IMPORTANT: installing custom firmware always poses a risk of bricking your device. Do it at your own risk.

This guide shows how to use the DD-WRT custom firmware on an Asus RT-AC3200 as a wireless access point (WAP) to set up multiple Wi-Fi VLANs.

This is an alternative method of setting up the Wi-Fi subnets from the 3-step guide to protecting a home network with subnets.

Prerequisite: the VLAN infrastructure for the wired network described in Part 1 and Part 2 of the 3-step guide is already in place.

This guide steps you through flashing the DD-WRT custom firmware and setting up the 3 wireless VLANs:

  • VLAN 40 (SSID: Mobile): Your mobile devices
  • VLAN 42 (SSID: IoT): IoT devices
  • VLAN 44 (SSID: Guest): Guest devices

How to enable recovery mode for RT-AC3200?

Asus routers have a recovery mode that lets you flash firmware or reset to default settings (a factory reset for the official firmware).

Reset button
  1. turn off the router
  2. press and hold the reset button (do not release)
  3. turn on the router
  4. wait about 20 seconds on the official firmware (or 5 seconds if DD-WRT is already installed)
  5. release the reset button

Note: on the official firmware you need to hold the button for at least about 20 seconds. Otherwise recovery mode may only show up briefly (about 10 seconds) before the router proceeds to reboot.

Recovery mode

How to factory reset?

There are several ways of performing a factory reset. Each method achieves the same result.

Hard Reset

The 30/30/30 reset works on older routers but not on newer ones like the RT-AC3200, so don’t use it here.

  • with the unit turned on, press and hold the reset button
  • wait until the power LED starts blinking slowly (about 5 seconds)
  • release the reset button

Reset using Recovery mode

  • enable recovery mode
  • click on Restore default NVRAM values
Factory reset by clearing NVRAM

Reset using web gui

  • access web gui of the router
  • go to Administration > Restore/Save/Upload Setting
  • click Restore and then OK
reset using web gui

Note: if you are already on DD-WRT, go to Administration > Factory Defaults, select Yes and click Apply Settings.

How to flash DD-WRT?

Note: The Administration > Firmware Upgrade option available in the web gui of the latest official firmware (v3.0.0.4.382_50624) does not allow you to flash custom firmware.

What you need: a standalone computer that you can connect directly to the router

  • download the DD-WRT build for the router (search ‘RT-AC3200’ or your router model for the correct build)
  • remove the router from your network
  • perform a factory reset using the Hard Reset method (this resets the router’s IP address to 192.168.1.1)
  • enter recovery mode
  • set your computer’s IPv4 address to something like 192.168.1.100 and connect it directly to the router
  • browse to the router at http://192.168.1.1; the recovery mode screen should appear
  • click Choose File and select the DD-WRT build file you downloaded
  • click Upload

IMPORTANT: flashing the firmware can take a long time (over 10 minutes). Do NOT power off or interrupt the process or you may brick your router.

  • wait for the upload to complete
firmware upload complete
  • wait patiently (it can take over 10 minutes) while the router flashes the firmware and reboots. You can ping the router and try browsing to http://192.168.1.1 to see whether the install has finished
  • when the web browser responds with the following screen, congratulations, you have successfully installed DD-WRT!
  • provide your credentials and click Change Password to finish the initial setup
DD-WRT installed
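Before you click Upload, it is worth checking the build file itself, since a truncated or wrong image is the most common way to end up with a bricked box. The script below is an added example, not part of this guide or of the DD-WRT project, meant to run on the standalone computer. It verifies that the file is non-empty, that it starts with the 4-byte TRX header magic "HDR0" that Broadcom DD-WRT images carry (an assumption about the image format; check your build if it is not a .trx), and that its SHA-256 matches the hash you obtained with the download. The guide supplies no hash; the expected value you pass in is your own.

```shell
#!/bin/sh
# Added example, not from this guide or the DD-WRT project: checks to run on
# the standalone computer before uploading a build through recovery mode.
# Assumptions: the build is a Broadcom TRX image whose first 4 bytes are the
# magic "HDR0", and you have the SHA-256 that was published with the build.
# The guide itself does not supply a hash; the value you pass in is yours.

# file_sha256 FILE -> hex digest, using whichever tool the host has
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_trx_magic FILE -> 0 if the file starts with the TRX magic "HDR0"
check_trx_magic() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "HDR0" ]
}

# check_build FILE EXPECTED_SHA256 -> 0 only if the file is non-empty, looks
# like a TRX image and hashes to the expected value; reasons go to stderr
check_build() {
    file=$1
    expected=$2
    if [ ! -s "$file" ]; then
        echo "missing or empty: $file" >&2
        return 1
    fi
    if ! check_trx_magic "$file"; then
        echo "not a TRX image (no HDR0 magic): $file" >&2
        return 1
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "ok: $file ($actual)"
}

# Usage: sh preflash.sh dd-wrt-build.trx <sha256 from the build page>
if [ $# -eq 2 ]; then
    check_build "$1" "$2" || exit 1
fi
```

A non-zero exit means do not upload: re-download the build, and compare the hash you were given with the one shown in the mismatch message before trying again.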

How to revert to the official ASUS firmware?

Configure DD-WRT to serve as a wireless access point (WAP)

NOTE: the DD-WRT web GUI can be glitchy and stop responding at times. Instead of rebooting, try restarting the web GUI server (faster; see Extra at the end of this guide).

DD-WRT is set up as a router by default, but we only need it to serve as an access point, so we will change a few settings to make it run as a WAP.

  • go to Setup > Basic Setup
  • select Disabled for WAN Connection Type
  • enable Assign WAN port to Switch checkbox
  • select Disabled for DHCP Server
  • click Save
Wireless access point basic setup
  • go to Setup > Advanced Routing
  • select Routing for Operating Mode
  • click Save
setup as router instead of gateway
  • go to Services > Services
  • select Disable for DNSMasq
  • click Save
disable DNS
  • go to Security > Firewall
  • select Disable for SPI Firewall
  • click Apply Settings
disable SPI firewall

Note: with the SPI firewall off and the WAN disabled, the access point no longer filters anything itself. That is fine for a bridge, but it means access to the AP’s own management address (on VLAN 99, set later in this guide) from the Mobile, IoT and Guest VLANs has to be restricted at pfSense, the firewall in this setup.
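A way to confirm that the settings above actually took, as an added example that is not part of the original guide: run it over SSH on the router once SSH is enabled (see Extra at the end). The nvram variable names and values are my reading of DD-WRT’s settings store and are stated as assumptions; confirm them on your build with `nvram show`. The reason to check: an access point that still runs a DHCP server or dnsmasq will hand out addresses into whichever VLAN it is bridged to, which quietly breaks the segmentation this guide builds.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm over SSH that the
# RT-AC3200 really is configured as a plain access point after the steps
# above. The nvram names/values are my reading of DD-WRT's settings store,
# stated as assumptions; confirm them on your build with: nvram show | sort
#   wan_proto=disabled    Setup > Basic Setup, WAN Connection Type = Disabled
#   lan_proto=static      Setup > Basic Setup, DHCP Server = Disabled
#   wk_mode=router        Setup > Advanced Routing, Operating Mode = Router
#   dnsmasq_enable=0      Services > Services, DNSMasq = Disable
#   filter=off            Security > Firewall, SPI Firewall = Disable

# Expected settings, one NAME=VALUE per line
WAP_EXPECTED='
wan_proto=disabled
lan_proto=static
wk_mode=router
dnsmasq_enable=0
filter=off
'

# nv NAME -> current value; wrapped so a test can substitute a fake store
nv() {
    nvram get "$1"
}

# audit_wap -> prints one line per setting; returns the number of mismatches
# (0 means the box is a pure access point as far as these settings go)
audit_wap() {
    bad=0
    while read -r pair; do
        [ -n "$pair" ] || continue
        name=${pair%%=*}
        want=${pair#*=}
        got=$(nv "$name")
        if [ "$got" = "$want" ]; then
            echo "ok    $name=$got"
        else
            echo "FAIL  $name=$got (expected $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$WAP_EXPECTED
EOF
    return "$bad"
}

# Usage on the router: sh wap-audit.sh run   (exit status = number of mismatches)
if [ "${1:-}" = "run" ]; then
    audit_wap
    exit $?
fi
```

Any FAIL line points at the GUI page to revisit; re-run after clicking Apply Settings, since Save alone does not activate a change in DD-WRT.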

Setup multiple SSIDs with VLANs support

To enable multiple SSIDs with VLANs, we will create separate bridges: one bridge for each VLAN and its associated wireless interface(s).

RT-AC3200 has 3 physical wireless interfaces (eth1, eth2 & eth3). 2 are 5GHz and 1 is 2.4GHz.

DD-WRT automatically creates a default bridge ‘br0‘ with all wireless interfaces, the default VLAN 1 (LAN) and VLAN 2 (WAN) as its members.

The bridging table can be found at Setup > Networking

default bridge setting

Setup VLAN 40 (SSID: Mobile)

We will use all 3 wireless interfaces for VLAN 40.

Use ‘Mobile’ as SSID

  • go to Wireless > Basic Settings
  • replace ‘dd-wrt’ by ‘Mobile‘ as Wireless Network Name (SSID) for ALL 3 wireless interfaces
  • scroll down and click Apply Settings
update default SSID

Create new Bridge

  • go to Setup > Networking
  • click Add inside Create Bridge section
  • enter ‘br1‘ as Name
  • select Off for STP
  • scroll to bottom and click Apply Settings
create bridge br1

Assign wireless interfaces to the Bridge

  • click Add inside Assign to Bridge 3 times
  • select br1 as Assignment for all 3 rows
  • select eth1 as Interface for 1st row
  • select eth2 as Interface for 2nd row
  • select eth3 as Interface for the last row
  • scroll to bottom and click Apply Settings
assign to bridge br1

Setup VLAN 40 and assign to the Bridge

The DD-WRT web GUI can only manage VLANs 0 – 15. To use a VLAN ID higher than 15, we use a startup script (Startup commands) to perform the setup. This script is executed as root once every time the router finishes booting, so review what you paste there.

Note: VLANs 16 – 21 are used for other purposes, so do not use them.

  • go to Administration > Commands
  • add the following scripts to the Commands text box
  • click Save Startup
# switch port membership for VLAN 40: WAN port tagged (4t), CPU port tagged (5t)
echo "4t 5t" > /proc/switch/eth0/vlan/40/ports
# create the 802.1Q sub-interface vlan40 on eth0 and bring it up
/sbin/vconfig add eth0 40
/sbin/ifconfig vlan40 up
/sbin/ifconfig vlan40 txqueuelen 1000
# make vlan40 a member of the Mobile bridge br1
/usr/sbin/brctl addif br1 vlan40

Explanation: Configure and assign VLAN 40 to WAN port tagged (4t) and CPU port tagged (5t). Then set VLAN 40 as a member of bridge br1.

startup script to configure VLAN 40 and assign to bridge br1

Setup VLAN 42 (SSID: IoT)

We will create a virtual wireless interface for VLAN 42.

Create virtual wireless interface

  • go to Wireless > Basic Settings
  • click Add at Virtual Interfaces section below Wireless Physical Interface wl0 section
  • enter ‘IoT‘ as Wireless Network Name (SSID)
  • scroll to bottom and click Apply Settings

note: this virtual interface is named wl0.1

create virtual interface for VLAN 42

Create new Bridge

  • go to Setup > Networking
  • click Add inside Create Bridge section
  • enter ‘br2‘ as Name
  • select Off for STP
  • scroll to bottom and click Apply Settings
create bridge br2 for VLAN 42

Assign wireless interface to the Bridge

  • click Add inside Assign to Bridge
  • select br2 as Assignment
  • select wl0.1 as Interface
  • scroll to bottom and click Apply Settings
assign virtual interface to bridge br2

Setup VLAN 42 and assign to the Bridge

  • go to Administration > Commands
  • click Edit at Startup section
  • append the following scripts to the Commands text box
  • click Save Startup
# same steps as for VLAN 40: tagged on WAN (4) and CPU (5) ports, then into bridge br2
echo "4t 5t" > /proc/switch/eth0/vlan/42/ports
/sbin/vconfig add eth0 42
/sbin/ifconfig vlan42 up
/sbin/ifconfig vlan42 txqueuelen 1000
/usr/sbin/brctl addif br2 vlan42
append startup script to configure VLAN 42 and assign to bridge br2

Setup VLAN 44 (SSID: Guest)

We will create a virtual wireless interface for VLAN 44.

Create virtual wireless interface

  • go to Wireless > Basic Settings
  • click Add at Virtual Interfaces section below Wireless Physical Interface wl2 section
  • enter ‘Guest‘ as Wireless Network Name (SSID)
  • scroll to bottom and click Apply Settings

note: this virtual interface is named wl2.1

create virtual interface for VLAN 44

Create new Bridge

  • go to Setup > Networking
  • click Add inside Create Bridge section
  • enter ‘br3‘ as Name
  • select Off for STP
  • scroll to bottom and click Apply Settings
create bridge br3 for VLAN 44

Assign wireless interface to the Bridge

  • click Add inside Assign to Bridge
  • select br3 as Assignment
  • select wl2.1 as Interface
  • scroll to bottom and click Apply Settings
assign virtual interface wl2.1 to bridge br3

Setup VLAN 44 and assign to the Bridge

  • go to Administration > Commands
  • click Edit at Startup section
  • append the following scripts to the Commands text box
  • click Save Startup
# same steps as for VLAN 40: tagged on WAN (4) and CPU (5) ports, then into bridge br3
echo "4t 5t" > /proc/switch/eth0/vlan/44/ports
/sbin/vconfig add eth0 44
/sbin/ifconfig vlan44 up
/sbin/ifconfig vlan44 txqueuelen 1000
/usr/sbin/brctl addif br3 vlan44
append startup script to configure VLAN 44 and assign to bridge br3

Enable wireless network securities

We have set up 5 wireless interfaces (3 physical and 2 virtual). It’s time to enable security on them; it is disabled by default on all of them.

WiFi security disabled by default
  • go to Wireless > Wireless Security
  • select WPA2-PSK for Security Mode
  • enter a good key phrase for WPA Shared Key
  • click Save
enable WiFi securities for all wireless interfaces

Repeat for all 5 wireless interfaces. Note: use the same passphrase for the 3 physical wireless interfaces (wl0, wl1 & wl2), since they all broadcast the Mobile SSID, and a different passphrase for each of the IoT and Guest SSIDs, so that a guest passphrase never grants access to the Mobile VLAN.

  • click Apply Settings

Setup trunk port and management VLAN

We will configure the WAN port as the trunk port that connects to your home network. As a security best practice, the default VLAN 1 will not be used; VLAN 99 will be the native management VLAN instead.

IMPORTANT: DD-WRT has rearranged the ports. Starting from the left, the port assignments are port 1, 2, 3, 4 and WAN respectively, which differs from what’s labelled on the RT-AC3200.

different port assignment by DD-WRT

Setup VLAN 99 and trunk port

  • go to Administration > Commands
  • click Edit at Startup section
  • append the following scripts to the Commands text box
  • click Save Startup
# VLAN 99: ports 1-4 untagged (0u 1u 2u 3u); WAN port (4) and CPU port (5)
# tagged and set as their default (native) VLAN (*)
echo "0u 1u 2u 3u 4t* 5t*" > /proc/switch/eth0/vlan/99/ports
/sbin/vconfig add eth0 99
/sbin/ifconfig vlan99 up
/sbin/ifconfig vlan99 txqueuelen 1000
# the management VLAN joins br0, the bridge that carries the router's own IP address
/usr/sbin/brctl addif br0 vlan99

Explanation: Configure and assign VLAN 99 to port 1 – 4 untagged (0u 1u 2u 3u), WAN port default tagged (4t*) and CPU port default tagged (5t*). Then set VLAN 99 as a member of bridge br0.

append startup script to configure VLAN 99 and assign to bridge br0 to replace VLAN 1
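The four snippets above (VLAN 40, 42, 44 and 99) are the same five steps with different numbers, and a typo in any one of them is only noticed at the next reboot. Here is an added example, not the guide’s own startup script, that drives all four VLANs from one table, refuses IDs this page says not to use (1–15 are GUI-managed, 16–21 are reserved), and can print the commands instead of running them so you can review the result before saving it as Startup. It assumes the Broadcom switch control path /proc/switch/eth0 and the tool paths shown on this page, and that br1–br3 were already created in Setup > Networking; the VLAN table itself is the one this guide builds.

```shell
#!/bin/sh
# Added example, not the guide's own startup script: build every tagged VLAN
# from one table, refuse IDs the page says not to use, and optionally print
# the commands instead of running them. Assumptions: the Broadcom switch is
# controlled through /proc/switch/eth0 as shown on this page, the tools live
# in /sbin and /usr/sbin as on this page, and bridges br1..br3 already exist
# from Setup > Networking. Port 4 is the WAN port (the trunk), 5 is the CPU
# port; 't' = tagged, 'u' = untagged, '*' = the port's default (native) VLAN.

SWITCH=${SWITCH:-eth0}
DRYRUN=${DRYRUN:-0}

# VLAN table: <vid> <bridge> <switch port membership>
VLANS='
40 br1 4t 5t
42 br2 4t 5t
44 br3 4t 5t
99 br0 0u 1u 2u 3u 4t* 5t*
'

# vlan_allowed VID -> 0 if the ID may be created from a script: 0-15 belong
# to the web GUI, 16-21 are reserved on this switch, 802.1Q stops at 4094
vlan_allowed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 22 ] && [ "$1" -le 4094 ]
}

# run CMD... -> execute, or print the command line when DRYRUN=1
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# write_ports VID PORTS -> program the switch membership of one VLAN
write_ports() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'echo "%s" > /proc/switch/%s/vlan/%s/ports\n' "$2" "$SWITCH" "$1"
    else
        echo "$2" > "/proc/switch/$SWITCH/vlan/$1/ports"
    fi
}

# setup_vlan VID BRIDGE PORTS -> the same five steps the guide uses per VLAN
setup_vlan() {
    vid=$1
    br=$2
    ports=$3
    if ! vlan_allowed "$vid"; then
        echo "refusing VLAN '$vid': use 22-4094 (1-15 are GUI-managed, 16-21 reserved)" >&2
        return 1
    fi
    write_ports "$vid" "$ports"
    run /sbin/vconfig add "$SWITCH" "$vid"
    run /sbin/ifconfig "vlan$vid" up
    run /sbin/ifconfig "vlan$vid" txqueuelen 1000
    run /usr/sbin/brctl addif "$br" "vlan$vid"
}

# setup_all -> walk the table; returns 1 if the switch is missing or any
# VLAN was rejected (the others are still configured)
setup_all() {
    if [ "$DRYRUN" != 1 ] && [ ! -d "/proc/switch/$SWITCH/vlan" ]; then
        echo "no switch control at /proc/switch/$SWITCH; not a Broadcom build?" >&2
        return 1
    fi
    rc=0
    while read -r vid br ports; do
        [ -n "$vid" ] || continue
        setup_vlan "$vid" "$br" "$ports" || rc=1
    done <<EOF
$VLANS
EOF
    return "$rc"
}

# Usage: sh vlans.sh dry   (print the commands)   |   sh vlans.sh apply
case "${1:-}" in
    dry)   DRYRUN=1; setup_all ;;
    apply) setup_all ;;
esac
```

Run it with `dry` first and compare the printed lines with the snippets above. To use it as the Startup script, paste it into Administration > Commands and add `setup_all` as the last line, because DD-WRT runs the saved script without arguments.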

Clear default VLAN 1 and VLAN 2 port assignments

  • go to Setup > VLANs
  • uncheck ALL VLAN 1
  • uncheck VLAN 2
  • click Save
clear VLAN 1 & 2 default port assignments

Assign static IP to Router

The router’s own configuration is done. Now we need to assign an IP address to the router so that it’s ready to join your home network. The address must be in the management VLAN 99 subnet (192.168.99.x), with the same net mask as the rest of that subnet.

  • go to Setup > Basic Setup
  • go to Router IP section
  • enter 192.168.99.32 as Local IP Address
  • click Apply Settings
  • reboot the router
set static IP for the router

You can now disconnect your computer from the router and set its IPv4 address back to Obtain an IP address automatically.

Note: your computer won’t be able to reach the router again until the router has joined your home network and your computer has received an IP address from the DHCP server.

Configure pfSense and Netgear VLAN switch

Now let’s prepare pfSense and the Netgear VLAN switch with the additional VLANs before RT-AC3200 joins the home network.

Add VLAN interfaces and rules at pfSense

Follow Step 1 through 4 of Setup VLAN interfaces at pfSense firewall to add VLAN 42 and VLAN 44 to the pfSense firewall.

Add VLAN 42 and 44 to Netgear GS108Ev3 switch

  • login to the switch (would be http://192.168.99.108 if you followed the guide in Part 2)
  • go to VLAN > 802.1Q > Advanced > VLAN Configuration
  • enter 42 at VLAN ID field and click Add
  • enter 44 at VLAN ID field and click Add

Configure port 6 as a trunk port

IMPORTANT: changing port 6 to a trunk port will temporarily disable the VLAN 40 sub-network.

Port 6 was originally set up as VLAN 40 for an access point connecting all mobile devices. If you have an access point connected to port 6 for wireless connections, it’s time to unplug it from port 6.

Add VLAN 99 to port 6

For VLAN 99, ports 6, 7 & 8 should all be untagged (showing ‘U‘).

  • go to VLAN Membership
  • select VLAN ID ‘99
  • click on port 6 to show ‘U‘ (untagged)
  • click Apply
add VLAN 99 to port 6

Set port 6 PVID to management VLAN 99

  • go to Port PVID
  • enable port 6‘s checkbox
  • enter 99 to PVID text box
  • click Apply
set PVID to 99 for port 6

Convert port 6 to trunk port

  • go to VLAN Membership
  • select VLAN ID ’40’
  • click on port 6 & port 8 until both show ‘T‘ (tagged)
  • click Apply
convert port 6 to trunk port

Repeat for VLAN 42 and VLAN 44.

Final VLAN configuration

Hook up to the home network

Connect the RT-AC3200 WAN port to port 6 of the Netgear VLAN switch, and the wireless networks should be ready to use.

Configure your mobile devices to use their new SSIDs accordingly.

All set. Your home network is now properly segmented with multiple sub-networks for better protection!

Extra

How to enable SSH?

  • go to Services > Services
  • scroll down to Secure Shell
  • select Enable for SSHd
  • click Apply Settings

How to restart DD-WRT web gui?

There are times when the web GUI stops responding while the router itself is still working and you can ping it. In that case, restarting the web GUI server usually fixes the problem and you don’t need to reboot the router.

  • connect to the router using SSH: ssh -l root 192.168.99.32 (or 192.168.1.1 before the router has joined your home network; DD-WRT’s SSH user is always root, regardless of the web GUI username)
  • enter your password to login
  • run command stopservice httpd to stop the web gui server
  • run command startservice httpd to restart the web gui server

This Post Has 23 Comments

  1. Thank you, Alan. Great write up. If I wanted to replicate this setup with multiple DD-WRT access points using the same VLANs, what extra steps would I need to take?

    1. Hi James, you can check out DD-WRT website about Roaming Access. Cheers, Alan

  2. Hi Alan,
    a great tutorial.
    Just 2 questions:
    1. Can I use this guide for a Linksys WRT3200ACM router to use as an AP? I am unsure whether the port arrangement is the same. So when DD-WRT is flashed on the Linksys, will the ports also start at the right with 1?

    2. My management VLAN is 10, so can I set up this VLAN 10 in the DD-WRT web GUI? I am unsure because when using the “tagging” button, it always starts with VLAN 0.

    1. Hi Florian,

      Each router may behave differently (especially a different brand) when using custom firmware such as DD-WRT.
      This guide can serve as a reference to understand how to install DD-WRT in general, but you should also expect things to work differently on your router.

      cheers, Alan

    2. Hi Florian, I have the same issues as you.

      Does it work since?

  3. it wrote:
    RT-AC3200 has 3 physical wireless interfaces (eth1, eth2 & eth3). 2 are 5GHz and 1 is 2.4GHz.

    must be :
    RT-AC3200 has 3 physical wireless interfaces (ath0, ath1 & ath2). 2 are 5GHz and 1 is 2.4GHz.

    1. Hi Martin, thanks for your feedback. If you look at the images, the 3 wireless interfaces were indeed eth1, eth2 & eth3. If you encounter different wireless interface names, just reference them correspondingly. cheers Alan

  4. it wrote :

    RT-AC3200 has 3 physical wireless interfaces (eth1, eth2 & eth3). 2 are 5GHz and 1 is 2.4GHz.

    .. then, in this command line, eth0 is never mentioned before (we see at br0: vlan1 and vlan2):

    echo “4t 5t” > /proc/switch/eth0/vlan/40/ports
    /sbin/vconfig add eth0 40
    /sbin/ifconfig vlan40 up
    /sbin/ifconfig vlan40 txqueuelen 1000
    /usr/sbin/brctl addif br1 vlan40

    …. eth0 must be eth1 ???

    please, I need help, I spent two days trying this on my WRT3200ACM without success! 🙁

    …or write me in private

    Regards

    1. hi martin,

      eth0 is the network interface that connects to the CPU in the router. It also trunks to the internal switch “CPU” port (usually 5 or 8).

      Alan

  5. it wrote :

    Clear default VLAN 1 and VLAN 2 port assignments
    go to Setup > VLANs
    uncheck ALL VLAN 1
    uncheck VLAN 2
    click Save

    I notice that Assigned to bridge is set to LAN; did you do that, or was it set to LAN by default?

    In my case, by default, it is set to None. In other words, do I need to set it to LAN? Nothing is mentioned about this

    regards

    1. VLAN 1 & VLAN 2 are the 2 default VLANs assigned to LAN when DD-WRT is installed on the RT-AC3200.
      LAN represents the switch ports on the router.
      Typically, VLAN 1 is the default VLAN for all ports on the switch. VLAN 2 is the default VLAN for WAN (which is not used in the setup).
      I use VLAN 99 instead to replace the default VLAN 1. So VLAN 1 & VLAN 2 are not used and are unchecked.

  6. I have a modem-router (combo) directly connected to the internet, let’s call it “A”, and I have a second router directly connected to “A” through an ethernet connection (it has DD-WRT firmware on). I have created 3 virtual networks under B, and they are all NAT and AP-isolated, meaning they don’t see each other and cannot access B’s management web GUI (and that is how I wanted it), but the problem is that any one of them is able to access A’s management GUI and that is NOT what I want. I came across this page hoping VLAN is the way to achieve that goal.
    Would going through the above-mentioned path create what I am looking for? And after creating the VLANs, do I still need to have the ethernet cable between A and B?

    Thanks

    1. The management GUI typically uses HTTP/HTTPS, which are ports 80 and 443.
      You can set up firewall rules at Router B to block traffic to Router A’s ports 80 & 443.

      Given that you are using DD-WRT, your virtual networks most probably are VLANs already.

  7. Hello Alan,

    Can you tell me the wireless speed of the two bridges you created in the instructions? Would they be at 2.4GHz or 5.0GHz, when you used eth0 in the configuration? If at 2.4GHz, is there any way to set those bridges to 5.0?

    Thanks

    1. It depends on the wireless interface you assign to the bridge. Each wireless interface has info on whether it is 2.4GHz or 5.0GHz.
      eth0 is not a wireless interface.

  8. Hi Alan

    Would you possible be able to create a guide if using openwrt?

    1. Hi Kim,

      Thanks for asking. But unfortunately there is no plan for an OpenWrt write-up.

  9. This is a really helpful article, Alan. Thanks!

    You mention that: “Note: VLAN 16 – 21 are used for other purposes. So do not use them.” How did you figure that out? Is this generally true for dd-wrt?

    1. Yes, there are some hardware attributes assigned to VLAN ports 16 – 21 and, as a result, they cannot be used.

  10. Alan, why did you decide to move eth1, 2, and 3 to br1 instead of letting them remain at br0? I accomplished something similar but am back to the drawing board since nvram for my Broadcom is no longer an option. Now I must use swconfig. In the newer updates, when the WAN port is disabled, the WAN port is placed in vlan1 and vlan2 seems to go “Poof”. I’m trying to refresh myself on this subject as it’s been a few months.

    I was able to accomplish this by having my Assign to Bridge as follows:

    br0 eth1 eth2 eth3 vlan1
    br1 vlan10 wl2.1
    br2 vlan11 wl0.1 wl1.1

    1. br0 is connected to the wired switch ports, not for wireless.
      Therefore, you need a new bridge for the Wi-Fi interfaces.

  11. Great write-up and very good at explaining everything! The reason I landed here is that I just need something simpler. What I need is just VLAN tagging for all traffic via the WAN port.

    Say, for example, on my pfSense I already have VLAN 42 set up and running correctly, and I don’t have a managed switch. Somewhere on the network, I plan to hook up a DD-WRT router, and everything behind it (LAN and WLAN) will go out via the WAN port with VLAN42 tagged.

    I think I can reuse your instructions and tag VLAN42 on all LAN and WLAN ports. But I was thinking, wouldn’t it be easier to somehow just tag all traffic going out? (Also, I don’t mind the management IP being in VLAN42 space as well.)

    1. Yeah, if all traffic is in VLAN42, you can just have the DD-WRT WAN port tagged with VLAN42.
