Eric W Geier

My Publications - Tutorials

Implementing Inexpensive Multiple SSID Networks: Part I

By Eric Geier

- Originally Published by Wi-Fi Planet on November 13, 2007 -

 

If you thought that having multiple service set identifier (SSID) and virtual local area network (VLAN) support could only be possible in enterprise-level access points (APs), we have good news. With help from DD-WRT, a popular open-source firmware replacement, you can pack countless extra and enterprise-level features into your inexpensive home Wi-Fi router.

 

This part of the tutorial series will introduce you to the multiple SSID feature, discuss its existence in off-the-shelf APs, and walk you through installing the free DD-WRT firmware replacement. In the next part, we’ll dive deeper into using multiple SSIDs with DD-WRT.

 

What are multiple (or virtual) SSIDs?

 

In general, multiple (or virtual) SSIDs allow you to create multiple network names or SSIDs on one AP or radio with the ability to customize their individual security and broadcast settings. Additionally, you can assign the virtual SSIDs to different VLANs to provide segregation between the virtual wireless networks.

 

Here are some examples of what you could do with virtual SSIDs:

 

  • Offer public wireless Internet: For example, you could use encryption on your main SSID (for private use) and create a virtual SSID (for public use) on its own VLAN and without wireless encryption. This would give visitors easy access to your wireless Internet, but protects the contents of your network.

  • Segment your network users: You could, for example, limit access to files and services between your groups or departments by creating a virtual SSID (on their own VLANs) for each group. For instance, regular employees (like, say, on the sales or marketing SSID) won’t be able to access sensitive records on the management SSID used by the supervisors. This approach could work well for small organizations without an existing network segmentation method, such as active directory.

  • Offer different levels of security: Implementing multiple SSIDs may help in situations when all your wireless clients don’t have the same encryption and security abilities. For example, your older wireless clients may not have Wi-Fi protected access (WPA) or WPA2. But, you want to support these better encryption techniques for your newer clients. In this case, you could setup your main SSID with your desired security settings and create a virtual SSID (on the same VLAN as your main network) with the lower security requirements. Doing this along with other techniques, such as only having this virtual SSID applied to your inter APs, could help to keep people from outside your location from eavesdropping on your “less-secure” communications.

Multiple SSID vs Multiple BSSID

Before you jump into this virtual world you should understand the difference between the two ways this feature can be implemented:

 

  • Multiple BSSID: Each virtual interface is assigned to its own basic service set identifier (BSSID), or MAC address, which provides a better user experience. This is implemented in most off-the-shelf APs equipped with the multiple SSID feature.

  • Multiple SSID: Each virtual interface is under the same BSSID, the device’s original MAC address, which (as we’ll discuss more later) can confuse the wireless clients; and the users themselves. However, using this method can still be practical, especially since you can get it from a cheap simple router with firmware replacements like DD-WRT.

Before choosing a solution, be sure to figure out exactly what method is used.

 

Other Options: Lower Cost Hardware

Before plunging into installing and using DD-WRT for the virtual SSID feature, take a moment to consider the possibility of using off-the-shelf hardware. These days you can get an access point with multiple BSSID and VLAN support for under $200─and some are almost as low as $100.

 

Here are a few access points you can look into:

 

If you find these products are out of your price range, or if you would like to try replacing your firmware first, then you can continue to the next section to get started with DD-WRT.

 

Installing the DD-WRT Firmware

First a word of caution: Before continuing, you should understand that modifying a router’s firmware or loading it with firmware not released from its manufacturer (like DD-WRT) usually voids the factory warranty and support. Yet, on the other hand, this might not be the case with some APs; for example Buffalo Technology and DD-WRT recently began a partnership to address these types of issues.

 

Also, be very careful when upgrading any firmware; follow all directions and precautions. One slip-up may brick your router¾or in other words make it unusable and very difficult to revive.

 

Installing and setting up the DD-WRT firmware replacement consists of the following three steps:

 

  1. Get a Supported Router: For example a Linksys WRT54G/GL/GS or Buffalo WHR-G125 or WHR-HP-G54. Click here for a full list of support routers. The chances of you or someone you know having a supported router lying around are high; many of the popular wireless routers will do.

  2. Download the DD-WRT Firmware: Browse through the Downloads section of the DD-WRT website. At the time of this writing the latest version of DD-WRT that includes the multiple SSID feature is a release candidate: v24 RC4. Be sure to pick the correct firmware type (generic or vendor-specific) for your particular router. If you need help choosing the correct type, you can refer to the notes listed for each particular router on the list of support routers, and/or refer to the installation guide. Keep in mind, once version 24 is released as stable, or a newer version arrives, you should use that.

  3. Flash Your Router: Using the recommended method in the DD-WRT installation guide (such as Trivial File Transfer Protocol (TFTP) or via the Web-based configuration screen) flash or upload the firmware replacement to your router. As you’ll probably be told by the DD-WRT or factory documentation, you should only upgrade firmware via an Ethernet connection--and do not interrupt the upgrade.

Part II: The next installment in our series shows exactly how to configure multiple SSIDs with the DD-WRT firmware, and discusses overcoming the connectivity issues brought up by using this multiple SSID (not rhe BSSID) method.