Monday, March 19, 2012

Multiple SSID on OpenWRT with bandwidth limit

If you're a network junkie and haven't been living under a rock, you must have heard of OpenWRT. It's a Linux distribution for embedded devices (routers) that gives you the power to do things that are usually impossible or difficult with a router's built-in firmware. Wireless Freedom indeed.

This was my scenario: I had to create two wireless APs for my office, one for the guests (no password but bandwidth limited) and another for non-guest users (password protected but no limit on bandwidth). That way the visitors will have free wireless internet, but with limited bandwidth. The office staff will have to connect to a password-protected wifi for unrestricted bandwidth.

The requirements for the APs are:

Free Wifi for visitors
- SSID: FreeWifi
- Password: none
- Bandwidth limit: 256Kbps uplink, 128Kbps downlink

Office Wifi for staff
- SSID: OfficeAP
- Password: 1234567890
- Encryption: WPA2
- Bandwidth limit: none

Here's how I did it on OpenWRT. Connect to the OpenWRT shell.

1. First create two wireless APs with the above configuration. Add the following lines to /etc/config/wireless (remove any existing 'wifi-iface' configurations).

# Free Wifi
config 'wifi-iface'
        option 'device' 'wifi0'
        option 'ssid' 'FreeWifi'
        option 'mode' 'ap'
        option 'network' 'lan'

# Office Wifi
config 'wifi-iface'
        option 'device' 'wifi0'
        option 'ssid' 'OfficeAP'
        option 'mode' 'ap'
        option 'network' 'lan'
        option 'encryption' 'psk2'
        option 'key' '1234567890'

As simple as that! Now, to enable the wifi, go to the shell and run:

# wifi down; wifi up

2. Now to limit bandwidth, we'll be using wondershaper. To install:

# opkg update
# opkg install wshaper

3. Now find which interface FreeWifi is assigned to:

# iwconfig

On mine, it was on ath0.

4. Modify /etc/config/wshaper and start wondershaper

config 'wshaper' 'settings'
    option 'network' 'ath0'
    option 'downlink' '256'
    option 'uplink' '128'

Now, start wondershaper.

# /etc/init.d/wshaper start

5. By default, wshaper isn't enabled at startup. So,

# ln -s /etc/init.d/wshaper /etc/rc.d/S99wshaper
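
Both wifi-iface sections in step 1 set option 'network' 'lan', so the open FreeWifi SSID is bridged onto the same network as OfficeAP. The script below is an added example, not part of the original post: it reads a wireless config and lists every unencrypted AP that shares a network with an encrypted one. The function names audit_wireless and demo_step1 are hypothetical, and it assumes one network name per wifi-iface section.

```sh
# Added example (not from the original post). Assumes one network per wifi-iface.
# audit_wireless FILE: prints "ssid|network" for each open AP that shares a
# network with an encrypted AP; returns 1 if anything was printed, else 0.
audit_wireless() {
    awk -v q="'" '
    # strip one leading and one trailing quote character from a UCI token
    function unq(v) { gsub("^[" q "\"]|[" q "\"]$", "", v); return v }
    # close the current section and record it if it was an AP
    function endsec() {
        if (iniface && mode == "ap") {
            n++; ssid[n] = name; net[n] = nw; enc[n] = (e == "" ? "none" : e)
            if (enc[n] != "none") secured[nw] = 1
        }
        iniface = 0; mode = name = nw = e = ""
    }
    /^[ \t]*#/ { next }
    $1 == "config" { endsec(); iniface = (unq($2) == "wifi-iface"); next }
    $1 == "option" && iniface {
        key = unq($2); val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t]+$/, "", val); val = unq(val)
        if (key == "ssid") name = val
        else if (key == "mode") mode = val
        else if (key == "network") nw = val
        else if (key == "encryption") e = val
    }
    END {
        endsec()
        for (i = 1; i <= n; i++)
            if (enc[i] == "none" && (net[i] in secured)) { print ssid[i] "|" net[i]; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Sample input: the two sections from step 1 (device lines omitted).
demo_step1() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
config 'wifi-iface'
        option 'ssid' 'FreeWifi'
        option 'mode' 'ap'
        option 'network' 'lan'
config 'wifi-iface'
        option 'ssid' 'OfficeAP'
        option 'mode' 'ap'
        option 'network' 'lan'
        option 'encryption' 'psk2'
EOF
    rc=0; audit_wireless "$tmp" || rc=$?; rm -f "$tmp"; return "$rc"
}
```

Running demo_step1 reports FreeWifi|lan; a config where the guest AP is attached to a network of its own produces no output and exit status 0.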


  1. Hello,

    But you said in the configurations that the two WIFI_WIFACE are under the same WIFI_DEVICE named ath0. When in wshaper you apply the option 'downlink' '256' option 'uplink' '128' to ath0 you are applying this bandwidth limit to both wifi-ifaces. So the wireless SSIDs "FreeWifi" and "OfficeAP" are both limited.

    Can you explain better what you do?

    Best Regards,

  2. Hello Craig,
    one of the devices is named ath0, another is named ath0-1. So the wshaper rule will apply to the ath0 device (FreeWifi) only, not ath0-1 (OfficeAP).

  3. This is a good example of how to apply wshaper where you are limiting bandwidth to an external internet ISP.
    In this example the WAN side should NOT be plugged into the company network since you would expose the corp infrastructure to "slower" attacks from the free network.
    As it stands, again - good example.

  4. Hi.
    Will your FreeWIFI SSID be isolated from OFFICE lan?
    I think it wouldn't.
    option 'network' set to 'lan' in both.

    1. take a look at
      guest lan placed into isolated vlan for paranoid security ;)

  5. thanks! small note though: you reversed the order of the arguments in step 5. it should be

    # ln -s /etc/init.d/wshaper /etc/rc.d/S99wshaper

    1. Thanks. I always get confused on that one.

  6. Hello Jwalanta.

    When trying to run wshaper I got the following lines:
    root@OpenWRT:~# /etc/init.d/wshaper start
    insmod: cannot insert '/lib/modules/': invalid parameters (17): Invalid argument
    insmod: cannot insert '/lib/modules/': invalid parameters (17): Invalid argument
    insmod: cannot insert '/lib/modules/': invalid parameters (17): Invalid argument
    insmod: cannot insert '/lib/modules/': invalid parameters (17): Invalid argument

    Any idea what could be the solution?

  7. add "/lib/modules/3.3.8/" to "/usr/sbin/wshaper.htb"

    before:MODULES='sch_ingress sch_sfq...........
    after:MODULES='/lib/modules/3.3.8/sch_ingress /lib/modules/3.3.8/sch_sfq...........

  8. Thanks! Just what I needed.

    By the way, a good way to remember the argument order for ln: it's just like cp: source, then destination.

  9. well jalwanth is it possible to limit the maximum file download size to one of the subnets.... I have volume-based internet connectivity ... I want to block users from downloading movies and applications of large sizes.