Configuring DD-WRT as a wireless/wired router and bridge

I’ve installed DD-WRT on a WRT54GS and configured it as a router that bridges the wireless AP, the ethernet and WAN connection. I didn’t want DD-WRT configured as a “gateway” as that means NAT and I didn’t want that: my firewall is already doing NAT, so I wanted DD-WRT to just route traffic upstream.

Here’s a diagram of how I set things up:

Network diagram showing WRT54GS running DD-WRT as a router

I wanted the WRT54GS to bridge the network on the WAN port (interface vlan1) to the firewall with the network on the wireless AP side (interface br0). The firewall’s NIC was configured as The WRT54GS’s WAN port was configured with a static IP of and gateway of The local IP was configured to and no gateway. The VLANs were configured so that everything was assigned to the “LAN” bridge, all 4 wired switch ports, the WAN port, and wireless.

This looks like it all should have worked, but it didn’t. What I finally ended up having to do was to set a small startup script to make the final adjustments. I’m going to share the steps to set that script here, since I know I’ll forget it:

nvram set rc_startup='
echo 1 >/proc/sys/net/ipv4/conf/br0/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/vlan1/proxy_arp

ip route add dev vlan1
ip route delete default
ip route add default via dev vlan1
nvram commit

And with that, everything works. Clients can connect wirelessly or wired, get assigned an IP via DHCP in the network, get routed up to the firewall which enforces all my security and routing policies.

What I’d like to do next is play with the AP isolation setting to keep the wireless clients from being able to snoop on the wired connections. I like to keep this configured as an open wi-fi access point, but I don’t want someone who roams up to be able to see the activity of the wired clients. But, for now, what I’ve got working is good enough.

Tags: , , , ,


  1. Thanks – I’ ve been trying to achieve the same thing for ever, with no success.
    I’ll try your method now.

  2. nvram set vlan0ports=”0 1 2 3 4 5*” does the same thing.

Speak Your Mind