Guest SSID

After many trials I was finally able to get this router running TWO BSSIDs, in addition to all its other functions. This lets me use an 'internal' SSID for my normal LAN functions and an 'external' SSID with access only to the internet for house guests. I ended up blending two how-to sources to get a working system: the dd-wrt.com wiki article on Multiple WLANs, and an external writeup by another user. It turns out that the wiki article's GUI-based setup instructions work fine, but I ended up using the IPTABLES firewall config from the other writeup. Those steps finally produced a working setup:

  • Use the DD-WRT wiki tutorial on multiple WLANs (http://dd-wrt.com/wiki/index.php/Multiple_WLANs), stopping before entering the IPTABLES commands:
    • Reset the router to 'factory config'
    • Set up the general basics: WAN IP settings, DHCP, NAT rules, etc.
    • Create the Virtual Wireless AP (SSID #2)
    • Configure WLAN security settings for both WLAN #1 and WLAN #2
    • Create a new bridge ('br1') and assign the virtual AP to it
    • Set up DHCP for WLAN #2 (the br1 bridge)
  • Then, using the following firewall commands (http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html):
       # Pick the real WAN interface (PPPoE uses its own ifname).
       if [ "`nvram get wan_proto`" = "pppoe" ]; then
         wanif="`nvram get pppoe_ifname`"
       else
         wanif="`nvram get wan_ifname`"
       fi

       # Every rule below uses -I (insert at the TOP of the chain), so the chain
       # ends up in the reverse of the order written here. That is what makes it
       # work: the REJECT rules land above the catch-all logaccept. Do not change
       # -I to -A, or the order flips and guests can reach the admin ports.

       # Make sure br1 has access to the internet. logaccept/logdrop are DD-WRT's
       # own logging chains. Everything from br1 to the router that is not rejected
       # below is allowed, which is what lets guests use the router's DHCP and DNS.
       iptables -I INPUT -i br1 -m state --state NEW -j logaccept
       iptables -I FORWARD -i br1 -o "$wanif" -m state --state NEW -j ACCEPT
       # Keep the two wireless networks from talking to each other (both directions):
       iptables -I FORWARD -i br0 -o br1 -j logdrop
       iptables -I FORWARD -i br1 -o br0 -j logdrop
       # Keep br1 from accessing the router's management ports (telnet, ssh, http,
       # https). Numeric ports are used instead of service names so the rules do not
       # depend on /etc/services. If the web GUI runs on a non-default port, add it.
       iptables -I INPUT -i br1 -p tcp --dport 23 -j REJECT --reject-with tcp-reset
       iptables -I INPUT -i br1 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
       iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
       iptables -I INPUT -i br1 -p tcp --dport 443 -j REJECT --reject-with tcp-reset
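The whole setup hinges on rule order: because the script uses -I, the chain ends up in the reverse of the written order, and the four REJECTs must sit above the catch-all logaccept or guests can reach the router's admin ports. The script below is an added example, not part of the original write-up or the DD-WRT wiki; it checks that order from the output of `iptables -S INPUT` and `iptables -S FORWARD` (or the equivalent lines from `iptables-save`). The rule listings embedded in it are constructed samples, and the WAN interface name `vlan2` is an assumption for the sample only; br0 (LAN) and br1 (guest) follow the write-up.

```sh
#!/bin/sh
# Added example (not from the original write-up): sanity-check the guest-SSID
# firewall after the rules are loaded. Run on the router as:
#     sh check_guest_fw.sh   (with the listings replaced by the live ones)
# or feed the live output:  check_input_order "$(iptables -S INPUT)"

# check_input_order LISTING
# Returns 0 when every "-i br1 ... -j REJECT" rule in the INPUT listing comes
# before the first "-i br1 ... -j logaccept" rule and at least four such REJECT
# rules exist (telnet, ssh, http, https); returns 1 otherwise.
check_input_order() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-i br1 / && /-j logaccept/ { seen_accept = 1 }
        /^-A INPUT / && /-i br1 / && /-j REJECT/ {
            rejects++
            if (seen_accept) late++   # REJECT below the accept never fires
        }
        END { if (late > 0 || rejects < 4) exit 1; exit 0 }
    '
}

# check_forward_isolation LISTING
# Returns 0 when the FORWARD listing drops br0<->br1 traffic in BOTH directions
# and no ACCEPT between the two bridges appears above its drop; 1 otherwise.
check_forward_isolation() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && /-i br0 -o br1 / {
            if (/-j logdrop/) drop01 = 1
            else if (/-j ACCEPT/ && !drop01) leak = 1
        }
        /^-A FORWARD / && /-i br1 -o br0 / {
            if (/-j logdrop/) drop10 = 1
            else if (/-j ACCEPT/ && !drop10) leak = 1
        }
        END { if (drop01 && drop10 && !leak) exit 0; exit 1 }
    '
}

# Constructed sample: what "iptables -S INPUT" shows after the write-up's
# commands ran with -I (note the reversed order: REJECTs first, then logaccept).
GOOD_INPUT='-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -m state --state NEW -j logaccept
-A INPUT -i lo -j ACCEPT'

# Constructed sample: the same rules loaded with -A instead of -I. The
# catch-all accept now shadows the REJECTs, so guests can reach the admin ports.
BAD_INPUT='-A INPUT -i br1 -m state --state NEW -j logaccept
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset'

# Constructed sample FORWARD chains; "vlan2" is an assumed WAN interface name.
GOOD_FORWARD='-A FORWARD -i br1 -o br0 -j logdrop
-A FORWARD -i br0 -o br1 -j logdrop
-A FORWARD -i br1 -o vlan2 -m state --state NEW -j ACCEPT'

# Only one direction dropped: LAN hosts can still open connections to guests.
BAD_FORWARD='-A FORWARD -i br1 -o vlan2 -m state --state NEW -j ACCEPT
-A FORWARD -i br1 -o br0 -j logdrop'

report() {
    # $1 = label, $2 = check function, $3 = listing
    if "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

report "INPUT order (loaded with -I)"  check_input_order       "$GOOD_INPUT"
report "INPUT order (loaded with -A)"  check_input_order       "$BAD_INPUT"
report "FORWARD isolation (both ways)" check_forward_isolation "$GOOD_FORWARD"
report "FORWARD isolation (one way)"   check_forward_isolation "$BAD_FORWARD"
```

On a live router, replace the constructed listings with `"$(iptables -S INPUT)"` and `"$(iptables -S FORWARD)"`; a FAIL on the INPUT check means the logaccept rule is above a REJECT, which is exactly the state the script reaches if -I is changed to -A or the commands are run in a different order.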