[SOLVED] Tagged VLAN for Airport Extreme guest network

    Thank you for making Tomato possible. I'm running Toastman on an Asus RT-N16 (wifi is off). I have an Airport Extreme (in bridge mode) and would like to enable its built-in wifi guest network.

    The Airport broadcasts its guest network on a VLAN tagged 1003. All LAN traffic - including from the Airport - enters the Tomato on physical port 1 (ports 2, 3 and 4 are empty). I've done some reading in forums but I have a hard time understanding it.


    I’ve created br1 as the guest subnet.


    But I can not figure out the VLAN settings. Tag ID 1003 needs to go to WAN only.

    Any suggestions are highly appreciated.
    VID offset = 992 (62*16 = 992; 992+11 = 1003). Set VID on WAN to 1003 and TAG WAN port.
    Thanks kthadddock!


    I get a warning when trying to add:

    "WAN port cannot be assigned to more than one VLAN unless frames are tagged on all VLANs WAN port is member".
    You can't TAG br1 to WAN, only WAN = 1003. Test to TAG WAN to 1003 only.
    Try also to TAG WAN at the same time as br1.
    Not sure I'm following. What should I set bridge to?
    Which combination of settings in the UI do you suggest I try?

    There's no tagging going on in the url example. Neither can I assign another physical port than port 1.
    It depends which order you tag ports; start with WAN and then br? ports.
    Now it's right.
    Do a new network under: Basic => Network => LAN and turn on DHCP.
    Do a new VLAN and br1, and choose VID.
    Do a new guest wifi under: Advanced => Virtual Wireless => wl0.1 and bridge to LAN1 br1.

    Now the guest network gets access to the internet. If you have an old PC or phone, delete your old connections and reconnect again.
    So virtual wireless is not limited to the tomato routers own wifi interface? I get to see options about wifi security which do not apply here; my Tomato wifi is off.
    I'm not following you; you don't want a guest wifi network. In that case you only need a new VLAN on a port, assigned to br1 and the guest LAN network.
    Sorry for my confusing question. Yes, I do want a guest wifi network. It's served by an Airport Extreme (in bridge mode) on VLAN tagged 1003. The Tomato wifi is off. All LAN traffic (which includes the Airport's guest VLAN) enters the Tomato at physical port 1 (it's the only wire available at that location).


    I tried this config but I get an error. I'd welcome any advice.
    # nvram get trunk_vlan_so

    Should that be set to 1 in order to have both tagged and untagged on the same port (trunking)?
    Here is a simple and quick way to get it working:

    First, I will assume that you have already created a second bridge (br1).

    1) Create VLAN 3 and rename the VID to 1003 (which you have done). However, leave Port 1 and tagged checkboxes unchecked.

    2) Enter the terminal or command prompt. Type: telnet (or whatever your address is)

    3) Enter the following commands one line at a time:

    nvram set vlan3ports="1t 2t 3t 4t 8"
    nvram commit

    It should be working after that, and your VLAN configuration should look something like this:


    Note: the reason I had you activate the VLAN on all the ports is because the RT-N16 has the ports switched when in terminal mode. So if you just want your specific port enabled, play around with the numbers. The GUI will continue to give the error that "port cannot be assigned to more than one VLAN", so if you need to make any changes, you'll lose your configuration for the Airport Extreme and will have to redo it in the Terminal.
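    A small checker for the vlanNports strings set in the steps above, added here as an example (it is not code from this thread or from Tomato). The nvram key names, the token format "<port>[t]" with a trailing "*" for the default VLAN, and port 8 as the RT-N16's CPU port are assumptions modelled on the nvram command in this post; it flags a switch port that would be untagged in more than one VLAN, which a port cannot be, while accepting the untagged-in-br0 plus tagged-1003 trunk the post ends up with.

```python
import re

# Constructed sample of Tomato-style nvram VLAN port maps (assumption: each
# token is "<port>[t]", 't' = 802.1Q tagged, a trailing '*' marks the default
# VLAN; port 8 is the switch's CPU port on the RT-N16). vlan3ports is the
# value from the thread; vlan1ports and vlan2ports are typical defaults.
SAMPLE_NVRAM = {
    "vlan1ports": "1 2 3 4 8*",     # br0 LAN, untagged on switch ports 1-4
    "vlan2ports": "0 8",            # WAN on switch port 0
    "vlan3ports": "1t 2t 3t 4t 8",  # guest VLAN 1003, tagged on ports 1-4
}
CPU_PORT = 8
TOKEN = re.compile(r"^(\d+)(t?)\*?$")

def parse_ports(value):
    """Turn a vlanNports string into a list of (port, tagged) tuples."""
    members = []
    for tok in value.split():
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad port token {tok!r}")
        members.append((int(m.group(1)), m.group(2) == "t"))
    return members

def port_map(nvram):
    """Map each switch port to {vlan_number: tagged} over all vlanNports keys."""
    ports = {}
    for key, value in nvram.items():
        m = re.match(r"^vlan(\d+)ports$", key)
        if not m:
            continue
        for port, tagged in parse_ports(value):
            ports.setdefault(port, {})[int(m.group(1))] = tagged
    return ports

def untagged_conflicts(nvram, cpu_port=CPU_PORT):
    """Return {port: [vlans]} for ports that are untagged in more than one VLAN.
    A port can deliver untagged frames to only one VLAN; untagged in one VLAN
    and tagged in the others (a trunk with a native VLAN, as in the thread's
    working config) is fine. The CPU port is skipped: it sits in every VLAN.
    """
    bad = {}
    for port, vlans in port_map(nvram).items():
        if port == cpu_port:
            continue
        untagged = sorted(v for v, tagged in vlans.items() if not tagged)
        if len(untagged) > 1:
            bad[port] = untagged
    return bad
```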
    Thanks Xero5. I have it configured. I already had br1 set up (see start of thread). But I don't seem to get an IP address assigned when on the guest network. I have connected the Airport directly to port 4 of the Tomato in order to rule out possible incompatible switches in my network.

    Many threads on this topic involve custom rules for iptables. No need for those?
    This is the exact configuration I have and I have done the configuration multiple times.

    Please place an exact screenshot of your LAN and VLAN configuration so I can check to see what you did.

    Also, what is the exact model number of your Airport Extreme? Are you configuring it on a Mac? iOS? Windows? Some Airport models have issues with guest networks when hard wired. Apple still needs to fix these bugs.
    @Xero5 Thank you for staying with this thread.




    It's a 6th gen Airport Extreme (pillar shape) with latest firmware 7.7.2 in bridge mode. Configured with Airport Utility on Mavericks. Wired from its WAN port (but br1 doesn't work from its LAN ports either). Main wifi on br0 works without any problem.
    On the Airport Extreme config page, check the following settings:

    1) Under "Wireless" make sure Network Mode is "Create a wireless network". Make sure Guest Network is enabled.

    2) Under "Network", make sure Router mode is "Off (Bridge Mode)".

    Also, make sure you reboot everything and have the Airport Extreme connected directly to the RT-N16.

    Let me know if that helps. If it doesn't I'll write out a complete guide. Another thing is to reset everything to factory and try again. Another issue is if you rapidly switch between the Airport's regular and guest network, the router locks you out from connecting. So try testing on a second wifi device.
    Yes, that's how it's configured. AE in bridge mode. Guest enabled. I tried connecting the AE directly to the Asus. Gave the AE a hard reset to default (reset button). Rebooted all devices when changing the setup. The main wifi (br0) works, guest (br1) doesn't. I can authenticate for the guest network and network settings on OS X show its status as connected. But I don't get an IP address assigned. The same goes for other wifi devices (iOS) that I tried. Wifi scanner shows both main and guest wifi active on both 2.4 and 5 GHz.
    Last edited: Feb 23, 2014
    What is your VID offset? Is it set to 0? What is the build for your Toastman firmware? Also, did you give your Asus RT-N16 a hard reset?


    There is a way to troubleshoot to help isolate the problem on whether the issue is with the RT-N16 or the Airport Extreme. To do this you need a Mac that has an ethernet port or an Apple Thunderbolt to Gigabit Ethernet Adapter.

    1) Connect the ethernet cable directly to your router (no switches, no nothing between).

    2) Go to your settings on your Mac. Click on Network.

    3) To the left, there is a "+" and a "-" button. To the right there is an icon that looks like a gear. Click on it. The drop down menu will have a button "Manage Virtual Interfaces".

    4) Click on the "+" and click on "New VLAN".

    5) Set the VLAN name to Guest Network. Set the Tag to 1003. Set the Interface to Ethernet. Click on "Create".

    6) After creating, click on "Apply" to save the new network settings.

    7) Reboot your Mac.

    8) Return to the settings on your Mac. Click on Network.

    Your VLAN 1003 should have a green ball next to it and should be getting an IP address from the router within your Guest Network range. Is it receiving one?
    It is working! I changed the firmware build. I had


    and changed to


    From there your setup tips from post #15 were very simple. It turns out that my Netgear GS605 switches pose no problem for the tagged VLAN. Thank you Xero5!

    I also wanted to block the guest network from the tomato web interface (or anything else except dns and dhcp): Restrict Access to Web UI on Guest WiFi

    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    The guest network download speed seems throttled. I read about this and it seems there is no way to prevent the AE from doing so.
    Glad you got it working. Just remember that this setup isn't something properly supported, so there might be some quirks. For example, I can't get captive portal working with this setup. So I cannot be sure this setup works on every Tomato router.

    Also, yeah, you definitely downloaded the incorrect build for your router. Glad it's all working. You had me pulling out my hair haha. We had the exact same setup, so why wasn't this working for you? :) Just kidding.
    I would like to thank Xero5 and mauzzz for their help and posts. I configured the same thing today on an e3000 with the latest Toastman build (tomato-E3000USB-NVRAM60K-1.28.7505.2MIPSR2Toastman-RT-VLAN-VPN.bin).

    A couple of things that I learned along the way that might be helpful for others:
    • Hardware-wise, I have an e3000 as main router/DHCP/NAT and an Airport Express v2 (A1392) that is hardwired to the router.
      • I also have a bunch of the older Airport Expresses (A1264) around the house for music, but they don't have Guest network capabilities
    • My Tomato config is very close to the images on post #18, with my only difference being my IP ranges and subnet mask.
    • I tried a shibby build (tomato-E3000USB-NVRAM60K-1.28.RT-MIPSR2-120-VPN.bin), and couldn't get the VLAN to work. That said, I didn't go back and ensure that I'd tried the exact same configuration. The shibby build doesn't have the letters "VLAN" in the name though, which might be indicative somehow.
    • Setting the VID Offset to non-zero doesn't work (i.e., I modified my working config to add a 992 VID Offset, and then it stopped working)
      • As a not particularly relevant side point, when I added the 992 offset, the VID for VLAN 1 and 2 became 993 and 994, but VLAN 3 stayed the same at 1003. I even tried removing it and re-adding it as 1003, but even then, when I removed the offset, 993 and 994 went down by 992, but 1003 stayed the same. I assume this is a quirk of the interface... and, like I said, not very interesting.
    • Having a Mac with an Ethernet port and setting up a VLAN 1003 (see #21 above) makes troubleshooting really easy... green bubble = good; yellow bubble = bad (smile)
    I have some reading to do on IPTABLES and access. Right now, neither VLAN can access the other, even though it appears, based on the LAN Access screen (same as in post #18 above), br0 should be able to ping br1, but not vice-versa. I too will probably put in place mauzzz's IPTABLE rules to limit access to the router from the guest network, but that's not urgent.
    Pardon my resurrecting this thread.

    I used to have this setup working, per post #15.

    Now, I can't seem to repeat the magic. Whenever I tag a port with VID, it blocks all other traffic that's not explicitly tagged. Whereas before, untagged traffic would continue to go through br0.

    I confirmed the tagged traffic is working, both via cable (created VLAN in Network settings), and also via the Apple wifi guest network. When the port is tagged, the only way I can connect to anything is through guest wifi.

    I'm running v1.28.0511 MIPSR2Toastman-RT-AC K26AC USB VPN.

    Is anybody else experiencing this?
