Two tomatoes: router + AP (internet+LAN) + guest wifi (internet only)

Discussion in 'Tomato Firmware' started by h0m3b0y, Mar 3, 2014.

  1. h0m3b0y

    h0m3b0y Reformed Router Member

    Here is my situation:
    I have one RT-N66U (tomato#1) running tomato shibby located in the basement, connected to a FTTH switch and to my LAN switch. This one is in router mode only, wifi is off.
    I have a second RT-N66U (tomato#2) running tomato shibby located on the first floor, connected to the first RT-N66U via my LAN switch. This one is in AP mode only, wifi is on.

    I have set these up so I can access the internet either from wired wall sockets in my house (connected to my LAN switch) or via wifi (provided by tomato#2).

    I followed this guide (thank you google translate) but sadly no access to internet from guest SSID, normal access to internet and LAN from home SSID. Both SSIDs connect, both assign client IP address (for respective subnet). My guess is that this guide is written for one-router setup.

    How would one set up router and AP (both running latest tomato shibby) to allow home SSID to access internet+LAN and guest SSID to access internet only?
    How would one tweak this configuration to limit guest SSID bandwidth to a low value (1 mbps for example)?
    Is it possible to do this via captive portal? ("Catch" each unknown device on guest SSID and direct it to enter password, then give them bandwidth-limited access to internet only for a limited amount of time)

    If anyone has a link to a tutorial that would help in my situation, please guide me to it! :(
  2. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Some folks like to piggyback the AP-Guest wifi off the AP-Main's internet, and use iptables to block access to the Main's subnet. A google search can turn up some results, I see similar Q/A in dd-wrt forums.

    Other solution is vlan trunking. I've used that in the past but it's a little more frustrating to set up (hard to debug where you go wrong, when you're slightly wrong it just won't work). See as an example.
  3. eibgrad

    eibgrad Network Guru Member

    The reason you don't have internet access on the guest SSID of the AP is probably because you haven't NAT'd that network. You've introduced a new network (e.g., 192.168.2.x) within the context of the primary network (e.g., 192.168.1.x). So packets from the 192.168.2.x network have a source ip that’s unknown on the primary network, and thus the default gateway of the primary network doesn’t know where to send replies. So it just sends it out its own default gateway: the WAN. But by NAT’ing the 192.168.2.x network, all those clients will have a KNOWN source ip equal to the LAN ip of the AP on the primary network. So it’s either NAT it:

    iptables -t nat -I POSTROUTING -o br0 -j MASQUERADE

    … or else add a static route to the primary router that points to the AP as the gateway to the guest network:

    Subnet Mask:
    Gateway: <lan-ip-of-ap-on-primary-network>
    Last edited: Mar 4, 2014
    Incidentflux likes this.
  4. h0m3b0y

    h0m3b0y Reformed Router Member

    Thanks for the help!

    Adding a static route AND changing mode on the second router from "gateway" to "router" gave me access to the internet from guest SSID, but it also gave me access to my intranet. Do I have to manually block guest access via IP tables, or is there an option in tomato firmware I could use?

    Also please confirm that the correct place to write iptables scripts is Administration->Scripts->Firewall.

    I tried to do it via the linked method from Malitiacurt but locked myself out of both routers and had to do a hard reset on them. Might try that one again and follow the instructions more carefully and hopefully divide both networks so they can not see each other.
  5. eibgrad

    eibgrad Network Guru Member

    The fact you now have access to the primary network from the guest network is expected. The lack of NAT (or static route) was preventing access to both. You need a firewall rule on the AP to block access from the guest network to the private network:

    iptables -I FORWARD -i br1 -o br0 -d -j DROP

    And yes, you need to add this to the firewall script.
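The two rules eibgrad gives above (MASQUERADE in the NAT table, DROP from the guest bridge to the primary LAN in FORWARD) combined into one Tomato firewall script for the AP, as an added example that is not from the thread. It assumes the thread's example addressing (primary LAN 192.168.1.0/24 on br0, guest on br1) and adds an idempotency check, since Tomato re-runs the firewall script on each WAN/LAN restart and plain `-I` would stack duplicate rules; where `iptables` is not installed it falls back to printing the rules instead of applying them.

```sh
#!/bin/sh
# Tomato Administration->Scripts->Firewall script for the AP (tomato#2).
# Assumptions (labelled): primary LAN bridge br0 with subnet 192.168.1.0/24,
# guest bridge br1. Override via environment if your addressing differs.
IPT="${IPT:-iptables}"
PRIMARY_IF="${PRIMARY_IF:-br0}"
GUEST_IF="${GUEST_IF:-br1}"
PRIMARY_NET="${PRIMARY_NET:-192.168.1.0/24}"

# Preview mode: if iptables is not available here, just print the rules.
command -v "$IPT" >/dev/null 2>&1 || IPT=echo

# Insert a rule only if an identical one is not already present (-C), so that
# Tomato re-running this script does not accumulate duplicate rules.
add_rule() {
    table="$1"; shift
    if [ "$IPT" != "echo" ]; then
        "$IPT" -t "$table" -C "$@" 2>/dev/null && return 0
    fi
    "$IPT" -t "$table" -I "$@"
}

guest_rules() {
    # 1. Block forwarded guest traffic addressed to the primary LAN. Inserted at
    #    the top of FORWARD so it is matched before any later ACCEPT rule.
    add_rule filter FORWARD -i "$GUEST_IF" -o "$PRIMARY_IF" -d "$PRIMARY_NET" -j DROP
    # 2. Masquerade guest traffic leaving over br0, so guest clients appear with
    #    the AP's own LAN address and the primary router can return replies.
    add_rule nat POSTROUTING -o "$PRIMARY_IF" -j MASQUERADE
}

guest_rules || echo "warning: could not apply guest rules" >&2
```

After applying, `iptables -S FORWARD | head` on the AP should show the DROP rule first; if a later ACCEPT precedes it, the guest network can still reach the LAN.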