazon UK [*] for just under £45, although I see that you can currently find it on eBay for about £36.

NOTE: This is not a modem router. I have BT Infinity 2 and there is a separate white box (the modem) connected to my telephone line and then that box (the modem) is connected to my router. Make sure you buy the right kit.

I daresay you can buy a better router for similar money and upgrade it in a similar fashion, but since this is the one I'm actually using, I can only give you a first-hand account of upgrading this one.

2. Download the right version of the DD-WRT firmware

Find the DD-WRT firmware by going here and typing WDR into the search box and choosing the one that says WDR3600 v1.x Firmware - Webflash image for first installation.

Here is a direct link to the firmware shown above. If you're feeling adventurous, you can get the latest DD-WRT Beta from 2015-04-09. I am using this version and it seems to work fine, so based on my experience you should go for the latest beta firmware for this particular modem.

You should also grab wdr3600v1_webrevert.rar (shown in the above image) so you can revert to the stock firmware should you so wish.

If you're using a different router then please make sure you download the right firmware and not this one.

3. Read the installation guide on the DD-WRT website

Read the Installation Guide on the DD-WRT Wiki before you do anything. We are going to use Method 1: Flashing with Web GUI.

Also read this basic installation DD-WRT forum post

Okay, since you've read those two links I expect you have connected to your router with an ethernet cable.

4. Login to your router and update the firmware

The upgrade is actually pretty easy. Point your browser at http://tplinklogin.net (or http://192.168.0.1 if that won't resolve) and login with admin/admin as shown on the underside of the router

Now choose System Tools -> Firmware Upgrade in the left hand menu, click Choose file and navigate to the uncompressed DD-WRT ROM you downloaded in step 2, like this.

Click Upgrade and wait for a couple of minutes until you see this:

At this point, according to the official DD-WRT instructions, you are supposed to do a hard reset (or 30/30/30 reset) as follows:

Hold the reset button at the back of the router for 30 seconds and do not release it. Whilst still holding the reset button, unplug the router and leave it unplugged for another 30 seconds. Still holding the reset button, plug the router back in and wait yet another 30 seconds. Unplug the router again and release the reset button, plug it back in and wait at least 2 minutes.

The first time I upgraded my router's firmware I did this and the second time I didn't bother. On both occasions it seemed to work fine, but the official instructions suggest that you should do this.

5. Reset your network adapter

You can't just refresh your browser as your default gateway has now changed and your internet settings are now messed up. You need to reset your network adapter, either in the Control Panel or you could open an Administrator Command Prompt (Windows 8.1 keyboard shortcut: Windows-X-A) and run this: cmd.exe /c "netsh interface set interface \"Local Area Connection\" DISABLED & netsh interface set interface \"Local Area Connection\" ENABLED". If you have several network adapters, you may well need to reset all of them. For some reason I had to do this more than once. I'm not sure why.

Once you have successfully reset your network adapter, navigate to http://192.168.1.1 in your browser. Log in with root/password and change the username and password as instructed.

Congratulations, you have now replaced your stock firmware.

6. Connect to your internet service provider

If you are in the UK and are using BT Infinity then you should do it like this.

Regardless of which internet service provider you are using, if this is your main router, make sure its Operating Mode is set to Gateway in Setup -> Advanced Routing.

7. Create separate SSIDs for 2.4GHz and 5GHz networks

As previously mentioned, I wanted separate SSIDs for my 2.4GHz and 5GHz networks. I set them up like this:

8. Create guest network

Now you need to create your guest network. This is done by adding a Virtual Interface. I chose the 2.4GHz band as this has a longer range and better compatability with devices.

Since Physical Interface ath0 is on the 2.4GHz network, then Virtual Interface ath0.1 is also on the 2.4GHz band.

The important settings here are

AP Isolation: Disable (your choice, see below)

Network Configuration: Unbridged

Masquerade/NAT: Enable

Net Isolation: Enable

IP Address: 192.168.nnn.nnn

Subnet Mask: 255.255.255.0

AP Isolation means that guests can't see each other. So you may or may not want to enable this. I didn't.

Net Isolation: This means that any connected devices are isolated from the rest of your network. You should enable this.

The IP address and subnet mask ultimately determine the IP addresses of the clients which connect to the guest network. You should choose a private address which is distinct from the main IP address of your router (and doesn't fall in its DHCP range).

In practice, that means you can choose from these ranges:

10.0.0.0        -   10.255.255.255  (10/8 prefix)
172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

You can see that I have chosen 192.168.10.1.

Next you need to set up the DHCP Server for guest network. This is actually very easy; just go to Setup -> Networking and click Add.

As you can see below, I have set up two guest networks (one on 2.4GHz and one on 5GHz), with one of them including the password in the SSID, which I have since removed. I merely did this to illustrate that you can create multiple guest networks. I think that's pretty impressive for a £45 router.

At my house the guest WiFi network is called TC-GUEST and if you're ever in the area I'll happily tell you what the password is. Yep, even though the guest network is isolated from the rest of my network and I'm extremely confident that it's secure, I reckon it would be unwise of me to publish the password on the public internet just in case there is some vulnerability in the firmware that I don't know about. You may recall the occasion in January 2008 when Jeremy Clarkson discovered that publishing his bank details wasn't as safe as he thought it was.

9. If you need to revert back to the original firmware, it's easy

Hopefully you won't need to do this, but if you do it's quite straight forward. Go to Administration -> Firmware Upgrade and click Choose file and select the stock firmware you downloaded in Step 2, making sure you have uncompressed the rar file first. You don't need to tell it to reset since it will be using a different firmware, so just click Upgrade.

You'll know when it's complete as the original TP-Link SSIDs will show up again.


Conclusion

If you're going to use WiFi at home (or in your office) then at some point somebody is going to ask to use it. This can be somewhat awkward for various reasons. If you create an isolated guest WiFi network then you can happily give out the password without compromising your network security. You could print the network credentials somewhere prominent, make it very easy to guess or even embed the password in the SSID if you wanted to (although you should probably look at the NAT/QoS -> QoS settings and experiment with the Interface Priority maximum upload and download speeds if you are going to do this).