Setting Up a VAP on DD-WRT

Hi,

Since it seems a lot of people are having issues setting up a VAP (Virtual AP) with DD-WRT on their devices, I’ll write up a guide on how I got my set-up going with Mile-Lile’s help on this thread that I opened on the DD-WRT forums.

As I mentioned in the linked thread, I followed the guide here, with the modifications described below. The Firewall and Startup scripts in that guide didn’t quite work for the device I have, because the guide is written for Broadcom devices. So if you have a Broadcom router and want to set up a VAP, that guide will work perfectly for you.

Since I have a TP-Link TL-WDR4300 v1.6 with an Atheros chip, I followed the guide that had the pictures so that I knew what to look for, up to the part where the guide asks you to put the Startup and Firewall scripts in the appropriate sections.

Why? Because the scripts listed in that guide didn’t work for me, so it took a little fiddling with the Startup and Firewall scripts, deviating from the guide, to make them work for routers with Atheros chips.

The following Start-up script did the trick:

# Set some important values:
nvram set dnsmasq_enable=1
if [ "`nvram get dhcpfwd_enable`" = "0" ]; then
  nvram set dns_dnsmasq=1
  nvram set dhcp_dnsmasq=1
  nvram set auth_dnsmasq=1
fi

# Create bridge br1, move the virtual wireless interface (ath0.1 on Atheros) to it,
# and set up the bridge's IP address:
brctl addbr br1
brctl delif br0 ath0.1
brctl addif br1 ath0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig br1 up

# Properly set up NAS
killall nas

# Main:
nas -P /tmp/nas.ath0lan.pid -H 34954 -l br0 \
 -i "`nvram get ath0_ifname`" -A -m 128 -k "`nvram get ath0_wpa_psk`" \
 -s "`nvram get ath0_ssid`" -w 4 \
 -g "`nvram get ath0_wpa_gtk_rekey`"

# Virtual interface #1 (ath0.1 is the Atheros interface name; the Broadcom guide used wl0.1):
nas -P /tmp/nas.ath0.1lan.pid -H 34954 -l br1 \
 -i ath0.1 -A -m 128 -k "`nvram get ath0.1_wpa_psk`" \
 -s "`nvram get ath0.1_ssid`" -w 4 \
 -g "`nvram get ath0.1_wpa_gtk_rekey`"

For some reason, there’s a NAS reference here in the Startup Script section. It does nothing for me though, as I don’t have NAS on the router. Still, I figured it was probably a good idea to leave it in.

Then, for DNSMasq to work properly with OpenDNS on the guest wifi, go to the Services tab, DNSMasq section, and place the following text:

interface=br1
dhcp-option=br1,6,192.168.2.1,208.67.222.222,208.67.220.220
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h

… into the Additional DNSMasq Options text box. You’ll need this so that DNS works properly on the router for the VAP.

And finally, the firewall script that gives the guest wifi Internet access only (no access to the main LAN) and forces OpenDNS as the DNS servers for the guest network. If you’re using different DNS servers, such as Google or Level3, update the DNSMasq options and the firewall script accordingly so that DNS is passed correctly to the guest network.

# Rules are inserted with -I (at the head of the chain), so within one chain each
# later line is checked before the earlier ones.
# FORWARD: guests may open new connections anywhere except into the main LAN (br0)
iptables -t filter -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t filter -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# INPUT: drop new connections from guests to the router itself, then allow
# only DNS (53) and DHCP (67/68) through
iptables -t filter -I INPUT -i br1 -m state --state NEW -j DROP
iptables -t filter -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -t filter -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -t filter -I INPUT -i br1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# NAT the guest network behind the LAN and WAN addresses
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Clamp TCP MSS to the path MTU for forwarded connections
iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Redirect all guest DNS queries to OpenDNS, whatever resolver the client asks for
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 208.67.220.220
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 208.67.220.220

This goes into the Firewall script section.
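Because the script uses `-I`, the order the rules end up in is the reverse of the order they are typed, which is exactly what makes the guest isolation work. The following is an added example, not part of the original post: it models the filter-table lines of the script above, rebuilds the chain order the way `-I` does, and evaluates some constructed packets against it (the WAN interface name `wan0` in the tests is a placeholder; NAT and mangle rules are not modelled).

```python
# Added example (not from the original post): a small model of the filter-table
# lines in the guest-VAP firewall script above. It replays the `iptables -I`
# lines in script order so the resulting chain order is visible, then evaluates
# constructed packets against it. NAT and mangle rules are not modelled.

# (chain, match, target): keys absent from a match are wildcards and a tuple
# value is a port range such as the script's 67:68.
GUEST_VAP_SCRIPT = [
    ("FORWARD", {"in": "br1", "state": "NEW"}, "ACCEPT"),
    ("FORWARD", {"in": "br1", "out": "br0", "state": "NEW"}, "DROP"),
    ("INPUT", {"in": "br1", "state": "NEW"}, "DROP"),
    ("INPUT", {"in": "br1", "proto": "udp", "dport": 53}, "ACCEPT"),
    ("INPUT", {"in": "br1", "proto": "tcp", "dport": 53}, "ACCEPT"),
    ("INPUT", {"in": "br1", "proto": "udp", "dport": (67, 68), "sport": (67, 68)}, "ACCEPT"),
]

def build_chains(script, append=False):
    """`-I` inserts at the head, so later script lines are checked first.
    append=True models what `-A` would do instead (wrong for this script)."""
    chains = {"INPUT": [], "FORWARD": []}
    for chain, match, target in script:
        if append:
            chains[chain].append((match, target))
        else:
            chains[chain].insert(0, (match, target))
    return chains

def rule_matches(match, pkt):
    for key, want in match.items():
        have = pkt.get(key)
        if isinstance(want, tuple):
            if have is None or not (want[0] <= have <= want[1]):
                return False
        elif have != want:
            return False
    return True

def verdict(chains, chain, pkt):
    """First matching rule wins. "FALLTHROUGH" means none of the script's own
    rules matched, so the packet continues to DD-WRT's remaining rules."""
    for match, target in chains[chain]:
        if rule_matches(match, pkt):
            return target
    return "FALLTHROUGH"
```

Swapping `-I` for `-A` (`build_chains(..., append=True)`) lets the broad FORWARD ACCEPT shadow the br1-to-br0 DROP, so guests would reach the main LAN.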

With that, you should finally have a proper, isolated VAP on your router.

Note: I will add images to this post so that you can see for yourself that the images match and the like on your own device.

Note 2: This will NOT work on Client Bridge set-ups!