It's completely possible, but I'd like to address a few things first.

> My current solution is to plug my cable modem into a switch and
> connect two wireless routers to the switch. My computers connect to
> the first router, everything else connects to the second router.

It's interesting both routers have internet access when your cable modem
appears to be just a modem. Does your ISP do NAT? If not, I'd recommend
taking the switch out (is it really a switch or is the switch capable of
NAT?), and place one of your DD-WRT routers as the gateway. Your current
setup as it is (without knowing which port the routers were wired
to) may either have IP address conflicts, or may occasionally
experience random and sporadic loss of connectivity on one or the other
network.

> Is it possible to segregate Wi-Fi traffic into multiple VLANs on a
> single access point?

Yes, but it'll take a bit of config work and some testing. I use a
similar setup myself for segregating a guest network. The method I'll
describe below doesn't involve VLANs.
DD-WRT (among others) supports creating multiple SSIDs on the same AP.
The only thing needed is to create another bridge, assign it to a
different subnet, then firewall it off from the rest of the main network.
It's been a while since I last did it this way but it should go
something like this (be prepared to lose connectivity):

- Open an access point's config page
- Go to Wireless => Basic Settings
- Under Virtual Interfaces click Add[^virtif]
- Give your new IoT SSID a name and leave Network Configuration to
  Bridged, enable AP Isolation as you wish
- Go to tab Wireless Security, set your passwords, and set Security
  Mode to nothing less than WPA2-Personal-AES if possible[^nDS]
- Go to tab Setup => Networking
- Under Bridging, click Add
- Give your bridge an arbitrary name[^brname], maybe br1?
- Give your bridge an IP address that is not on the same subnet as
  your main network[^ipaddr]
- (You may have to click Save then Apply Settings to get this to show
  up) Under Assign to Bridge, click Add, then assign br1 to Interface
  wl.01 or whatever interface name it was given[^virtif], save and apply
- Under Multiple DHCP server, click Add and assign it to br1
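- Go to Administration => Commands and paste these (you might have to
  adjust the interface names)[^note2]

```sh
# NAT everything that leaves through the WAN interface
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
# Let clients on br1 open new connections through the router
iptables -I FORWARD -i br1 -m state --state NEW,RELATED -j ACCEPT
# -I inserts at the top, so this REJECT (br1 to br0) ends up above the ACCEPT
iptables -I FORWARD -i br1 -o br0 -j REJECT
```

- And click Save Firewall
- You should be all set, I think
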
For more details, you can take a look at
http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/
A caveat for this is that this setup is effective only for the gateway
router/AP. If you want the same setup to work for the other router,
you'll have to use VLANs. The setup is similar, but it's a bit more
involved. The difference here is that you'll have to configure and
bridge a new VLAN to the IoT SSID and maybe do some routing rules.
[^virtif]: The first is usually the physical interface and often labeled
as wl0. Your virtual interfaces (up to three if I'm not mistaken) will
be labelled as wl0.1, wl0.2, and so on.
[^brname]: This will be the interface name DD-WRT will give to the
bridge interface.
[^ipaddr]: Say your main network is on 172.16.1.0/24, give br1 an
address of 172.16.2.0/24.
[^nDS]: If you have a Nintendo DS, you'll have to use WEP.
Alternatively, you could create another SSID just for the NDS and have
it also bridged to br1 for convenience.
[^note1]: At this point after applying settings, anything that connects
to the IoT SSID will now be assigned to a different subnet. However, the
two subnets can still communicate with each other.
[^note2]: This bit might need some work.
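
The isolation in the answer above depends on the `REJECT` for br1 to br0 sitting above the broader `ACCEPT` for br1 in the FORWARD chain. The following is an added example, not part of the original answer: a check that reads `iptables -S FORWARD` output and reports which rule decides first. The function name, exit codes and sample rule listings are constructed for illustration; the interface names `br1` and `br0` are taken from the answer.

```shell
# Added example. Reads `iptables -S FORWARD` output on stdin and reports which
# rule first decides a NEW connection from the IoT bridge to the main bridge.
# Only -i/-o (with "!") and --state/--ctstate are modelled; address or port
# matches and jumps to user-defined chains are ignored.
# Exit: 0 = REJECT/DROP first, 1 = ACCEPT first, 2 = no rule decides (policy applies).
check_isolation() {
    awk -v iot="$1" -v main="$2" '
    function hit(neg, val, want) {      # does this -i/-o match apply to "want"?
        if (val == "") return 1         # no match given: applies to any interface
        return neg ? (val != want) : (val == want)
    }
    BEGIN { verdict = 2 }
    $1 == "-A" && $2 == "FORWARD" && verdict == 2 {
        in_if = out_if = target = states = ""; in_neg = out_neg = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-i") { in_if = $(i + 1); in_neg = ($(i - 1) == "!") }
            if ($i == "-o") { out_if = $(i + 1); out_neg = ($(i - 1) == "!") }
            if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (!hit(in_neg, in_if, iot) || !hit(out_neg, out_if, main)) next
        if (states != "" && ("," states ",") !~ /,NEW,/) next  # cannot open a connection
        if (target == "REJECT" || target == "DROP") verdict = 0
        if (target == "ACCEPT") verdict = 1
    }
    END { exit verdict }'
}

# Constructed sample: the listing the three -I commands leave (last inserted on top).
sample_inserted() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br1 -m state --state NEW,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: the same rules with the ACCEPT above the REJECT.
sample_swapped() { cat <<'EOF'
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -m state --state NEW,RELATED -j ACCEPT
-A FORWARD -i br1 -o br0 -j REJECT --reject-with icmp-port-unreachable
EOF
}

for s in sample_inserted sample_swapped; do
    if "$s" | check_isolation br1 br0; then echo "$s: isolated"
    else echo "$s: NOT isolated (exit $?)"; fi
done
```

On the router itself the check would be fed live rules, for example `iptables -S FORWARD | check_isolation br1 br0`.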

Separation from your computers is great, but what about separating your insecure smart TV from your insecure WiFi toaster? ;) – ZX9 – 2016-11-04T14:34:56.650
Hmm... Well I do have several more old routers lying around. I wonder how many IPs my ISP will give me? – Chris B – 2016-11-04T15:00:33.993
http://www.reactiongifs.com/r/but-why.gif – Alexander - Reinstate Monica – 2016-11-06T01:55:25.987