Guest WLAN on multiple access points

Discussion in 'Tomato Firmware' started by zaklee, Mar 16, 2014.

  1. zaklee

    zaklee Reformed Router Member

    Firstly, please bear with me if I don't use all of the correct terms/acronyms. I'll do my best.

    Secondly, thanks for all the great info and help already offered here, and thanks in advance for helping me with my specific issue.

    Here's where I am right now:

    1. Primary device is a Linksys E3000 running 1.28.0000 MIPSR2-116 K26 USB BTgui-VPN. The default "br0" is and I have added "br1" as DHCP is enabled for both bridges. I've added a third vLAN with no port or bridge assignments. I also added a virtual wireless interface, wl0.1, and bridged it to LAN1 (br1). The other two wireless interfaces, eth1 and eth2, are bridged to LAN (br0).

    This all seems to work just fine. All of the ethernet ports and the two primary wireless interfaces all have full access on my network while the virtual interface, br1, has internet access only.

    2. Second device is a Linksys E2500 running 1.28.0000 MIPSR2-116 K26 USB Max. Here br0 is and br1 is DHCP is DISABLED for both bridges. I've again created the third vLAN with no assignment, added wl0.1 and bridged it to br1, leaving eth1 and eth2 bridged to br0.

    Again connections to the physical ports or primary wireless interfaces work just fine. But no address is assigned when connecting to the virtual wireless interface wl0.1 (guest wireless). I tried enabling DHCP for br1 and then manually configuring the wireless connection on my computer. DHCP gave me an address but routed traffic to (not surprised) and, even though the manual config matched the config assigned when connecting to br1 on the primary device, routing was still not successful.

    3. Once I've figured this out, I'm going to add a third device with the same configuration as device #2.

    Please help me get the guest access working on this second (and third) device.

  2. blah123

    blah123 Reformed Router Member

    You didn't mention it specifically but I assume that the e2500 is connected to the e3000 by an ethernet cable between the LAN ports of each. You need to assign that third vlan to br1 on both devices and enable it on the ports that connect the two devices and mark those ports to tag that vlan. What you have right now is that subnet is isolated on each router.
  3. zaklee

    zaklee Reformed Router Member

    The two devices are indeed connected by Ethernet. But they are in different buildings which are connected to one another by fiber. Each of the out buildings has a single fiber/copper converter. In other words, I only have one Ethernet cable connection between to work with. Also, there's currently a switch between the E2500 and E3000.

    Since I don't know anything about tagging, this may be a silly question. But given the fact that I only have one Ethernet link between, won't tagging the third vlan to br1 make it so that br0 on the E2500 won't be able to connect to the main subnet? Or will br0 and br1 both be able to send traffic over that single cable/port?

    I can remove the switch but I can't add a second wired connection without significant cost.
  4. zaklee

    zaklee Reformed Router Member

    I can remove the switch but I can't add a second wired connection without significant cost.
  5. blah123

    blah123 Reformed Router Member

    You are going to turn that wired connection into what is referred to as a trunk by using tagging. 802.1q tagging adds an additional ethernet header which indicates which VLAN a packet is for. This allows multiple VLANs to be carried on a single ethernet connection. I've not used tagging on Tomato but it looks like it should handle this. VLAN 1 which is tied to br0 will be set as the default VLAN which means it won't be tagged so you shouldn't have any trouble getting that to the E2500.
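
The trunk behaviour described in the post above, shown as an added example that is not part of the original thread or of Tomato's code: a tagged frame carries a 4-byte 802.1Q tag after the MAC addresses, and an untagged frame is placed in the default VLAN. The guest VLAN ID of 3 is an assumption (the thread only calls it "the third vlan"), and the sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
NATIVE_VLAN = 1       # untagged frames on the trunk belong to VLAN 1 (br0), per the post
# Assumption: the guest VLAN is numbered 3; the thread does not give its ID.
VLAN_TO_BRIDGE = {1: "br0", 3: "br1"}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid   # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify(frame: bytes):
    """Return (vlan_id, bridge, inner_ethertype) as a trunk port would see it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        vid, inner = NATIVE_VLAN, ethertype   # untagged: default VLAN
    else:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack_from("!HH", frame, 14)
        vid = tci & 0x0FFF
        if vid == 0:          # priority-tagged frame: treated as the native VLAN
            vid = NATIVE_VLAN
    # A VLAN with no bridge mapping returns None: the frame is dropped, not bridged.
    return vid, VLAN_TO_BRIDGE.get(vid), inner


# Constructed sample frame: broadcast destination, made-up source MAC,
# IPv4 EtherType, zero-filled payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46

if __name__ == "__main__":
    for label, f in [("private (untagged)", UNTAGGED),
                     ("guest (tagged 3)", add_tag(UNTAGGED, 3)),
                     ("unknown VLAN 7", add_tag(UNTAGGED, 7))]:
        print(label, classify(f))
```

Guest isolation across the trunk depends on both ends agreeing on this mapping: a port that does not tag the guest VLAN delivers those frames into the default VLAN, which is the private bridge.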
  6. zaklee

    zaklee Reformed Router Member

    Thanks! I'll give it a go and get back to you ASAP!
  7. zaklee

    zaklee Reformed Router Member

    Well, it would appear that vlan tagging is not an option on the E2500 using this Tomato build. The option to tag the port is grayed out. I'm able to do it on the E3000 though.

    There's actually a note here which reads;
    • Tagged - Enable 802.1Q tagging of ethernet frames on a particular port/VLAN (unknown support for this the developper (Victek))
  8. eibgrad

    eibgrad Network Guru Member

    There's probably another way to solve this; configure a bridged (tap) OpenVPN connection from br1 on the e2500 to br1 on the e3000. Doesn’t have to be fancy, static key is fine. You’re not doing it for security, but merely because it establishes a bridge. If this was dd-wrt, you could even use EoIP, which is uber simple to configure and has less overhead. Basically anything that gets the two sides bridged will solve the problem. VLAN trunking/tagging works as well, but has its own limitations/issues.
    Dr Strangelove likes this.
  9. blah123

    blah123 Reformed Router Member

    Sorry, that sounds like a problem. You might be able to use OpenVPN to tunnel the VLAN across that ethernet link but it doesn't look like the web GUI is going to provide enough control to pull that off. You'd have to use the CLI to configure it.
  10. eibgrad

    eibgrad Network Guru Member

    Not sure specifically what limitation(s) the GUI presents, but GUI or CLI, whatever it takes, it should work.

    EDIT: I suppose the fact it's br1 does mean you need to use the CLI. Perhaps another option is have the two networks switch places, at least on the second router. Make br0 the guest network, and br1 the private network. And now you can use the GUI. That would also encrypt the private network, if that's worth considering.
    Last edited: Mar 17, 2014
  11. VirtualNobody

    VirtualNobody Reformed Router Member

    VLAN tagging on the E2500 works just fine with the Shibby build. Try that.
  12. imcamper

    imcamper Networkin' Nut Member

    I came across this thread when searching after experiencing the same lack of support for 802.1q tagging on an e2500 as the original poster. However this is more than a year old so I'm hoping there's an updated version of Toastman's Tomato that supports this tagging. Is there? I'm currently using 1.28.507.2 which seems to be the latest and the options are still greyed out. I did try checking the experimental vlan override support which does enable the boxes. However after doing that and configuring a trunk, I could no longer access my router and had to do a factory reset.

    If I do try Shibby's version, can I still export and copy select "nvram set" commands for things like routes, QoS, etc.?

    I appreciate any input.


  13. imcamper

    imcamper Networkin' Nut Member

    For the next person that stumbles upon this thread, I'll answer some of my own questions from above.

    First for clarification, my Linksys e2500 is a version 1 model. This may explain why my results are different than those of @VirtualNobody.

    I loaded Shibby's tomato-E2500-NVRAM60K-1.28.RT-N5x-MIPSR2-128-Max.bin. It loads fine and I was able to restore my saved config from my Toastman installation.

    However the vlan support is the same. The options are greyed out until I enable experimental vlan override support and reboot. But then after reboot and setting tagging, the router never comes back up after the next reboot.

    Thus it does not appear that either version supports trunking on an e2500 v1 router. :(