
how to setup guest network separate from internal LAN/server

Discussion in 'Tomato Firmware' started by JustinChase, Nov 28, 2013.

  1. JustinChase

    JustinChase Reformed Router Member

    I'm still pretty new to Tomato, and am trying to read and learn, but I'm stuck with something that feels pretty basic.

    I have an e3000 flashed with Tomato Firmware v1.28.7503 MIPSR2Toastman-RT K26 USB VLAN-VPN-NOCAT

    I'm connected to a DSL modem from TelMex in Mexico. It also serves as a router, including wireless.

    I want to setup the modem to accept connections from guests, and keep them separate from my internal LAN/computers.

    I want to have all my internal computers connect to the e3000 directly, and allow all of them to see one another, and communicate at Gb speeds (modem is only 100Mb) internally, and all have internet access, but remain separate from the traffic/machines connected to the modem.

    I also need my unRAID server to have a static IP (192.168.1.150)

    I have turned on DHCP for the e3000 (I think) and all internal machines have access to the internet, if hard-wired, but have no internet access if connected via WiFi to the e3000. Connecting to the modem wirelessly allows internet access.

    So, I think I have a couple of different issues at the same time here, and I'm not sure how to proceed. I can't find a basic "how to do..." for Tomato firmware, so I'm kinda just poking around right now, trying things, but it feels like I'm as likely to break stuff from here as I am to fix stuff.

    In the end, I want to allow Tomato to control QoS so that my server doesn't use all the bandwidth when we want to use the internet, or watch a movie, but will maximize its bandwidth when no one else is using the internet.

    Code:
    Bridge    STP    IP Address    Netmask    DHCP    IP Range (first/last)    Lease Time (mins)
    br0    Disabled    192.168.1.100    255.255.255.0    Enabled    192.168.1.101 - 164    1440
     
  2. philess

    philess Networkin' Nut Member

    You have a router with a built-in modem from your provider?

    Code:
    Internet---> Modem/Router ---------> Tomato
                       |                    |
                 Guests/WiFi          Private LAN/WiFi

    Should be quite easy to configure.

    Set your "Modem" to use a certain IP range for the LAN/WiFi, for example
    192.168.0.1 and DHCP 192.168.0.2-20 for LAN and WiFi clients.

    Connect your Tomato router with the WAN port to a LAN port of the modem,
    set Tomato to a static IP (Menu: Basic/Network/Type) and use for example
    192.168.0.100 for Tomato itself, as Gateway enter the IP that the Modem has
    (probably .1). Then setup the Tomato LAN/WiFi settings, change your settings
    for the "br0" that you quoted to a different network than what your modem is
    using! For example use 192.168.1.1 (note the 3rd block is different from your
    modem setting!). Or you can use 192.168.x.x for the modem, and use
    10.x.x.x for the Tomato clients to make it even easier to distinguish.
    Anyway, set the "br0" settings for example to: 10.10.10.1 and DHCP
    range as 10.10.10.2-20. You can leave the WiFi settings at default
    (If you have changed a lot there, you need to post the current settings
    or reset the config and start from scratch).
    Obviously use a different SSID (name) for the two WiFi networks.
    Set your unRAID server to use a static IP in the range you have
    chosen for Tomato... example 10.10.10.100
     
    darkknight93 likes this.
  3. JustinChase

    JustinChase Reformed Router Member

    Sorry for the delayed response. TelMex messed up our internet about an hour after writing my original question. I've waited almost a full week for them to get it working again, which they finally just did.

    I had several pages of "how to's" in my Firefox tabs, and have managed to get much of this setup the way I think it's supposed to work, but I don't have internet access thru my router, only if I connect directly to the modem/router.

    If I connect wifi to the e3000 router, I have full internal LAN access (I can read/write from/to the file server), but I can't get to the internet with this wireless connection. I've not tried a wired connection to the e3000 yet.

    I actually set up 3 new VLAN's (just because I could, and wanted to test/learn) and my intention/hope is to use the e3000 to manage all traffic, so I'll try to make use of them from the beginning. Using the modem/router for Guest traffic is fine, and maybe the better idea, but it seems to be a flaky modem, and I keep having to reset it to get it working again, which resets all customization I do to it. So, I'd rather not put it into the mix, and to just turn off the wireless SSID broadcast, and disable it after each reset, than set it up each time.

    I'd rather just get the e3000 setup to manage everything, so it's completely portable.

    I'm not sure if I should turn off DHCP on the modem, but I suspect I should. I'm waiting to try it until I get internet thru the e3000, so I'm not chasing too many issues at one time. Here is the config page for the modem...

    [screenshot]

    Here is the config page for Tomato > Basic > Network

    [screenshot]

    Here is the config page for Advanced > DHCP

    [screenshot]

    Advanced > Firewall

    [screenshot]

    Advanced > Routing

    [screenshot]

    Advanced > VLAN

    [screenshot]

    Advanced > LAN Access

    [screenshot]

    Advanced > Virtual Wireless

    [screenshot]

    Where do I need to make changes to get internet access when connected to casita while also maintaining access to the internal LAN/file server?

    Thanks again for any help!
     
  4. JoeDirte

    JoeDirte Serious Server Member

    You should probably start over on the tomato router. Stick with one VLAN until you get that working. Also, just use private IP addresses on the internal network. You're currently using public IPs on some of your VLANs (20.x.x.x, 30.x.x.x, 40.x.x.x)

    http://en.wikipedia.org/wiki/Private_network

    When you do set up your VLANs, you can just use 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, etc. Those are separate networks since the netmask is /24 (or 255.255.255.0).

    What Philess described should work.
     
    philess likes this.
  5. philess

    philess Networkin' Nut Member

    At a quick glance...

    you are using 10.0.0.138 as interface on the modem and also 10.0.0.1 as br3 on the tomato.
    That cannot work. Read again what I posted. Your ip-networks MUST be different on the two
    routers! Also, why do you have 4 bridges on the tomato? You did not mention any need for those
    in your original post. And do not use DHCP for the Tomato WAN interface, set it to a static IP
    inside the Modem's IP range. Just as I described above.

    I highly suggest you reset the Tomato config and set it up very simple from scratch, only basic
    LAN config and then add WiFi. If that works, add more stuff later. And do not follow "several"
    different tutorials at the same time.

    And I totally agree with what JoeDirte said. DO NOT USE PUBLIC IP RANGES!

    For private networks you can use:
    192.168.xxx.xxx
    10.xxx.xxx.xxx
    172.16.xxx.xxx
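    The advice in philess's and JoeDirte's posts above boils down to a handful of checks: both LANs inside the RFC 1918 blocks listed here, the modem's network and Tomato's network not overlapping, Tomato's static WAN address inside the modem's LAN, and any hand-configured host (the unRAID box) on Tomato's LAN but outside its DHCP pool. The following Python script is an added example, not code from the thread or from Tomato; it runs those checks with the standard library's ipaddress module. The addresses in the demo come from the posts, except the unRAID address in the proposed layout, which is a placeholder.

```python
# Added example (not from the thread): a consistency check for the two-router plan
# described above. Addresses are taken from the posts or are constructed placeholders.
import ipaddress

# The three blocks philess lists as usable for private networks (RFC 1918).
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network (string or ip_network object) lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(str(net), strict=False)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def check_plan(modem_lan, tomato_wan_ip, tomato_lan, tomato_dhcp_range, static_hosts=()):
    """Return a list of problems with a modem -> Tomato double-router plan.

    modem_lan, tomato_lan: an interface address with prefix, e.g. "192.168.0.1/24"
    tomato_wan_ip:         the static address given to Tomato's WAN port
    tomato_dhcp_range:     (first, last) of Tomato's DHCP pool
    static_hosts:          addresses configured by hand on Tomato's LAN (the unRAID box)
    An empty list means the plan is consistent.
    """
    problems = []
    modem_net = ipaddress.ip_network(modem_lan, strict=False)
    tomato_net = ipaddress.ip_network(tomato_lan, strict=False)
    wan_ip = ipaddress.ip_address(tomato_wan_ip)
    first, last = (ipaddress.ip_address(a) for a in tomato_dhcp_range)

    # JoeDirte / philess: never use public ranges on the inside.
    for label, net in (("modem LAN", modem_net), ("Tomato LAN", tomato_net)):
        if not is_rfc1918(net):
            problems.append(f"{label} {net} is not inside one of the RFC 1918 private blocks")

    # philess: the two routers must carry different networks, or routing is ambiguous.
    if modem_net.overlaps(tomato_net):
        problems.append(f"modem LAN {modem_net} and Tomato LAN {tomato_net} overlap")

    # philess: Tomato's static WAN address must live inside the modem's LAN.
    if wan_ip not in modem_net:
        problems.append(f"Tomato WAN address {wan_ip} is not inside modem LAN {modem_net}")

    # The DHCP pool must be a sane range inside Tomato's own LAN.
    if first > last:
        problems.append(f"DHCP range {first}-{last} is reversed")
    if first not in tomato_net or last not in tomato_net:
        problems.append(f"DHCP range {first}-{last} is not inside Tomato LAN {tomato_net}")

    # Static hosts must sit on Tomato's LAN and must not collide with the pool.
    for host in static_hosts:
        h = ipaddress.ip_address(host)
        if h not in tomato_net:
            problems.append(f"static host {h} is outside Tomato LAN {tomato_net}")
        elif first <= h <= last:
            problems.append(f"static host {h} lies inside the DHCP pool {first}-{last}")
    return problems


if __name__ == "__main__":
    # Constructed from the original post: Tomato's br0 on the same /24 as the modem
    # (modem at .254, as stated later in the thread) and unRAID at .150.
    for p in check_plan("192.168.1.254/24", "192.168.1.100", "192.168.1.100/24",
                        ("192.168.1.101", "192.168.1.164"), static_hosts=("192.168.1.150",)):
        print("original layout:", p)
    # The layout proposed in the thread (modem on 192.168.10.0/24, Tomato WAN .2,
    # internal 10.0.0.0/24); the unRAID address .150 is a placeholder.
    print("proposed layout:", check_plan("192.168.10.1/24", "192.168.10.2", "10.0.0.1/24",
                                         ("10.0.0.2", "10.0.0.54"), static_hosts=("10.0.0.150",)))
```

Run against the numbers in the original post, the script reports two things: the overlap philess points out, and that the static unRAID address 192.168.1.150 sits inside the 192.168.1.101-164 DHCP pool, so the DHCP server could hand the same address to a wireless client. The proposed layout passes cleanly.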
     
  6. JustinChase

    JustinChase Reformed Router Member

    I have done a thorough reset of the e3000, then started over. The modem and gateway are both located at 192.168.1.254 so I set Basic > Network to

    [screenshot]

    I have also set the LAN to a better private network, as you both suggested, as shown above. I set the unRAID server to 10.10.10.10, and that seems to work fine. I gave a name and security to the wireless 2.4GHz network, and connected to that network. I was able to see/control the Tomato interface and unRAID, but could not access the modem interface, probably because I had an IP of 10.10.10.15. I could not get the router to assign me to that network, so I set it statically in windows. I was also able to access the internet. When I changed the IP from static to auto-assign, I got assigned an address of 10.10.10.11, but could not access the internet.

    I tried connecting directly to the modem's wireless network, but could not get it to force me into a new IP, so I had to assign one statically in windows again. I could then access the internet and the modem interface, but not the internal network or Tomato interface (unsurprisingly).

    So, it seems like I'm close, but not quite there yet. I want to get this working, so I can back up the settings, then I can try to add a VLAN to bring the guest access under control of Tomato, so I don't have to rely on the modem for anything, and hopefully better control everything from one place.

    Where am I going wrong here?
     
  7. philess

    philess Networkin' Nut Member

    Try your auto-assign from Tomato (DHCP), when you say you get a 10.10.10.11. Try to ping an outside IP address (example 8.8.8.8 and 8.8.4.4 which are Google's DNS servers). If that ping works but you cannot open any websites you have a problem with the DNS that is given by DHCP to your computer. Do an "ipconfig /all" on the windows command line prompt then, look what DNS servers you are given by DHCP.

    Also when you speak of that windows client, are you connected over LAN or WiFi to the Tomato?
     
  8. JustinChase

    JustinChase Reformed Router Member

    I reset both the modem and the tomato router last night, just so that I could get internal and external access, which I have again.

    Do the settings I show above even look right?

    It seems to me (I know little about subnets and networking in general) that I cannot access 192.168.1.xxx while in a subnet of 10.10.10.x. Should that actually work?
     
  9. JustinChase

    JustinChase Reformed Router Member

    Tomato is currently at its default settings, and can be found at 192.168.1.1, other than I added a password to the 2.4GHz wireless band.

    Modem is currently at its default settings, and can be found at 192.168.1.254, and is the only current DHCP server in the network, assigning from 192.168.1.64-253

    I'm really confused as to what I need to change, where. It seems to me like I did exactly as suggested above, without success. So, did I do it wrong, or do the instructions need to be changed?
     
  10. JustinChase

    JustinChase Reformed Router Member

    Okay, I'm going to walk thru this and document as I go. Hopefully I will end up successful, and the documentation helps someone else some day.

    As I said, I reset both modem and e3000 last night, setup a password for "wireless" on the e3000 2.4GHz band. I am currently able to log in to Tomato, and to the modem, and have internet access.

    I have changed Basic > Network to a static IP, like so...

    [screenshot]

    I still have internet, and access to both firmware, but get nothing when I put 192.168.1.100 into the browser, nor does anything show in either firmware setup as having anything connected to 192.168.1.100, but I can ping it from my wireless IP on my laptop, in windows 7x64, like so...

    [screenshot]
    [screenshot]

    It does show an IPv6 address, but I'm not sure if that's a problem. It looks like tomato can use IPv6 also, but I have not turned it on, I don't think.

    Next, I changed the DHCP on Tomato to 192.168.10.1, with DHCP from 2-54...

    [screenshot]

    Now, I don't have access to Tomato firmware, because I'm still connected with IP 192.168.1.72, which is not in the subnet above. I will have to assign a static IP to my wireless in windows to force myself into the range on the Tomato. Historically, after assigning a static IP, things get and stay wonky, so I'm reluctant to do it, but I don't know any other way to re-access Tomato. I will post this now, before I lose internet access, then continue later with an update on my progress.
     


  11. JustinChase

    JustinChase Reformed Router Member

    Okay, that wasn't much fun. As a test, I went thru the modem automated setup, which is the only way to change the password (and it doesn't work), and it also didn't offer me any settings for the LAN (was thinking it would let me turn off DHCP). Once it finished, and rebooted the router, it looks like it did shut off the DHCP server...

    [screenshot]

    I disabled and re-enabled the wireless in windows and Tomato gave me an IP in its subnet, so I could connect to Tomato, but not to anything else, including the internet. I noticed that it's using the Gateway of 192.168.10.1, even though the tomato firmware is set to use 192.168.1.254. Not sure if this is a bug, or how to change that.

    [screenshot]
    [screenshot]

    I was unable to ping 8.8.8.8

    [screenshot]

    I was unable to ping 192.168.1.254

    [screenshot]

    I looked at the Tomato current routing table, and noticed that the modem is shown as being in 255.255.255.255, and I'm not sure where that's coming from, or if it is a source of my problems.

    [screenshot]

    I ended up having to assign a static IP to the laptop in windows to get it to connect to the modem again. Then I was able to reset the modem. It does, in fact, default to using DHCP...

    [screenshot]

    So, I'm back to having internet, and access to the modem, but only with a Static IP assigned in windows, and no access to my internal network or Tomato.

    I actually prefer to put the guest network on Tomato, and not use the modem at all, so that the solution is completely portable. However, until I can get internet access with an IP in the Tomato range, I'm stuck. :(
     


  12. JustinChase

    JustinChase Reformed Router Member

    Any ideas? I'd sure like to have my internal LAN separate from the guest network.
     
  13. darkknight93

    darkknight93 Networkin' Nut Member

    can you just edit this Picture and enter current IP Ranges/DHCP Servers?


    [diagram]


    Edit: This is the configuration I would use:

    [diagram]

    Issues: Devices from guest LAN 192.168.10.0/24 cannot access the 10.0.0.0/24 because no route is present / your DSL modem does not know that this network exists NAT-ed behind your Linksys

    For port forwarding to your internal LAN, e.g. for a webserver on 10.0.0.5, you will need to port-forward on the DSL modem to the Linksys E3000's WAN IP (e.g. 192.168.10.2) and afterwards create a second port-forwarding rule on the Linksys router pointing to 10.0.0.5.
     
    Last edited: Dec 4, 2013
  14. JustinChase

    JustinChase Reformed Router Member

    Okay, your suggested IP ranges are different still, so I've reset both the modem and the e3000 once again.

    I'm not entirely certain how/where you want me to enter or retrieve the numbers you request above, inside the Tomato firmware, so I'm going to post screenshots of EVERYTHING I'm changing, so if you don't see a screenshot, it's at the default setting.

    First is the wireless, I added a password to the 2.4GHz network, and changed the name

    [screenshot]

    Then I made these changes to Basic > Network

    [screenshot]

    per this part of your diagram...

    [screenshot]

    I will lose internet as soon as I save these changes, so I'm going to wait until someone confirms this is what needs changed in Tomato, and that it is all that needs changed.

    The problem for me is that as soon as I make any change like this, I cannot access the modem AND the router AND the internet any longer. I have to manually force a static IP to get myself into the right IP range to have access to the thing I need to change, or read from.

    I've looked around quite a bit, and cannot just find any 'step-by-step' to setting this all up, considering the fact that you lose access as you go, it seems the order in which the steps are performed is at least as important as the steps themselves.

    Perhaps someone can show me some screenshots of their settings, as I suspect I'm overlooking something simple in all this.
     
  15. JoeDirte

    JoeDirte Serious Server Member

    That looks good, but you may want to add some DNS servers - at least one - or your 10.0.0.x clients won't resolve names. You can use 8.8.8.8 (Google's public DNS) or if the DSL router is set up correctly, you can use its IP of 192.168.10.1. Entering both addresses would be fine. Another option is to use the DNS servers your ISP provides.

    Anyway, give it a try.
     
  16. JustinChase

    JustinChase Reformed Router Member

    Okay, feels like progress. Since philess made this comment below, I figured it'd be better to use a different IP range for my internal LAN.

    So I went with this...

    [screenshot]

    This allows me to connect to the internet and both routers, but does not allow me to connect to unRAID, which is set for the static IP of 192.168.1.150. That box is actually connected to the e3000 with 2 ethernet cables, but is currently unreachable when connected to either wireless connection. From either IP 192.168.10.84 with Gateway of 192.168.10.1 (connected via wifi to e3000), nor from 192.168.1.72 with 192.168.1.254 as the gateway (connected via wifi to modem). I'll move the cables to the modem, get into the config, and change the IP to something inside the e3000 LAN.

    Do I need to setup any firewall or VLAN at this time to prevent the modem connections from seeing the internal (e3000) LAN?
     
  17. darkknight93

    darkknight93 Networkin' Nut Member

    What philess wanted to say:
    a) your first idea using a 10.x.x.x network is ok; 20.x.x.x or 30.x.x.x or furthermore 40.x.x.x is not allowed for private networking because this IP range is declared as public address space. In class A scope you can use 10.0.0.0 - 10.255.255.255 for private networking. 11.0.0.0 is reserved for public addresses

    b) Using 192.168.1.0/24 on BOTH the DSL modem scope (LAN+WLAN) AND simultaneously using 192.168.1.0/24 on the E3000 is NOT an option, due to IP and routing conflicts. Imagine sending a packet with destination 192.168.1.5, e.g. from a computer connected to the E3000. Your router will process this packet and "keep" it in your LAN. Furthermore, packets with an unrecognized destination, e.g. Internet traffic, will bypass your gateway address, so-called 192.168.1.1 for the E3000. Whoops. The DSL modem also listens on 192.168.1.1 as gateway.
    This scenario is just a big source for headaches.

    So this is your current configuration right?

    [diagram]
     
  18. darkknight93

    darkknight93 Networkin' Nut Member

    So Internet Access is working on both guest and internal lan?

    unRAID is now connected to the E3000 - which is responsible for IP range 192.168.10.0/24 - so 192.168.10.150 with gateway address 192.168.10.1 is what you need.
    Please be careful - only use 1 Ethernet cable for testing. It might be that unRAID supports software link aggregation, because you cannot have 2 devices having the same IP with different MAC addresses due to different NICs.
    Just test with a single link on the E3000.

    So from the E3000 LAN, is the unRAID reachable via ping with 192.168.10.150? Via E3000 WLAN too?

    For accessing the unRAID 192.168.10.150 from 192.168.1.0/24 - so your DSL modem scope - you will need to port-forward the corresponding port, e.g. http (TCP port 80), on the E3000. Did you set up port forwarding before?

    But mind: as soon as you connect the unRAID to your DSL modem you need to change the IP and default gateway to match the new network.
    So IP 192.168.1.150 and gateway 192.168.1.1 is needed

    In your setup, using a) the WAN port with active NAT on the E3000 and b) having a different IP scope on your E3000's LAN, there is no possibility for users on the guest LAN to capture traffic or reach any devices on the E3000's LAN (because its firewall blocks access from WAN)

    But please mind: Internet traffic caused by devices on the E3000's LAN will be visible to users on the DSL scope, because this is your so-called next hop router seen from the E3000. So Internet traffic will travel through your guest LAN and back.
    But capturing this traffic is not possible for non-heavy and professional network admins/users.
     
  19. JustinChase

    JustinChase Reformed Router Member

    Yes, that's my setup, and it's working fine, other than an occasional hiccup*. I have modified it since getting it working, to test some other things I had previously tried, and they are also working, so I'm not sure where I went wrong originally, but I think I'm good at this point, as to the original request.

    As I mentioned, I'd like to bring the Guest network under control of the e3000 also, and in my reading, I discovered how to have multiple Wifi networks going to other bridges. I created all 4 bridges again, with br0 determined to be the Guest network.

    [screenshot]

    I have pointed both the 'regular' wireless connections to br0, which I will use for the guest network. I have Port 1 assigned to this network also, to allow a guest to plug in a machine directly, if ever necessary.

    I have pointed the virtual 2.4GHz wireless to br1, which I will use as the internal/protected LAN. I have included ports 2 & 3 to this bridge, so that the unRAID can connect here.

    I pointed the virtual 5GHz wireless to br2, mainly just to test that it works. Currently, I don't have a phone/device that operates at 5GHz, so this is untested. There is no important reason for doing this, other than to test some combinations of stuff, and to help understand how the software works and ties together. I know it adds to confusion when troubleshooting, but after all I've done and read, I feel like I understand it much more, and have backups from before all these additions.

    Finally, I setup br3 with port 4 and no wireless, for when I need/want to connect an unknown machine to the internet, but nothing else. I have not tested this yet either.

    [screenshot]

    *Occasionally, when trying to go to a site on the internet, I get prompted by the modem settings login page. Usually switching from one wireless to the other, then back resolves this issue. It's only happened a couple of times, so I'm not terribly concerned about it at this point.

    Next step is to get the QoS rules up and running to try to control the limited bandwidth I have from being unavailable to surf or download on demand.

    Thanks everyone for all their help, and if anyone sees any flaws, or has other suggestions for improvement, I'm all ears!!
     
  20. darkknight93

    darkknight93 Networkin' Nut Member

    for blocking br1 devices accessing br0 Clients you can use Firewall script (Administration -> Scripts -> Firewall scripts):

    Code:
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
    
    This blocks devices from -i interface br1 -o OUT to br0 with state NEW. Means: connections initiated by devices from br0 -> br1 devices will be accepted as soon as the br1 device responds.
    But new requests to br0 devices without any "hello" by any br0 device will be dropped

    EDIT: and just if you have 2 routers available, e.g., here is my setup for fully separated networks, because as I mentioned before, Internet traffic can be captured by some clients when packets pass through more hops/routers
    http://www.linksysinfo.org/index.php?threads/wan-port-switch-2-routers-2-dhcp-wan-ips.68079/
    in your case the ISP is your DSL modem ;)
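    The two rules above drop packets that would start a new connection from br1 or br2 towards br0, while packets belonging to a flow that is already tracked pass through. The following Python model is an added example, not code from the thread or from Tomato: it parses the two lines exactly as posted, keeps a minimal connection-tracking table, and replays three constructed packets through a first-match FORWARD chain. The chain policy ACCEPT (inter-bridge forwarding otherwise allowed), the interface names br0/br1 and the addresses are assumptions for the demo.

```python
# Added example (not from the thread): a small model of how the posted FORWARD rules
# behave together with connection tracking. It is a simplified stand-in for the
# kernel, sufficient for the "-m state --state NEW" semantics discussed above.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str   # -i: bridge the packet arrived on
    out_if: str  # -o: bridge the routing decision sends it to
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    in_if: str
    out_if: str
    state: Optional[str]  # "NEW" for "-m state --state NEW", None for no state match
    target: str           # "DROP" or "ACCEPT"


def parse_rule(line):
    """Parse the subset of iptables syntax used in the thread:
    iptables -I FORWARD -i X -o Y [-m state --state NEW] -j TARGET
    """
    toks = line.split()
    opts = {}
    for i, tok in enumerate(toks):
        if tok in ("-i", "-o", "-j", "--state"):
            opts[tok] = toks[i + 1]
    return Rule(opts["-i"], opts["-o"], opts.get("--state"), opts["-j"])


class ForwardChain:
    """FORWARD chain: the first matching rule wins, otherwise the chain policy applies.
    A flow is NEW until one of its packets has been accepted; after that, packets in
    either direction of that flow are ESTABLISHED.
    """

    def __init__(self, policy="ACCEPT"):
        self.rules = []
        self.policy = policy
        self.conntrack = set()

    def insert(self, rule):
        # "iptables -I" puts the new rule at the head of the chain.
        self.rules.insert(0, rule)

    def _state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def forward(self, p):
        state = self._state(p)
        verdict = self.policy
        for r in self.rules:
            if r.in_if == p.in_if and r.out_if == p.out_if and r.state in (None, state):
                verdict = r.target
                break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return verdict


# The two rules exactly as posted.
POSTED_RULES = """iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP"""


def demo():
    """Run three constructed packets through the posted rules; returns {case: verdict}."""
    chain = ForwardChain(policy="ACCEPT")  # assumption: forwarding otherwise allowed
    for line in POSTED_RULES.splitlines():
        chain.insert(parse_rule(line))
    results = {}
    # 1. A br1 host opens a connection to a br0 host: NEW, matches the rule, dropped.
    results["br1->br0 new"] = chain.forward(Packet("br1", "br0", "10.0.0.5", "192.168.10.20", 40000, 80))
    # 2. A br0 host opens a connection to a br1 host: no rule for that direction, policy applies.
    results["br0->br1 new"] = chain.forward(Packet("br0", "br1", "192.168.10.20", "10.0.0.5", 50000, 445))
    # 3. The br1 host answers: the reverse flow is tracked, so the packet is ESTABLISHED
    #    and the "--state NEW" rule does not match it.
    results["br1->br0 reply"] = chain.forward(Packet("br1", "br0", "10.0.0.5", "192.168.10.20", 445, 50000))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

The model makes the direction of each rule visible: what is blocked is exactly the traffic named by -i and -o, and only while no accepted packet of that flow exists yet. A rule for the opposite direction is the same line with the two interfaces swapped, and the model treats it the same way.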
     
  21. JustinChase

    JustinChase Reformed Router Member

    I think I understand what you're suggesting, but I'm not sure I understand the reasoning for wanting to do it.

    It appears that you're just blocking the guest network from being seen by either of the 2 internal networks. If I'm not mistaken none of the bridges/LANs on the e3000 can see one another, unless I specifically allow it. So, I'm a bit unsure why you're manually restricting access. Can you please explain?

    EDIT: I read that thread, and I'm not sure how that works. Wouldn't both routers still have to go thru the modem/router?

    also, I only have one router available to me.
     
    Last edited: Dec 5, 2013
  22. JustinChase

    JustinChase Reformed Router Member

    I setup LAN access rules, like so

    [screenshot]

    which I think allows anyone in br1 or br2 to see each other and the guest network, but the guest network is not being allowed to see either of them. I'm not sure yet how to test this. It's not terribly important yet, but I'm considering opening an internet cafe in Mexico, so I'm trying to learn all I can in preparation.
     
  23. darkknight93

    darkknight93 Networkin' Nut Member

    Try to ping an internal device from the guest WLAN - if this is not successful everything is fine!
    I never used the "LAN Access" webpage to do so. Instead I used firewall rules with iptables because I was familiar with that
     
  24. JustinChase

    JustinChase Reformed Router Member

    from my machine at 192.168.20.134, I can ping the unRAID box at 192.168.20.150, but I cannot ping another laptop at 192.168.20.113

    seems like I should be able to ping that machine, since we're on the same LAN
     
  25. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Likely the laptop's firewall rules are preventing it. Disable it/add subnet to trusted then test again.
     
  26. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    Hi guys..
    I was able to setup the guest network and it's been working great! - Now, can I block certain users from being able to connect to the guest account.. even if they know the password?

    I set this up for my brother, so he wanted the main network hidden and wants the guest one for just that..guests... but he does not want his kids accessing the guest network, even if they find out the password... i know I can restrict access to users, but I need to know if i can restrict access to the guest account altogether...thanks.
     
  27. Bird333

    Bird333 Network Guru Member

    I guess you could setup iptables rules based on the mac addresses of the kids' devices that would drop them from the guest network.
     
  28. Magdiel1975

    Magdiel1975 Networkin' Nut Member

    exactly.. now, what is that script? lol
     
