Teaman/Toastman Mod - DHCP issue

Discussion in 'Tomato Firmware' started by agrinmote, Mar 23, 2012.

  1. agrinmote

    agrinmote Addicted to LI Member

    I'm using Tomato only for my wireless AP; I have pfSense as my core router / DHCP server, so I don't need DHCP on Tomato. I ran a Victek mod without issue for a long time, simply disabling DHCP under the LAN settings. I'm trying to upgrade my firmware to support multi-SSID/VLAN and moved to the Teaman mod. The problem now is: if I enable DHCP on Tomato, I can have multiple LANs with no problems, but if I disable DHCP, I am unable to get an IP from my pfSense box. I also tried the latest Toastman mod; it looks like it has the same issue.
  2. agrinmote

    agrinmote Addicted to LI Member

  3. Elfew

    Elfew Network Guru Member

    Which version do you use? Update to the latest Toastman.
  4. agrinmote

    agrinmote Addicted to LI Member

    Tomato Firmware v1.28.7633 .2-Toastman-VLAN-IPT-ND ND Std
  5. agrinmote

    agrinmote Addicted to LI Member

    I would like to give a bit more detail.
    This test was done on Tomato Firmware v1.28.0023 Teaman-VLAN-PPTPD ND Std, built on Wed, 14 Mar 2012 08:32:48 -0300.
    I created 3 bridges; please note that I have disabled DHCP for all bridges, as I have a separate DHCP device within the network.

    I leave WAN on DHCP, so my WAN port gets an IP from my network; in my case, I got and the gateway is (my DHCP server IP).

    I can traceroute from Tomato to the internet without problem; the first hop shown on the traceroute is my gateway, which is also my DHCP server address.

    I created 4 VLANs: VLAN3 for port 1 and port 2, which are on br0; VLAN4 for WAN; VLAN10 for port 3 on br1; VLAN15 for port 4 on br2.

    Saved all settings and rebooted the router.

    I tried plugging an Ubuntu laptop into ports 1-4, disabling and then enabling the NIC. No port can get an IP from my DHCP server. I am also unable to ping the Tomato address.
    For example, if I plug the laptop into port 3, which is on the same subnet as my DHCP server, I expect to get a 192.168.100.x address; however, it fails to get an IP, and I am unable to ping either. But if I manually add a 192.168.100.x address to the NIC, then I can ping Tomato but still fail to ping my DHCP server, and also fail to reach the internet.

    If I have the original official Tomato firmware installed without VLAN support, I can simply disable DHCP for the LAN and then get an IP from my DHCP server without issue. Not sure if this is a bug or a setting issue.

    What I'm trying to do: my current network has two subnets, 192.168.100.x and 192.168.200.x, with all devices plugged into a managed switch, 192.168.100.x on VLAN 10 and 192.168.200.x on VLAN 15. Now I would like to add a wireless AP to support two SSIDs, one for 192.168.100.x and another for 192.168.200.x. I wish my DHCP server to manage all IPs. So, back to my original issue.
  6. teaman

    teaman LI Guru Member

    So, you have 3 LAN bridges set up, right?
    • LAN/br0 - IP on network
    • LAN1 (br1) - IP on network
    • LAN2 (br2) - IP on network

    I guess your box running pfSense is, am I right? Therefore... you're trying to have/get WAN on network, am I right? Did you happen to notice there's some overlapping going on here? That would be problem #1.

    Then, you say you're not getting any response from DHCP... when that machine is NOT on the same physical LAN? That's problem #2 (which is... please review your connectivity/network plan/design).

    Ok, so what if you move the ethernet cable to your PFsense box from the WAN port to port #3 on your router? Assuming you put a hub/switch in between them (Tomato/PFsense), DHCP for any devices hooked up to that hub/switch would work just fine.

    What about devices hooked up to ports #1/2 (LAN/br0) or port #3 (LAN2/br2)? That could lead me to mentioning problems #3, #4, #5... and possibly a whole lot more... So first of all - those devices would be on different networks, which has at least 2 implications to be considered:

    • by default, LAN bridges are isolated from each other (that is, unless you've explicitly allowed access/rules on Advanced/LAN Access page - advanced-access.asp)
    • even if you've explicitly allowed all/any network traffic to flow between any/all of them, each of these would still act as physically separate networks - any IP packets/communication between any two networks means... there would be routing involved.

    Well - DHCP requests from clients are in fact broadcast packets. The thing is... if you try to put together broadcast and routing, you'll notice there seems to be some kind of contradiction in terms: broadcast communication is not supposed to leave the local area network in the first place, so it should never reach anywhere else (and if I'm not mistaken, those would be at different network layers, considering the OSI model).

    Hypothetically: assuming you did set up some kind of DHCP relay agent, what would happen when/if a device sitting on LAN2/br2 performed a DHCP request? Well - that request would be picked up by the relay agent and forwarded to your pfSense box, which would then reply with things like a valid IP address, subnet mask and... the IP address of the gateway this box should be using. Let's say it did get that information back and got IP, with gw. Fine. What happens when it tries to access anything? Say, ping some IP address on the internet? Then it would send an ICMP packet to that IP via its gateway, since it's an address that cannot be reached on the local network, right? But... your Tomato router would get that packet and check its origin/IP address - it is possible it might be forwarded to LAN1/br1, but it also might notice it's getting a packet from an IP address that... should not be there (different network range!). Let's say it does get forwarded to your gateway and it gets a reply from that ping? That packet would then be delivered to. If you're running some kind of monitoring on your Tomato router (i.e. tcpdump), it might even be possible that you do see that reply/response ICMP packet on your Tomato router... but then, even being a gateway/router, it will notice that packet is meant for a machine that is reachable on that interface and won't lift a finger to get it forwarded.

    So - I hope this helps clarify things ;)
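
    The reasoning in the post above (subnet overlap as problem #1, DHCP broadcasts not crossing bridges as problem #2, and the relay thought experiment where the handed-out gateway is not on the client's own subnet) can be checked mechanically. The following is an added example written for this thread; it is not code from the thread, from Tomato or from pfSense. The bridge names and port names follow the posts, but the subnets, the DHCP server address and its placement are constructed placeholders, since the original post's addresses did not survive.

```python
"""Model of the bridge/subnet reasoning in the post above.
Added example; not code from the thread, Tomato or pfSense.
Subnets and the DHCP server placement are constructed placeholders."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed plan: the WAN segment plus three LAN bridges, each with its subnet
# and the switch ports that belong to it. br1 is deliberately given the same
# subnet as the WAN side to reproduce the "overlapping" situation (problem #1).
PLAN = {
    "wan": {"net": "192.168.100.0/24", "ports": ["wan"]},
    "br0": {"net": "192.168.1.0/24",   "ports": ["port1", "port2"]},
    "br1": {"net": "192.168.100.0/24", "ports": ["port3"]},
    "br2": {"net": "192.168.200.0/24", "ports": ["port4"]},
}

# Assumed placement of the DHCP server (the pfSense box): on the WAN segment.
DHCP_SERVER = {"ip": "192.168.100.1", "segment": "wan"}


def overlapping_segments(plan):
    """Problem #1: list every pair of segments whose subnets overlap."""
    names = list(plan)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ip_network(plan[a]["net"]).overlaps(ip_network(plan[b]["net"])):
                found.append((a, b))
    return found


def segment_of(plan, port):
    """Return the bridge/segment a port belongs to."""
    for name, seg in plan.items():
        if port in seg["ports"]:
            return name
    raise KeyError(f"unknown port {port}")


def dhcp_discover_reaches_server(plan, client_port, server=DHCP_SERVER, relay=False):
    """Problem #2: DHCPDISCOVER is a layer-2 broadcast. Without a relay agent it
    is only seen by hosts on the same bridge/segment as the client; a relay
    agent is the only thing that carries it across a routed boundary."""
    return relay or segment_of(plan, client_port) == server["segment"]


def lease_is_usable(client_ip, prefixlen, gateway):
    """The relay thought experiment: even with a lease in hand, the client can
    only reach its default gateway if that gateway is on-link, i.e. inside the
    client's own subnet. A gateway from another segment is unreachable."""
    iface = ip_interface(f"{client_ip}/{prefixlen}")
    return ip_address(gateway) in iface.network


if __name__ == "__main__":
    print("overlaps:", overlapping_segments(PLAN))
    for port in ("port1", "port3", "port4"):
        print(port, "broadcast reaches DHCP server:",
              dhcp_discover_reaches_server(PLAN, port))
    # Client on br2 handed a br2 address but the WAN-side gateway: unusable.
    print("lease on br2 with gw 192.168.100.1 usable:",
          lease_is_usable("192.168.200.50", 24, "192.168.100.1"))
```

    Running it with the constructed plan reports the wan/br1 overlap, shows that only a client physically on the DHCP server's segment gets its broadcast answered without a relay, and shows that a lease whose gateway lies in a different subnet than the client is useless even when it is delivered.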

  7. agrinmote

    agrinmote Addicted to LI Member

    Thank you Teaman.

    What I'm trying to do is split my network into two separate subnets, for Private and for Public. You are right, I have a pfSense box running in my network; it has three interfaces:
    WAN: connected to my ADSL modem (bridge mode) by PPPoE
    LAN-PRIVATE: on VLAN 10, so all ports on my core switch that I allocate to VLAN 10 will get an IP 192.168.100.x; the gateway is (pfSense interface IP)
    LAN-PUBLIC: on VLAN 15, so all ports on my core switch that I allocate to VLAN 15 will get an IP 192.168.200.x; the gateway is (pfSense interface IP)

    I also have a WRT54GL running the official Tomato firmware; the DHCP on LAN has been disabled, and the WAN port is connected to my core switch on a VLAN 15 port, so all wireless devices can get a 192.168.200.x IP from the pfSense box.

    No drama for the above settings. Now I want to upgrade my firmware to have my WRT54GL support two networks via two SSIDs. I wish the WRT54GL could still get DHCP from my pfSense box.

    I have many questions then:
    #1 About the WAN connection on the WRT54GL. I tried to allocate a port that allows both VLAN 10 & 15 (I did these settings on my core switch); not sure if one cable is fine. Of course I can run two physical cables with different VLANs, so would I need dual WAN support?
    #2 About VLAN tags. A bit confused here; I try to match the VLAN settings on the WRT54GL to the settings on the core switch, let's say VLAN 10 for Private and VLAN 15 for Public. Not sure if I will need to tick "" in VLAN settings.

    Sorry about my limited network knowledge; if my scenario is possible, how?
  8. teaman

    teaman LI Guru Member

    First of all, you should keep in mind this is actually an advanced topic... so I strongly advise you to do some extensive research/reading on this whole thing beforehand, especially if you're considering/planning on using those so-called 802.1Q ethernet trunks (also, you probably wanna check/confirm if your switch actually supports tagging of ethernet frames before proceeding any further down this road):

    If your equipment does support VLAN tagging, then you could think about the possibility of using just one single ethernet cable between some of your devices and your switch (provided those ports have been properly configured in trunk mode on both ends for each connection). As per the network diagram/plan above, such a thing might be possible for both your WRT54GL and your pfSense box (as well as any other piece of equipment capable of doing/supporting VLAN tagging).

    Anyways - the main question here seems to boil down to the possibility of using just one single WRT54GL, set up as a plain-and-simple wireless access point for two separate networks, is that it?

    I'm sure you already read what's on this page, right?

    If so, I'm pretty sure you already know the short answer to your question would be 'yes' ;)

    Here are some things to keep in mind once you're done with your reading, feeling confident about how to proceed and ready to roll up your sleeves:
    * start simple, then build up on your previous stage/working configuration
    * you probably should forget about the WAN port on your router (just leave the whole WAN thing alone)

    You might also wanna have a look at some of the threads appearing at the top of this list (Tomato FAQ and Common Topics):

    As well as some other/related threads like this one:

    Best of luck!
  9. agrinmote

    agrinmote Addicted to LI Member

    Teaman, thanks for your hints, very helpful.

    Did some reading, very close now.

    My current settings:
    is just for my local PC to connect to the WRT54GL; I will always have this IP available (I have my local PC plugged into port 1 to talk with the WRT54GL)
    192.168.100.x and 192.168.200.x are the real IP ranges that I want to test

    So, I want 192.168.100.x on VLAN10 (Port 3)
    192.168.200.x on VLAN15 (Port 4)
    Port 2 is for the uplink which connects to my core switch, a trunk port

    My testing result:
    plug laptop into port 3, get IP 192.168.100.x
    plug laptop into port 4, get IP 192.168.200.x

    I can see the IPs show up in pfSense, which means DHCP and VLAN have started working. But the problem is that from my laptop I am unable to ping the gateway, and I also cannot ping the WRT54GL IPs and. However, I can ping both gateways and from the WRT54GL; I cannot ping internet IPs from the WRT54GL.

    Any more hints about this?
  10. agrinmote

    agrinmote Addicted to LI Member

    Just a quick update here, I did more reading on

    Now it's a bit clearer about the port relations and all works fine.

    I set port 2 as a trunk port which connects to my managed switch, so the port will send VLAN 10 and VLAN 15 headers. I allocate port 3 to VLAN 10 and port 4 to VLAN 15. Very confusing here: I actually do not need to tick "tagged"; now I understand why. For the WRT54GL, I only need to tell each port which VLAN it is on; I don't need to set it as a trunk.
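
    The tagged/untagged distinction worked out in the post above (port 2 a trunk carrying both VLAN tags, ports 3 and 4 plain access ports that never need "tagged") follows the usual 802.1Q port rules: a tagged port keeps the VLAN tag on egress, an access port strips it and assigns its own VLAN to untagged ingress frames. The following is an added example written for this thread, not Tomato's switch code; the port names and VLAN ids are taken from the post, the port table and the frame examples are constructed.

```python
"""802.1Q port-membership model for the WRT54GL port layout in the post above.
Added example; not Tomato's code. Port table and frames are constructed."""

# Constructed port table. 'tagged' holds the VLANs a port carries with a tag
# (a trunk); 'pvid' is the VLAN assigned to untagged frames arriving on an
# access port (None means the port accepts no untagged frames).
PORTS = {
    "port2": {"tagged": {10, 15}, "pvid": None},   # uplink/trunk to the core switch
    "port3": {"tagged": set(),    "pvid": 10},     # access port, VLAN 10
    "port4": {"tagged": set(),    "pvid": 15},     # access port, VLAN 15
}


def classify(ingress, vid):
    """Return the VLAN a frame is placed in, or None if the port drops it.
    vid is the 802.1Q tag on the wire, or None for an untagged frame."""
    port = PORTS[ingress]
    if vid is None:
        return port["pvid"]                          # untagged -> the port's PVID
    return vid if vid in port["tagged"] else None    # tagged -> only if carried here


def egress(ingress, vid):
    """Flood a broadcast/unknown-unicast frame: list of (port, tag_on_wire) for
    every other member port of the frame's VLAN. Trunk members keep the tag,
    access members receive the frame untagged."""
    vlan = classify(ingress, vid)
    if vlan is None:
        return []
    out = []
    for name, port in PORTS.items():
        if name == ingress:
            continue
        if vlan in port["tagged"]:
            out.append((name, vlan))
        elif port["pvid"] == vlan:
            out.append((name, None))
    return out


if __name__ == "__main__":
    # A DHCP offer coming back from the core switch, tagged VLAN 10, lands on
    # port 3 untagged; a client's untagged DHCPDISCOVER on port 3 leaves the
    # trunk tagged VLAN 10. A VLAN 15 frame never reaches port 3 at all.
    print("trunk VLAN10 ->", egress("port2", 10))
    print("port3 untagged ->", egress("port3", None))
    print("trunk VLAN15 ->", egress("port2", 15))
    print("tagged frame on access port ->", egress("port3", 15))
```

    The model shows why the access ports need no "tagged" setting: membership alone decides that a VLAN 10 frame from the trunk is delivered to port 3 with its tag removed, and that a tagged frame arriving on an access port is dropped rather than leaking into another VLAN.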

  11. agrinmote

    agrinmote Addicted to LI Member

    It seems multi-SSID is still buggy. I can have physical NICs with separate VLAN/DHCP IPs without issue, but multi-SSID still has problems.
    My testing result was:

    primary SSID (eth1) -> br1 gets a DHCP IP fine
    secondary SSID (wl0.1) -> br2 unable to get a correct IP; it gives me a IP

    both settings are on WPA2-AES, "Use alternate NAS startup sequence" ticked

    Tested on WRT54GL with Tomato Firmware v1.28.0023 Teaman-SDHC-VLAN-PPTPD ND Std

    Can anyone help?