Creating a separate Ethernet network

Discussion in 'Tomato Firmware' started by 90Ninety, Jan 28, 2019.

  1. 90Ninety

    90Ninety Network Newbie Member

    I am creating a 'lab network' which is on a different range ( 10.10.1.X/24 ). To do this I connected up Tomato ( Asus RT-N16 tomato 1.28 by shibby) to our main network , via the WAN , then I created a separate DHCP range then configured it to a VLAN and assigned to a single port on the router ( LAN 2 )
    This works perfectly for the Lab, however , is it possible to assign one or more of the other spare ports to the WAN ?

    For example

    Regular work network 10.0.0.x ( in Wan )
    Lab network 10.0.1.x ( Lan 1 )
    Work network 10.0.0.x ( Lan 2 )

    I am short of work network ports , so I would appreciate it if I could basically use the spare ports, would like some pointers or guidance if possible?

    [Edit] I have edited the network settings to reflect the later posts configurations
    Last edited: Jun 14, 2019 at 3:14 PM
  2. rs232

    rs232 Network Guru Member

    Yeap. Considering you're using tomato as a LAN device WAN is just a port.
    Just head to the Advanced/VLAN page. Before you ask, for your scenario (single device) you don't need tagging just put the port in the right VLAN and you're good to go. You just need to get familiar with the matrix approach that page offers but it's not difficult really.
  3. 90Ninety

    90Ninety Network Newbie Member

    Apologies I'm still a bit of a Network Rookie , the Tomato WAN settings are set to DHCP , so would receive IP address from the Next hop ( Business Router ) . So not really sure if WAN is just a port , or is being used to route traffic ( lab) to/from internet ?

    From within Tomato basic at first I created two bridges ( two LANS , BR0 , and BR1 ) each with their own DHCP range .
    Existing Business LAN 10.10.0X/24
    Bridge 0: ~
    Bridge 1: ~

    The idea in mind was to create a matching scope for the existing WAN infrastructure , thinking that I could access devices on the business LAN from the Bridge0 while having the LAB on Bridge1

    I then created VLANs , to Assign VLANs to the Bridges .
    I selected Ports & 2 to Bridge 1 and assigned them to VLAN 1
    I selected Ports 3 & 4 and assigned them to VLAN 2

    This works on the LAB side just fine , however Bridge 1 cannot access the wider business network .

    Last edited: Jun 14, 2019 at 3:15 PM
  4. Sean B.

    Sean B. Network Guru Member

    Don't use the WAN port. Under Basic->Network set the WAN type to disabled. This will bring up a box for default gateway, enter the IP address of the business LAN's gateway/router ( IE: ). Assign br0 an IP address from the existing business LAN ( outside of its DHCP pool range, or get a DHCP reservation from the business LAN ) we'll say it's . Disable DHCP on br0 . Now let's say you're using LAN port #1 for your lab network connection, and you want ports 2 - 4 to be connected to the business LAN as normal. Under Advanced->VLAN add port #1 to VLAN3/br1 and ports 2 - 4 to VLAN1/br0 . Now clients which connect to ports 2 - 4 will receive a DHCP address from the business LAN's router/gateway and can access the network devices as normal. While port #1 will be segregated.
  5. 90Ninety

    90Ninety Network Newbie Member

    Thanks SeanB and rs232 for your help

    I finally managed to now segregate the networks ( after making mistakes ) . So far I have as follows (also attached) ,
    Bridge 0 (BR0), Work Network, IP: ( settings page attached ) DHCP= Disabled
    Bridge 1 (BR1 ) Lab Network, IP: , DHCP Enabled , Range

    VLAN Matrix ( also Attached) :
    • Work Network VLAN1 (default) , VID1, Ports 2-3 Non tagged , BR0
    • LAB Network VLAN2 , VID2 , Ports 1 & 4 , Tagged , BR1
    Now my question is , How do I access the Internet from the LAB network ?
    [Edit] I would like to add the gateway of the work network is also a Shibby Tomato Router ( RT N66U)

    I am guessing I should add a route between the VLAN 3 ( lab network ) to the work network ? Just too NEWB to know how yet :/

    Attached Files:

    Last edited: Jun 7, 2019
  6. 90Ninety

    90Ninety Network Newbie Member

    Bump ,

    Does anyone know how I would get internet to the Segregated network ?
  7. eibgrad

    eibgrad Network Guru Member

    It's still not clear to me how this router is intended to be used, and for what purpose. I've heard a reference to a "work" port, but not sure if this is say, a VPN to your workplace.

    What I can tell you is that I have many "lab" routers that I use for testing purposes, all of which have their WAN facing the primary network, so internet access is NOT an issue. And if I need to use one of the lab routers, I just connect to its LAN side with either wired or wireless. And if I also wanted to sub-divide that router into separate VLANs and assigned bridges, that's possible too.

    So again, I'm not fully understanding how this router is intended to be used. But it *sounds* like from the little I've been able to gather from the current posts that there's no reason this router shouldn't be treated like any other secondary router, which means having it's WAN connected to the LAN of the primary router. But then maybe I'm missing something.
  8. 90Ninety

    90Ninety Network Newbie Member

    Apologies if not clear ; Let me try to explain further , in principle I am creating a learning environment where I can 'play around' with Windows server and client computers ( DC, ADDS , etc. ) during downtime , that will not affect our production network . To do this , I had a concept of creating a separate sub network and or VLANs. I have just one small desk , so ideally just using one routing switch , with one patch-point connection to the production network
    The environment is a small company I work on some projects with , there is a small network handled by a separate RT N66U ASUS router with around 20 - 30 computers , a printer and a NAS - I will refer to this as 'Work' or 'production' network . This network is on One Network ( 10.10.0.X/24) , One DHCP scope is handled by the router , and distributed through two Switches ( without any management configurations ) .

    Yes this is what I want to do in this particular case , on my desk I currently have one patch cable going to the production switch ( I can patch another later if absolutely necessary ). The idea was to divide the tomato , to serve as both environments ; production for my regular projects on two ports , and have the other one port for the LAB server

    I think your inclination is correct , unfortunately I am just neither explaining well enough , nor experienced enough to fully understand what I am doing but , I hope this helps?
  9. eibgrad

    eibgrad Network Guru Member

    Well, given the above, I don't see why you would ever use a bridged (LAN to LAN) configuration. Using a routed config (WAN to LAN), the WAN will simply get an IP from the workplace LAN via DHCP and you can experiment all you like behind that WAN without disturbing the workplace network.

    You also mentioned something about adding ports to the WAN, which I didn't understand. IOW, the following makes no sense to me.

    Regular work network 10.0.0.x ( in Wan )
    Lab network 10.0.3.x ( Lan 1 )
    Work network 10.0.0.x ( Lan 2 )

    You never want the same IP network on both sides of the WAN. Not unless you're trying to create some sort of bridge between LAN 2 (is this a VLAN?) and the workplace network.

    So if you want to create multiple IP networks behind that WAN, you can create additional VLANs and/or VAPs, each w/ their own unique IP network, and NONE of which should be using the IP network assigned to the WAN.
  10. Sean B.

    Sean B. Network Guru Member

    First thing I see is your default gateway is wrong. You set it as the br1 IP, when you need to set it as the IP of the upstream router. There is no reason LAN to LAN will not provide internet. But as anything else, it won't work if not set up right. I recommend against WAN to LAN. All you're doing is creating a pointless double NAT situation.
  11. eibgrad

    eibgrad Network Guru Member

    Yes, it's nice to avoid a double NAT situation. Esp. when it's only your home network. But the reason I recommended a routed config (WAN to LAN) rather than bridged config (LAN to LAN) is because he's messing around on his workplace network! The last thing you want to do is be bridged to the workplace LAN while you're fiddling around w/ your various configurations. Next thing you know you make a mistake, perhaps enable a DHCP server by mistake, and the administrator comes around asking what the heck you're doing. If he remains behind his own WAN, there's far less risk. And I'd gladly accept a double NAT over the risk of messing w/ the workplace LAN.
  12. Sean B.

    Sean B. Network Guru Member

    His lab network is separated by VLAN, broadcast domain, and network segment. If you need more isolation than that ( in regards to accidental configuration mishaps ) it should probably just be stand-alone. However, to be overly cautious, one could add a simple iptables rule such as:

    iptables -t filter -A FORWARD -i br1 -d -j DROP
    Which will prevent even routed traffic from hitting the work network, though routed configuration mistakes on the lab side are highly unlikely to cause disruption on the work side.
    Last edited: Jun 8, 2019
  13. Sean B.

    Sean B. Network Guru Member

    And BTW, while I haven't fully read through the latest posts, I would venture to guess the lack of internet on the lab network side is caused by either:

    A) By default, firewall rules prevent traffic forwarding between the networks, not by IP/mask destination but by in and out interfaces. This may very well be blocking attempts to route through br0 to br1. For testing, catch-all accept rules can be used:

    iptables -t filter -I FORWARD 1 -i br0 -o br1 -j ACCEPT
    iptables -t filter -I FORWARD 2 -i br1 -o br0 -j ACCEPT
    B) Configure a static default route for the lab network side.
    Last edited: Jun 9, 2019
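    The two posts above put an isolation rule (appended with -A) and a pair of catch-all ACCEPT rules (inserted with -I FORWARD 1 / 2) into the same FORWARD chain, and iptables is first-match, so their relative order decides whether the DROP ever fires. The script below is an added example, not code from this thread or from Tomato: it models first-match FORWARD evaluation for br0 (work) and br1 (lab) so the order can be checked before anything goes into Administration > Scripts > Firewall. The network ranges are the ones the thread names (10.10.0.0/24 work, 10.10.1.0/24 lab); the host addresses are constructed. The stock Tomato FORWARD rules are not on the page, so the "default" chain is an assumption that reproduces the behaviour Sean B. describes (bridge-to-bridge forwarding blocked by interface). Connection tracking (ESTABLISHED/RELATED) is not modelled.

```python
"""First-match model of the iptables FORWARD chain for a br0/br1 Tomato setup.

Added example, not from the thread or from Tomato. Ranges are from the thread;
hosts are constructed; the stock rule set is an assumption (see default_chain).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

WORK_NET = ipaddress.ip_network("10.10.0.0/24")  # work LAN, from the thread
LAB_NET = ipaddress.ip_network("10.10.1.0/24")   # lab LAN, from the thread


@dataclass
class Rule:
    target: str                                   # ACCEPT or DROP
    in_if: Optional[str] = None                   # -i
    out_if: Optional[str] = None                  # -o
    dst: Optional[ipaddress.IPv4Network] = None   # -d

    def matches(self, in_if: str, out_if: str, dst_ip: ipaddress.IPv4Address) -> bool:
        if self.in_if is not None and self.in_if != in_if:
            return False
        if self.out_if is not None and self.out_if != out_if:
            return False
        if self.dst is not None and dst_ip not in self.dst:
            return False
        return True

    def as_command(self, how: str) -> str:
        """Render the iptables command that creates this rule ('-A FORWARD', '-I FORWARD 1', ...)."""
        parts = ["iptables", "-t", "filter", how]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.dst:
            parts += ["-d", str(self.dst)]
        parts += ["-j", self.target]
        return " ".join(parts)


@dataclass
class ForwardChain:
    rules: List[Rule] = field(default_factory=list)
    policy: str = "DROP"
    script: List[str] = field(default_factory=list)  # commands in the order issued

    def insert(self, position: int, rule: Rule) -> None:
        """iptables -I FORWARD <position>: place the rule at a 1-based position."""
        self.rules.insert(position - 1, rule)
        self.script.append(rule.as_command(f"-I FORWARD {position}"))

    def append(self, rule: Rule) -> None:
        """iptables -A FORWARD: the rule goes to the end, below everything inserted."""
        self.rules.append(rule)
        self.script.append(rule.as_command("-A FORWARD"))

    def verdict(self, in_if: str, out_if: str, dst: str) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        dst_ip = ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(in_if, out_if, dst_ip):
                return rule.target
        return self.policy


def default_chain() -> ForwardChain:
    # ASSUMPTION: stock firewall blocks forwarding between the bridges by
    # interface pair, as described in the thread, not by destination address.
    return ForwardChain(rules=[Rule("DROP", in_if="br1", out_if="br0"),
                               Rule("DROP", in_if="br0", out_if="br1")])


ACCEPT_WORK_TO_LAB = Rule("ACCEPT", in_if="br0", out_if="br1")   # post 13, rule 1
ACCEPT_LAB_TO_WORK = Rule("ACCEPT", in_if="br1", out_if="br0")   # post 13, rule 2
DROP_LAB_TO_WORK_NET = Rule("DROP", in_if="br1", dst=WORK_NET)   # post 12, with -d filled in


def chain_as_posted() -> ForwardChain:
    """ACCEPTs via -I 1/2 and the DROP via -A: whatever the typing order,
    the DROP lands below the ACCEPTs and is never reached for br1->br0."""
    chain = default_chain()
    chain.insert(1, ACCEPT_WORK_TO_LAB)
    chain.insert(2, ACCEPT_LAB_TO_WORK)
    chain.append(DROP_LAB_TO_WORK_NET)
    return chain


def chain_with_isolation_first() -> ForwardChain:
    """Same rules, but the DROP is inserted at position 1 after the ACCEPTs,
    so lab->work-LAN is dropped while lab->internet still passes via br0."""
    chain = default_chain()
    chain.insert(1, ACCEPT_WORK_TO_LAB)
    chain.insert(2, ACCEPT_LAB_TO_WORK)
    chain.insert(1, DROP_LAB_TO_WORK_NET)
    return chain


if __name__ == "__main__":
    for name, chain in (("as posted", chain_as_posted()),
                        ("isolation first", chain_with_isolation_first())):
        print(f"[{name}] lab -> work host 10.10.0.50:", chain.verdict("br1", "br0", "10.10.0.50"))
        print(f"[{name}] lab -> internet 8.8.8.8:   ", chain.verdict("br1", "br0", "8.8.8.8"))
        print("\n".join("  " + line for line in chain.script))
```

    Note that the isolation rule, as written in the thread, matches every packet entering br1 with a work-LAN destination, so it also drops replies to connections that a work host opened towards the lab; a -m state --state ESTABLISHED,RELATED exception above it would be needed if that direction is wanted.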
  14. 90Ninety

    90Ninety Network Newbie Member

    In Post #5 there are screenshots of the most recent basic network settings, these are as follows :
    Gateway IP: ( this is pointed at the work/production network router which is the gateway to the internet)
    BR0 IP
    BR1 IP:

    Perhaps you are looking at an earlier post , the Router gateway and the LAN bridge gateway are different - unless I am mistaken?

    Yeah I had this work this way before . which was fine to start with but I fancied learning VLANs , seems more of an elegant solution.
  15. Sean B.

    Sean B. Network Guru Member

    You're right, I must have misread, my mistake. Did you try the iptables rules? As I mentioned, by default the firewall rules block forwarding between bridge interfaces. This would most certainly prevent traffic to/from br1 from traversing br0 to reach the internet.
  16. 90Ninety

    90Ninety Network Newbie Member

    I don't know what it means but , I just entered the iptables script ( copied and pasted ) within the administration>firewall>scripts page . I then rebooted the router and started a continuous ping to the upstream router from the lab network . So far the ping does not get through , neither is there internet yet . Still something wrong .

    Some other findings;
    I am able to ping Bridge 0 (BR0 ,IP : , from the lab Server on Bridge 1 (BR1 , IP: and I can ping the BR1 LAB IP ( from the BR0 IP LAN ( Vice-Versa )
    Does VLAN tagging make any difference ?
    Last edited: Jun 17, 2019 at 4:29 PM
  17. Sean B.

    Sean B. Network Guru Member

    Run a traceroute ( tracert in Windows ) from a client on the br1 network to a destination on the internet. Post output here please.
  18. 90Ninety

    90Ninety Network Newbie Member

    I ran CMD : 'tracert ' then returns 'Unable to resolve target system name'


    I added DNS entries in the Basic> network pages
    Static DNS 1:
    Static DNS 2:

    Then I try tracert again and get a different message :

    Tracing route to []
    Over Maximum of 30 Hops :

      1    <1 ms    <1 ms    <1 ms  unknown-lan1 []
      1    <1 ms    <1 ms    <1 ms  Request Timed Out.
      1    <1 ms    <1 ms    <1 ms  Request Timed Out.
      1    <1 ms    <1 ms    <1 ms  Request Timed Out.
      1    <1 ms    <1 ms    <1 ms  Request Timed Out.
  19. 90Ninety

    90Ninety Network Newbie Member

    Made edit to last reply
  20. Sean B.

    Sean B. Network Guru Member

    Reading back through to this post:

    Unless I overlooked it, I don't see you stating what the connection is from this router to the work network. Is it still connected via the WAN port?