Getting beyond the four bridge limit

Discussion in 'Tomato Firmware' started by Steve Christensen, Dec 15, 2017.

  1. Steve Christensen

    Steve Christensen New Member Member

    I was wondering if there was a good way to add a fifth bridge to Shibby Tomato, as the GUI limits it to a maximum of four bridges. My searches for this topic have come up empty, so am just curious if anyone has ever been able to successfully relax this restriction.
  2. ajtish

    ajtish Connected Client Member

    I too had looked into this and didn't find anything. I tried to edit and compile the source code and was not able to get it to work with more than 4 bridges. Bricked a few routers in my efforts as well.

    I may start down the road of doing something in the firewall script to create a new interface and set firewall rules, but haven't dug into going that route yet.
  3. Steve Christensen

    Steve Christensen New Member Member

    Thanks for the reply, that's what I was afraid of. I have four different parties that need to share a printer, so I was going to put the printer on the 5th bridge to keep everything securely separated. There's probably another way to achieve this, but I don't have a lot of experience or confidence in networking to set this up.
  4. Sean B.

    Sean B. LI Guru Member

    root@Storage:/tmp/home/root# brctl addbr br2
    root@Storage:/tmp/home/root# brctl addbr br3
    root@Storage:/tmp/home/root# brctl addbr br4
    root@Storage:/tmp/home/root# brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.0862663a5720       no              eth2
    br1             8000.0862663a5720       no              eth1
    br2             8000.000000000000       no
    br3             8000.000000000000       no
    br4             8000.000000000000       no
  5. mw333

    mw333 Networkin' Nut Member

    I saw a post regarding changing the limits of a for loop but nothing on successful implementation. Although this may not help you, you can create additional VLANs that are not bridged. For example, an RT-n66u utilized as a multi-SSID AP connected to an opnsense gateway.

    I recently needed an untagged VLAN1 as part of an existing trunk (VLAN2 - br0, VLAN3 - wan, VLAN4 - br1, VLAN5 - br2, VLAN6 - br3). So I added VLAN1 as tagged and no-bridge the GUI way, then changed vlan1ports="1t 3 8" with nvram set vlan1ports="1 3 8" / commit, reboot, and all VLANs work.
  6. Steve Christensen

    Steve Christensen New Member Member

    Thank you Sean. I tried this and it looked like it created the bridge, but after a commit and reboot, the new bridge was gone. Not sure what I'm doing wrong, and my comfort level with the command line is about as low as it gets.

    That's pretty cool, I have to investigate this. Would this still allow me to attach a wireless interface to the VLAN and keep all the bridges isolated from each other, but each bridge still able to communicate to the new VLAN where the printer is? In other words, would security be comparable to a five-bridge solution?

    My firewall rules currently look something like this:

    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
    iptables -A FORWARD -i br1 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o br2 -j ACCEPT
    iptables -A FORWARD -i br2 -o eth0 -j ACCEPT
    iptables -A FORWARD -i eth0 -o br3 -j ACCEPT
    iptables -A FORWARD -i br3 -o eth0 -j ACCEPT
    So add lines like this, assuming new VLAN is VLAN5?

    iptables -A FORWARD -i vlan5 -o br0 -j ACCEPT
    iptables -A FORWARD -i br0 -o vlan5 -j ACCEPT
    iptables -A FORWARD -i vlan5 -o br1 -j ACCEPT
    iptables -A FORWARD -i br1 -o vlan5 -j ACCEPT
    Last edited: Dec 18, 2017
  7. Sean B.

    Sean B. LI Guru Member

    A commit only saves new or changed variables that have been set in NVRAM, not the overall state/configuration of everything on the router. The best way to have a custom configuration as such survive a reboot is to put the command line commands along with checks/balances in script format in the Administration->Scripts section. If you get a working configuration going so we know this does what you need, I can code a script for you so it will survive reboots.
  8. Steve Christensen

    Steve Christensen New Member Member

    Back again...

    Because of my lack of basic programming skills and rudimentary networking knowledge, I didn't get very far with getting a working configuration. I combed through OpenWRT examples, but wasn't comfortable enough to try on real hardware. The best I could come up with was a crude diagram of what I'm trying to achieve and a guess at the script.

    The current configuration has all 4 GUI bridges (br0, br1, br2 & br3) configured, each with access to the internet but firewalled so they cannot see each other.

    What I'm trying to do is create a 5th bridge (br4), with a virtual wireless AP (wl0.4) attached so that a wireless printer can be connected. The bridge and wireless AP are highlighted in blue on the diagram.
    • Clients on both br0 and br1 should be able to access the printer on br4
    • br0 and br1 will still have a firewall between themselves
    • I don't really need the printer on the new bridge to have internet access.

    From what I could gather on OpenWRT, is this what I need to add to the Administration->Scripts section to set up the bridge and access point? Refer to the diagram for a graphical representation.
    # network config for the fifth bridge (OpenWRT UCI syntax)
    config interface 'lan'
            option ifname 'br4'
            option type 'bridge'
            # gateway, netmask and dns were left without values in the original;
            # UCI does not accept a valueless option, and with proto 'dhcp' they
            # are supplied by the DHCP server anyway
            # option gateway
            # option netmask
            # option dns
            option proto 'dhcp'
    # wireless AP for the printer, attached to the network above
    config wifi-iface
            option device 'wl0.4'
            option network 'lan'
            option mode 'ap'
            option ssid 'C2'
            option hidden '1'
            option encryption 'psk2'
            option key 'C2PrinterPW'
    From this point, I'd use iptables to configure the firewall:
    iptables -P FORWARD DROP
    iptables -A FORWARD -i br0 -o br4 -j ACCEPT
    iptables -A FORWARD -i br4 -o br0 -j ACCEPT
    iptables -A FORWARD -i br1 -o br4 -j ACCEPT
    iptables -A FORWARD -i br4 -o br1 -j ACCEPT

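    A persistent version of Sean's brctl commands and Steve's ACCEPT pairs, written here as an added example (not code from the thread): an ash-compatible script for the Administration->Scripts Firewall slot that rebuilds br4 and its rules on every boot, since an NVRAM commit alone does not keep the bridge. It assumes br4 is addressed 192.168.4.1/24 and that the virtual wireless interface wl0.4 already exists and can be moved into br4; both are assumptions, only the interface name comes from Steve's post.

```shell
#!/bin/sh
# Added example, not from the thread: rebuilds the fifth bridge and its FORWARD
# rules on every boot, because an NVRAM commit does not persist brctl changes.
# Intended for Tomato's Administration->Scripts (Firewall) slot, so it is plain
# ash: no arrays, no bash-only syntax.
# Assumptions (not on the page): br4 uses 192.168.4.1/24 and the printer SSID's
# virtual interface wl0.4 already exists and can be moved into br4.

BR=br4
BR_IF=wl0.4
BR_ADDR=192.168.4.1
BR_MASK=255.255.255.0
CHAIN=printer_fwd        # own chain keeps the rules easy to flush and re-add

# Commands that build the bridge. Printed rather than executed so the output
# can be reviewed (or tested) on a machine without brctl.
bridge_cmds() {
    printf '%s\n' "brctl addbr $BR" \
        "brctl addif $BR $BR_IF" \
        "ifconfig $BR $BR_ADDR netmask $BR_MASK up"
}

# One ACCEPT pair per client bridge that may reach the printer. br0<->br1 gets
# no rule, so the existing FORWARD DROP policy keeps them apart, and br4 gets
# no rule toward the WAN, so the printer has no internet access.
forward_rules() {
    for client in br0 br1; do
        printf '%s\n' "iptables -A $CHAIN -i $client -o $BR -j ACCEPT" \
            "iptables -A $CHAIN -i $BR -o $client -j ACCEPT"
    done
}

# Idempotent apply: skip the bridge if it already exists, flush and refill the
# chain, and add the jump from FORWARD only once.
apply() {
    brctl show 2>/dev/null | grep -q "^$BR" || bridge_cmds | sh
    iptables -N "$CHAIN" 2>/dev/null
    iptables -F "$CHAIN"
    forward_rules | sh
    iptables -L FORWARD -n | grep -q "$CHAIN" || iptables -A FORWARD -j "$CHAIN"
}

# Only touch the system when brctl exists, i.e. when run on the router itself.
if command -v brctl >/dev/null 2>&1; then
    apply
fi
```

Running it on a desktop only prints nothing and changes nothing; `forward_rules` and `bridge_cmds` can be called by hand there to review the exact commands before pasting the script into the router.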
  9. Steve Christensen

    Steve Christensen New Member Member

    Can someone point me to resources and tutorials for creating custom scripts?
  10. Monk E. Boy

    Monk E. Boy Network Guru Member

    But there really are gobs of guides on learning scripting under Linux.

    You should run a normal Linux installation in a virtual environment on your desktop/laptop to get familiar with shell scripting rather than do it all under Tomato. The reason is that under Linux you will have a lot more resources to help you past roadblocks since Google searches for just about anything will yield gobs of results, while Tomato will yield fewer results.

    Under Tomato the shell isn't bash, it's ash, so there are some differences. They're similar, in that both bash and ash are based on the Bourne shell. As you get more familiar with scripting you'll learn the differences on your own just because some things that work under bash don't work under ash. Which is why I suggest learning scripting under Linux. I'd say 90% of what you learn will transfer over, and most of that remaining 10% likely won't transfer over to other Linux distributions either, which is why it's not worth sweating over.