
Wifi guest network, Tomato as AP with VLAN

Discussion in 'Tomato Firmware' started by GPz1100, Nov 7, 2017.

  1. GPz1100

    GPz1100 Network Guru Member

    I'm using several wifi routers as AP's (RT-AC68U, R7000, and something else). All running tomato firmware.

    Upstream of these routers is a hardware firewall appliance (sophos utm). It handles all dhcp, dns, routing, security, and other network related tasks.

    Since I have no need for any routing or firewall functions within the AP's, all those functions are disabled.

    My question is, considering the above, will guest networks still work on the routers with dhcp and other tasks performed at the router, or should I configure the guest wifi via vlan? I would also like non-guest wifi clients to have access to the full network.

    This also brings up the question of whether wifi can even be assigned to multiple vlans like ethernet.

    Any advice how to proceed?

    Thanks!
     
  2. Monk E. Boy

    Monk E. Boy Network Guru Member

    If you want the guests to be on a different network than the non-guests, then yes, you need to implement the two networks using VLANs. A VLAN is a Virtual LAN, meaning it's a discrete network from other VLANs, which are themselves discrete networks. Take two switches and don't connect them to each other, voila, you have two LANs. VLAN is the same concept, except you can implement VLANs without multiple Ethernet runs defining each LAN.

    I suggest reading up on VLANs so you can understand what it is you want to do.
     
  3. GPz1100

    GPz1100 Network Guru Member

    I know what a vlan is and what my ultimate goal is. My question was how to configure it in tomato.
     
  4. pomidor1

    pomidor1 Serious Server Member

  5. GPz1100

    GPz1100 Network Guru Member

    I think I need to clarify my confusion. Since the tomato based routers are all being used as AP's, services such as dhcp, dns, firewall, etc are all disabled. Am I correct in understanding that I'd be configuring the dhcp, dns, firewall rules, etc related to the vlan all on the upstream router/firewall appliance?

    From this pic - https://openlinksys.info/images/multissid/vlan_2.png

    He doesn't have any of the lan ports associated with vlan 3 as it's an internal bridge only. In my case I think I'd need to link it to one of the lan ports so data could flow to the firewall appliance. Likely even on a tagged vlan because the tomato box will also be used as a switch.
     
  6. Sean B.

    Sean B. LI Guru Member

    The configuration is rather straightforward. What needs to be confirmed before chasing tails is that your upstream router that is handling all DHCP/firewall etc supports VLAN tagging/trunking, as it will be required if you want to run more than one VLAN on any of the APs.

    **NOTE** Keep in mind that confirming the upstream router supports VLAN tagging/trunking does not guarantee it will be compatible with Tomato + the hardware you're running it on. Tagging/trunking functionality came in variations from manufacturers over the years and is still somewhat ambiguous on playing nice together.
     
    Last edited: Nov 9, 2017
  7. GPz1100

    GPz1100 Network Guru Member

    I do believe sophos utm is an enterprise level firewall/router appliance; it does support vlan tagging. NICs in use are intel I211 which I'm also sure support vlan tagging. You do bring up a valid point though, just because tomato supports some form of vlan tagging does not mean it's fully compatible with 802.1q.

    Let's assume it is.
     
  8. Sean B.

    Sean B. LI Guru Member

    In that case:

    For this description let's set some terminology. I will refer to the sophos utm as "main router" and the AP running tomato as the "AP". We will say ethernet port #1 on both main and AP are used to link them together. 2 VLANs will be used, VLAN3 will use the 192.168.1.x subnet and VLAN4 will use the 192.168.2.x subnet.

    On the main router: Both VLANs are created on the main router, VLAN3 with VID3 and bridge interface having the IP of 192.168.1.1 and DHCP range as desired within the subnet starting at 192.168.1.3. VLAN4 with VID4 and bridge interface having the IP of 192.168.2.1 and DHCP range as desired within the subnet starting at 192.168.2.3. Port #1 will be included in both VLANs and marked for tagging/trunking.

    On the Tomato AP: Disable the WAN. Configure the LAN as

    br0 - IP Address = 192.168.0.1 and DHCP disabled.
    br1 - IP Address = 192.168.1.2 and DHCP disabled.
    br2 - IP Address = 192.168.2.2 and DHCP disabled.
    Default gateway = 192.168.1.1

    For the VLANS on AP:

    VLAN1/VID1/br0 - remove all LAN ports.. leave set as DEFAULT
    VLAN2 = WAN - leave alone
    VLAN3/VID3/br1 - Add port #1 and check the box for tagged. Include any of the AP's other LAN ports you want in this VLAN, if any, however do not check the box for tagged and do not add any ports that are in the other VLAN.
    VLAN4/VID4/br2 - Add port #1 and check the box for tagged. Include any of the AP's other LAN ports you want in this VLAN, if any, however do not check the box for tagged and do not add any ports that are in the other VLAN.

    For the wireless section under VLAN, match the wireless interfaces to whichever bridge/VLAN you want them to be in.

    Depending on how the main router handles the VLANs, it may work just like this. However, the main router may want the gateways separated by VLAN. In which case you will have to add a static route on each bridge interface encompassing its respective subnet via'd to the corresponding subnet on the main router. IE: route dev br1 192.168.1.0/24 via 192.168.1.1 etc.

    VLAN ID's MUST MATCH AS CONFIGURED ON BOTH MAIN ROUTER AND AP.
     
    Last edited: Nov 10, 2017
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    Sophos UTM supports 802.11q tagging. Tomato's VLANs predate 802.11q. It may or may not work, you may need to run individual untagged ports into a 802.11q capable switch to handle the tagging/untagging between the Tomato routers and the Sophos. So one untagged VLAN per port run from Tomato into multiple switch ports and then the port connected to Sophos does 802.11q. There's a little 5-port Netgear switch that runs around $40-$50 that does 802.11q tagging.
     
    Last edited: Nov 9, 2017
  10. GPz1100

    GPz1100 Network Guru Member

    ^^Yes, a managed switch would be easier. I already have these, so will give it a shot. Should have time tomorrow or Saturday to mess with this.
     
  11. i1135t

    i1135t Network Guru Member

    GPz1100, I have the same setup as you. It will work. I'm running Ubuntu Server as my gateway instead of sophos. Everything stated above is correct.

    1. set up your br(x) interfaces in tomato and assign vlan IDs to the network interfaces
    2. associate the wlans to the interfaces you want them on
    3. set up 802.11q switch with tagged vlan IDs defined in tomato (might not be necessary if your gateway supports vlan tagging or trunk)

    I had to create my vlan interfaces and configure dnsmasq with network configs (actually have two instances running since I wanted my guests to route via opendns). Also, I had to properly separate my networks via iptables on my gateway so each network is "truly" vlan'ed since they all share a common gateway for dns/dhcp. Good luck because it can get intimidating but once it works, it'll be worth it!
     
  12. GPz1100

    GPz1100 Network Guru Member

    I made some headway on this today. Routers apparently already had somewhat recent versions of ddwrt so I tried with that first. Tagged vlans worked as expected using the gui to configure. It wasn't until I tried to add untagged vlans to the mix (technically a single untagged vlan). Ddwrt's support of this is through CLI only it appears. Making sense of it didn't go over too well. I said screw it and put tomato on. Success with both tagged and untagged.

    I really don't care which firmware is used. Wifi performance with both has improved greatly. Ddwrt doesn't force you to add ip's to the bridges (br). Tomato does. Not a big deal, but adds more things to keep track of.

    What happens in tomato if you want to add more than 4 bridges? Seems the ui only lets you create br0..4

    I don't know if I'll need more than 4, but it looks like I really have only 3 to play with as br0 is assigned already?

    In more positive aspects of this exercise, utm interfaced nicely with tomato/ddwrt, dhcp and routing worked without a hitch once configured. Routing and firewall rules too. Essentially all the packet routing is offloaded to the utm.

    @i1135t dnsmasq in ubuntu or in the tomato router? One of my primary goals (which I think has been achieved) is to not have to do any iptables config or anything similar on the router. Just want to behave like a semi smart switch and AP only. There will be some bridging of wlans for primary and guest networks, but that's about it.

    This exercise is aided by the fact that my utm is in a box that has 4 nics of which only 2 are in use, and 2 spare RT-AC68U's. This doesn't require taking down the whole network while making sense of this mess.

    Oh, and to add one more layer of complexity, utm is run under esxi on the above box.
     
  13. i1135t

    i1135t Network Guru Member

    Dnsmasq is disabled on my APs since I want all my lookups passed to the gateway. I was referring to my Ubuntu box. You running utm as a VM on ESX? Why not have dedicated hardware for the gateway? I don't know of the limit of 4 interfaces in tomato so others can chime in if there's a way to add via cli. Make sure the different interface traffic doesn't bleed into each other. Run wireshark and/or test connecting to clients on different vlans to ensure privacy.
     
  14. GPz1100

    GPz1100 Network Guru Member

    The box came with 8gb of ram. UTM barely uses 2gb. Thought I'd put the rest to good use by running a few other servers such as pbx, a ups monitor, and something else (tbd). ESXi is on a static ip on a totally different subnet than anything else on the network. Good point about testing the insulation between vlans and interfaces.

    As a non linux person I've been very impressed with utm. I may give pfsense a try at some point too. I do find it more difficult to configure.
     
  15. GPz1100

    GPz1100 Network Guru Member

    Goal:
    Once completed, network topology will be as follows:

    Modem <> UTM box (4 nics) <vlans> R7000 <vlans> RT-AC66U <vlans> <> RT-AC68U

    Each RT or R7000 unit will serve as a 2.4/5ghz wifi ap along with isolated guest network and carry vlan traffic to the next router. Untagged ports will be assigned to vlans for IoT uses, VOIP, and to feed dumb switches. A serial network arrangement like this isn't ideal. Given the physical layout of the premises, that's what I have to work with.

    More issues, more progress, more headaches!!!

    I ran into more challenges trying to add standard (not virtual) wifi to the tagged vlan. After some hours, returned back to ddwrt. Getting the initial vlan config had to be done through gui. I finally made sense of the port numbering as it relates to /proc/switch/eth0/vlan/X. For some reason, settings in nvram don't work when it comes to trying to set up a port with tagged and untagged vlans.

    In case anyone cares, they are as follows (DD-WRT v3.0-r33675M kongac (11/03/17)):

    RT-AC68U
    0 - wan
    1 - lan 1
    2 - lan 2
    3 - lan 3
    4 - lan 4
    5 - cpu
    ---
    RT-AC66U (DD-WRT v3.0-r33607 giga (10/25/17))
    Same except 8 for cpu
    ------

    There's still much more work to do, but to get an understanding I wanted to start out with 2 vlans, vlan1 (untagged) and vlan 3 (tagged). For testing, an unused interface on firewall was set up similarly - untagged and vlan 3. Both on different subnets, dhcp servers, etc.


    For ease of testing, wifi endpoints were used. Eth1 (2.4ghz) was bridged to the untagged vlan1, and eth2 (5ghz) bridged to vlan 3.


    Setting up the bridges was done through the GUI. The real fun was in the console. Initial vlan config was in the GUI too, but this didn't set the port tagging properly.

    It took hours to arrive at these 4 lines :)

    Code:
    # delay before rewriting the port maps after boot
    sleep 10
    # empty VLAN 2 (the unused WAN VLAN) so it holds no ports
    echo "" > /proc/switch/eth0/vlan/2/ports
    # VLAN 1 (default/untagged): ports 0-4 untagged, CPU port 5 tagged and marked default (*)
    echo "0 1 2 3 4 5t*" > /proc/switch/eth0/vlan/1/ports
    # VLAN 3 (tagged): trunk port 0, LAN port 1 and CPU port 5, all tagged
    echo "0t 1t 5t" > /proc/switch/eth0/vlan/3/ports
    
    Much difficulty was encountered in figuring out if I wanted port 0 tagged, or default or untagged (u) for vlan1. My understanding is since vlan1 is assigned as the default vlan, it doesn't get tagged. Since port 0 (wan) is my trunk line, other vlans on it do need to be tagged (such as with vlan3 with "0t 1t 5t").

    It seems I can't get rid of vlan2 (see bridging table above), even though it's unselected in the vlan tab. It keeps coming back after a restart. It just won't get used.

    Things are progressing well and I've learned much in the last few days. Eventually I'll update main equipment on the network once I'm satisfied with the test set up.

    Edit: Just realized this is in the tomato section. My apologies. I was truly undecided which firmware to use for this. Went with ddwrt only because of the added versatility of the network bridging section.
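A consistency check for the switch port maps written to /proc/switch/eth0/vlan/X/ports in post #15, which also applies post #8's rules that an untagged port belongs to only one VLAN and that the VLAN IDs on both ends of the trunk must match. This is an added example, not code from the thread or from DD-WRT/Tomato; AP_MAP is constructed from post #15's RT-AC68U port numbering and the `*` marker is assumed to mean the port's default VLAN (PVID).

```python
import re

# Token syntax of /proc/switch/eth0/vlan/<vid>/ports as posted: "<port>" = untagged
# member, "<port>t" = tagged member, trailing "*" = port's default VLAN (PVID, assumed).
TOKEN_RE = re.compile(r"^(\d+)(t?)(\*?)$")

# Constructed from post #15's RT-AC68U map: 0 = WAN (the trunk), 1-4 = LAN, 5 = CPU.
AP_MAP = {1: "0 1 2 3 4 5t*", 2: "", 3: "0t 1t 5t"}

def parse_ports(spec):
    """Parse one ports string into {port: (tagged, is_default)}."""
    members = {}
    for tok in spec.split():
        m = TOKEN_RE.match(tok)
        if not m:
            raise ValueError(f"bad port token {tok!r}")
        members[int(m.group(1))] = (m.group(2) == "t", m.group(3) == "*")
    return members

def check_vlan_map(vlan_map, cpu_port):
    """Return a list of problems; an empty list means the map is consistent."""
    problems = []
    untagged_owner = {}  # port -> the single VLAN it is an untagged member of
    for vid, spec in vlan_map.items():
        members = parse_ports(spec)
        if not members:  # an emptied VLAN (vlan 2 above) is simply unused
            continue
        # The posted maps tag the CPU port so the bridge receives each VLAN's frames.
        if cpu_port not in members or not members[cpu_port][0]:
            problems.append(f"vlan {vid}: CPU port {cpu_port} missing or untagged")
        for port, (tagged, _) in members.items():
            if tagged:
                continue
            # Post #8's rule: an untagged port sits in exactly one VLAN, else networks merge.
            if port in untagged_owner:
                problems.append(f"port {port}: untagged in vlan {untagged_owner[port]} and vlan {vid}")
            else:
                untagged_owner[port] = vid
    return problems

def trunk_vids(vlan_map, trunk_port):
    """(native VID or None, set of tagged VIDs) on the trunk port; the upstream
    end of the link must be configured with the same IDs (post #8)."""
    native, tagged = None, set()
    for vid, members in ((v, parse_ports(s)) for v, s in vlan_map.items()):
        if trunk_port in members:
            if members[trunk_port][0]:
                tagged.add(vid)
            else:
                native = vid
    return native, tagged
```

Run it against the map you intend to write: for post #15's map it reports no problems and shows vlan 1 native plus vlan 3 tagged on port 0, which is what the upstream port must be set to.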
     
