I’ve been learning Tomato router firmware. This open-source firmware can enhance a low-end wireless router with some pretty advanced features.
One of my goals was to set up my wireless for guest-only access, i.e. not connected to my internal LAN (which are all hard-wired connections). Here’s one way to do that.
Basically we need a separate VLAN connected only to the wireless. Although this can be accomplished from the command line, Augusto Bott (“Teaman”) has added a nice GUI for VLANs (thread), and “Toastman” has added the VLAN enhancement to his builds tagged as “VLAN”.
So download and upgrade to a Toastman build that includes the VLAN enhancement. You’ll have to find the one that suits your router. I’m using a Cisco Linksys E2000, so I upgraded to tomato-E2000-NVRAM60K-1.28.4407.1MIPSR2-Toastman-VLAN-RT-VPN.bin. Get that set up as a standard wired and wireless router sharing the same LAN. Then follow these steps to split the wireless into a separate VLAN:
1. Under Basic > Network, add a “bridge” with a new gateway IP. Enable DHCP if you want. Here I’m adding 10.0.0.1 for the new bridge 1 (br1) with DHCP enabled:
Click on Add, then click on Save at the bottom of the screen.
Note If you forget to click on Add, nothing will happen when you Save!
2. Under Advanced > VLAN:
- Under VLAN, add VLAN ID 3 and link it to your new LAN1 (br1) bridge. Click on Add.
- Under Wireless, change Bridge eth1 to LAN1 (br1).
If you like, you can also include some wired ports in your new VLAN; if you do, remove those ports from VLAN 1. When you’re done, click on Save at the bottom of the page.
After the router reboots, you should be able to connect to the wireless network and get on the Internet. You can even ping the gateway of the other VLAN (192.168.200.1 in my example). But you will not be able to ping or access other computers on VLAN 1.
Note that what we have now is a single wireless LAN with no access to the main LAN. The next step would be to have two distinct wireless LANs, that is, two SSIDs. Several routers, including the Linksys E2000 with native firmware, offer this now. The idea is to set up one wireless network (e.g. SSID “Office”) that has full access to your network, plus a separate wireless network (SSID “Office-Guest”) that can only browse the Internet. Employees use the password for “Office”, and guests can be given Internet-only access by giving them the separate password for “Office-Guest”.
Currently, multi-SSID capability for Tomato is in the “experimental” stage, so multi-SSIDs will no doubt be a Tomato feature in the future.
Update November 14, 2011 At the moment, VLAN functionality will impede your ability to set up a VPN, but there is an easy workaround: see Set Up VLAN and Site-to-Site VPN with Tomato.
Update March 24, 2012 There’s another gotcha if you want to set up a bridged WDS router on the same VLAN as your wireless. See Configure a WDS Bridge on a Tomato Guest VLAN.
Update November 25, 2013 Here’s a screen shot showing physical ports 3 and 4 on the guest VLAN. Just uncheck those ports in VID 1 line and check them in the VID 3 line.