[SOLVED] Configure a guest network using 2 tomato routers


vmixus

Networkin' Nut
Member
Hi,
I've documented the necessary steps to configure a guest network using two Tomato routers and achieve the desired objectives (listed below).

Also, please point out any foreseeable issues, recommendations, best practices and optimizations which could be addressed based on this setup so that this thread can serve as a complete guide/reference for others in the future.

Current Setup:
The devices are connected to each other as illustrated below:
Hardware Diagram:
modem --> [wan] primary router [lan 4] --> [wan] guest router

Router Config:
Primary Router
Device: WRT300N v1
Chipset: Broadcom BCM4704 chip rev 9 pkg 0
Firmware: Tomato Firmware v1.28.0023 Teaman-SDHC-VLAN-SNMP-PPTPD ND VPN
WAN: Connected to modem for DHCP IP from ISP
LAN 4: Connected to WAN on Guest router

Guest Router
Device: WRT54GS v4
Firmware: tomato-K26-1.28.RT-MIPSR1-115-Mini
WAN: Connected to LAN 4 on Primary router
Desired behavior:
Primary objective:
  • Restrict access from clients on Guest network to all devices on the Primary network + both routers (including config gui, ssh, telnet)
  • Limit available bandwidth to clients on Guest router
 
Begin Here

After flashing the routers with the appropriate firmware, these are the steps I followed:
  • Login to the web GUI for the primary router
  • From the menu [Basic -> Network] configure a new bridge for the guest network.
    Under LAN select "br1" from the drop down menu and then define a new IP, Netmask and DHCP range.
    Note: Use something different from "br0"; for example, if br0 is 192.168.1.x, br1 can be 192.168.20.x.
  • From the menu [Administration -> Admin Access -> SSH Daemon] check the box for "Enable at Startup" then login via ssh to complete the remaining steps.
 
Optional Step

Note: Depending on your specific router this step may not be necessary for your setup.

The VLAN option on my Primary router's (WRT300N v1) GUI (Advanced -> VLAN) states:
"This feature is not supported on this router."

The DDWRT VLAN Support page lists the WRT300n v1 as ?
According to the DDWRT wiki the problem is related to the BCM4704 chipset and can be overcome:
I can confirm VLAN support for the WRT300n v1 is working :) using the below commands via ssh:
Code:
# nvram get boardflags
0x0010
# nvram set boardflags="0x0110"
# nvram commit
# reboot
 
VLAN Setup

Even though the VLAN GUI is enabled after completing the previous step, it still isn't usable for me since I'm assuming the scripts aren't mapping to the proper ports, so I'll define the VLANs manually via ssh as well.

The WRT300N v1 port numbers are mapped like so:
Physical LAN: 1 2 3 4
Logical LAN:  0 1 2 3

Next, configure the physical ports labelled LAN 1-3 with vlan1 and LAN 4 with vlan2 on the WRT300N v1.
Code:
# nvram set vlan1hwname="et0"
# nvram set vlan1ports="0 1 2 5*"
# nvram set vlan2hwname="et0"
# nvram set vlan2ports="3 5"

With br1 set up through the GUI earlier and the VLANs defined with the appropriate ports, we need to configure the LAN bridges.

First, check your existing LAN bridge:
Code:
# nvram get lan_ifnames
eth0 eth2

Then replace eth0 with vlan1 and define another LAN for vlan2.
Code:
# nvram set lan_ifnames="vlan1 eth2"
# nvram set lan1_ifnames="vlan2"
# nvram commit
# reboot
Note: After rebooting, a shutdown / power cycle may sometimes be necessary.

If you'd like an explanation for these commands please refer to the links posted above.
 
Cleaning Up & Restricting Access

After connecting a PC directly to LAN 4 on the primary router (WRT300N), it was issued an IP address in a different range than when connected to LAN 1-3, as expected.

Next, I connected the guest router's WAN port to LAN 4 of the primary router.
Using a client connected to the guest router I was unable to ping any clients connected to the primary network but could successfully reach the internet.

However, the primary router's config was still accessible via the browser as well as ssh from the guest network. The following firewall rule will prevent access to the primary router and permit only web traffic for clients on the guest network.

Using the primary router's GUI navigate to [Administration -> Scripts] and on the Firewall tab paste the following to only allow access to the primary router for dhcp / dns and drop everything else:
Code:
# Restrict router access from VLAN
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
 
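Added example (not from this thread): a small Python check that reads the output of `iptables -S INPUT` on the primary router and confirms the two rules above landed in the right order. Because the firewall script uses `iptables -I`, the DHCP/DNS ACCEPT must sit ahead of the DROP; the two chain listings below are constructed samples, one showing the correct result and one showing what you get if the rules are appended with -A instead, which silently breaks DHCP and DNS for guests.

```python
import re
GUEST_IF = "br1"  # the guest bridge from the guide
# Constructed sample: INPUT chain after the guide's two `iptables -I` lines
# (-I prepends, so the ACCEPT inserted second ends up first).
CORRECT = """\
-P INPUT DROP
-A INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i br1 -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
"""
# Constructed sample: same rules appended with -A in script order, so the
# DROP shadows the ACCEPT and guest clients lose DHCP and DNS.
SHADOWED = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i br1 -m state --state NEW -j DROP
-A INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
"""

def parse_rules(listing):  # -> [(in_interface, target, text)] in chain order
    rules = []
    for line in listing.splitlines():
        if not line.startswith("-A INPUT"):
            continue  # skip the policy line and anything from other chains
        iface = re.search(r"-i (\S+)", line)
        target = re.search(r"-j (\S+)", line)
        rules.append((iface and iface.group(1), target and target.group(1), line))
    return rules

def check_guest_isolation(listing, guest_if=GUEST_IF):
    # Returns a list of findings; an empty list means the chain matches the guide.
    findings, drop_idx, accept_idx = [], None, None
    for i, (iface, target, text) in enumerate(parse_rules(listing)):
        if iface != guest_if:
            continue
        if target == "DROP" and "--state NEW" in text and drop_idx is None:
            drop_idx = i
        elif target == "ACCEPT" and "-p udp" in text and "--dports 53,67" in text:
            accept_idx = i
        elif target == "ACCEPT" and drop_idx is None:
            findings.append(f"extra ACCEPT for {guest_if} ahead of the DROP: {text}")
    if drop_idx is None:
        findings.append(f"no DROP of NEW connections from {guest_if}")
    if accept_idx is None:
        findings.append(f"no ACCEPT for DHCP/DNS (udp 53,67) from {guest_if}")
    elif drop_idx is not None and accept_idx > drop_idx:
        findings.append("DHCP/DNS ACCEPT sits after the DROP and is never reached")
    return findings
```

On the router itself you would feed it the real listing, e.g. `check_guest_isolation(subprocess.check_output(["iptables", "-S", "INPUT"], text=True))`.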
Bandwidth Limiter

After successfully isolating the two networks I set up the BW Limiter on the guest router which is included with the latest build from Shibby [Build5x-115-EN Dated:11/21/2013]
-- Thanks Shibby, for staying active and all your efforts!

To limit available bandwidth for guest traffic:
  • On the guest router GUI, go to Bandwidth Limiter
  • Under IP | IP Range | MAC Address, define the same range as your DHCP range
    i.e. 192.168.5.1-50
  • Then fill in bandwidth limits appropriately
Some other useful features which come included to monitor guest traffic:
  • [Status -> Web Usage] "Web Monitoring"
  • IP Traffic
 
Following up after a month of using this setup:
  • Experienced poor wireless performance on the primary router (although this could be contributed to the other wireless networks present at this site). Was able to significantly improve wireless performance by switching to a dedicated wireless AP and disabling radio on the primary.
  • Disabled all access to guest router for clients
  • Configured 'one way access' from primary to guest (but not the other way around) so the guest router could more easily be administered from the primary network
To setup one way access to the guest network:
On the primary router:
    • From [Advanced -> Routing] setup a static route with the guest subnet as destination and the guest router as gateway
    • Remove the appropriate rule from the iptables FORWARD chain, which was there by default in my case.
On the guest router:
    • From [Advanced -> Routing -> Miscellaneous] use drop-down menu to change "Gateway" to "Router"
    • Setup a rule on the guest router's iptables INPUT chain to ACCEPT traffic from primary
 
hi vmixus.. thank you very much for taking the time to mention your steps. I have two enquiries for you..

A. I don't use your router but nevertheless, here they are:

1. Do you have gigabit ports between some NIC's in which you would expect say 900+ mb/s throughput normally?

2. If yes, could you run iperf on them to see, (on same vlan and on different vlans, if you still get more or less same speed or not)?

My speed is crippled on vlans, although since it is 125 mb/s, and I use old disks, I didn't notice to start with, which perhaps you also haven't.
 
Sorry, the routers I mentioned in my setup are not gigabit and I don't have anything to test with, but I can update later if I do.
 