DD-WRT leading two separate networks (Asus RT-N16)

Shows how you can use a $75 consumer class router and dd-wrt to support 2 networks. It will create a secondary network for guests and visitors. Besides the usual primary network, it will create a secondary network supporting both wireless and wired connections. The secondary network could be used to provide internet access to customers or visitors.

The router is assumed to be flashed with open source DD-Wrt firmware. This firmware adds some business class features to your router. The router will be configured by taking advantage of two features that allow network traffic to be separated:

  • VLANs, allows wired LAN ports to be grouped and each group to be treated differently.
  • multiple SSIDs, allows multiple wireless network names (SSID) and security settings. The traffic over each SSID can be treated differently.

Before we start

The router is assumed to be running open source DD-Wrt firmware and configured for a single wired and wireless network. The router should also be configured for shell access (ssh) or telnet. Further, the reader should have a basic understanding of

  • the web based user interface (WebGUI)
  • networking concepts such as IP addresses, sub nets, routing, bridging and network interfaces. Some of the more specific terminology used in this article is:
    • A broadcast domain, is a network segment, in which all nodes can communicate directly by layer-2 broadcasts. Examples are a wired GigE network, or a wireless network.
    • A switch, handles frames at the data link layer (layer 2).
    • A router, handles packets at the network layer (layer 3). A router forms a boundary between broadcast domains.
    • A bridge, connects two or more network segments into a single broadcast domain (layer 2).
    • A virtual LAN (VLAN), creates distinct broadcast domains within one ore more physical networks. A VLAN is a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users.

The configuration presented here has been tested on an Asus RT-N16 router running DD-Wrt mega build 15943. The approach outlined might also apply to other routers or builds, albeit with minor changes.

Inside the router

To create a secondary network, we need to separate the four LAN ports and create an virtual wireless network. The following section builds a basic understanding of the default data paths in the router. The following section describes how the software configuration

Hardware block diagram

Many consumer class routers are based on a chipset consisting of a IP switch and System-on-Chip. For example, the Asus RT-N16 router that is build around:

  • System-on-Chip BCM4718, provides the CPU, WiFi and USB.
  • Switch Fabric BCM53115, provides the WAN and four LAN ports

Other GigE routers such as the Cisco/Linksys E2000 or E3000 are very similar. I you have an Asus RT-AC68, refer to my updated post.

Block diagram before

The block diagram above shows the data paths within the router. Note:

  • the LAN port numbers on the case do not correspond to the port numbers on the switch;
  • the WAN port connects to a special interface on the switch and can’t be reassigned;
  • port 8 connects the VLAN trunk from the switch to interface eth0 on the CPU.

The switch tags incoming frames with a VLAN identifier. Frames arriving on the WAN port are tagged as VLAN2, while frames from the LAN ports are tagged as VLAN1. The frames destined for the CPU are sent on port 8.

The CPU receives the frames over port eth0. Frames with a VLAN2 tag are treated as WAN traffic. Frames with a VLAN1 tag are combined (bridged) with frames from the wireless module (eth1) and treated as LAN traffic.

Firmware mapping

The configuration for the DD-Wrt is stored in nonvolatile memory (nvram). The configuration can be shown as described in the DD-Wrt document Switched Ports. An excerpt:

The tagging configuration is stored in vlan#ports variables where ‘*’ symbolizes the default path. Note that the vlan0ports variable appears to be unused on GigE routers. For the switch to move frames outside of any vlan, it needs to include port 8. This allows the SoC to route the packet. The vlan with the default is used for packets that do not have a vlan tag (see here).

nvram show | grep vlan.*ports | sort
vlan0ports="1 2 3 4 5*"
vlan1ports="4 3 2 1 8*"
vlan2ports="0 8

An other important variable is port5vlans. It identifies every active VLAN plus the number 16 that indicates that tagging is enabled. The other variables appear only for the WebGUI.

nvram show | grep port.*vlan | sort
port5vlans=1 2 16

Every active VLAN needs to have its name set to et0.

nvram show | grep vlan.*hwname | sort

Creating to separate networks

To create a second network, we need to introduce an additional VLAN and an additional SSID for the wireless. The two can then be bridged together and given an unique subnet address. Before you start, I highly recommend making a backup of your current configuration.

Block diagram after

Create a virtual wireless network (wl0.1)

Using a web browser, connect to the router and bring up the WebGUI.

  1. Wireless > Virtual Interfaces > Add. Specify the basic wireless settings. For the network configuration, choose bridged. Click Save.
  2. Wireless > Wireless Security > Virtual Interface wl0.1. Specify the security settings. Click Apply Settings, to save and apply the changes.

Create a virtual local area network (vlan3)

We will use the shell (ssh) interface to configure the VLANs (because the GUI on Broadcom based routers have some related bugs). Login using ssh, and run the following commands:

nvram set vlan3hwname=et0       # VLAN3 is enabled
nvram set vlan1ports="3 4 8*"   # assign LAN1/LAN2 to VLAN1
nvram set vlan3ports="1 2 8*"   # assign LAN3/LAN4 to VLAN3
nvram set port4vlans="1 18 19"  # LAN1 is part of VLAN1 (GUI only)
nvram set port3vlans="1 18 19"  # LAN2 is part of VLAN1 (GUI only)
nvram set port2vlans="3 18 19"  # LAN3 is part of VLAN3 (GUI only)
nvram set port1vlans="3 18 19"  # LAN4 is part of VLAN3 (GUI only)
nvram commit

Bridge vlan3 and wl0.1 (br1)

To make the new wired and wireless network to behave as one, we logically combine interfaces vlan3 and wl0.1 using a new bridge interface br1:

  1. Bridge the vlan3 and wl0.1 interfaces together as br1
    • Setup > Networking > Bridging > Create Bridge > Add. Enter br1 in the first field and click Apply Settings.
    • Setup > Networking > Bridging > Create Bridge > For br1 enter a private IP address and subnet mask. E.g. and Click Apply Settings.
    • Setup > Networking > Assign to bridge > Add. Select br1, interface vlan3 (LAN3 and LAN4) and click Apply Settings.
    • Setup > Networking > Assign to bridge > Add. Select br1, interface wl0.1 (the virtual wireless interface) and click Apply Settings.
  2. Configure the DHCP server for br1
    • Setup > Networking > DHCPD > Multiple DHCP Server > Add. Select br1 and fill in the first m maximum number of DHCP addresses and lease time in minutes. E.g. 200, 50 and 1440. Click Apply Settings.

Separate the networks

Now that we have the two networks up and running, it is time to separate them. The firewall rules listed below added to Administration > Commands > Save Firewall. If you use an USB memory stick, the rules can also be stored in an executable /jffs/etc/config/*.wanup script. Such a script runs automatically each time the WAN link and firewall are up (see Script Execution).

To restrict br1 from accessing br0 and visa versa,

iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

Optionally, to restrict br1 from accessing the management interface of the router.

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


To test the interfaces, configure a space computer interface for DHCP and connect it to each of the LAN ports. Then verify that the assigned IP address matches the subnet of the network. Do the same with the wireless networks.

10 Replies to “DD-WRT leading two separate networks (Asus RT-N16)”

  1. Great Article, thank for the post. Not only does this article tackle the mystery of creating and implementing seperate VLANs, it also serves as an introduction to more advanced topics.


  2. Again great post! After looking for hours to find the correct config for my Linksys E3200. Thanks for your assistance and time.

    I actually modified this a tad to have an additional vlan (5 & 7)

    I added nvram set port5vlan=”0 1 5 7 16″ to enable tagging for the new vlans before committing to nvram.

    Could you explain the purpose of 18 and 19 in nvram set port2vlans=”3 18 19″

    Thanks again!

  3. Hello

    I separated networks using your guide, but i have one problem. Network on br1 can not connect to internet,(connection to br0 works OK). Can you tell me what i am doing wrong?


  4. Edo,

    You need to add the following command to get your new network br1 out to the Internet:
    For the source network (-s) use the format xx.xx.xx.xx/mask (example

    iptables -t nat -I POSTROUTING -s -o `get_wanface` -j SNAT –to `nvram get wan_ipaddr`

    To make it permanent you need to add this to the firewall script located in Administration ==> Commands


  5. Hello,

    I understand the configuration proccess, I need to go a little further, I was able to configure PXE request to the correct server, but now I would need to set a second PXE server. (I had chained them by menu options on server 1, but that is a problem if server 1 is OFF). Do you know how can I declare a second PXE server? I know that it’s posible on dnsmask, but I have no idea how to implement it in dd-wrt.


  6. Nice writeup! I was struggling with the nvram commands.. terrific information and insight into the RTN16.

    Like some of the others I’m also having a problem, mine is in getting br1 and br0 communicating with each other. The gateway’s can be pinged but nothing beyond the gateway…

    I tried changing the firewall rules to no avail.

    iptables -I FORWARD -i br0 -o br1 -m state –state NEW -j ACCEPT
    iptables -I FORWARD -i br1 -o br0 -m state –state NEW -j ACCEPT

    Any ideas on how resolve that problem?

  7. The problem I was experiencing was caused by the machines behind the gateway were both Windows 7 machines and the Firewall on both machines was blocking ping requests…

    Just wanted to close the loop for those who might run into a similar problem in the future.

  8. For the Asus RT-AC68, there is a dedicated page at DD-WRT leading two separate networks (Asus RT-AC68). For diagnostics, maybe you can ipTables on the interfaces to do traffic counts. Also tags are internal to the router.

    Ronald wrote:

    Great docu on your site !

    i am new to the internals and scripting of a router/switch.
    Recently i went to some courses of Netgear and Ubiquiti and a wanted to do something with vlans, was looking for Edge router X but came across SNB forum and found your blog through google and that the RC68U could do the trick also.
    I have a kind of test environment with 2 netgear switches uplinked to each other, the netgear is also connected to port 1 of my Asus RT-AC68U router.
    i set a port of my Netgear untagged in vlan 100 then at the second netgear on the uplink port tagged, i then at the second switch put a port untagged in vlan 100 and was able to ping my laptop at the other switch so the uplinking works.
    my asus rt68u is connected via port 1 of its LAN port to the switch port and it’s tagged in vlan 100
    at the rc68u i did the following :

    remove port 3 (LAN) from vlan 1 and put i into vlan 100 untagged together with 8t and i made port 1 tagged in vlan 100 , so my expectation was that the vlan 100 traffice would be received at this port 3 , but this wasn’t the case.
    Now i am wondering what i forgot , i am looking for the correlation between switch matrix/br/eth/vlan

    Hope that you can give me a clue on how to get this working.
    thanx in advance for your time.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.