Segmenting your Wi-Fi network with a Linksys OpenWRT router

One popular use case for a wireless network is to separate different wireless devices onto different SSIDs. The most common example of this is having a main Wi-Fi network and a Guest network, where the Guest network can’t access anything on the LAN, but does have access to the wider Internet. But there are other use cases for this, too. Maybe you bought a smart TV, but you don’t want it to be able to ‘phone home’. You could put it on its own network that has LAN access but NOT Internet access, allowing you to enjoy the quality of the screen without giving the manufacturer tons of data about your usage habits, etc.

Of course, nothing so powerful comes without downsides. For this, the main downside is that, like cable-splitters of old, the more Wi-Fi networks you create, the more the overall signal to each degrades. You’ll need to find the balance between networks and quality.

With that said, here’s how to create new SSIDs on your Linksys OpenWRT router.

This tutorial is based on the OpenWRT documentation for creating a guest network. One additional step is needed to create a new network on our firmware, which is why the code has been copied below.

For our example, we’re going to have 3 separate SSIDs.

  1. MainWiFi, which is available across all 3 radios (2.4 GHz, 5 GHz, 6 GHz)
  2. IoTWiFi, which runs on the 2.4 GHz radio for maximum compatibility, and is used for home appliances like Smart TVs, Hue, WeMo, or similar.
  3. WiFi6e, which only runs on the 6 GHz radio for devices that have the latest Wi-Fi chipsets. By adding a separate network, we can ensure they don’t connect at lower speeds like they might on the main Wi-Fi.

To add a guest network that allows access only to the Internet and not to the rest of the LAN, follow the instructions below to open a terminal window and connect to your router. Then follow the OpenWRT guest network instructions mentioned above, adding the line marked below:

uci -q delete network.guest

uci set network.guest="interface"

uci set network.guest.proto="static"

uci set network.guest.device="br-guest"

uci set network.guest.ipaddr="192.168.3.1/24"

uci set network.guest.type="bridge" #add this line

If you want the guest network on the 5 GHz radio, change this line:

WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"

to

WIFI_DEV="$(uci get wireless.@wifi-iface[1].device)"

 

Otherwise, it will be on the 2.4 GHz radio.

 

Change your default Wi-Fi name

If you never changed your Wi-Fi name during setup, doing it afterward is relatively quick and painless. Open a web browser and go to 192.168.1.1 or 10.0.0.1 (depending on your primary network IP) to access the router’s GUI, LuCI. Once there, enter your password. If you haven’t changed the default, it’s the same as the Wi-Fi password printed on the label on the bottom of your router.

From there, you’ll want to navigate to Network->Wireless.

Once you get there, you’ll see a combined list of the Wi-Fi radios and the wireless networks associated with them. As you can see below, I haven’t changed the default SSID yet.

 

You may have already guessed that changing the SSID is as simple as clicking on the ‘edit’ button and changing the setting. You’re right. It’s that simple. Let’s do it.

Note: Since all three radios share the MainWiFi SSID, we need to repeat this process 3 times, once for each radio.

Once you’ve changed the ESSID for all three, you’ll notice that the wireless interfaces all say they have pending changes. To save them, you’ll need to click ‘Save & Apply’.

 

Of course, with the Wi-Fi radios restarting and a new SSID, you’ll need to change settings in any devices that were connecting to them.

The GUI is waiting for you to reconnect to confirm nothing was broken. So if you don’t reconnect to the new Wi-Fi on the device you used to change the settings before the popup timer runs out, the changes will be reverted and you’ll need to try again.

Whew, made it! Default Wi-Fi successfully changed to ‘MainWiFi’.

 

 

Adding additional networks

The first thing you need to do to add another network is log in to the router through a command line terminal.

Open a terminal window.

Windows: click on the Start menu and search for ‘command prompt’. The app will show in the search results. Click on it to open.

OSX: press the Apple key + spacebar to open Spotlight, type ‘terminal’ and hit Enter.

Linux: press Ctrl+Alt+T.

Set up SSH access to your router so you can work with the command line

First, remove any old host key stored for the router’s address from your known_hosts file:

ssh-keygen -R 192.168.1.1

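Next, log in to the router as root. The -oHostKeyAlgorithms=+ssh-rsa option lets your SSH client accept an ssh-rsa host key, an algorithm that recent OpenSSH clients disable by default.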

ssh -v -oHostKeyAlgorithms=+ssh-rsa root@192.168.1.1

You will be asked if you want to connect. Type ‘yes’ and press enter.

You will be prompted for your admin password. Type it in, and press enter. You should see something like this:

 


Now we’re ready to get down to business.

 

Let’s add the IoTWiFi network

Now that you’re connected to your router via the command line, you can copy and paste the following to create the IoTWiFi network. If you want a different name, make sure to replace all instances of IoTWiFi with your desired Wi-Fi name. There are 62 references, so it’s best to use a document editor with find-and-replace functionality to make the change.

Note: If you change the Wi-Fi name here, keep in mind it can’t have any white space.

If you only want to change the SSID, you can do that on this line:

uci set wireless.IoTWiFi.ssid="IoTWiFi"

And it’s also a good idea to change the password, which is here:

uci set wireless.IoTWiFi.key="YOURWIFIPASSWORDGOESHERE"

Here’s the full list of commands. Copy and paste to a text editor, make any necessary changes, and copy and paste into the terminal command line and press enter twice.

uci -q delete network.IoTWiFi_dev

uci set network.IoTWiFi_dev="device"

uci set network.IoTWiFi_dev.type="bridge"

uci set network.IoTWiFi_dev.name="br-IoTWiFi"

uci -q delete network.IoTWiFi

uci set network.IoTWiFi="interface"

uci set network.IoTWiFi.proto="static"

uci set network.IoTWiFi.device="br-IoTWiFi"

uci set network.IoTWiFi.ipaddr="192.168.4.1/24"

uci set network.IoTWiFi.type="bridge"

uci commit network

WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"

uci -q delete wireless.IoTWiFi

uci set wireless.IoTWiFi="wifi-iface"

uci set wireless.IoTWiFi.device="${WIFI_DEV}"

uci set wireless.IoTWiFi.mode="ap"

uci set wireless.IoTWiFi.network="IoTWiFi"

uci set wireless.IoTWiFi.ssid="IoTWiFi"

uci set wireless.IoTWiFi.encryption="psk2+ccmp"

uci set wireless.IoTWiFi.key="YOURWIFIPASSWORDGOESHERE"

uci commit wireless

uci -q delete dhcp.IoTWiFi

uci set dhcp.IoTWiFi="dhcp"

uci set dhcp.IoTWiFi.interface="IoTWiFi"

uci set dhcp.IoTWiFi.start="100"

uci set dhcp.IoTWiFi.limit="150"

uci set dhcp.IoTWiFi.leasetime="1h"

uci commit dhcp

uci -q delete firewall.IoTWiFi

uci set firewall.IoTWiFi="zone"

uci set firewall.IoTWiFi.name="IoTWiFi"

uci set firewall.IoTWiFi.network="IoTWiFi"

uci set firewall.IoTWiFi.input="ACCEPT"

uci set firewall.IoTWiFi.output="ACCEPT"

uci set firewall.IoTWiFi.forward="ACCEPT"

uci -q delete firewall.IoTWiFi_wan

uci set firewall.IoTWiFi_wan="forwarding"

uci set firewall.IoTWiFi_wan.src="IoTWiFi"

uci set firewall.IoTWiFi_wan.dest="wan"

uci -q delete firewall.IoTWiFi_dns

uci set firewall.IoTWiFi_dns="rule"

uci set firewall.IoTWiFi_dns.name="Allow-DNS-IoTWiFi"

uci set firewall.IoTWiFi_dns.src="IoTWiFi"

uci set firewall.IoTWiFi_dns.dest_port="53"

uci set firewall.IoTWiFi_dns.proto="tcp udp"

uci set firewall.IoTWiFi_dns.target="ACCEPT"

uci -q delete firewall.IoTWiFi_dhcp

uci set firewall.IoTWiFi_dhcp="rule"

uci set firewall.IoTWiFi_dhcp.name="Allow-DHCP-IoTWiFi"

uci set firewall.IoTWiFi_dhcp.src="IoTWiFi"

uci set firewall.IoTWiFi_dhcp.dest_port="67"

uci set firewall.IoTWiFi_dhcp.proto="udp"

uci set firewall.IoTWiFi_dhcp.family="ipv4"

uci set firewall.IoTWiFi_dhcp.target="ACCEPT"

uci commit firewall

 

Let’s add the WiFi6e network

The instructions for this network are basically the same as above, with a couple of minor but important differences. Of course, we’ve changed references from IoTWiFi to WiFi6e. Since we can’t have two networks using the same subnet, we’ll also change this:

uci set network.WiFi6e.ipaddr="192.168.4.1/24"

to this:

uci set network.WiFi6e.ipaddr="192.168.5.1/24"

And, because we want this to run on the 6 GHz radio, we’ll change this:

WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"

to this:

WIFI_DEV="$(uci get wireless.@wifi-iface[2].device)"

Finally, change the password here:

uci set wireless.WiFi6e.key="YOURWIFIPASSWORDGOESHERE"

Here’s the full list of commands to use:

uci -q delete network.WiFi6e_dev

uci set network.WiFi6e_dev="device"

uci set network.WiFi6e_dev.type="bridge"

uci set network.WiFi6e_dev.name="br-WiFi6e"

uci -q delete network.WiFi6e

uci set network.WiFi6e="interface"

uci set network.WiFi6e.proto="static"

uci set network.WiFi6e.device="br-WiFi6e"

uci set network.WiFi6e.ipaddr="192.168.5.1/24"

uci set network.WiFi6e.type="bridge"

uci commit network

WIFI_DEV="$(uci get wireless.@wifi-iface[2].device)"

uci -q delete wireless.WiFi6e

uci set wireless.WiFi6e="wifi-iface"

uci set wireless.WiFi6e.device="${WIFI_DEV}"

uci set wireless.WiFi6e.mode="ap"

uci set wireless.WiFi6e.network="WiFi6e"

uci set wireless.WiFi6e.ssid="WiFi6e"

uci set wireless.WiFi6e.encryption="psk2+ccmp"

uci set wireless.WiFi6e.key="YOURWIFIPASSWORDGOESHERE"

uci commit wireless

uci -q delete dhcp.WiFi6e

uci set dhcp.WiFi6e="dhcp"

uci set dhcp.WiFi6e.interface="WiFi6e"

uci set dhcp.WiFi6e.start="100"

uci set dhcp.WiFi6e.limit="150"

uci set dhcp.WiFi6e.leasetime="1h"

uci commit dhcp

uci -q delete firewall.WiFi6e

uci set firewall.WiFi6e="zone"

uci set firewall.WiFi6e.name="WiFi6e"

uci set firewall.WiFi6e.network="WiFi6e"

uci set firewall.WiFi6e.input="ACCEPT"

uci set firewall.WiFi6e.output="ACCEPT"

uci set firewall.WiFi6e.forward="ACCEPT"

uci -q delete firewall.WiFi6e_wan

uci set firewall.WiFi6e_wan="forwarding"

uci set firewall.WiFi6e_wan.src="WiFi6e"

uci set firewall.WiFi6e_wan.dest="wan"

uci -q delete firewall.WiFi6e_dns

uci set firewall.WiFi6e_dns="rule"

uci set firewall.WiFi6e_dns.name="Allow-DNS-WiFi6e"

uci set firewall.WiFi6e_dns.src="WiFi6e"

uci set firewall.WiFi6e_dns.dest_port="53"

uci set firewall.WiFi6e_dns.proto="tcp udp"

uci set firewall.WiFi6e_dns.target="ACCEPT"

uci -q delete firewall.WiFi6e_dhcp

uci set firewall.WiFi6e_dhcp="rule"

uci set firewall.WiFi6e_dhcp.name="Allow-DHCP-WiFi6e"

uci set firewall.WiFi6e_dhcp.src="WiFi6e"

uci set firewall.WiFi6e_dhcp.dest_port="67"

uci set firewall.WiFi6e_dhcp.proto="udp"

uci set firewall.WiFi6e_dhcp.family="ipv4"

uci set firewall.WiFi6e_dhcp.target="ACCEPT"

uci commit firewall

 

Reboot the router

You made a lot of configuration changes. To have them all take effect, reboot the router. Type the following in the command line:

reboot

Then wait for the router to reboot and all the radios to initialize.

Check your work

The easiest way to check your work is to connect to each of the new networks and make sure you have Internet access. On top of that, you can visit your Network->Interfaces settings in the GUI to confirm your interfaces are correctly configured.

It should look like this:

Assuming everything is working as expected, you’re all done. Nice job!
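
The connectivity check above confirms Internet access but not isolation. The following is an added example (not part of the original article or the router firmware): it reads `uci show firewall` output and flags any non-LAN zone whose input policy is ACCEPT, which is how the IoTWiFi and WiFi6e zones above are set, as well as any forwarding into the trusted zone. The trusted zone name lan, the function names and the sample data (including the guest zone and the "mistake" forwarding) are assumptions constructed for illustration.

```shell
# Added example. On the router: uci show firewall | audit_firewall lan
audit_firewall() {   # $1 = name of the trusted zone (assumed "lan")
    awk -F= -v trusted="$1" -v q="'" '
    {
        gsub(q, "", $2)                      # uci show quotes option values
        n = split($1, p, "[.]")              # firewall.<section>[.<option>]
        if (n == 2) { type[p[2]] = $2; order[++count] = p[2] }
        else        { opt[p[2], p[3]] = $2 }
    }
    END {
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (type[s] == "zone") {
                z = opt[s, "name"]
                # input= governs traffic addressed to the router itself
                if (z != trusted && z != "wan" && opt[s, "input"] == "ACCEPT")
                    print "WARN " z ": input=ACCEPT, clients can reach router services"
            } else if (type[s] == "forwarding" && opt[s, "dest"] == trusted) {
                print "WARN " opt[s, "src"] ": forwarding into " trusted
            }
        }
    }'
}

sample_firewall() {  # constructed sample, not captured from a real router
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.IoTWiFi=zone
firewall.IoTWiFi.name='IoTWiFi'
firewall.IoTWiFi.input='ACCEPT'
firewall.IoTWiFi_wan=forwarding
firewall.IoTWiFi_wan.src='IoTWiFi'
firewall.IoTWiFi_wan.dest='wan'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.input='REJECT'
firewall.mistake=forwarding
firewall.mistake.src='WiFi6e'
firewall.mistake.dest='lan'
EOF
}

sample_firewall | audit_firewall lan
```

With input set to ACCEPT on a zone, the separate Allow-DNS and Allow-DHCP rules for that zone have no additional effect, because all traffic addressed to the router from that zone is already accepted.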
