How to Setup two Subnets with Tomato: A Guide

Discussion in 'Tomato Firmware' started by onehomelist, May 15, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    I did this on Asus RT-N16 running teddy_bear beta11.

    Access the router via ssh

    Run the following command:

    nvram show | grep vlan.ports
    See if you get this output:
    vlan1ports=4 3 2 1 8*
    vlan2ports=0 8
    Enter the following commands one by one:

    nvram set vlan1ports="3 2 1 8*"
    nvram set vlan3hwname=et0
    nvram set vlan3ports="4 8*"
    nvram set manual_boot_nv=1
    nvram commit
    Launch a browser and go to the Tomato GUI. Select Administration -> Scripts -> Init
    and paste this code at Init:
    sleep 10; ifconfig vlan3 netmask up;
    Click save

    Next go to Administration -> Scripts -> Firewall
    Paste this
    iptables -I INPUT -i vlan3 -j ACCEPT;
    iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT;
    iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT;
    iptables -I FORWARD -i br0 -o vlan3 -j DROP;
    Click save

    Next go to Advanced -> DHCP / DNS
    Add this at Dnsmasq custom configuration
    Click save

    Reboot the router and connect the PC which you want on the second subnet to Ethernet port 1; it's on the left end of the router if the front of the router is facing you.

    Add the following network settings on the PC:


    If it doesn't work, you can connect your PC to port 4 (right side) and try.

    One curious thing is that QoS doesn't work on the second subnet. I believe this can be solved by adding some script to the firewall. Let's wait for someone to come up with a fix.

    You can refer to this page for more information.
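The procedure above as one script, added here as an illustration and not code from onehomelist's post. It turns the port move, the init line, the firewall rules and the dnsmasq fragment into functions that print the commands, so they can be checked on any machine before being pasted into the GUI boxes; apply_guest_vlan runs the nvram part over ssh on the router. The post's addresses and dnsmasq lines did not survive on this page, so the guest subnet 192.168.2.0/24, the router address 192.168.2.1 on vlan3, the DHCP range and switch port 4 as the port to move are my assumptions; vlan3hwname=et0 and the vlan2/ppp0 WAN names are taken from the post and apply to the RT-N16 layout shown there. Two things differ from the posted firewall script on purpose: the router only accepts DHCP and DNS from the guest VLAN (the posted INPUT rule lets the guest side reach the web GUI and ssh), and guest-to-LAN forwarding is dropped explicitly.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values (the post's
# addresses and dnsmasq lines are missing from the page): guest subnet
# 192.168.2.0/24, router 192.168.2.1 on vlan3, switch port 4 moved out of
# vlan1, WAN on vlan2 / ppp0, LAN bridge br0.
set -f                        # no globbing: port lists contain "8*"

GUEST_IF=vlan3
GUEST_IP=192.168.2.1                       # assumption
GUEST_MASK=255.255.255.0                   # assumption
GUEST_RANGE=192.168.2.100,192.168.2.200    # assumption
MOVE_PORT=4   # switch port; which socket this is depends on the board
              # (the post says try Ethernet port 1, then port 4)

# has_port "4 3 2 1 8*" 4 -> exit 0 if port 4 is in the list
has_port() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# remove_port "4 3 2 1 8*" 4 -> "3 2 1 8*"
remove_port() {
    out=""
    for p in $1; do
        [ "$p" = "$2" ] || out="$out${out:+ }$p"
    done
    printf '%s\n' "$out"
}

# nvram_cmds <current vlan1ports>: the nvram commands from the post, derived
# from the current layout instead of typed by hand. Refuses when the port is
# not in vlan1ports (different board, or the move was already done).
nvram_cmds() {
    has_port "$1" "$MOVE_PORT" || {
        echo "port $MOVE_PORT is not in vlan1ports ($1)" >&2
        return 1
    }
    printf 'nvram set vlan1ports="%s"\n' "$(remove_port "$1" "$MOVE_PORT")"
    printf 'nvram set vlan3hwname=et0\n'
    printf 'nvram set vlan3ports="%s 8*"\n' "$MOVE_PORT"
    printf 'nvram set manual_boot_nv=1\n'
    printf 'nvram commit\n'
}

# Administration -> Scripts -> Init
init_cmds() {
    printf 'sleep 10; ifconfig %s %s netmask %s up\n' \
        "$GUEST_IF" "$GUEST_IP" "$GUEST_MASK"
}

# Administration -> Scripts -> Firewall. Forwarding as in the post (guest may
# reach the WAN, LAN may not reach the guest) with two changes: the router
# accepts only DHCP and DNS from the guest VLAN, and guest -> LAN is dropped
# explicitly. -I inserts at the top, so the rule listed last is matched first.
firewall_rules() {
    cat <<EOF
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i $GUEST_IF -o vlan2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $GUEST_IF -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o $GUEST_IF -j DROP
iptables -I FORWARD -i $GUEST_IF -o br0 -j DROP
EOF
}

# Advanced -> DHCP / DNS, custom configuration. dnsmasq picks the range by the
# address of the interface it answers on; the interface name is also a tag,
# and 3 / 6 are the DHCP option numbers for default gateway and DNS server.
dnsmasq_conf() {
    cat <<EOF
interface=$GUEST_IF
dhcp-range=$GUEST_RANGE,$GUEST_MASK,24h
dhcp-option=$GUEST_IF,3,$GUEST_IP
dhcp-option=$GUEST_IF,6,$GUEST_IP
EOF
}

# apply_guest_vlan: run over ssh on the router; elsewhere it only prints.
apply_guest_vlan() {
    if command -v nvram >/dev/null 2>&1; then
        nvram_cmds "$(nvram get vlan1ports)" | sh
    else
        echo "nvram not found, printing commands for the layout in the post" >&2
        nvram_cmds "4 3 2 1 8*"
    fi
}
```

Run apply_guest_vlan on the router, then paste the output of init_cmds, firewall_rules and dnsmasq_conf into the Init, Firewall and Dnsmasq custom configuration boxes. The dhcp-option lines are redundant with dnsmasq's defaults (it already hands out its own interface address as gateway and DNS) but match the form used in the original guide.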
  2. michse

    michse Addicted to LI Member

    Hi, hm, fine. But it has worked for a few years at my site. You forgot a command: nvram set manual_boot_nv=1
  3. onehomelist

    onehomelist Addicted to LI Member

    Thanks. Yes, you are right. Many guides include the command, but for me it worked without it. Can you please explain what changes it makes?
  4. michse

    michse Addicted to LI Member

    Tomato on the WRT54GL forgets the nvram commands after a restart. This command changes that, nothing more.

    QoS works on the second subnet, but it seems to be a little confused. But I mean it works in my tests. Nobody could help repair this.

  5. onehomelist

    onehomelist Addicted to LI Member

    Yes, I added the line to the code. I wanted to clarify one more doubt.

    In this code, why are the numbers 3 and 6 used immediately after the vlan3 parameter? What are they actually? I found it in the original guide, so I added it here too.
  6. michse

    michse Addicted to LI Member

    -O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>],[<value>[,<value>]]
    Specify different or extra options to DHCP clients. By default, dnsmasq sends some standard options to DHCP clients, the netmask and broadcast address are set to the same as the host running dnsmasq, and the DNS server and default route are set to the address of the machine running dnsmasq. If the domain name option has been set, that is sent. This configuration allows these defaults to be overridden, or other options specified. The option to be sent may be given as a decimal number or as "option:<option-name>". The option numbers are specified in RFC2132 and subsequent RFCs. The set of option-names known by dnsmasq can be discovered by running "dnsmasq --help dhcp". For example, to set the default route option to, do --dhcp-option=3, or --dhcp-option = option:router, and to set the time-server address to, do --dhcp-option = 42, or --dhcp-option = option:ntp-server, The special address is taken to mean "the address of the machine running dnsmasq". Data types allowed are comma separated dotted-quad IP addresses, a decimal number, colon-separated hex digits and a text string. If the optional tags are given then this option is only sent when all the tags are matched.

    Special processing is done on a text argument for option 119, to conform with RFC 3397. Text or dotted-quad IP addresses as arguments to option 120 are handled as per RFC 3361. Dotted-quad IP addresses which are followed by a slash and then a netmask size are encoded as described in RFC 3442.

    Be careful: no checking is done that the correct type of data for the option number is sent, it is quite possible to persuade dnsmasq to generate illegal DHCP packets with injudicious use of this flag. When the value is a decimal number, dnsmasq must determine how large the data item is. It does this by examining the option number and/or the value, but can be overridden by appending a single letter flag as follows: b = one byte, s = two bytes, i = four bytes. This is mainly useful with encapsulated vendor class options (see below) where dnsmasq cannot determine data size from the option number. Option data which consists solely of periods and digits will be interpreted by dnsmasq as an IP address, and inserted into an option as such. To force a literal string, use quotes. For instance when using option 66 to send a literal IP address as TFTP server name, it is necessary to do --dhcp-option=66,""

    Encapsulated Vendor-class options may also be specified using --dhcp-option: for instance --dhcp-option=vendor:pXEClient,1, sends the encapsulated vendor class-specific option "mftp-address=" to any client whose vendor-class matches "PXEClient". The vendor-class matching is substring based (see --dhcp-vendorclass for details). If a vendor-class option (number 60) is sent by dnsmasq, then that is used for selecting encapsulated options in preference to any sent by the client. It is possible to omit the vendorclass completely; --dhcp-option=vendor:,1, in which case the encapsulated option is always sent.

    Options may be encapsulated within other options: for instance --dhcp-option=encap:175, 190, iscsi-client0 will send option 175, within which is the option 190. If multiple options are given which are encapsulated with the same option number then they will be correctly combined into one encapsulated option. encap: and vendor: may not both be set in the same dhcp-option.

    The final variant on encapsulated options is "Vendor-Identifying Vendor Options" as specified by RFC3925. These are denoted like this: --dhcp-option=vi-encap:2, 10, text The number in the vi-encap: section is the IANA enterprise number used to identify this option.

    The address is not treated specially in encapsulated options.

    These are the option numbers: 3 is the default gateway, 6 is DNS.
  7. onehomelist

    onehomelist Addicted to LI Member

    Thanks michse, your post was very informative and it cleared my doubts.

    I have one more query. The dnsmasq conf file has the following option
    It'll "send any host in to a local webserver".
    In the same way, is there any option to force a LAN user to a local webserver, regardless of the URL the user enters in the browser?

    For example, if there is a user whose IP I know, I want to redirect him to a specific webpage with a warning or anything whenever he tries to browse.
  8. rhester72

    rhester72 Network Guru Member

    You're talking about a captive portal - they exist, but I'm not sure if any are available for Tomato. If so, it would likely be via Optware.

  9. onehomelist

    onehomelist Addicted to LI Member

    Not full-fledged captive portals like ChilliSpot or CoovaChilli. I was looking for something that I can add into the dnsmasq conf manually. If I see heavy malware or botnet traffic on the network and can diagnose the LAN IP it is coming from, at least I can inform that user about it.
  10. rhester72

    rhester72 Network Guru Member

    I see what you mean - unfortunately, dnsmasq doesn't support it. You might be able to do it with some clever iptables MASQUERADE rules.
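The iptables route rhester72 points at, worked out as an added example that is not code from anyone in the thread. The nat target that sends one host's web requests somewhere else is DNAT (it rewrites the destination; MASQUERADE rewrites the source and is what Tomato already uses on the WAN side). The functions print the rules so they can be checked off the router; apply_redirect runs them. Assumptions of mine: the LAN bridge is br0, the offending host is 192.168.1.50, and the warning page is served on the router at 192.168.1.1:8080, since port 80 on the router is Tomato's own GUI (the page itself would come from Optware, as rhester72 says, and is not shown here). Only port 80 is redirected: HTTPS cannot be redirected to another server without certificate errors in the user's browser.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: LAN bridge br0, warning
# page at 192.168.1.1:8080 on the router, host to redirect 192.168.1.50.

# valid_ipv4 192.168.1.50 -> exit 0; rejects "", "192.168.1", "1..2.3",
# "192.168.1.256" and anything with characters other than digits and dots.
valid_ipv4() {
    case $1 in ""|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$extra" ] && return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# redirect_rules <host> <portal-ip> <portal-port> [yes]
# Prints the iptables commands. The DNAT rule sends the host's plain-HTTP
# requests to the warning page; with a 4th argument "yes" the host's other
# forwarded traffic is dropped too, so a suspected bot is cut off from the
# internet while its user still sees the notice. -I places both rules ahead
# of Tomato's own rules in their chains.
redirect_rules() {
    host=$1 portal=$2 port=$3 quarantine=${4:-no}
    valid_ipv4 "$host" && valid_ipv4 "$portal" || {
        echo "bad address: $host / $portal" >&2
        return 1
    }
    cat <<EOF
iptables -t nat -I PREROUTING -i br0 -s $host -p tcp --dport 80 -j DNAT --to-destination $portal:$port
EOF
    if [ "$quarantine" = yes ]; then
        cat <<EOF
iptables -I FORWARD -i br0 -s $host -j DROP
EOF
    fi
    return 0
}

# undo_rules: same arguments, prints the matching -D commands
undo_rules() {
    redirect_rules "$@" | sed 's/ -I / -D /'
}

# apply_redirect / remove_redirect: run on the router (e.g. via ssh)
apply_redirect()  { redirect_rules "$@" | sh; }
remove_redirect() { undo_rules "$@" | sh; }
```

Usage on the router: apply_redirect 192.168.1.50 192.168.1.1 8080 yes, and remove_redirect with the same arguments once the machine has been cleaned. Rules added this way do not survive a reboot; to make them persistent, the same lines belong in Administration -> Scripts -> Firewall.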
