Creating a separate Guest Network with Tomato

A neighboor recently asked me if he could get access to my wireless network for internet access (with paying me some Euro/month for it). Problem with this was in my current setup giving access to the wireless would mean to give complete access to my network and so to all my machines smb-shares and so on. So I needed a solution to have a seperate network with the neighboors PCs that only has access to internet but not to my LAN. In the following I will explain how I did this with a Linksys WRT54GL router running the latest version of the Tomato firmware.

The steps described here are given to you without any warranty. It worked like this for me, but thats all. If you follow this instructions you alone are responsible for anything that happens. I can't be held responsible for any damages that may be caused by using this instructions. Configuring stuff via CLI may brick your router. So don't do this if you don't know what you are doing!

Prequisites

At first lets see what we need:

  • basic knowledge about networks, routers, firewalls and WLAN
  • a WRT54GL Router running Tomato (version 1.25 at the time of this writing, other routers capable of running Tomato may or may not work)
  • a seperate Wireless Access Point for the Guest WLAN
  • some time to configure and set it all up

Configuring the Router

First step is to set up the router like normal for your internal network. I will not show how this is done here since there are many guides and stuff around the net. Make sure to configure telnet or SSH on the router so you have access to the CLI. Also give the router a strong password, or your neighboor will be able to mess with your routers settings.

The first step is to setup a separate network on the router. The easiest way to do this is to create a separate VLAN. Since Tomato has no GUI for VLAN-Management this has to be done from the CLI. Once logged in perform the following steps to create a separate VLAN for the routers LAN-Port 4:

nvram set vlan0ports="3 2 1 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="0 5*"
nvram commit

With this we now have port 4 separated form the rest of the switch. Note that you can also have more than one port in the second vlan. just set the according port numbers in vlan0ports and vlan2ports. On the WRT54GL the ports are named internally like this:

External Port WAN 1 2 3 4
Port Number 4 3 2 1 0

Thats all for the VLAN setup, we now can leave the CLI and continue with configuring IPs, DHCP and Firewall through the GUI.

First lets give our new VLAN an IP. This is done with the startup scripts, which can be edited inside the Web-GUI. Go to AdministrationScriptsInit an put the following code in the text-field:

sleep 10; ifconfig vlan2 192.168.11.1 netmask 255.255.255.0 up;

Adjust the IP and Netmask according to your need, and make sure the IP is not in the same subnet as your internal LAN (e.g. if your internal LAN is at the default 192.168.1.x IP-Range you can put the second one on anything other than 192.168.1.x). Of course don't forget to hit Save afterwards

Next lets setup some firewall rules to allow internet access but block access to the internal LAN. go to Firewall in the AdministationScripts section and put the following code there:

iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o br0 -j DROP;

With this the VLAN2 now has access to the internet but not to the internal LAN. Again hit Save when done.

Last thing to do is to setup dnsmasq to give out IPs for the Guest Network. Go to AdvancedDHCP / DNS and put the following code into the Custom Configuration field:

interface=vlan2
dhcp-range=net:vlan2,192.168.11.200,192.168.11.249,255.255.255.0,1440m
dhcp-option=vlan2,3,192.168.11.1
dhcp-option=vlan2,6,208.67.222.222

This will give out IPs from in the Range 192.168.11.200 - 192.168.11.249 with a lease time of 24 hours. It will also set the default gateway announced via DHCP to 192.168.11.1 (the Router) and the DNS server to 208.67.222.222 (openDNS server). Again you will have to change th IPs so they match the IP you gave to vlan2 earlier. Now hit Save again and finally reboot your router.

After reboot, you can now connect a PC to your routers port 4 (or whatever port your separate vlan is on) and see if it gets an IP from the range you configured in DHCP. Also test if you can reach the internet but not your lokal network. If it works like expected the configuration of the router is finished.

Configuring the Wireless Access Point

Next thing is to configure the Separate Access Point. the most important setting here is the IP of the Access Point. It has to be in the same subnet as the vlan2 IPs set on the router. In my example you can use anything from 192.168.11.x, for example 192.168.11.2. The even easier method is to set it to use DHCP, so it will autmoatically get an IP from the routers configured IP-range. The other settings like SSID, encryption and so on depend on your Access Point and how you want your WLAN to be configured. If you are done configuring the AP connect it to your routers port 4 and start it up. If you connect to this WLAN now you should be able to access the internet but not the LAN.

Advanced Stuff: QoS and Access Restriction

If you want some control over what is done with your bandwith you can setup some QoS rules or block access to specific services or sites with Tomatos QoS and Access Restriction settings. I won't go into detail here, just use 192.168.11.0/24 as the Source address for the rules. Also for QoS make sure to put the rule restricting the Guest Network first since the first matching rule will be used (so if you for example have a rule priorising HTTP-Traffic before the Guest-Rule it Tomato will also priorise HTTP-Traffic from the Guest Network).

Thats it, I hope this works as well for you as it did for me. If you have questions or suggestions leave a note below.

Comments

1
Miha Pecnik
22.09.2009 17:11

Could you please confirm that following the steps up to the “Configuring the Wireless Access Point” heading will separate just a single port into a different VLAN so I end up with a configuration where I can hook up infected machines to the internet without worrying the malware will spread to the rest of my network.

2
Seiichiro
23.09.2009 21:43

Yes, thats what the steps up to there do. They setup a separate network on the used port (port 4 in my example) that has only access to the internet but is blocked out from the network on the other ports/the routers wlan. The “save” network has no access to the one on port4, and the net on port4 has no access to the rest. So it should work well for your case.

3
Richard
28.09.2009 23:52

Good article! I think this is a great way to have a true DMZ for servers with tomato. Use the following firewall code: (Untested, should work)

iptables -I INPUT -i vlan2 -j ACCEPT;

# forward traffic between DMZ and LAN

iptables -I FORWARD -i br0 -o vlan2 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -I FORWARD -i vlan2 -o br0 -m state –state ESTABLISHED,RELATED -j ACCEPT

# forward traffic between DMZ and WAN

iptables -I FORWARD -i vlan2 -o vlan1 -m state –state ESTABLISHED,RELATED -j ACCEPT

iptables -I FORWARD -i vlan1 -o vlan2 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

4
Miha Pecnik
29.09.2009 06:39

Thank you for your relpy.

My setup is a bit different, but not fully thinking about the implementation I went ahead and did it anyway.

I have a WRT54GL downstairs that acts as a router and connects through PPPoE to the internet. A single cable (have no way of dragging another…there's no place) goes upstairs into my second WRT54GL that acts as an AP/switch:

WAN—WRT54GL router—————–WRT54GL AP/switch——–my PC

					|
					|
				I want one of the ports here
				  to be in the 2nd VLAN

Both are running Tomato.

The reason I'm saying I didn't think it through is since I did exactly what you posted (apart from changing my vlan2 IP to 192.168.2.1….vlan0 is 192.168.1.1) on my upstairs AP/switch.

Now I'm still able to access the internet, the rest of the LAN from ports 3 2 1 (vlan0), but have no internet access on port 0 (I get the 192.168.2.x IP from DHCP, gateway, DNS that was configured by following your tutorial).

Since this was meant to be done on a router, not a switch is it still possible to do what I want, and how? Should my router be configured differently (made “aware” of the VLANs), please keep in mind that wireless doesn't reach upstairs and I have no way of getting two cables up as well.

Any assistance would be greatly appreciated.

5
Seiichiro
29.09.2009 12:17

If I understand correctly, the second router works as a switch/AP only? Meaning you only have your 192.168.1.x for vlan1 and also to the router and vlan2 with the 192.168.2.x? For this to work you will have to modify the ipables rules on the switch/ap.

If that is the setup you will have to make a rule that allows traffic to/from your router IP in and out of the VLAN. So you have to insert a rule before the last “DROP” one in my example that allows all traffic coming from the routers IP into the second VLAN. it should be something like this:

iptables -I FORWARD -i br0 -o vlan2 -s <router IP> -j ACCEPT;

(can't test this since I don't have your setup)

6
Miha Pecnik
29.09.2009 17:35

Yes, the WRT54GL upstairs only acts as an AP/switch and has an IP of 192.168.1.2, the router downstairs has an IP of 192.168.1.1 All the configuration I've done has been performed on the AP (the router downstairs was untouched).

The nvram show | grep vlan.ports command outputs my switch configuration:

vlan0ports=3 2 1 0 5*
vlan1ports=4 5
vlan2ports=0 5*

ipconfig/all on a client hooked up to port 4 (vlan2) shows:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1F-53-24-29-72
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::592b:ec7:bc62:73d3%8(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.216(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 29. september 2009 15:31:03
Lease Expires . . . . . . . . . . : 30. september 2009 15:31:03
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 201333795
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-69-A1-2C-00-1C-23-2C-29-72
DNS Servers . . . . . . . . . . . : 193.189.160.13
NetBIOS over Tcpip. . . . . . . . : Enabled

route print on a client hooked up to port 4 (vlan2) shows:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.216     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link     192.168.2.216    276
    192.168.2.216  255.255.255.255         On-link     192.168.2.216    276
    192.168.2.255  255.255.255.255         On-link     192.168.2.216    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.2.216    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.2.216    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  8    276 fe80::/64                On-link
  8    276 fe80::592b:ec7:bc62:73d3/128
                                    On-link
  1    306 ff00::/8                 On-link
  8    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

I'm unable to ping anything on the LAN (other vlan) or internet be it by IP or host.

Windows diagnostics came up with this: http://www.shrani.si/f/1w/c9/10p8LrQQ/fw.png

Here are additional screenshots as to how the AP/switch is configured:

http://www.shrani.si/f/1g/fP/2k6T0eem/basicnetwork.png

http://www.shrani.si/f/3N/Qw/1VjGOYpa/advanceddhcp.png

http://www.shrani.si/f/20/10C/2OZmpnvn/scriptsinit.png

http://www.shrani.si/f/1V/DD/Q1DG00o/scriptsfirewall.png

Please let me know if my config, anything else would benefit you in assisting me.

7
Seiichiro
30.09.2009 18:57

Ok, can you ping the primary router 192.168.1.1 from vlan2? Also you will have to change the line

dhcp-option=vlan2,3,192.168.2.1

in advanced dhcp options to

dhcp-option=vlan2,3,192.168.1.1

This is because router 2 is not really a router and therefore can't be a gateway for the internet. If you can't ping the primary router from vlan2 there is still something wrong with the iptables rules

8
Miha Pecnik
30.09.2009 20:24

I've made the correction in advanced DHCP and still can't ping my router from vlan2.

ipconfig /all output is now (I'm only pasting the relevant part):

IPv4 Address. . . . . . . . . . . : 192.168.2.216(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.2.1

Since the Default gateway is now in 192.168.1.x and the IP I get from the DHCP is 192.168.2.x is that OK? I don't have the slightest idea what to change in the iptables rules…but am more then willing to follow any advice you have to offer.

9
Miha Pecnik
09.10.2009 17:21

Seiichiro, can you offer any suggestions as to what to try next, I'd really like to have this working, but am lacking the knowledge.

10
Ludovic
18.10.2009 23:18

It doesn't work fo me after those commands. I have always the 0 port in VLAN 0 when I reboot even I commit the NVRAM. I don't know why. I have an WRT54GL with Tomato 1.25.

<pre>vlan0hwname=et0

vlan0ports=3 2 1 0 5 vlan1hwname=et0 vlan1ports=4 5 vlan2hwname=et0 vlan2ports=0 5* wan_iface=vlan1 wan_ifname=vlan1 wan_ifnameX=vlan1 wan_ifnames=vlan1

Could you help me ?

11
Seiichiro
31.10.2009 09:52

Well, I just checked how this is on my own router, and actually the “0” port is also listed in vlan0ports after reboot. but the setup is working fine regardless of that…

12
Seiichiro
31.10.2009 09:57

Sorry for the delay, but I switched internet providers at home and also my Laptop broke… Well I just read through our conversation again and somehow I think my last advice wasn't right. So you should set the dhcp-options back to dhcp-option=vlan2,3,192.168.2.1 . Also after this corretion can you try to ping the 192.168.1.1 router from the PC in VLAN2? Furthermore can you post the output of the command “route” on the router (the one with the vlan2) itself?

13
miki
02.11.2009 16:46

Seiichiro, many thanks for your tuto. That was exactly what I looking for It' work like perfectly

BR Miki

14 05.11.2009 23:59

Good stuff, exactly what I needed. Thanks!

While this does work on an older model (WRT54G version 1-4 in my case), the ports have different names internally; the slightly more logical 1 2 3 4 instead of 3 2 1 0. Keep this in mind while performing the first step.

Hopefully this will help somebody else with older routers.

(According to Wikipedia the numbering scheme changed with the WRT54GL)

Thanks again for the guide :)

15
Miha Pecnik
15.11.2009 08:50

Not a problem, just don't give up on me :-)

I've changed it back to dhcp-option=vlan2,3,192.168.2.1 and am unable to ping the router (192.168.1.1).

Here's the output of route on the AP:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 vlan2
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
16
Seiichiro
15.11.2009 10:40

Ok, the routing looks about right, so it seems to be some iptables problem. You could try to add the following rule to the iptables:

iptables -I FORWARD -i vlan2 -o br0 -d 192.168.1.1 -j ACCEPT;

EDIT: typo corrected!

17
Miha Pecnik
15.11.2009 15:50

I now have these iptables:

iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -s 192.168.1.1 -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i vlan0 -o br0 -d 192.168.1.1 -j ACCEPT;

and am still unable to ping the 192.168.1.1 router and naturally connect to any website.

18
Seiichiro
17.11.2009 09:24

try changing the order like this, and also correct my typo, it should have been vlan2:

iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -s 192.168.1.1 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o br0 -d 192.168.1.1 -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP
19
Miha Pecnik
21.11.2009 18:50

Seiichiro, thank you so much for trying to assist me, unfortunately I'm still unable to ping my 192.168.1.1 router even after the last change.

…please don't give up on me, I'll continue to test whatever you throw at me.

20
Simon
23.11.2009 02:33

“vlan0ports=3 2 1 0 5* vlan1ports=4 5 vlan2ports=0 5* ”

Is that correct? You have port 0 assigned to both vlan0 and vlan2. Could that be your problem?

I'm trying to do the same thing. It'd be nice to see your setup working.

21
Simon
23.11.2009 02:39

Oops. Just read the comment below. I guess port 0 being in both vlan def isn't the problem.

I was thinking you have to set the route between the .2.1 vlan IP to the WAN port on the 1st router (the one connected to the internet). And maybe pinging .1.1 isn't working because ping is disabled on the 1st router?

22
Miha Pecnik
23.11.2009 10:53

Simon, I wish that was the case, but I'm able to ping the router from all other machines. Also I have no internet connectivity when on the 192.168.2..x VLAN.

23
Miha Pecnik
07.12.2009 17:46

Seiichiro, would you be so kind to provide the easiest way to get my AP back to the default settings…it appears this won't happen.

Many thanks for all your effort.

24
James
18.12.2009 19:34

Thank you so much for these instructions.

It's working for me on my Asus WL-520gu. I just used 4 instead of 0 for my port numbers.

Now tomato does everything I need it to so I don't have to get it from dd-wrt.
It's great that even the bandwidth and qos tools continue to work with this change.

Perhaps some comments on each of the iptables entries would be useful.
I'm not really sure what the output interface ppp0 is for. Is it for PPPoE?
I'm using a DHCP address from my ISP so do I still need this entry?

# nvram show | grep ifname
lan_ifname=br0
lan_ifnames=vlan0 eth1 eth2 eth3
pppoe_ifname=
wan_ifname=vlan1
wan_ifnameX=vlan1
wan_ifnames=vlan1
wl0_ifname=eth1
wl_ifname=eth1
25
Seiichiro
22.12.2009 16:45

sorry it didn't work for you. normaly pressing the reset button at the back of the router should be enough to reset it to standard settings.

26
Seiichiro
22.12.2009 16:47

Thats right, the ppp0 interface is for PPPoE. Since you seem to have vlan1 as your internet interface and no PPP it should work without the ppp0 line. Also the other way round it should work without the “vlan1” line for people on PPPoE.

27
Ax
23.12.2009 03:28

What about separating the built-in wifi and the lan? Any easy way to do this?

29
Kdub
08.03.2010 20:38

Thanks so much for this post, it has been very helpful and works flawlessly. I do have one question though - what would be the steps to REMOVE a vlan in Tomato?

30
tridernil
16.05.2010 09:05

By following your guide I was able to set up a second subnet 10.0.0.0/24 I am using Asus rt-n16. I have named the vlan as vlan3, because vlan1 and vlan2 are already used by default. The setup is working well, and there no issues about connectivity. But I noticed that the QOS rules that I had assigned from tomato GUI QOS page don't work. Can this be solved.

31
james
31.05.2010 10:44

hi,

i have set this up and seems to be working ok.

but people on vlan2 are reporting problems.

one example is that i cannot access free.fr on vlan2.

ping free.fr does work though, but the website doesn't display.

any ideas?

32
james
31.05.2010 11:54

so, on vlan1, everything works cool.

on vlan2, i have to manually set MTU to 1492 on the clients in order for everything to work OK.

on vlan1, everything works OK with the clients on manual, how can i make this the same on vlan2?

33
james
01.06.2010 23:24

fixed this problem.

reference here:

https://ftp.dd-wrt.com/phpBB2/viewtopic.php?t=69491

for the firewall scripts, instead of:

iptables -I INPUT -i vlan2 -j ACCEPT; iptables -I FORWARD -i vlan2 -o vlan1 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i vlan2 -o ppp0 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i br0 -o vlan2 -j DROP;

should be this:

iptables -I INPUT -i vlan2 -j ACCEPT; iptables -I FORWARD -i vlan2 -o vlan1 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i vlan2 -o ppp0 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i br0 -o vlan2 -j DROP; iptables -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu;

34
james
01.06.2010 23:25

oops.

instead of: iptables -I INPUT -i vlan2 -j ACCEPT; iptables -I FORWARD -i vlan2 -o vlan1 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i vlan2 -o ppp0 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i br0 -o vlan2 -j DROP;

try this:

iptables -I INPUT -i vlan2 -j ACCEPT; iptables -I FORWARD -i vlan2 -o vlan1 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i vlan2 -o ppp0 -m state –state NEW -j ACCEPT; iptables -I FORWARD -i br0 -o vlan2 -j DROP; iptables -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu;

35
james
01.06.2010 23:26

well i can't make it look like code, but you get the idea.

36
sam
03.06.2010 15:04

Great Tutorial! Instead of completely isolating the guest network I would like to offer the guest network access to two networked printers on the first vlan. I have removed all the firewalls but still cannot seem to ping accross the two networks. Once I figure this I was going to re-write the firewall rules to block all access from vlan2 (new) to vlan1 (old) except the specific IP's of the two printers.

How would I do this? Any help is appreciated.

37
pedroporco
07.06.2010 05:59

Sorry for my ignorance. I have a question. The connection to se second router from router 1 should be: port 4 to wan?

thanks.

38
james
13.06.2010 23:49

So I have this setup now.

Some machines on one VLAN can see machines on the other VLAN in the 'SHARED' list that comes up in the sidebar in Finder in Mac OS 10.5 or 10.6.

This is not good, no?

39
Paul Rewston
01.08.2010 16:26

I wanted to do the same thing, I tried the following and it seemed to work:

In Tools → System, paste the following:

nvram set vlan0ports="3 2 1 0 5*"
nvram unset vlan2hwname
nvram unset vlan2ports
nvram commit

Click Execute

Remove the scripts that were added to Administration → Scripts → Firewall and Administration → Scripts →Init, and remove the text add to the Advanced → DHCP / DNS.

Reboot the router.

A bit late for the poster, but others may find handy.

40
lau
13.08.2010 03:05

Hello,

Great tutorial ! My WRT54GL DMZ is running!

But after a reboot, any time I

# nvram show | grep vlan.ports vlan0ports=3 2 1 0 5* vlan1ports=4 5 vlan2ports=0 5

I see the port 0 both in vlan0 and vlan2. I nvram set vlan0ports=“3 2 1 5*” and nvram commit but after reboot the same result. Any idea why the port 0 is splitted like this ?

Thx, Lau

41
muffin
13.08.2010 08:39

Hello!

Thanks for this tutorial! But i got another problem, i didn't want to disconnect a lan port trough vlan. I wan't to disconnect the wlan port. Because im Sharing my Internet Connection with my Neighbour and he is connectet via WLan. I didn't need wlan, so i want to set him in a own subnet.

I already tried this with DD-WRT and it works, but is there any way to fix this with tomato? Still wanna use tomato, because i love the great Qos and the Traffic Monitor.

Thanks for help!

Best regards

42
Jim
20.08.2010 03:57

Thanks for the tutorial. I setup QoS on vlan2 and see is in the QoS Details view that the Source and Destination are reversed. Also the Destination is showing as my external IP only instead of the client on vlan2.

Proto	Source	        S Port	Destination	D Port	Class
TCP	63.245.209.115	443	24.85.xx.xx     2016	Class C
TCP	67.195.9.75	80	24.85.xx.xx	2007	Class C

Anyone else experience that? Any explanation?

43
muffin/Tweek
29.08.2010 10:14

After long time with trying i found the solution to seperate the WLAN from LAN using tomato firmware. Especually anybody need the same, so i attach the answer for you.

Seperate WLAN from LAN

Have a nice day!

44
Christian
26.10.2010 02:07

Hi!

Has anyone tried the guide provided by muffin/Tweek (comment #43)?

Seems simple enough but just wanted to confirm it wasn't some kind of exploit that would open my firewall to everyone on the Internet ;)

Thanks

45
dcbanaynal
12.07.2011 11:57

the last line of the iptables entry: iptables -I FORWARD -i br0 -o vlan2 -j DROP;

should be: iptables -I FORWARD -i vlan2 -o br0 -j DROP;

for our goal to work.

46
Seiichiro
12.07.2011 12:04

@dcbanaynal: actually both does work, since with my version we block responses from the br0 to vlan2. But the better approach indeed is to block out traffic from entering the “normal” LAN like your version does. I updated the page accordingly.

47
zippy114
24.09.2011 19:32

fwiw i have implemented muffin/Tweek (comment #43) and appears to work well for what i want - simply to have the one existing wifi guest subnet separate from the wired subnet (no need for a second private wifi network or AP). i can also confirm that devices connected to the guest wifi subnet appear on tomato's device list, and that the ability to schedule the wifi to turn on/off thru tomato's UI still works … if anyone knows of any security issues with this approach, i'd like to know - otherwise it works for me … also would anyone know if tomato's QoS settings still manage the guest wifi devices using these mods? thanks!

48
zippy114
26.09.2011 18:07

re: my comment #47 above (using muffin/Tweek mod) … turning wifi on/off via the tomato UI doesn't work - it turns back on using the SSID that is in the UI (not the SSID in the script) and is all confused … sigh.

49
Jodur
25.10.2011 08:31

Thanks, was just looking for this. New routers have this kind of functionality onboard, but i want to use as long as possible my WRT54GL Tomato firmware router. The limited WAN Bandwith (30MBPS) isn't an issue for me until now.

With this setup the guests are able to acces the Routers webpage from within the new network. In my example (normal router adress 192.168.39.1, 2nd router adress 192.168.139.1). I want to block this page from the 192.168.139.x side. Tomato's normal acces restriction page don't work with ip-adress. Any suggestions how to add this to the firewall rules with iptables?

50
Seiichiro
25.10.2011 14:26

@Jodur:

a rule like this as first iptables rule (above iptables -I INPUT -i vlan2 -j ACCEPT;) should do the trick:

iptables -I INPUT -i vlan2 -d 192.168.139.1 -p tcp --dport 80 -j DROP;

you may need a second rule if you also have https-access enabled (same as above but with 443 for dport). If you have changed the ports for the web interface you will have to adjust the port numbers for dport according to your setup.

(This isn't tested since I don't have the setup running anymore)

[…] Creating a separate guest network […]

52
Sven
28.11.2011 12:29

Hi,

i would like to use this setup to connect my LAN to my Neigbours LAN. Same setup as in the tutorial, but Switchport 4 should not access the internet, but my internal LAN. So i have a 192.168.1.0 LAN on my Side, and a 10.10.10.0 LAN on Port 4, with full access of Port 4 to my internal LAN. My only problem is i have no idea of iptables, so could someone help me out?

Thanks, Sven

53
Sven, again
28.11.2011 14:16

The longer i look at Comment No 3 i think that would be what i want, besides i should insert the state NEW to the third line:

iptables -I INPUT -i vlan2 -j ACCEPT; # forward traffic between DMZ and LAN iptables -I FORWARD -i br0 -o vlan2 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -I FORWARD -i vlan2 -o br0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

Anyone can confirm this?

54
Sven, still me
28.11.2011 16:59

Ok folks, just wanted to let you know it workes.

Created the vlan2 just like stated above, added port 4.

Added IP to vlan2

Firewall, accept all Traffic between the 2 LANs.

iptables -I INPUT -i vlan2 -j ACCEPT;

# forward traffic between LAN 1 and LAN 2

iptables -I FORWARD -i br0 -o vlan2 -m state –state NEW -j ACCEPT

iptables -I FORWARD -i vlan2 -o br0 -m state –state NEW -j ACCEPT

Skipted the DHCP part, as this is my neighbours job. Seems to work fine.

Thanks!

55
Bob
07.12.2011 15:56

Seiichiro/Anyone,

Could you better explain how to set up the wireless access point that connects to port 4?

I set port 4 to 192.168.2.1 on the Tomato router. I set the AP to 192.168.2.2, and turned off DHCP as I assume port 4 is handling this. I then connected from a LAN port on the AP to port 4. If I connect a PC to another LAN port on the AP, everything works. I have internet access but cannot connect to the LAN of the first router. However, if try to connect to the wireless, it takes a few minutes and then says 'Limited or no connectivity' and I have no internet access. At first I set the wireless channels of the two routers to 10 and 11, but seeing the limited connectivity I changed this to channel 1 and 11. I have no idea why it is not working.

Please help, I can't connect wirelessly to my Guest Account.

Thanks.

56
Bob
07.12.2011 16:52

This is Bob, ignore my previous post #55.

Sorry, everything works even wireless. I tried using WEP security for an easier password and I guess I don't know how to use. I switched to WPA2 with a longer password and the wireless works, I can access the internet but not the LAN.

Thanks for the tutorial!

[…] following guide […]

[…] David asks…Max transmit power for Linksys WRT54GL wireless-G router running Tomato firmware?I have Tomato 1.28 firmware installed on my Linksys WRT54GL router. The transmit power is set to its default: 42mW, but I want a better range for signal strength and want to increase it. What is the best mW […]

59
Sven
22.01.2012 19:18

I would turn it up bit by bit, untill you're happy with the signal strength. Just setting it to max could end in reflections, would be like shouting very loud in a small room: It would be very loud, but that doesn't mean you can hear everything just fine.

60 03.02.2012 22:08

Now Tomato does have a GUI for setting up guest wireless networks:

http://code.google.com/p/tomato-sdhc-vlan/wiki/MultiSSIDHOWTOForWRT54GL

Have fun!

[…] Creating a separate Guest Network with Tomato [Seiichiros HP] […]

[…] Creating a separate Guest Network with Tomato [Seiichiros HP] […]

63 06.06.2012 22:33
so to all my machines smb-shares

Just because I allow someone to connect… I'm forced to give them all access to all my machine's shares?

64
Goods57
01.12.2012 17:13

Awesome write up and works like a champ for me.




C J B᠎ R​ Y
blog/creating_a_seperate_guest_network_with_tomato.txt · Last modified: 12.07.2011 12:04 by Seiichiro
CC Attribution-Share Alike 3.0 Unported
Driven by DokuWiki Hosted by Linode Recent changes RSS feed Valid XHTML 1.0