1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Tomato MultiSSID

Discussion in 'Tomato Firmware' started by teaman, Jan 25, 2012.

  1. teaman

    teaman LI Guru Member

    Experimental MultiSSID web interface for Tomato ;)

    Tested with WRT54GL and E3000 only.

    Use at your own risk.

    Check it out here:


    Firmware images for MIPSr1 and just a few MIPSr2 routers:

    NOTE: E4200 v2 is NOT supported.



    EDIT - changelog - http://code.google.com/p/tomato-sdhc-vlan/wiki/Changelog
  2. kthaddock

    kthaddock Network Guru Member

    NICE WORK ! Teaman, I'm looking forward to test it !
  3. Yobo

    Yobo Addicted to LI Member

    This is great news, Teaman! The screenshots look wonderful. It is a very intuitive, yet flexible, interface.

    Is the E4200 version using the RT-N driver? The name suggests it is the RT driver, and in that case it will render the E4200's 5Ghz band unusable (I think). If this is the case, I will have to wait for a toastman build, because for me, the 5Ghz band is indispensable.
  4. teaman

    teaman LI Guru Member

    Unfortunately, yes: these RT builds have indeed the RT driver (those were mostly intended for the E3000, the only K26 firmware image I was able to test, anyways). Not sure about the RT-N driver, though... Anyone?
  5. TomatoE2000

    TomatoE2000 Networkin' Nut Member

    Teaman: is it safe to try it on E2000. sometime back we noticed that nas.sh was not called for e2000 and there is only one instance running(even after setup of Guest wireless).wondering if the code made assumptions on that. btw, i am currently using toastman VLAN build and it is just awesome. the only thing is, i have limited flexibility with Guest SSID(i cannot move around primary and virtual across any LAN bridge)
  6. teaman

    teaman LI Guru Member

    I haven't been able to test the firmware images on Tomato-Teaman-RT-1.28.2019.7z on anything but an E3000 v1.0. However, if we assume the Tomato build system is working as expected (and nothing seems to indicate otherwise ;) ), there's a good chance these binary images for the E2000 might work just fine since branch Teaman-RT shares quite a lot of code (and is somewhat based on code) from branch Toastman-RT, it should be fine (but keep in mind this hasn't been actually verified by anyone for the E2000 just yet).

    The thing with nas.sh is only relevant for K24 builds (the "Use alternate NAS startup sequence" option has been removed from K26 builds as it's not used/needed, so don't worry about it). See notes below this section:

    If you do decide to risk/try/experiment these firmware images on your router, please let us know how it goes!

  7. ladysman

    ladysman LI Guru Member

    I'm going to keep an eye on this thread as i'll want to do this on my RT-N16!
  8. darksamus

    darksamus Networkin' Nut Member

    Does this mean that if I plug a device on port 4, it will be on vlan 3? It is no longer part of vlan 1? If that is the case, we loose one port!
  9. teaman

    teaman LI Guru Member

    Actually, this/one port isn't lost, but there must be some at least reassignment to ensure your LAN bridges will be brought up/online as configured ;)

    One possible hack/trick/alternative would be defining Port 4 as a member of multiple VLANs by enabling the 'Tagged' checkbox on all of them (you can use any other port, as long as it's set as an '802.1q trunk'). Here's an example on how this could be set up:


    Anyways - if you choose to follow this path and set one of your ports like a 'trunk', you can connect any equipment that understands tagging of ethernet frames - the so-called 802.1q VLAN 'trunk' - and configure it to bind/tag/use/listen to ethernet frames on any VLAN that port is a member ;)

    Sorry if that last paragraph sounds confusing - english is not my first language...

    Best of luck!
  10. ladysman

    ladysman LI Guru Member

    so will this be put into the Shibby or Toastman builds? I haven't looked at your links yet so I apologize if it goes to their respective repositories!
  11. Toastman

    Toastman Super Moderator Staff Member Member

    Soon, we are still sorting a few things out.
  12. ladysman

    ladysman LI Guru Member

    Great, i'm patient. great work guys!

    Has the new broadcom driver that was released been tested as well?
  13. Toastman

    Toastman Super Moderator Staff Member Member

    I didn't know anyone had incorporated it yet. Who did it?
  14. ladysman

    ladysman LI Guru Member

    I wasn't sure either but reputation leaves me ok with using the old one.
  15. backwoodsman

    backwoodsman Addicted to LI Member

  16. Toastman

    Toastman Super Moderator Staff Member Member

    The RT-N12/B1 needs the RT-N branch with different wireless driver. Wait a few days and I'll probably be posting some Multi-SSID builds.

  17. humba

    humba Network Guru Member

    Looks yummie :)
    Thanks Toastman
  18. eahm

    eahm LI Guru Member

  19. Yobo

    Yobo Addicted to LI Member

    Thanks again Teaman and thank you Toastman for the quick integration.

    Here are my impressions from the new version, tested on E4200v1. Basically, it works very nicely, but there were some quirks. With no encryption, I was able to easily set up two virtual SSIDs wl0.1, wl0.2 on two new VLANs. (I did not try wl1.1). E4200 does not support tagging, but it turned out that there is no need to assign a physical port to the VLANS. They worked just like that. The GUI for adding security setting to the virtual wireless is a bit quirky - making changes does not activate the 'save' button. I had to go back to the overview tab to save. Not very intuitive.

    Now to the problems. I suspect they are mostly due to bugs in the wireless driver (new version, anyone??), or wrong interaction of Tomato with this driver.

    1) By default, the MAC address of wl0.? and wl1.? collide. It seems to me that this is a bug in wlconf. Is this happening on E3000??

    2) Virtual wireless adapters work after a reboot, but stop working after service restarts. Even "net nas stop; net nas start" (which does minimal stopping-starting) ruins them. After this, the BSSID of wl0.1 is 00:00:...:00 (even if there is no WPA, so nas isn't the culprit).

    Manually disabling radio and enabling it fixes this. This is strange - I look at the code, and try to run the same commands run by "service nas stop/start" manually, and everything works okay. One thing that I am not doing is wl_setmac (in netwrok.c). It seems that it is calculating the wrong MAC address. This is not the one the wlconf provides. wlconf adds 2 to the first hex (the ETHER_SET_LOCALADDR macro), and wl_setmac doesn't. Is this a bug in Tomato?

    3) When WPA2 is on, I could not get any wireless interface to work with VLAN2. SSID is broadcasted, but clients cannot connect. Without WPA2, this works okay.

    If you have any ideas, I will be happy to try them. Problem #2, in particular is pretty annoying.
  20. teaman

    teaman LI Guru Member

    Thanks for your feedback! A couple of comments/questions, though ;)

    a) assigning physical ports: inside rc/interface.c there's function int start_vlan(void), responsible for creating VLAN interfaces when service net is starting. It loops through some NVRAM vars looking for contents of vlanXXhwname (where XX would be the VLAN ID) and it expects to find something. That something (pretty much always) leads it to reading NVRAM var et0macaddr and setting the MAC address of any/all vlanXX interfaces you've configured. Therefore, by not assigning any physical ports via VLAN GUI, I'm curious about how the whole thing is supposed to be working later on ;) I wonder if such thing might have something to do with the missing/strange MAC addresses being set/unset on your experiences...

    b) I agree that disabling the 'save' button on all other tabs but/except for the 'overview' tab wasn't exactly the 'best' design choice in the whole world - that has been put in there due to some issues I noticed during some early tests - it's mostly about just forcing the VerifyFields() JS function to run just one last time to validate any/all fields and update some of the internal/critical data structures kept through the page at runtime (i.e. tracking what needs to be created/updated/deleted in terms of NVRAM objects: a few hacks/overrides required to make that save button 'work').

    In an attempt to mitigate this somewhat-almost-totally-non-intuitive behavior issue, when we hit the 'Add' button for creating a new WL VIF, the web interface switches to that tab and shows this message for a few seconds at the bottom of the page: "After configuring this VIF, review and save your settings on the Overview tab." (which doesn't seem to be really helping, anyways ;)).

    With that being said - what you guys suggest we do instead?
    (screenshots and/or any kind of drawings/sketches would be welcome)

    1) no, not happening on the E3000 or the WRT54GL. Have been working flawlessly on these two devices (BTW, the code was only released after/when I became sorta more 'confident' about it's functionality/determinism, etc...). I wonder if those collissions could perhaps be related to having a physical port assigned as part of a VLAN (which relates do those LAN bridges, created later on...)?

    2) I'm aware this doesn't 'look' like we're talking about the same thing you described, but hear me out as it might be related: whenever we hit the 'save' button on advanced-wlanvifs.asp, there's a 'two-stage' post going on behind the scenes. Stage 1 takes care of a few things that should be either created and/or deleted - sometimes, to be recreated. One of those things would be the MAC addresses of any non-primary WL VIFs (again, possibly related to those MAC-thingies).

    3) that, Im afraid, might be related to some kind of funky/weird restriction of the specific wireless driver being used on the particular build you're using on your device... (there seems to be only a few valid combinations, but those seem to be driver-dependent)

    Now, let's just try to take one step back (at a time): does all this MAC address strangeness happening on your guest WL interfaces still happen if those extra/additional bridges are member of VLANs with a 'proper' MAC address set in the first place?

  21. Yobo

    Yobo Addicted to LI Member

    Personally, I think the tabbed view is great for information, but not very good for settings. I would have been happy if the settings for all wireless interfaces were in one page. I think the model in the Network->Basic page is good. Have a section for each interface. Adding new virtual wireless interfaces would add more sections to the page. Have just one save button on the bottom. That way, you can do all the verifications at once, and the user sees exactly what are the settings that are being saved.

    Yes, it does seem related to the specific driver and hardware. But until someone updates the wireless drivers, perhaps there is some workaround.

    I added physical ports to the VLANs, but it makes no difference. The VLANs all have MAC addresses. Apart from VLAN2 (the WAN), they share the MAC address of br0, which is also the address of br1. Is this the way it should be?

    As for wl0.? MAC addresses (not BSSIDs) - is there any place they are set in nvram besides wlconf? It seems that the algorithm wlconf has to assign them does not take into account two sets of interfaces (wl0 and wl1). If I unset all wl0.?_hwaddr and wl1.?_hwaddr, and run "wlconf eth1 up" and "wlconf eth2 up" the values are reset to the clashing ones. That is why I was surprised E3000 has none of these problems. Isn't wlconf the same? I see the code (if this is the code of what I am running), and it seems that this is a just a shortcoming of this utility.
  22. teaman

    teaman LI Guru Member

    Yup - I've also considered using that very same approach (putting everything onto Network->Basic), but there were a few things hovering my mind back then - aka the three main reasons for /not/ choosing such approach:

    * I wasn't feeling /that/ confident I would be able to actually complete such endeavour due to the current/existing level of complexity on the code already in there ;) (note: the WLAN VIFs page ended up in just a bit over 1800 lines of code - turn out, the basic-network page is just a bit under 1800 lines of code)

    * So, I sorta made sense to build something that would be handling a somewhat smaller scope than 'the whole' set of 'Network' settings at once.

    * Also, after thinking for a while about all those network-related settings available/split across different pages through the web UI (even if sometimes, being sorta related/interdepent and perhaps should be 'moved' and/or put together), I eventually got myself imagining /how/ we could perhaps kinda 'reorganize' all those LAN/WAN/wireless/VPN/routing settings in a (possibly?) better way ;)

    Ideas about how we could improve our 'Networks Settings' pages are welcome ;)

    When/if you do find any workarounds, please do let us know!


    Hm... if I'm not mistaken, the MAC addresses of each wlx.x existing VIFs should match their own BSSIDs, otherwise things like 'nas' might break (i.e. WPAx security, etc...). Have you tried simply 'nvram unset wlx.y_hwaddr' for both/all your guest VIFs and restarted network just to see what happens? It's been reported to have solved problems on tricky/strange situations like that before... (don't nvram unset any hwaddrs of your 'real' interfaces).

    I'm also curious why this whole thing seems to be working just fine on the E3000. In fact, I've actually repeated this whole thing consistently 3 times before publishing these notes ;)

    Still - you're probably right - perhaps the code responsible for this whole MAC address calculation (guessing?) thingie on wireless interfaces does require some kind of revision...

  23. Yobo

    Yobo Addicted to LI Member

    Actually, I wasn't thinking of putting everything under Network->Basic. That would make things crowded. It will also move advanced settings to the basic area, which would make life harder for some users. I just thought the design of Advanced->Virtual Wireless could look like the design of Network->Basic. It would have the table on top, where you can add new virtual interfaces, and then it would have a list of wireless settings, which the same design as in the basic page.

    Yes, I've tried that. They wlx.y are reset to bad values. I think the module that is resetting the values is wlconf. Am I right that this module changed from RT to RT-N? The code of wlconf is under src-rt, and its wlconf function is in charge of setting the wlx.y_hwaddr nvram. It takes the base MAC address, make it "local" by adding 2 to the first hex, and the increments the last hex for every virtual interface.

    The funny thing is - I tried to change the MAC address of eth2 (physical wl1), so that there will be no collision. I see the new MAC address in ifconfig and as the BSSID of eth2, but somehow, wlconf still sets the VIF MACs with the original bad values. It gets the "base" MAC address from a function wl_hwaddr which is in the binaries, so I cannot tell how this is done.

    Bottom line - the wl driver and wlconf in RT-N deal with VIF in a buggy way. I see here
    that someone had the same problem with DD-WRT...

    As for a workaround - as I've reported, "service net restart" causes the wireless VIF to stay down. This can be fixed if I manually by running "wlconf eth1 up; wlconf eth1 start". So, even though we don't know what's wrong with the driver, such a workaround can be coded into Tomato. But since all active developers are running RT platforms :(, that will probably have to wait.
  24. tvlz

    tvlz Addicted to LI Member

    After looking at the dd-wrt link, if you add 1 to the first hex of pci/1/1/macaddr= it will change the MACs of all the wl1 interfaces to non-conflicting settings. When you upgrade to a new build you have to change that setting again.
  25. Yobo

    Yobo Addicted to LI Member

    Thanks tvlz. That actually worked. It finally solved the MAC address conflict.
    However, this did not solve the VIF problem (they are still down after net service restart).
    Worse, after making this change, devices can no longer associate with eth2. Go figure. It seems that the wireless driver is very picky.
  26. tvlz

    tvlz Addicted to LI Member

    have you unset the vif's and changed eth2(wl1) to the same address as pci/1/1/macaddr=. I think linksys set the MACs the same in the CFE that is why you are having the problem, you'll have to dump the CFE to check.
  27. Yobo

    Yobo Addicted to LI Member

    Yes. I have unset all VIF addresses, and set wl1_hwaddr to match the new address. The eth2 wireless as actually up with the right BSSID (i.e. matching the new MAC), but clients could not associate to it.

    I dumped the CFE. It contains the base MAC address (that of the router). I guess it automatically derives the MAC addresses of other interfaces from this base MAC.
  28. tvlz

    tvlz Addicted to LI Member

    Instead of changing the first hex try changing this one in pci/1/1/macaddr=xx:xx:xx:xx:x5:xx, hopefully that change will work.
  29. Yobo

    Yobo Addicted to LI Member

    OK. This works. For the record, I changed pci/1/1/macaddr and wl1_hwaddr from xx:xx:xx:xx:x1:xx to xx:xx:xx:xx:x2:xx, unset all wl1.x_hwaddr values, and rebooted. Now eth2 is working, and finally there are no conflicting VIF MAC addresses.

    Nevertheless, this does not solve the wl0.1 problem. It least we know (?) that it is not caused by conflicting MAC addresses.
  30. Riddlah

    Riddlah Networkin' Nut Member

    Got this working on my RT-N16, settings went without an issue. Only bug/issue I ran into was all computers were reading the second SSID as not having a network connection but it could see it. After a few restarts the connection came up and has been running for the last 2 days without an issue.

    Have roughly 4 mobile devices (blackerry, playbook, iphone, media streaming device) connected with no issues.

    Great work on this feature, its one major feature I missed coming from DD-WRT firmware.
  31. fubdap

    fubdap Addicted to LI Member

    @Riddlah or anyone,

    I want to try this on my RT-N16. I have other routers as AP all over the house wired to the N16. Do I need to install multissid version on the APs also to provide coverage for the whole house?

  32. teaman

    teaman LI Guru Member

    Short version: you probably wanna have a MultiSSID-enabled firmware/build running on every single device you wish to have/serve more than one SSID (i.e. your primary + guest wireless networks). It might be also recommended you reconfigure that wired link (between your APs) into an ethernet 'trunk', capable of transporting ethernet frames from your (multiple) VLANs throughout those routers/APs as well.

  33. dailyglen

    dailyglen Networkin' Nut Member


    (Thanks for the amazing firmware you guys are working on!)

    I'm trying to setup a VLAN guest wireless with it's own SSID and with bandwidth limiting (using tomato-E3000USB-NVRAM60K-1.28.0495MIPSR2-Toastman- VLAN-RT-N-VPN-NOCAT.bin) but can't get the BW limiter to work on my E3000.

    (As an aside, I had problems changing my br0 IP subnet to on Basic > Network from a fresh install...I received a dialog saying something to the effect that the subnet was already in use. So I did a "nvram export --set | grep 192.168.1" and changed those settings to "192.168.0" and then did a "nvram set" and a save. It seemed to work fine.)

    For VLAN and MultiSSID I followed the great instructions here:

    Except when I created LAN1 (br1) I did not select any wired ports since I only want the VLAN to work for wireless. I turned on QOS and the bandwidth limiter and it complains that my ip range "" is outside of "LAN" -- but I want it to be applied to "LAN1". My LAN is and my LAN1 is

    Now I went back to Advanced > Virtual Wireless and I change the settings of wl0.1 (doesn't seem to mattter which) and I get this when I save:

    The field "wl_auth" is invalid. Please report this problem.

    nvram export --set | grep wl_auth

    nvram set wl_auth_mode="none"
    nvram set wl_auth_type="0"
    nvram set wl_auth="0"

    If I change the security settings on wl0.1 I get:

    The field "wl_wpa_psk" is invalid. Please report this problem.

    Now I'm able to make the issue go away if I turn back on QOS. It seems like the above issue shows up after have QOS disabled (maybe after it has been enabled).

    I can connect to the guest SSID and BW limiter is on but the BW limiter does not work. Is there any way to limit the bandwidth of your guests?

    I'm wondering what others do for guest access for their kids teenager friends who come over. I was thinking this setup (with a non-broadcast, open wireless VLAN would do the trick well).

  34. teaman

    teaman LI Guru Member

    Yeah... there are some problems with the Advanced -> Virtual Wireless page... And it's being checked out... Soon, we'll probably have some sort of v2 ;)

    Feel free to open a new issue, here:

    This thread mentions a possible workaround for the QoS BW limiter, but I haven't tested myself (please do try/test if you can, and let us know how it goes!)

  35. fubdap

    fubdap Addicted to LI Member

    I have this installed on my N16 using Toastman’s build. With WPA2 on, I can connect to the guest wireless interface, but I cannot get to the internet. I have rebooted the router and restarted the client without any success. Anyone have any idea what I am doing wrong?
    On a different note, I liked and generally use this feature “Ignore DHCP requests from unknown devices". With this build, when enabled, it denies request to the guest wireless interface. Is it possible to make this feature allow request for the guest wireless interface but deny request to my main LAN?
  36. teaman

    teaman LI Guru Member

    Hi all!

    Teaman v0021 just pushed to git (and few binaries uploaded/available for download):


    Key improvements:

    * MultiSSID: fix saving settings for non-WPAx VIFs (open/WEP)
    See http://code.google.com/p/tomato-sdhc-vlan/issues/detail?id=3

    * IP Traffic can now be disabled completely via web UI (both cstats/history and real-time accounting/rules)

    Have fun!
  37. kthaddock

    kthaddock Network Guru Member

    - I'm testing 0495.2-nocat and when changing Lease time on br1 then MAC-address dissapear shows 00:00:00:00:00:00.
    I have to reboot to get it back.
    - Just noticed when my lap get a new lease,br0 connection droped for a while but come back up again.

    Sorry if it's reported before. :confused:

  38. teaman

    teaman LI Guru Member

    I suspect you're probably talking about saving changes on the Basic/Network page, right? When we do that, all services are restarted, including 'init' (i.e. think 'warm boot' as the Linux kernel is not 'booted' again - but it's like the whole OS inits again).

    About those MAC addresses and connection drops - can you be more specific?

  39. kthaddock

    kthaddock Network Guru Member

    Yes, I change Basic => Network => Lan Lease Time (mins) on Br1, from 240 to 4. Then press "add" then save.
    Then I couldn't se mac BE:AE:C5:xx:xx:82, my android and WireLessNetwiev from Nirsoft shows 00:00:00:00:00:00
    I didn't check "wl0.1_hwaddr=" which I should do next time.

    Connection drop come when my Br0 do a lease, after 24h, I'm unsure if it comes from my testing in that moment or not
    but my GF complain. (I can monitor and come back if it's happend again)

    EDIT: GF complain when eth1, br0, Vlan1 do a lease, she say "I'm not connected" . Connected whith a Atheros AR9...
    Okey, that comes from I have not put static ip outside Dhcp-range.
    EDIT: Wlo.1 shows this when 00:00:00:00:00:00 are displayed: wl0.1_hwaddr="BE:AE:C5:xx:xx:82"
    EDIT: IPT- shows speed x2 (fixed new build)

    Ps: I really love this build with Wlan and multi Ssid ! :)

  40. Henrik Larsson

    Henrik Larsson Networkin' Nut Member

    I'm using "Tomato Firmware v1.28.0496 MIPSR2-Toastman-VLAN-RT-N K26 Std" on a E4200v1

    I tried to create a Virtual Wireless wl0.1, unfortunately this is not working as expected.

    Output show that the MAC address is not set correctly:
    root@router:/tmp/home/root# ifconfig wl0.1 | grep HW
    wl0.1 Link encap:Ethernet HWaddr 5A:6D:8F:8E:2D:9C
    root@router:/tmp/home/root# wl -i wl0.1 bssid

    Any suggestions?
  41. kthaddock

    kthaddock Network Guru Member

    Yes, reboot after you have create your wl0.1. First it's display 00:00:00:00:00:00 after reboot you have 5A:6D:8F:8E:2D:9C changed.
  42. Henrik Larsson

    Henrik Larsson Networkin' Nut Member

    Unfortunately this is not the case.

    Tomato v1.28.0496 MIPSR2-Toastman-VLAN-RT-N K26 Std
    root@router:/tmp/home/root# reboot
    root@router:/tmp/home/root# Connection closed by foreign host.
    router login: root
    Tomato v1.28.0496 MIPSR2-Toastman-VLAN-RT-N K26 Std
    root@router:/tmp/home/root# wl -i wl0.1 bssid
  43. kthaddock

    kthaddock Network Guru Member

    Hmm Then I should recomend to Erase Nvram and start over agin rewrite all settings by HAND and test.
    It's working for me, I have same setup and some more.
  44. teaman

    teaman LI Guru Member

    Please add this to the 'Custom configuration' text-box under Advanced -> DHCP/DNS (advanced-dhcpdns.asp):
    Then, watch the logs as they will be somewhat verbose, recording a lot of information related to each and every DHCP lease/renew events - and this information might lead to some answers...
  45. teaman

    teaman LI Guru Member

    Unfortunately, I have no idea on how that could be done/implemented with dnsmasq. If anyone does, please let us know so such thing might be possibly included at some point in the future in Tomato ;)
  46. Yobo

    Yobo Addicted to LI Member

    I was searching for this some time ago. dnsmasq has some serious shortcomings when it comes to multiple interfaces. For example, suppose you have a client that connects to different interfaces in different occasions, and you want to assign a static IP. If the two interfaces are on two VLANs, you need two IPs - one for each VLKAN. However, you cannot do that, because dnsmasq only allows providing a single IP per MAC address, and will offer this IP even if it not in the VLAN network.
    Perhaps the only solution (using dnsmasq) is to run multiple instances of dnsmasq for each interface. Probably the -i and -z options will come handy. One "main" instance would run the DNS (the DNS on the rest can be disabled with the -p option). I haven't had time to test this, but if it works, it would be very nice.
  47. kthaddock

    kthaddock Network Guru Member

    Se your PM
  48. teaman

    teaman LI Guru Member

    The intents or purpose of that idea was... for you to take a look at your logs ;)

    Here's the thing: change your lease time on any bridge to something not-so-large (i.e. 40 mins). Next, delete/release/renew that lease and keep watching what's on the Status/Devices page and the logs... You'll notice that at some point, that DHCP lease will be renewed. Notice how long does it take between that initial and this last renew/request.

    Next, change the lease on that same bridge to something different (i.e. 30 mins). Rinse, repeat. Notice the interval between DHCP events for that client... and you'll probably notice there seems to be some kind of correlation between the lease time and those renew/request events ;)
  49. kthaddock

    kthaddock Network Guru Member

    Oh sorry :rolleyes: My misstake ! I will do that and see what I can find out.
  50. ladysman

    ladysman LI Guru Member

    I'm having this exact problem. I'll try additional reboots tonight. This is also on an N16.

    I'm using this on a repeater RT-N16 so I can get a stronger signal in my garage/driveway. I have a 66u as a main router and wanted to save a LAN port and since I have the N16 available as an access point, i figured i would do the guest on that router upstairs. This N16 has DHCP disable as any repeater would.

    I assume even though DHCP is disabled, the guest network should work? The regular WLAN i setup works fine on it.
  51. ladysman

    ladysman LI Guru Member

    I'm not sure what is wrong. I wiped my repeater (RT-N16) and set this up on my rt-66u instead. Everything seems fine. I did trunking so I could save the 2nd port. All seems well and the wireless guest is there. However nothing will connect to it. I've triple checked my settings and nothing. I've rebooted multiple times but it still won't connect to the guest network. Anything you guys suggest I try let me know!
  52. ladysman

    ladysman LI Guru Member

    So I had to restore a config from before I created the VLAN's, Guest Wireless, etc. I couldn't delete. It simply didn't work. I couldn't connect to the wireless first off, then I couldn't even delete the Guest Wireless. This has happened to me on an RT-N66U and an RT-N16. I did tag my VLANS so i could keep one of my ports. I really need this port if at all possible.

    I will start all over at some point and NOT do the tagged VLANs to see if that works.
  53. teaman

    teaman LI Guru Member

    I'd suggest cross-checking the MAC addresses between what's stored on NVRAM and runtime settings for bridges, the WL driver and OS interfaces (where wl.X would be one of your WL VIFs):
    nvram show wl0.X_hwaddr
    ifconfig wl0.X | grep HWaddr
    wl -i wl0.X bssid
    brctl show
  54. Elfew

    Elfew Addicted to LI Member

    Will be there GUI for multiSSID? Are you working on this? It would be awesome!
  55. ladysman

    ladysman LI Guru Member

    Its already there on some builds. Which one are you using?
  56. teaman

    teaman LI Guru Member

    See the first post on this thread ;)
  57. rhdcheme

    rhdcheme Addicted to LI Member

    Does anyone have multiSSID working on an RT-N66U? I tried following the E3000 instructions using the firmwares below (first the NVRAM60K version and then the other), and it does not allow me to save the guest network in "Overview" after specifying it in Virtual Wireless. Clicking the "Save" button does nothing.

    I had followed the same instructions on an E4200 and it had worked.

    Any help will be appreciated.

  58. rhdcheme

    rhdcheme Addicted to LI Member

    I got it to work by saving the Virtual Wireless settings before making any changes to Wireless Auto Mode.
  59. teaman

    teaman LI Guru Member

    Yeah... it seems to be a bug in the Advanced/Virtual Wireless admin page (advanced-wlanvifs.asp), causing a javascript/runtime error when you hit save button, preventing the whole thing from submitting the form (that is - if Wireless Mode is not set to 'Auto'). A patch/fix will be released soon...

    As rhdcheme mentioned, a possible workaround would be:
    * go to the Basic/Network page and set Wireless Network Mode to 'Auto' for all/any existing wireless interfaces
    * then, go to the Advanced/Virtual Wireless page and change/save your (new) settings (leaving the Wireless Network Mode on Auto)
    * go back to the Basic/Network page and change back the Wireless Network Mode of your wireless interface(s), if necessary.

  60. ladysman

    ladysman LI Guru Member

    I left it at auto mode. I did change advanced wirless settings....Set to US, antenna power, etc. So any change in wireless?? thanks teaman!
  61. apnar

    apnar Network Guru Member

    Great mod. A couple things I ran into along the way...

    1) I could only get the virtual interfaces to work if they were tied to 'br1'. If I used 'br2' I can see the SIDs but nothing can authenticate. Looks to be the exact same issue bluenote had in this thread: http://www.linksysinfo.org/index.php?threads/multi-ssd-anomaly-with-wpa.36917/

    2) I was testing with 2 different e3000 running the exact same build with exact same settings (I script up the settings so know they are identical). On one of them it worked perfectly. On the other it didn't work with WPA or WPA2, but did with WEP or no auth. I tracked the issue down to the fact that MAC showing via nvram and ifconifg were correct (same offset as on the other e3000), but the MAC shown by "wl -i wl0.1 bssid" was 10 higher in the last number. As I didn't know how to change what wl uses, I went ahead and changed nvram to match. After a reboot it worked for WPA/WPA2 as well.
  62. teaman

    teaman LI Guru Member

    Unfortunately, there was some sort of bug around this particular subject. Good news is: this has already been fixed (Teaman v0023 and later builds as well as recent Toastman builds, AFAIK)

    As it turns out, wlconf and the Broadcom proprietary WL driver (and/or possibly, the 'nas' daemon) don't seem to always 'agree' on a few things here and there - the BSSID/MAC address being used on wireless interfaces is one of those things :/

    See the 'one last/long note' part on this post for details:

    Long story short (from that post):
    Got curious about that pair of routers of yours and their base/eth MAC addresses - more specifically, the last digit: is the least significant bit set in any of them? i.e. odd? even? one of each? (just trying to rule out some crazy theory)

  63. apnar

    apnar Network Guru Member

    That's odd as I was working from Toastman-1.28.7498 which should be new enough to include that (I'd updated to get the fix you put in for N-only networks). I'll try to test again and also check the source I'm using to verify the fix is in there.

    Working Router (spaces added to stop auto smileys):

    Bad Router (before manually fixing):
    Note that the NVRAM variable for wl0.1 is C2:C1:C0:7A:62:10 but wl shows C2:C1:C0:7A:62:20. After manually setting wl0.1_hwaddr to C2:C1:C0:7A:62:20 WPA/WPA2 started working again.
  64. apnar

    apnar Network Guru Member

    I took a look and the code you mentioned was in the source I'm using. I did some more testing and I can get a virtual wireless interface to work on br2, but only if a br1 exists. If I only have a br0 and br2, then it breaks all the wireless connections as soon as I enable a virtual wireless interface on br2.
  65. teaman

    teaman LI Guru Member

    Thanks for the extra info/MAC addresses - just ruled out the only theory I had ;) This next/upcoming version of the MultiSSID GUI should warn the user if there's some discrepancy between those addresses (hopefully!).

    About those issues with br0+br2 (without br1): never thought about that. Please avoid using non-contiguous/continuous LAN bridges for now (added to the TODO list).

  66. e-gaulue

    e-gaulue Networkin' Nut Member

    Hello the community !

    Using tomato-E3000USB-NVRAM60K-1.28.2023MIPSR2Teaman-RT-VLAN-PPTPD-VPN-NOCAT on a brand new e3000 with nvram reset, I experience a strange behavior since I played with Virtual Wireless.

    As often, I played with it without following the howto and so I deserve what I get.

    In fact, I tried to do the following :
    wl0 => SSID A WPA2
    wl0.1 => SSID B Open
    wl1 => SSID B Open
    wl1.1 => SSID A WPA2

    On E3000, wl0 is 2.4 ghz and wl1 is 5 ghz.

    I think it works but since :
    * can't see anymore thing on the Basic / Network page regarding wl1 it ends with "Wireless (5 GHz / eth2)" with nothing under (save on this page doesn't work anymore)
    * can't see anymore thing in overview in Advanced / Virtual Wireless
    * still can see wl1 in Advanced / Wireless

    Could it be link with the Mac Address problem. How to get back those informations ?

    I changed through nvram :
    wl1 => SSID B5 Open
    wl1.1 => SSID A5 WPA2

    My computer can see those networks but nothing change on the web GUI.
  67. e-gaulue

    e-gaulue Networkin' Nut Member

    Sorry, I again,

    I may be wrong but I think I have totaly crazy macaddr :
    wl0.1_hwaddr=5A:6D:8F:2D:13: D8
    wl0.2_hwaddr=5A:6D:8F:2D:13: D9
    wl0.3_hwaddr=5A:6D:8F:2D:13: DA
    wl0.4_hwaddr=5A:6D:8F:2D:13: DB
    wl0.5_hwaddr=5A:6D:8F:2D:13: DC
    wl0.6_hwaddr=5A:6D:8F:2D:13: DD
    wl0.7_hwaddr=5A:6D:8F:2D:13: DE
    wl0.8_hwaddr=5A:6D:8F:2D:13: DF
    wl0.9_hwaddr=5A:6D:8F:2D:13: D0
    wl0.10_hwaddr=5A:6D:8F:2D:13: D1
    wl0.11_hwaddr=5A:6D:8F:2D:13: D2
    wl0.12_hwaddr=5A:6D:8F:2D:13: D3
    wl0.13_hwaddr=5A:6D:8F:2D:13: D4
    wl0.14_hwaddr=5A:6D:8F:2D:13: D5
    wl0.15_hwaddr=5A:6D:8F:2D:13: D6
    wl0_hwaddr=58:6D:8F:2D:13: D7
    wl1.1_hwaddr=5A:6D:8F:2D:13: D9
    wl1.2_hwaddr=5A:6D:8F:2D:13: DA
    wl1.3_hwaddr=5A:6D:8F:2D:13: DB
    wl1.4_hwaddr=5A:6D:8F:2D:13: DC
    wl1.5_hwaddr=5A:6D:8F:2D:13: DD
    wl1.6_hwaddr=5A:6D:8F:2D:13: DE
    wl1.7_hwaddr=5A:6D:8F:2D:13: DF
    wl1.8_hwaddr=5A:6D:8F:2D:13: D0
    wl1.9_hwaddr=5A:6D:8F:2D:13: D1
    wl1.10_hwaddr=5A:6D:8F:2D:13: D2
    wl1.11_hwaddr=5A:6D:8F:2D:13: D3
    wl1.12_hwaddr=5A:6D:8F:2D:13: D4
    wl1.13_hwaddr=5A:6D:8F:2D:13: D5
    wl1.14_hwaddr=5A:6D:8F:2D:13: D6
    wl1.15_hwaddr=5A:6D:8F:2D:13: D7
    wl1_hwaddr=58:6D:8F:2D:13: D8

    Same addresses for different interfaces: strange ? May it come from here ? What to set ?
  68. e-gaulue

    e-gaulue Networkin' Nut Member


    I learn a lot presently regarding tomato and JavaScript.

    According to me, one of my problem is coming from call to 'bands' in basic-network.asp page line 579 and 1609 in my tomato-E3000USB-NVRAM60K-1.28.2023MIPSR2Teaman-RT-VLAN-PPTPD-VPN-NOCAT.

    'bands' looks to be undefined but 'wl_bands' is. Are those two different objects ? Does it sound anything to anybody ? Should I use a newer version ? Where ?

    I don't know why bands is undefined and if it should be. I'm ready to look further but I need help. If I try to modify basic-network.asp, I'm told it's readonly. How do you debug/develop tomato ? Are we force to recompile everytime ? Is there good howtos or videos ?
  69. e-gaulue

    e-gaulue Networkin' Nut Member


    So for the basic-network.asp page 'bands' is defined around line 600. In fact, I can find just 2 items in this object as it's based on wl_sunit. Just wl with sunit<0 are considered. Something like real wireless interfaces.

    The problem is that further in the code, it sometime requests for virtual wireless number that is above the number of bands defined previously. This leeds to a javascript error.

    By the way I don't understand the line 1720 of basic-network.asp:
    value: eval('nvram.wl'+u+'_nband') || '0' == '0' ? bands[uidx][0][0] : eval('nvram.wl'+u+'_nband') },
    According to me first part will always be true so why write it like this ?

    What wl_sunit stand for ? Is there a documentation somewhere explaining each nvram key ? I didn't find anything in the git source code tree.
  70. ryzhov_al

    ryzhov_al Networkin' Nut Member

    teaman, as a world's best professional in a Broadcom's MuiltiSSID^) can you tell how you do it in a wl\nvram terms?

    nvram set wl0_vifs="wl0.1"
    nvram set wl0.1_ssid="openssid"
    nvram commit && reboot
    wlmac=$(nvram get $wlif"_hwaddr")
    wlssid=$(nvram get $wlif"_ssid")
    ifconfig $wlif hw ether $wlmac
    ifconfig $wlif up
    brctl addbr $brif
    brctl addif $brif $wlif
    ifconfig $brif netmask up
    wl -a $wlif bssid $wlmac
    wl -a $wlif ssid $wlssid
    is for second open SSID. Is it right?
  71. apnar

    apnar Network Guru Member

    If you're just looking for nvram variables, this is what I use to setup a second guest network on a separate VLAN (on a e3000):

    # Guest Network
    nvram set dhcp1_lease=120
    nvram set dhcp1_num=50
    nvram set dhcp1_start=100
    nvram set dhcpd1_endip=
    nvram set dhcpd1_startip=
    nvram set lan1_ifname=br1
    nvram set lan1_ifnames="vlan3 wl0.1"
    nvram set lan1_ipaddr=
    nvram set lan1_netmask=
    nvram set lan1_proto=dhcp
    nvram set manual_boot_nv=1
    nvram set vlan1ports='2 3 4 8*'
    nvram set vlan3hwname=et0
    nvram set vlan3ports='1 8'
    nvram set wl0.1_akm='psk psk2'
    nvram set wl0.1_auth=0
    nvram set wl0.1_auth_mode=none
    nvram set wl0.1_bss_enabled=1
    nvram set wl0.1_bss_maxassoc=128
    nvram set wl0.1_closed=0
    nvram set wl0.1_crypto='tkip+aes'
    nvram set wl0.1_ifname=wl0.1
    nvram set wl0.1_mode=ap
    nvram set wl0.1_radio=1
    nvram set wl0.1_security_mode=wpaX_personal
    nvram set wl0.1_ssid=$GUESTWLAN
    nvram set wl0.1_wep=disabled
    nvram set wl0.1_wep_bit=128
    nvram set wl0.1_wme=on
    nvram set wl0.1_wpa_gtk_rekey=3600
    nvram set wl0.1_wpa_psk=$GUESTPASS
    nvram set wl0_vifs=wl0.1
    As I mentioned earlier in the thread, on one router that works perfectly. On the other I needed to add an additional line to set "wl0.1_hwaddr" to match what the driver wanted to use.
  72. teaman

    teaman LI Guru Member

    Not sure about those calls to the 'wl' command/binary, but here's a few important/relevant variables for creating manually an 'open' guest wireless network (no encryption at all):
    nvram set wl0_vifs='wl0.1'          # wl0/virtual interfaces
    nvram set wl0.1_ifname='wl0.1'      # wl0.1 interface name
    nvram set wl0.1_bss_enabled='1'      # this BSSID should be enabled
    nvram set wl0.1_ssid='guest'        # the SSID of this network
    nvram set wl0.1_closed='0'          # broadcast SSID
    nvram set wl0.1_mode='ap'            # access point mode
    nvram set wl0.1_radio='1'            # see NOTE below
    nvram set lan1_ifnames='vlan3 wl0.1' # interfaces bridged to LAN1/br1
    BTW - those were just copied from this wiki - please do read the whole article since the commands above simply do not tell the whole story...

  73. teaman

    teaman LI Guru Member

    Hi there! Indeed, there seems to be (still) a few problems lurking around in the MultiSSID web UI, sometimes causing problems at runtime. It took me a while, but I eventually was able to make it reproducible and figured out what seems to be the actual/underlying problem: the order of the interfaces mentioned on nvram vars such as lan_ifnames et al (it might be worth mentioning this particular problem should only be possible to occur/happen on dual-radio devices and even so, under very specific circumstances). And yes: I'm already working on how to fix this ;)

    There might be a temporary work around - have a look at your settings:
    nvram show | egrep \_ifnames\=\|vifs\|wl._ifname\=
    If you find something like this - we have wl0.1 (a virtual interface) mentioned before eth2, a physical wireless interface:
    lan_ifnames=vlan2 eth1 wl0.1 eth2
    Try changing things into something like this and this might solve things for now:
    nvram set lan_ifnames='vlan2 eth1 eth2 wl0.1'
    What wl_sunit() does? It's a javascript function that should return the 'sub-unit' of a particular wireless interface (non-primary/VIF). Have a look at router/www/wireless.jsx:

  74. e-gaulue

    e-gaulue Networkin' Nut Member

    Good job ! Go on !
  75. e-gaulue

    e-gaulue Networkin' Nut Member

    Just to inform of minor troubles.

    If you set a too short WPA password on one of your virtual wireless interface, you get a message of the kind "wl_wpa_psk is not set..." and not the message "Invalid pre-shared key. Please enter at least 8 characters or 64 hexadecimal digits" present in the advanced-wlanvifs.asp. You can't make anymore change through "Overview/save" and it's a little bit longer to understand where is the problem coming from.

    When everything is set, I don't know if it's a common behavior for a router, but it goes on adverting for all its IP addresses in all its subnets. I mean, if I'm in the subnet with a route to, I don't want to be able :
    1) to ping or even to get replies to ARP "who has ?" (and I do)
    2) to access to the router administration

    Any idea on how to remove this behavior. Is iptables the best and only way ? Or is there other tricky solutions ?

    Edited : I mean arptables for 1) but it's not in Tomato. Iptables for 2) should do the trick.
  76. e-gaulue

    e-gaulue Networkin' Nut Member

    Ok, here is just how I solved point number 2 described above.

    Situation: I want my router to allow those on br0 (and a secured private wireless SSID) to reach the computers of my society through an openvpn tunnel. I also want a broadcast less secure wireless network for all those who comes at home with their computer, iPad, iPhone (or like tools). Those shoulden't have the right to connect to the router and to the compagny openvpn tunnel.

    Here is what I've done: add rules in the firewall script:
    /usr/sbin/iptables -I FORWARD 1 -i br1 -o tun21 -j DROP
    /usr/sbin/iptables -D INPUT -i br1 -j ACCEPT
    /usr/sbin/iptables -A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    /usr/sbin/iptables -A INPUT -i br1 -p udp --dport 53 -j ACCEPT
    /usr/sbin/iptables -A INPUT -i br1 -p udp --dport 67 -j ACCEPT

    I don't think it can be made by simple UI.

    Regarding forbiding acces to the router from the bridge (4 last rules), maybe the best place to add an option would in the bridge definition... Here we just accept connection for DHCP and DNS.

    Regarding forbiding acces to the openvpn tunnel, the best place would be to see it in Advanced/VLAN. We could have an option like for Wireless devices, "Bridge tunXX to..." a possible bridge device. Here it's certainly harder as tunXX state is more subject to changes (connected, disconneted...).

    I didn't try, but we could also implement a solution where all those on the second wireless network could be linked to nocat.
  77. w0lfCry

    w0lfCry Addicted to LI Member

    I have updated my router to tomato-ND-1.28.7633.3-Toastman-VLAN-IPT-ND-Std.trx. It seems to work well with I disable the security. However, when enable "WPA2 Personal", it returns "The filend "wl_wpa_psk" is invalid. Please report this problem", am I am doing just that.
  78. e-gaulue

    e-gaulue Networkin' Nut Member

    I my case, it was due to a WPA password that didn't respect the rules: At least 8 characters and less than ... but I don't have my notebook (so the source) with me.
  79. teaman

    teaman LI Guru Member

    @w0lfCry, e-gaulue - as previously posted, we do seem to have a small problem on the MultiSSID webUI (Advanced -> Virtual Wireless page): a missing 'validation' regarding the WPA PSK/password length (as pointed out, should be a string with at least 8 and max 64 characters). When hitting the 'Save' button, the post/submit process could fail at some point, incomplete (with a laconic message such as 'The field "wl_wpa_psk" is invalid. Please report this problem.'). Therefore, you could have incomplete/inconsistent settings being saved - this could possibly prevent some of your (wireless) interfaces to be successfully configured/brought up when the network subsystem gets started/restarted.

    Thanks for bringing this up - I'll look into it.

  80. streppuiu

    streppuiu Networkin' Nut Member

    I have an e3000 and set up multi ssid on it (tomato-E3000USB-NVRAM60K-1.28.2025MIPSR2Teaman-RT-VLAN-PPTPD-VPN.bin), which works. But any guest vlan client is able to access all services on my router.

    This is bad especially for the file sharing which is enabled without authentication on my router and shouldn't be available to guests.
    The webgui is another big problem in this case, which shouldn't be available to access for guests while it should for my internal lan and wlan.

    I would like to block all access of guests:
    -to the router's services - all of them, especially file sharing and web gui
    -to other guest clients
    -to my private lan (already included in tomatousb)

    They should only have Internet access and absolutely nothing else. I have found this firewall command for ddwrt for restricting br1 from router services but when I try to use it in tomatousb I get an error:

    iptables -I INPUT -i br1 -m state —state NEW -j DROP

    Thank you in advance.
  81. fubdap

    fubdap Addicted to LI Member

    Did you follow the how-to instructions on the first post of this thread. Because, according to the instructions "By default, LAN bridges are isolated/unreachable from each other when created"

  82. shibby20

    shibby20 Network Guru Member

    private network br0 192.168.1.x
    guest network br1 192.168.2.x

    guestion: how to block samba shares for br1 and grand access only for br0 users?
    answer: add to custom configuration of samba:
    hosts allow = 192.168.1.

    well not really. They need access to DNS and DHCP services!
    Best Regards.
  83. fubdap

    fubdap Addicted to LI Member

    @shibby - where in your router do you put this: hosts allow = 192.168.1.

  84. shibby20

    shibby20 Network Guru Member

    as i said go to file sharing -> Samba Custom Configuration and put that line into textarea.
  85. fubdap

    fubdap Addicted to LI Member

    Thanks. it was not clear before, but it is clear now.

  86. streppuiu

    streppuiu Networkin' Nut Member

    Yes, I followed the how-to indicated at the beginning of this thread, the one at the url that ends with "E3000" ad-literam. Still, guests can access samba shares, web gui and ping each other. I probably forgot mentioning this, but br1(guest) is completely isolated from br0(private) so, indeed guests cannot ping private ips. So, this is what they meant in the how-to. But they can ping each other.

    My br0 is 192.168.0.x and br1 is 192.168.1.x

    shibby20, thanks, I will try that later. That will probably prevent br1 users from accessing my samba share.

    What about restricting access to the web gui and isolating guests from each other ? Is there a way to solve these too ?

    Is there a way to lock them out from absolutely everything except internet, dhcp and dns ? For example br1 users shouldn't be able to access my ftp and http server located on the router using internal ips, only the external ip (or domain name) of the router. So, for a 192.168.1.x (br1) user: should not work
    http://mydomain.com/apage.html should work if port 80 is open to wan

    assuming is the internal IP address of the router.

    Ideally, in my opinion, this sould be solved using some general rule (like some firewall set of rules that block everything needed), not as particular rules for each service (like the samba share fix suggested by shibby). Otherwise, we'll have to dig into the config files of each program (httpd, ftpd, transmission web ui, and possibly many others that one could have installed) and possibly forget setting up some of them leaving security holes open.
  87. fubdap

    fubdap Addicted to LI Member

    Don't know if this will help. But if you uncheck "Allow Wireless Access" ( see attached) then no-one can access your GUI though wireless connection. They can only through wired connection.

    Wireless Access.PNG
  88. gfunkdave

    gfunkdave LI Guru Member

    Just did this myself. I wanted users on the guest VLAN to not be able to access the router.

    iptables -I INPUT 10 -p tcp -m multiport --dports 22,23,80 -i br1 -d -j DROP
    iptables -I INPUT 10 -p tcp -m multiport --dports 22,23,80 -i br1 -d -j DROP
    Since the router lets users on any VLAN access the router by any of its IPs, you need a separate iptables rule for each IP address the router has.

    I inserted the rules just before the other rules for the VLANS - iptables processes rules in the order they appear, so we want this to appear before the rules allowing traffic through from each VLAN. The above code will drop connections to the web management, SSH, and telnet servers in the router.

    hth, gl
  89. streppuiu

    streppuiu Networkin' Nut Member

    fubdap, you are right, but the problem is that I need web gui access from my br0 network. Only br1 should be blocked. Unchecking that wil block wireless web gui access from br0 too.

    gfunkdave, you said "I inserted the rules just before the other rules for the VLANS...". I assume you mean inserting them into into the Administration>Scripts>Firewall tab. But I have no other rules for the VLAN traffic on that tab. Are there other hidden rules for the VLANs somewhere? Is it ok if I just add them to that tab or should I look for some config file and insert the rules there ?

    gfunkdave, your rules will block those 3 services. But isn't there a way to block everything except dns and dhcp using only one or two rules for example, by giving a port interval ? Something like "--dports 1-65500" instead of --dports 22,23,80, which is very fine, but if I add other programs to the router then I will have to add the port numbers they use each the time.

    There is this ddwrt rule that I found that they say is blocking access to all router services from br1. Could this be modified to work on tomatousb?

    iptables -I INPUT -i br1 -m state --state NEW -j DROP
  90. gfunkdave

    gfunkdave LI Guru Member

    Well, Tomato adds many iptables rules as it starts up that aren't in the user-viewable config scripts. You can view them by telnetting or sshing into the router (or going to the Tools-System screen on the web) and typing the command iptables -L -v.

    So, in the above, when I say I'm adding rules, I mean I'm adding rules to what Tomato has already put in place. All of Tomato's access restrictions and routing pretty much work through iptables rules. If you look at the INPUT chain in the results of that iptables -L command above, you'll see that there are rules in place for allowing traffic from br1 to others. You just need to ensure that rules you put in place come before the existing rule that allows all traffic from br1 since iptables uses the first rule in the list that matches, and stops processing rules after that. Make sense?

    So, I'm not an iptables expert but it looks like that rule will block all new connections from the br1 interface. I think you'd be able to browse the web since I think that goes through the FORWARD chain, but I'm not quite sure. You could probably do something like the following:

    iptables -I INPUT 1 -i br1 -p udp --dport 53 -d <router IP address>  -j ACCEPT
    iptables -I INPUT 2 -i br1 -p udp --dport 67 -d <router IP address>  -j ACCEPT
    iptables -I INPUT 3 -i br1  -d <router IP address> -j DROP
    Do that for each IP address of the router on each VLAN. Let me know if that works.
  91. streppuiu

    streppuiu Networkin' Nut Member

    Thank you very much gfunkdave, I will let you know as soon as I try those rules. But I'm afraid it will have to wait one or two days since I am not at home right now.
  92. streppuiu

    streppuiu Networkin' Nut Member

    I used the rules you proposed and everything seems to work fine. br1 clients are not able to access the web gui, samba shares, ssh using internat ips of the router but they can successfullly access the internet. This is exactly what I needed. Thanks again.

    There is only one problem now. br1 clients can still ping (access, see) each other. I need an "isolate access point"-like firewall rule but only for br1 clients. Do you have any idea how could this be accomplished?
  93. streppuiu

    streppuiu Networkin' Nut Member

    I tried the following rules to try to isolate br1 clients with no success:

    iptables -I FORWARD -i br1 -o br1 -j DROP

    iptables -I FORWARD -s -d -j DROP

    What am I doing wrong ? Thanks.
  94. ulyan

    ulyan Networkin' Nut Member

    Hi there, one thing, I am on the shibby's mod and I want to ask If there are any known issues when you set a WPA2 AES encryption on the virtual SSID. I mean connection problems. Somehow I can't connect and when I try and enter the password from my mobile the connect button grays out. I don't think it's the phone. Thanks.
  95. streppuiu

    streppuiu Networkin' Nut Member

    I happened to read somewhere that the traffic originating and destined to the same subnet doesn't pass through iptables. So, adding an iptables rule in order to isolate guest ntw (br1) clients is useless. This would explain why my rules (see above) do not work.

    They also said that the "AP isolation" feature is built into the drivers. I also saw that DD-WRT has the possibility of enabling "AP isolation" on each virtual wireless network separately and I believe this would be a wishlist item for future TomatoUSB releases. I think Teaman is the most entitled to answer to answer to these questions since he is the author of the MultiSSID feature, but I see he hasn't visited the forum (or at least this thread) lately

    Is there a "wishlist" somewhere for Teaman releases, that I could add this thing into? Thanks.
  96. tvlz

    tvlz Addicted to LI Member

    I've found the problem with multi-ssid
    After you setup and saved your virtual SSIDs you need to bring the wl interface down then up to get the right mac addresses. If you do this test in tools > system commands you'll see what I mean, the macs have to match.
    wl bssid
    wl -i wl0.1 bssid
    wl -i wl0.2 bssid
    wl -i wl0.3 bssid
    wl down
    wl up
    ifconfig eth1|grep HWaddr
    ifconfig wl0.1|grep HWaddr
    ifconfig wl0.2|grep HWaddr
    ifconfig wl0.3|grep HWaddr
    wl bssid
    wl -i wl0.1 bssid
    wl -i wl0.2 bssid
    wl -i wl0.3 bssid
    The code should be changed to have the save button bring the interface down then up to fix the problem.
  97. tvlz

    tvlz Addicted to LI Member

    You can't set it up that way, they need to be setup in order(wl0.1 before wl0.2, wl1.1 before wl1.2 etc.) the wireless driver sets the next available MAC address
    The test code show what the MACs are before you bring down the wl interface(first set of wl bssid lines) then it brings down & up the wl0 interface(wl down & up) shows what ifconfig has for MACs which have to match the last set of wl bssid lines.

    The wl down & up is all that is really needed, for 5Ghz radio I think it's wl -i eth2 down & up
    Will need to be redone after a reboot or settings change I think.

    Don't know
  98. zbeyuz

    zbeyuz Serious Server Member

    After executing the code, here is what I get:

    wl: wl driver adapter not found
    wl: wl driver adapter not found
    eth0 Link encap:Ethernet HWaddr 10:BF:48:D3:95:XX
    RX packets:567 errors:0 dropped:0 overruns:0 frame:0
    TX packets:583 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:90519 (88.3 KiB) TX bytes:464445 (453.5 KiB)
    Interrupt:4 Base address:0x2000

    wl0.1 Link encap:Ethernet HWaddr 12:BF:48:D3:95:YY
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    ifconfig: wl0.2: error fetching interface information: Device not found
    ifconfig: wl0.3: error fetching interface information: Device not found
    wl: wl driver adapter not found
    wl: wl driver adapter not found

    What should I do with it ?
  99. kthaddock

    kthaddock Network Guru Member

    I think you already have DONE it ! You have get "wl -i wl0.2 bssid" 12:BF:48:D3:95:YY
    eg raplaced "00:00:00:00:00:00" with "12:BF:48:D3:95:YY" to your "wl -i wl0.2 bssid"

    with "bring the wl interface down then up to get the right mac addresses"

    Is this with new wifi driver from Toastman and Shibby (version ?
  100. zbeyuz

    zbeyuz Serious Server Member

    Oh really, but it still says wireless driver error 000000 for both 2.4Ghz and 5Ghz.

    I don't know how to make it work correctly...

    Btw,I am using Shibby latest version 097.

Share This Page