1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

[SOLVED] Configure a guest network using 2 tomato routers

Discussion in 'Tomato Firmware' started by vmixus, Nov 22, 2013.

  1. vmixus

    vmixus Serious Server Member

    Hi,
    I've documented the necessary steps in order to configure a guest network using two tomato routers and achieve the desired objectives (listed below)

    Also, please point out any foreseeable issues, recommendations, best practices and optimizations which could be addressed based on this setup so that this thread can serve as a complete guide/reference for others in the future.

    Current Setup:
    The devices are connected to each other as illustrated below:
    Hardware Diagram:
    modem --> [wan] primary router [lan 4] --> [wan] guest router​

    Router Config:
    Primary Router
    Device: WRT300N v1
    Chipset: Broadcom BCM4704 chip rev 9 pkg 0
    Firmware: Tomato Firmware v1.28.0023 Teaman-SDHC-VLAN-SNMP-PPTPD ND VPN
    WAN: Connected to modem for DHCP IP from ISP
    LAN 4: Connected to WAN on Guest router

    Guest Router
    Device: WRT54GS v4
    Firmware: tomato-K26-1.28.RT-MIPSR1-115-Mini
    WAN: Connected to LAN 4 on Primary router
    Desired behavior:
    Primary objective:
    • Restrict access from clients on Guest network to all devices on the Primary network + both routers (including config gui, ssh, telnet)
    • Limit available bandwidth to clients on Guest router
     
    Last edited: Dec 23, 2013
  2. vmixus

    vmixus Serious Server Member

  3. vmixus

    vmixus Serious Server Member

    Begin Here

    After flashing the routers with the appropriate firmware's these are the steps I followed:
    • Login to the web GUI for the primary router
    • From the menu [Basic -> Network] configure a new bridge for the guest network.
      Under LAN select "br1" from the drop down menu and then define a new IP, Netmask and DHCP range.
      Note:Use something different than "br0", for example if br0 is 192.168.1.x br1 can be 192.168.20.x
    • From the menu [Administration -> Admin Access -> SSH Daemon] check the box for "Enable at Startup" then login via ssh to complete the remaining steps.
     
    Last edited: Dec 14, 2013
  4. vmixus

    vmixus Serious Server Member

    Optional Step

    Note
    :
    Depending on your specific router this step may not be necessary for your setup.

    VLAN option on my Primary router's (WRT300N v1) GUI (Advanced -> VLAN) states:
    "This feature is not supported on this router."

    The DDWRT VLAN Support page lists the WRT300n v1 as ?
    According to the DDWRT wiki the problem is related to the BCM4704 chipset and can be overcome:
    I can confirm VLAN support for the WRT300n v1 is working :) using the below commands via ssh:
    Code:
    # nvram get boardflags
    0x0010
    # nvram set boardflags="0×0110"
    # nvram commit
    # reboot
    
     
    Last edited: Dec 14, 2013
  5. vmixus

    vmixus Serious Server Member

    VLAN Setup

    Even though the VLAN GUI is enabled after completing the previous step, it still isn't usable for me since I'm assuming the scripts aren't mapping to the proper ports, so I'll define the VLAN's manually via ssh as well.

    The WRT300N v1 ports numbers are mapped like so:
    Physical LAN 1 2 3 4
    Logical LAN 0 1 2 3

    Next, configure the physical ports labelled LAN 1-3 with vlan1 and LAN 4 with vlan2 on the WRT300N v1.
    Code:
    # nvram set vlan1hwname="et0"
    # nvram set vlan1ports="0 1 2 5*"
    # nvram set vlan2hwname="et0"
    # nvram set vlan2ports="3 5"
    
    With br1 setup through the GUI earlier and the VLAN's defined with the appropriate ports, we need to configure the LAN bridges.

    First, check your existing LAN bridge:
    Code:
    # nvram get lan_ifnames
    eth0 eth2
    
    Then replace eth0 for vlan1 and define another lan for vlan2.
    Code:
    # nvram set lan_ifnames="vlan1 eth2"
    # nvram set lan1_ifnames="vlan2"
    # nvram commit
    # reboot
    
    Note:
    After rebooting (sometimes a shutdown / power cycle) may be necessary.

    If you'd like an explanation for these commands please refer to the links posted above.
     
    Last edited: Dec 14, 2013
  6. vmixus

    vmixus Serious Server Member

    Cleaning Up & Restricting Access

    After connecting a pc directly to LAN 4 on the primary router (WRT300N), it was issued a IP address in a different range than when connected to LAN 1-3, as expected.

    Next, I connected the guest routers WAN port into LAN 4 of the primary router.
    Using a client connected to the guest router I was unable to ping any clients connected to the primary network but could successfully reach the internet.

    However, the primary routers config was still accessible via the browser as well as ssh from the guest network. The following firewall rule will prevent access to the primary router and permit only web traffic for clients on the guest network.

    Using the primary router's GUI navigate to [Administration -> Scripts] and on the Firewall tab paste the following to only allow access to the primary router for dhcp / dns and drop everything else:
    Code:
    # Restrict router access from VLAN
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
     
    Last edited: Jan 2, 2014
  7. vmixus

    vmixus Serious Server Member

    Bandwidth Limiter

    After successfully isolating the two networks I setup the BW Limiter on the guest router which is included with the latest build from Shibby [Build5x-115-EN Dated:11/21/2013]
    -- Thanks Shibby, for staying active and all your efforts!

    To limit available bandwidth for guest traffic:
    • On the guest router GUI, go to Bandwidth Limiter
    • Under IP | IP Range | MAC Address, define the same range as your DHCP range
      i.e. 192.168.5.1-50
    • Then fill in bandwidth limits appropriately
    Some other useful features which come included to monitor guest traffic:
    • [Status -> Web Usage] "Web Monitoring"
    • IP Traffic
     
    Last edited: Dec 23, 2013
  8. vmixus

    vmixus Serious Server Member

    Following up after a month of using this setup:
    • Experienced poor wireless performance on the primary router (although this could be contributed to the other wireless networks present at this site). Was able to significantly improve wireless performance by switching to a dedicated wireless AP and disabling radio on the primary.
    • Disabled all access to guest router for clients
    • Configured 'one way access' from primary to guest (but not the other way around) so the guest router could more easily be administered from the primary network
    To setup one way access to the guest network:
    On the primary router:​
      • From [Advanced -> Routing] setup a static route with the guest subnet as destination and the guest router as gateway
      • Remove the appropriate rule from the iptables FORWARD chain, which was there by default in my case.
    On the guest router:​
      • From [Advanced -> Routing -> Miscellaneous] use drop-down menu to change "Gateway" to "Router"
      • Setup a rule on the guest routers iptables INPUT chain to ACCEPT traffic from primary
     
    Last edited: Jan 1, 2014
  9. lollekatt

    lollekatt Reformed Router Member

    hi vmixus.. thank you very much for taking the time to mentino your steps. I have two enquiries for you..

    A. I don't use your router but nevertheless, here they are:

    1. Do you have gigabit ports between some NIC's in which you would expect say 900+ mb/s throughput normally?

    2. If yes, could you run iperf on them to see, (on same vlan and on different vlans, if you still get more or less same speed or not)?

    My speed is crippled on vlans, although since it is 125 mb/s , and I use old disks, I didn't notice to start with, which perhaps you also haven't.
     
  10. vmixus

    vmixus Serious Server Member

    Sorry, routers I mentioned in my setup are not gigabit and I don't have anything to test with but can update later if I do.
     
  11. lollekatt

    lollekatt Reformed Router Member

    np.. thanks for reply. :)
     

Share This Page