I’ve been learning Tomato router firmware. This open-source firmware can enhance a low-end wireless router with some pretty advanced features.
One of my goals was to set up my wireless for guest-only access, i.e. not connected to my internal LAN (which are all hard-wired connections). Here’s one way to do that.
Basically we need a separate VLAN connected only to the wireless. Although this can be accomplished from the command line, Augusto Bott (“Teaman”) has added a nice GUI for VLANs (thread), and “Toastman” has added the VLAN enhancement to his builds tagged as “VLAN”.
So download and upgrade to a Toastman build that includes the VLAN enhancement. You’ll have to find the one that suits your router. I’m using a Cisco Linksys E2000, so I upgraded to tomato-E2000-NVRAM60K-1.28.4407.1MIPSR2-Toastman-VLAN-RT-VPN.bin. Get that set up as a standard wired and wireless router sharing the same LAN. Then follow these steps to split the wireless into a separate VLAN:
1. Under Basic > Network, add a “bridge” with a new gateway IP. Enable DHCP if you want. Here I’m adding 10.0.0.1 for the new bridge 1 (br1) with DHCP enabled:
Click on Add, then click on Save at the bottom of the screen.
Note If you forget to click on Add, nothing will happen when you Save!
2. Under Advanced > VLAN:
- Under VLAN, add VLAN ID 3 and link it to your new LAN1 (br1) bridge. Click on Add.
- Under Wireless, change Bridge eth1 to LAN1 (br1).
If you like, you can also include some wired ports in your new VLAN; if you do, remove those ports from VLAN 1. When you’re done, click on Save at the bottom of the page.
After the router reboots, you should be able to connect to the wireless network and get on the Internet. You can even ping the gateway of the other VLAN (192.168.200.1 in my example). But you will not be able to ping or access other computers on VLAN 1.
Multiple SSIDs
Note that what we have now is a single wireless LAN with no access to the main LAN. The next step would be to have two distinct wireless LANs, that is, two SSIDs. Several routers, including the Linksys E2000 with native firmware, offer this now. The idea is to set up one wireless network (e.g. SSID “Office”) that has full access to your network, plus a separate wireless network (SSID “Office-Guest”) that can only browse the Internet. Employees use the password for “Office”, and guests can be given Internet-only access by giving them the separate password for “Office-Guest”.
Currently, multi-SSID capability for Tomato is in the “experimental” stage, so multi-SSIDs will no doubt be a Tomato feature in the future.
Update November 14, 2011 At the moment, VLAN functionality will impede your ability to set up a VPN, but there is an easy workaround: see Set Up VLAN and Site-to-Site VPN with Tomato.
Update March 24, 2012 There’s another gotcha if you want to set up a bridged WDS router on the same VLAN as your wireless. See Configure a WDS Bridge on a Tomato Guest VLAN.
Update November 25, 2013 Here’s a screen shot showing physical ports 3 and 4 on the guest VLAN. Just uncheck those ports in VID 1 line and check them in the VID 3 line.
Pingback: Set Up VLAN and Site-to-Site VPN with Tomato | MCB Systems
Nice write-up. I will like to give it a try. My setup is slightly different. Maybe you can help clarify the procedure for me. I have three routers. One main one and two that are directly wired to the main one but used as APs. The APs have their dhcp disabled. The APs were added to increase the wireless coverage in the house. Now, to have a separate wireless LAN, do I have to use your procedure on all the three routers or just on the main router?
Also, I will like to do IP monitoring on the wireless. Will that be possible since the wired and the wireless are on different LAN?
JimD, you should be able to control everything on the main router. As the article says, “If you like, you can also include some wired ports in your new VLAN; if you do, remove those ports from VLAN 1.” So basically on the main router, you put the wireless AND two wired ports on the guest VLAN. Then plug the APs into those two wired ports. You can tell if it worked because no matter which AP you connect to, the IP address should be in the guest VLAN range.
Thanks for getting back to me. I tried out your suggestion. By the way I am using Shibby’s latest build (83v) on N-16 with VLAN feature. This version was relased in Dec 2011. On the second step on your write-up, I cannot find “wireless” and ‘bridge eth1 to” on the shibby build. What I have on mine is “bridge wan to”. Anyway, I went ahead with the process. The wireless is working and using the 10.0.0.1 IP. However, when I look under the Device list on the N-16, the interface is showing br0 is issuing the IP and there is no br1. I am hoping I set it up correctly. If you have any other ideas, I will appreciate it. Thanks
JimD, I’m no Tomato expert; I only figured out how to get it going with that one specific firmware back in November. If you bridge your WAN directly to your wireless, that might mean you are directly connecting the WAN to the wireless? But you say that it is assigning IPs so it must be routing… You might need to track down whatever forum does Shibby support and double-check, or try to reach Teaman through the “thread” link in my article. There are people out there who can glance at a routing table and tell you if it’s working right. You could also run ShieldsUp! from a wirelessly-connected laptop to make sure it’s blocking inbound ports: https://www.grc.com/x/ne.dll?bh0bkyd2.
Thanks for all your help. I will do more research.
Mark, I just wanted to let you know that the first sets of instructions you gave me were very accurate. I misread the results I was getting from my testing. Everything is working fine. Thanks again for your help.
JimD, glad to hear it’s working!
Pingback: Configure a WDS Bridge on a Guest VLAN on Tomato | MCB Systems
I am new to multiple ssid. Could you give me step by step procedure? First part is clear enough but I can not make it work for second SSID. Thanks in advance,
nate, As stated in the article, I’m only using a single SSID. Sorry I can’t help with multiple SSIDs.
Thanks for response. I really enjoyed your articles and learned a lot.
Hello Mark,
May i know what’s the point of bridging eth1 to LAN1?
“LAN1 (br1)” is your new VLAN. If you look just above “eth1” in the screen shot, you see if says “Wireless”. So eth1 is for all the wireless connections. By bridging LAN1 to eth1, you are allowing wireless connections to the new VLAN. In other words, this is how you restrict the wireless to only connect to the new VLAN, thus making it “guest wireless” that _cannot_ connect to the main “LAN (br0)”.
I see. But then your guests will have access to any computers that are on your main wireless connection also right? If i want to totally separate guests from anything in the house then i wouldn’t need to bridge eth1 to LAN1 and leave it as default which is br0 right?
I realise i’m talking about Multi-SSID’s already. Okay. I’ve understood the concept. Thanks Mark!
That’s right, if you want some wireless to be public and some private, you’ll need multiple SSIDs. Or tell your guests they can connect to your neighbor’s network :).
That might work. Except where i’m living. The default routers are mostly locked. :p At least with WEP protection.
Pingback: Duong Nguyen » Hacking the ASUS RT-N12B
I created a similar situation. One wired LAN (192.168.1.1 with DHCP enabled for 192.168.1.50-192.168.1.50) and a wireless LAN (192.168.2.1, DHCP enabled, 192.168.2.52-192.168.2.542). Everything seems to work but the ping function seems to be the opposite as described in the article: I can ping from one client on the wired network to another one on the wireless one, but I can NOT ping from one wired client to another one.
Any idea by anybody?
I tried setting my wireless with this guide. It kinda worked. With eth0 pointed to newly created vlan, I was able to connect and get an ip on my wireless devices, but no internet. When eth0 is pointed to lan0, internet works. I’m sure I’m missing something pretty basic. Anyone else have trouble connecting vlan to wan?
mockturtle, it’s been a long time since I set this up, but I don’t seem to have an eth0, just eth1 (see second screen shot). Something must be different in your setup, maybe a different firmware version? I don’t think I had to do anything special to get the new VLAN to see the WAN. There are commands that you can use to see the routing table–browse around on http://www.linksysinfo.org/index.php?forums/tomato-firmware.33/ or start a new thread.
thank you very much sir, after 8 weeks of HAIR and NAIL pulling thanks for this guide for my single router to multi AP setup i have applied this one. Godbless you and your family :)
Hi Mark,
Great job on this post. Following your guide, I have successfully setup two guest wireless SSID’s, one for each band. Which leads me to my question . . . How would I go about using one of the ports for a VLAN? I’ve read about tagging and I have a (very) basic understanding what it does. I don’t think I need tagging, because port #4 would only be used for that VLAN. Care to bestow some of your wisdom? :)
Be blessed, my friend.
Jack, if you just want to put some of your physical ports on the same VLAN as the wireless, just uncheck the ports from br0 and check them on br1. See the new screen shot at the bottom of the post. I don’t think you need or want to mess around with tagging.
Hi..
Thank you for posting this.. I have succesfully created a guest account using Shibby Tomato v121 – one question .. why do some recommend enabling port 4 on br1? – why is this necessary?
Macster – In addition to guest _wireless_, you can have a _wired_ guest attached to port 4 if it’s on br1. In fact, the last screenshot above shows two wired ports, 3 and 4, on the same VLAN as the wireless.
Mark..thanks for your repsonse…
That’s what I thought.. I have limited the bandwidth on the guest account (br1) and it’s working great if I connect to it wirelessly..but, If I assign port 4 to br1, then connect a laptop to port 4 of the router I get full speeds and is not limited at all. . So, just to be sure I understand the assiging of ports to another vlan….
By assigning port 4 or any port to br1, that port should have the same settings or limitations as the br1 account, correct?
By the way, I am not being notified by email when I get a response even after ticking the “Notify me of followup comments via email.” – I just happen to visit the page again and saw you had repsonded to my comment.
Macster – sorry, I haven’t played with bandwidth limiting so I can’t say if/how that works with vlans. You might want to ask on the semi-official forum http://www.linksysinfo.org/index.php?forums/tomato-firmware.33/.
Re. subscriptions to this post, I do see your email address in the list, and I’m getting notifications when someone posts so I know that the server is sending emails. Did it perhaps land in your spam folder?
Mark..
I checked the spam and did not see it there.. I just kept refreshing this page until I saw your message, haha… but, thank you so much for responding and I will check the site you advised to see if they can answer my question.
On another note, would you by any change know if Tomato is able to filter websites by keyword?
Never used it, but there is a top-level menu called “Access Restrictions”.
Yup..I’ve played around with that and it seems to work, but not 100%.. I see that there is another firmware called AdvancedTomato..what’s the difference between that and Shibby Tomato?
Macster – It has been almost three years since I set up Tomato and I will never know all the various permutations available. Please go to the forum for general Tomato questions and support.
Mark..
After fiddling around with the settings, I found out that the order of the ports are backwards by default..so, when I was connecting an eth cable to the back of the router on port 4, the GUI was seeing it was port 1, that’s why the bandwitdh limitation I had I had set for br1 was not working while connecting using the eth port, but it did wirelessly.
Just in case anyone else had a smiilar issue – There is an option in both the AdvancedTomato and Shibby Tomato under the “Basic Network” section to “Invert Ports Order”..once I tcked that and saved it..voila, it worked.. – So, I answered my own question.. when you assign a port to a new Vlan, that port would have the same settings or limitations as the vlan (br1) you create.
I had posted my question on the site you recommended but noone has replied back yet..but Im glad I was able to find this on my own :)
Good info, thanks. Interesting, when I google “E3000 ports picture”, some photos show ports on the back numbered from left to right as 4 – 3 – 2 – 1; others are 1 – 2 – 3 – 4. Looks my older Tomato doesn’t have the invert option; they must have added that later.
Good day,
I am beginner in networking, please help me to set up router.
I have bought up Netgear 300, WNR3500Lv2 and flashed with Tomato open source firmware.
I have 30 crew and i want to allot 1GB data to each.
Is it possible that I can do in tomato firmware (Allot quotas).
Thanks in advance for your generosity.
Gagan, I am not familiar with quotas. Perhaps you can find some help at this forum: http://www.linksysinfo.org/index.php?forums/tomato-firmware.33/.
Pingback: Set Up VLANs with Tomato and a Cisco SMB Switch | MCB Systems
I am missing something here. When I create a new subnet, providing addresses with a DHCP server, how do those addresses access the one gateway that connects to the internet. Surely the routes have to be changed with iptables ? I can’t get any of the devices connected to the new subnet to connect to the internet. See this for example how it might be done. https://zedt.eu/tech/hardware/setting-up-guest-wireless-access-on-tomato/#gallery-8. I must be missing something if the folks in this forum have got their systems working One caveat is that I already have a pfsense firewall ahead of this router, but because I have bridged the WAN port to the primary lan br0 there should be no more NAT-ing. Could you please point out the deficiencies in my approach ?
Jay, it’s been years since I used Tomato but as I recall, the router actually has two gateway addresses as soon as you set up the second LAN. For the router in the first screen shot, it acts as gateway on 192.168.200.1 _and_ on 10.0.0.1. Both of those gateways bridge to the WAN (second screen shot). Pretty sure that I never set up IP tables.