how to setup guest network separate from internal LAN/server

Discussion in 'Tomato Firmware' started by JustinChase, Nov 28, 2013.

  1. JustinChase

    JustinChase Networkin' Nut Member

    I'm still pretty new to Tomato, and am trying to read and learn, but I'm stuck with something that feels pretty basic.

    I have an e3000 flashed with Tomato Firmware v1.28.7503 MIPSR2Toastman-RT K26 USB VLAN-VPN-NOCAT

    I'm connected to a DSL modem from TelMex in Mexico. It also serves as a router, including wireless.

    I want to setup the modem to accept connections from guests, and keep them separate from my internal LAN/computers.

    I want to have all my internal computers connect to the e3000 directly, and allow all of them to see one another, and communicate at Gb speeds (modem is only 100Mb) internally, and all have internet access, but remain separate from the traffic/machines connected to the modem.

    I also need my unRAID server to have a static IP (

    I have turned on DHCP for the e3000 (I think) and all internal machines have access to the internet, if hard-wired, but have no internet access if connected via WiFi to the e3000. Connecting to the modem wirelessly allows internet access.

    So, I think I have a couple of different issues at the same time here, and I'm not sure how to proceed. I can't find a basic "how to do..." for Tomato firmware, so I'm kinda just poking around right now, trying things, but it feels like I'm as likely to break stuff from here, than I am to fix stuff.

    In the end, I want to allow Tomato to control QoS so that my server doesn't use all the bandwidth when we want to use the internet, or watch a movie, but will maximize its bandwidth when no one else is using the internet.

    Bridge    STP    IP Address    Netmask    DHCP    IP Range (first/last)    Lease Time (mins)
    br0    Disabled    Enabled - 164    1440
  2. philess

    philess Networkin' Nut Member

    You have a router with a built-in modem from your provider?

    Internet---> Modem/Router ---------> Tomato
                       |                    |
                 Guests/WiFi          Private LAN/WiFi
    Should be quite easy to configure.

    Set your "Modem" to use a certain IP range for the LAN/WiFi, for example and DHCP for LAN and WiFi clients.

    Connect your Tomato router with the WAN port to a LAN port of the modem,
    set Tomato to a static IP (Menu: Basic/Network/Type) and use for example for Tomato itself, as Gateway enter the IP that the Modem has
    (probably .1). Then setup the Tomato LAN/WiFi settings, change your settings
    for the "br0" that you quoted to a different network than what your modem is
    using! For example use (note the 3rd block is different from your
    modem setting!). Or you can use 192.168.x.x for the modem, and use
    10.x.x.x for the Tomato clients to make it even easier to distinguish.
    Anyway, set the "br0" settings for example to: and DHCP
    range as You can leave the WiFi settings at default
    (If you have changed a lot there, you need to post the current settings
    or reset the config and start from scratch).
    Obviously use a different SSID (name) for the two WiFi networks.
    Set your unRAID server to use a static IP in the range you have
    chosen for Tomato... example
  3. JustinChase

    JustinChase Networkin' Nut Member

    Sorry for the delayed response. TelMex messed up our internet about an hour after writing my original question. I've waited almost a full week for them to get it working again, which they finally just did.

    I had several pages of "how to's" in my Firefox tabs, and have managed to get much of this setup the way I think it's supposed to work, but I don't have internet access thru my router, only if I connect directly to the modem/router.

    If I connect wifi to the e3000 router, I have full internal LAN access (I can read/write from/to the file server), but I can't get to the internet with this wireless connection. I've not tried a wired connection to the e3000 yet.

    I actually set up 3 new VLAN's (just because I could, and wanted to test/learn) and my intention/hope is to use the e3000 to manage all traffic, so I'll try to make use of them from the beginning. Using the modem/router for Guest traffic is fine, and maybe the better idea, but it seems to be a flaky modem, and I keep having to reset it to get it working again, which resets all customization I do to it. So, I'd rather not put it into the mix, and to just turn off the wireless SSID broadcast, and disable it after each reset, than set it up each time.

    I'd rather just get the e3000 setup to manage everything, so it's completely portable.

    I'm not sure if I should turn off DHCP on the modem, but I suspect I should. I'm waiting to try it until I get internet thru the e3000, so I'm not chasing too many issues at one time. Here is the config page for the modem...


    Here is the config page for Tomato > Basic > Network


    Here is the config page for Advanced > DHCP


    Advanced > Firewall


    Advanced > Routing


    Advanced > VLAN


    Advanced > LAN Access


    Advanced > Virtual Wireless


    Where do I need to make changes to get internet access when connected to casita while also maintaining access to the internal LAN/file server?

    Thanks again for any help!
  4. JoeDirte

    JoeDirte Networkin' Nut Member

    You should probably start over on the tomato router. Stick with one VLAN until you get that working. Also, just use private IP addresses on the internal network. You're currently using public IP's on some of your VLANs (20.x.x.x, 30.x.x.x, 40.x.x.x)

    When you do set up your VLANs, you can just use,,, etc. Those are separate networks since the netmask is /24 (or

    What Philess described should work.
  5. philess

    philess Networkin' Nut Member

    At a quick glance...

    you are using as interface on the modem and also as br3 on the tomato.
    That cannot work. Read again what I posted. Your ip-networks MUST be different on the two
    routers! Also, why do you have 4 bridges on the tomato? You did not mention any need for those
    in your original post. And do not use DHCP for the Tomato WAN interface, set it to a static IP
    inside the modem's IP range. Just as I described above.

    I highly suggest you reset the Tomato config and set it up very simple from scratch, only basic
    LAN config and then add WiFi. If that works, add more stuff later. And do not follow "several"
    different tutorials at the same time.

    And I totally agree with what JoeDirte said. DO NOT USE PUBLIC IP RANGES!

    For private networks you can use:
  6. JustinChase

    JustinChase Networkin' Nut Member

    I have done a thorough reset of the e3000, then started over. The modem and gateway are both located at so I set Basic > Network to


    I have also set the LAN to a better private network, as you both suggested, as shown above. I set the unRAID server to, and that seems to work fine. I gave a name and security to the wireless 2.4GHz network, and connected to that network. I was able to see/control the Tomato interface and unRAID, but could not access the modem interface, probably because I had an IP of I could not get the router to assign me to that network, so I set it statically in windows. I was also able to access the internet. When I changed the IP from static to auto-assign, I got assigned an address of, but could not access the internet.

    I tried connecting directly to the modem's wireless network, but could not get it to force me into a new IP, so I had to assign one statically in windows again. I could then access the internet and the modem interface, but not the internal network or Tomato interface (unsurprisingly).

    So, it seems like I'm close, but not quite there yet. I want to get this working, so I can backup up the settings, then I can try to add a VLAN to bring the guest access under control of Tomato, so I don't have to rely on the modem for anything, and hopefully better control everything from one place.

    Where am I going wrong here?
  7. philess

    philess Networkin' Nut Member

    Try your auto-assign from Tomato (DHCP), when you say you get a Try to ping an outside IP address (example and which are Google's DNS servers). If that ping works but you cannot open any websites you have a problem with the DNS that is given by DHCP to your computer. Do a "ipconfig /all" on windows commandline prompt then, look what DNS servers you are given by DHCP.

    Also when you speak of that windows client, are you connected over LAN or WiFi to the Tomato?
  8. JustinChase

    JustinChase Networkin' Nut Member

    I reset both the modem and the tomato router last night, just so that I could get internal and external access, which I have again.

    Do the settings I show above even look right?

    It seems to me (I know little about subnets and networking in general) that I cannot access while in a subnet of 10.10.10.x Should that actually work?
  9. JustinChase

    JustinChase Networkin' Nut Member

    Tomato is currently at its default settings, and can be found at, other than I added a password to the 2.4GHz wireless band.

    Modem is currently at its default settings, and can be found at, and is the only current DHCP server in the network, assigning from

    I'm really confused as to what I need to change, where. It seems to me like I did exactly as suggested above, without success. So, did I do it wrong, or do the instructions need to be changed?
  10. JustinChase

    JustinChase Networkin' Nut Member

    Okay, I'm going to walk thru this and document as I go. Hopefully I will end up successful, and the documentation helps someone else some day.

    As I said, I reset both modem and e3000 last night, setup a password for "wireless" on e3000 2.4GHz band. I am currently able to log into Tomato, and to the modem and have internet access.

    I have changed Basic > Network to a static IP, like so...


    I still have internet, and access to both firmware, but get nothing when I put into the browser, nor does anything show in either firmware setup as having anything connected to, but I can ping it from my wireless IP on my laptop, in windows 7x64, like so...


    It does show an IPv6 address, but I'm not sure if that's a problem. It looks like tomato can use IPv6 also, but I have not turned it on, I don't think.

    Next, I changed the DHCP on Tomato to, with DHCP from 2-54...


    Now, I don't have access to Tomato firmware, because I'm still connected with IP, which is not in the subnet above. I will have to assign a static IP to my wireless in windows to force myself into the range on the Tomato. Historically, after assigning a static IP, things get and stay wonky, so I'm reluctant to do it, but I don't know any other way to re-access Tomato. I will post this now, before I lose internet access, then continue later with an update on my progress.

  11. JustinChase

    JustinChase Networkin' Nut Member

    Okay, that wasn't much fun. As a test, I went thru the modem automated setup, which is the only way to change the password (and it doesn't work), and it also didn't offer me any settings for the LAN (was thinking it would let me turn off DHCP). Once it finished, and rebooted the router, it looks like it did shut off the DHCP server...


    I disabled and re-enabled the wireless in windows and Tomato gave me an IP in its subnet, so I could connect to Tomato, but not to anything else, including the internet. I noticed that it's using the Gateway of, even though the tomato firmware is set to use Not sure if this is a bug, or how to change that.


    I was unable to ping


    I was unable to ping


    I looked at the Tomato current routing table, and noticed that the modem is shown as being in, and I'm not sure where that's coming from, or if it is a source of my problems.


    I ended up having to assign a static IP to the laptop in windows to get it to connect to the modem again. Then I was able to reset the modem. It does, in fact, default to using DHCP...


    So, I'm back to having internet, and access to the modem, but only with a Static IP assigned in windows, and no access to my internal network or Tomato.

    I actually prefer to put the guest network on Tomato, and not use the modem at all, so that the solution is completely portable. However, until I can get internet access with an IP in the Tomato range, I'm stuck. :(

  12. JustinChase

    JustinChase Networkin' Nut Member

    Any ideas? I'd sure like to have my internal LAN separate from the guest network.
  13. darkknight93

    darkknight93 Networkin' Nut Member

    Can you just edit this picture and enter current IP ranges/DHCP servers?

    Edit: This is the configuration I would use:


    Issues: Devices from the Guest LAN cannot access the because no route is present/your DSL modem does not know that this network exists NAT-ed behind your Linksys.

    For port forwarding to your internal LAN, e.g. for a webserver on, you will need to port-forward on the DSL modem to the Linksys E3000's WAN IP (e.g. and afterwards create a second port-forwarding rule on the Linksys router pointing to
    Last edited: Dec 4, 2013
  14. JustinChase

    JustinChase Networkin' Nut Member

    Okay, your suggested IP ranges are different still, so I've reset both the modem and the e3000 once again.

    I'm not entirely certain how/where you want me to enter or retrieve the numbers you request above, inside the Tomato firmware, so I'm going to post screenshots of EVERYTHING I'm changing, so if you don't see a screenshot, it's at the default setting.

    First is the wireless, I added a password to the 2.4GHz network, and changed the name


    Then I made these changes to Basic > Network


    per this part of your diagram...


    I will lose internet as soon as I save these changes, so I'm going to wait until someone confirms this is what needs changed in Tomato, and that it is all that needs changed.

    The problem for me is that as soon as I make any change like this, I cannot access the modem AND the router AND the internet any longer. I have to manually force a static IP to get myself into the right IP range to have access to the thing I need to change, or read from.

    I've looked around quite a bit, and cannot just find any 'step-by-step' to setting this all up, considering the fact that you lose access as you go, it seems the order in which the steps are performed is at least as important as the steps themselves.

    Perhaps someone can show me some screenshots of their settings, as I suspect I'm overlooking something simple in all this.
  15. JoeDirte

    JoeDirte Networkin' Nut Member

    That looks good, but you may want to add some DNS servers - at least one - or your 10.0.0.x clients won't resolve names. You can use (Google's public DNS) or if the DSL router is set up correctly, you can use its IP of Entering both addresses would be fine. Another option is to use the DNS servers your ISP provides.

    Anyway, give it a try.
  16. JustinChase

    JustinChase Networkin' Nut Member

    Okay, feels like progress. Since philess made this comment below, I figured it'd be better to use a different IP range for my internal LAN.

    So I went with this...


    This allows me to connect to the internet and both routers, but does not allow me to connect to unRAID, which is set for the static IP of That box is actually connected to the e3000 with 2 ethernet cables, but is currently unreachable when connected to either wireless connection. From either IP with Gateway of (connected via wifi to e3000), nor from with as the gateway (connected via wifi to modem). I'll move the cables to the modem, get into the config, and change the IP to something inside the e3000 LAN.

    Do I need to setup any firewall or VLAN at this time to prevent the modem connections from seeing the internal (e3000) LAN?
  17. darkknight93

    darkknight93 Networkin' Nut Member

    What philess wanted to say:
    a) your first idea using 10.x.x.x network is ok, 20.x.x.x or 30.x.x.x or furthermore 40.x.x.x is for private networking not allowed because this ip range is declared as public address. In Class A scope you can use - for private networking. is reserved for public addresses

    b) Using on BOTH DSL modem scope/lan+wlan AND simultaneously using on E3200 is NOT an option due to IP and routing conflicts. Imagine sending a packet with destination e.g. from a computer connected to E3000. Your router will process this packet and "keeps" it in your LAN. Furthermore, packets with unrecognized destination e.g. Internet traffic will bypass your gateway address so called for E3000. Whoups. DSL modem listens also on as gateway.
    This Scenario is just a big source for headaches.

    So this is your current configuration right?

  18. darkknight93

    darkknight93 Networkin' Nut Member

    So Internet Access is working on both guest and internal lan?

    unRAID is now connected to E3000 - which is responsible for IP Range - so with Gateway address is what you Need.
    Please be careful - only use 1 Ethernet cable for testing. It might be that unRAID supports software link aggregation, because you can not have 2 devices having the same IP with different MAC addresses due to different NICs.
    Just test with single link on E3000.

    So from E3000 LAN is the unRAID reachable via ping with ? via E3000 WLAN too?

    for accessing the unRAID from - so your DSL modem scope - you will Need to port-Forward the corresponding port e.g. http (TCP Port 80) on E3000. Did you set up portforwarding before?

    But mind: as soon as you connect the unRAID with your DSL modem you Need to Change the IP and Default Gateway to match the new Network.
    So IP and Gateway is needed

    In your Setup, using a) the WAN port with active NAT on E3000 and b) having a different IP scope on your E3000's lan there is no possibility for users on the guest lan to capture traffic or reach any devices on E3000's lan (due it's Firewall blocks Access from WAN)

    But please mind: Internet traffic caused by devices on E3000's LAN will be visible to users on DSL Scope due this is your so called next hop router seen from E3000. So Internet traffic will travel through your guest LAN and back.
    But capturing this traffic is not possible for non-heavy and professional Network admins/users.
  19. JustinChase

    JustinChase Networkin' Nut Member

    Yes, that's my setup, and it's working fine, other than an occasional hiccup*. I have modified it since getting it working, to test some other things I had previously tried, and they are also working, so I'm not sure where I went wrong originally, but I think I'm good at this point, as to the original request.

    As I mentioned, I'd like to bring the Guest network under control of the e3000 also, and in my reading, I discovered how to have multiple Wifi networks going to other bridges. I created all 4 bridges again, with br0 determined to be the Guest network.


    I have pointed both the 'regular' wireless connections to br0, which I will use for the guest network. I have Port 1 assigned to this network also, to allow a guest to plug in a machine directly, if ever necessary.

    I have pointed the virtual 2.4GHz wireless to br1, which I will use as the internal/protected LAN. I have included ports 2 & 3 to this bridge, so that the unRAID can connect here.

    I pointed the virtual 5GHz wireless to br2, mainly just to test that it works. Currently, I don't have a phone/device that operates at 5GHz, so this is untested. There is no important reason for doing this, other than to test some combinations of stuff, and to help understand how the software works and ties together. I know it adds to confusion when trouble shooting, but after all I've done and read, I feel like I understand it much more, and have backups from before all these additions.

    Finally, I setup br3 with port 4 and no wireless, for when I need/want to connect an unknown machine to the internet, but nothing else. I have not tested this yet either.


    *Occasionally, when trying to go to a site on the internet, I get prompted by the modem settings login page. Usually switching from one wireless to the other, then back resolves this issue. It's only happened a couple of times, so I'm not terribly concerned about it at this point.

    Next step is to get the QoS rules up and running to try to control the limited bandwidth I have from being unavailable to surf or download on demand.

    Thanks everyone for all their help, and if anyone sees any flaws, or has other suggestions for improvement, I'm all ears!!
  20. darkknight93

    darkknight93 Networkin' Nut Member

    for blocking br1 devices accessing br0 Clients you can use Firewall script (Administration -> Scripts -> Firewall scripts):

    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
    This blocks devices from -i interface br1 -o OUT to br0 with state NEW. Means: connections initiated by devices from br0 -> br1 device will be accepted as soon as the br1 device responds.
    But new requests to br0 devices without any "hello" by any br0 device will be dropped.

    EDIT: and just if you have 2 routers e.g. available, here is my setup for fully separated networks, since as I mentioned before Internet traffic can be captured by some clients because packets pass through more hops/routers.
    In your case the ISP is your DSL modem ;)
  21. JustinChase

    JustinChase Networkin' Nut Member

    I think I understand what you're suggesting, but I'm not sure I understand the reasoning for wanting to do it.

    It appears that you're just blocking the guest network from being seen by either of the 2 internal networks. If I'm not mistaken none of the bridges/LAN's on the e3000 can see one another, unless I specifically allow it. So, I'm a bit unsure why you're manually restricting access. Can you please explain?

    EDIT: I read that thread, and I'm not sure how that works. Wouldn't both routers still have to go thru the modem/router?

    also, I only have one router available to me.
    Last edited: Dec 5, 2013
  22. JustinChase

    JustinChase Networkin' Nut Member

    I setup LAN access rules, like so


    which I think allows anyone in br1 or br2 see each other and the guest network, but the guest network is not being allowed to see either of them. I'm not sure yet how to test this. It's not terribly important yet, but I'm considering opening an internet cafe in Mexico, so I'm trying to learn all I can in preparation.
  23. darkknight93

    darkknight93 Networkin' Nut Member

    Try to ping an internal device from guest WLAN - if this is not successful everything is fine!
    I never used the "LAN Access" webpage to do so. Instead I used firewall rules with iptables, as I was familiar with that.
  24. JustinChase

    JustinChase Networkin' Nut Member

    From my machine at, I can ping the unRAID box at, but I cannot ping another laptop at

    seems like I should be able to ping that machine, since we're on the same LAN
  25. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Likely the laptop's firewall rules are preventing it. Disable it/add subnet to trusted then test again.
  26. Magdiel1975

    Magdiel1975 Addicted to LI Member

    Hi guys..
    I was able to setup the guest network and it's been working great! - Now, can I block certain users from being able to connect to the guest account.. even if they know the password?

    I set this up for my brother, so he wanted the main network hidden and wants the guest one for just that..guests... but he does not want his kids accessing the guest network, even if they find out the password... I know I can restrict access to users, but I need to know if I can restrict access to the guest account altogether...thanks.
  27. Bird333

    Bird333 Network Guru Member

    I guess you could setup iptables rules based on the mac addresses of the kids' devices that would drop them from the guest network.
  28. Magdiel1975

    Magdiel1975 Addicted to LI Member

    exactly.. now, what is that script? lol
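    An added example (not from any poster in this thread) that ties together darkknight93's iptables firewall-script idea from post 20 and Bird333's MAC-based suggestion from post 27: the script prints the rules for pasting into Administration -> Scripts -> Firewall, or applies them when run with `apply`. It assumes the bridge layout described above (br0 guest, br1/br2 private); the two MAC addresses are constructed placeholders.

    ```shell
    #!/bin/sh
    # Added example for a Tomato firewall script (not from the thread's posters):
    #  (a) drop NEW connections from the guest bridge into the private bridges, so
    #      guests cannot reach the internal LAN while private-side devices can still
    #      talk to guests (replies match ESTABLISHED and pass Tomato's own rules);
    #  (b) keep specific devices, identified by MAC, off the guest bridge entirely.
    # Bridge names follow the thread; the MACs below are constructed placeholders.

    GUEST_BR="${GUEST_BR:-br0}"
    PRIVATE_BRS="${PRIVATE_BRS:-br1 br2}"
    BLOCKED_MACS="${BLOCKED_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"  # constructed

    # Accept only the canonical aa:bb:cc:dd:ee:ff form, so a typo can never
    # silently turn into a rule that matches nothing.
    h='[0-9a-fA-F]'
    mac_pat="$h$h:$h$h:$h$h:$h$h:$h$h:$h$h"
    valid_mac() {
      case "$1" in
        $mac_pat) return 0 ;;
        *) return 1 ;;
      esac
    }

    # $1 is the command used for each rule: "iptables" applies it on the router,
    # "echo iptables" (the default) just prints it so you can review or paste it.
    guest_isolation_rules() {
      ipt="${1:-echo iptables}"
      for br in $PRIVATE_BRS; do
        # New connections from the guest bridge into a private bridge are dropped.
        $ipt -I FORWARD -i "$GUEST_BR" -o "$br" -m state --state NEW -j DROP
      done
      for mac in $BLOCKED_MACS; do
        if ! valid_mac "$mac"; then
          echo "skipping malformed MAC: $mac" >&2
          continue
        fi
        # Nothing from this device is forwarded through the guest bridge (no
        # internet) and nothing from it reaches the router itself on that bridge
        # (no DHCP lease, no admin page).
        $ipt -I FORWARD -i "$GUEST_BR" -m mac --mac-source "$mac" -j DROP
        $ipt -I INPUT   -i "$GUEST_BR" -m mac --mac-source "$mac" -j DROP
      done
      # Caveat: a MAC filter only holds for devices that keep their factory MAC;
      # treat it as a convenience control, not a security boundary. The bridge
      # isolation in (a) is the part that actually protects the private LAN.
    }

    if [ "${1:-}" = "apply" ]; then
      guest_isolation_rules iptables
    else
      guest_isolation_rules "echo iptables"
    fi
    ```

    Running it without arguments prints six rules (one per private bridge plus two per blocked MAC) that can be pasted into the firewall-script box; `sh script.sh apply` inserts them live via iptables.
    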