How to? wireless client mode, diff subnet w/o NAT

Discussion in 'Tomato Firmware' started by SlickNetAaron, Jan 27, 2008.

  1. SlickNetAaron

    SlickNetAaron LI Guru Member


    I am trying to figure out how to set up a wireless client running Tomato and have the LAN side of the Tomato run on a different subnet without using NAT.

    To state it a different way: I need to understand how to use wireless client mode for the WAN and use a different subnet for the LAN side but not use NAT. I want the LAN side to be fully routable and visible from the WAN.

    Network Diagram:

    Internet >> firewall/router/NAT device > standard AP > tomato wireless client >
    tomato wired clients on the LAN ports.

    Firewall/router/NAT device has static public IP > my AP has > tomato wireless client should be 10.0.0.xx > and tomato wired clients should be 10.5.yy.zz (each tomato on a different subnet)

    I have successfully set up wireless client bridge mode and/or wireless client mode with NAT. When I change from gateway mode to router mode I can no longer access the WAN side of the Tomato. I think I am missing a static route, or need to open the can of worms of routing protocols???

    Any help is greatly appreciated!
  2. mstombs

    mstombs Network Guru Member


    If I understand correctly you want to avoid double NAT?

    I've never used router or wireless client mode, but the issue may be that the main router does not have a route to reply back to the client, as it will not know it has to send messages to 10.5.yy.zz via 10.0.0.xx. Is the main router Tomato as well?

    I also see problems in getting non-routed protocols such as UPnP to pass transparently through the AP.
  3. humba

    humba Network Guru Member

    Why do you think about the WAN port on the second router in this case? You want to bridge the distance between the primary and secondary router via wireless and have a different subnet behind the secondary router, is that correct?

    I also take it you'll have wired/wireless clients connected to the primary router, correct?

    Are there any security concerns in between clients connected to the primary and secondary router?

    As I said, the WAN port on the secondary router really shouldn't matter. What you want is basically to detach the WLAN interface on the secondary router from br0 (that's the bridge all LAN ports and the WLAN are normally connected to, so they appear to be on the same network and can "talk" to each other). You then enable routing between the now separated eth1 interface and br0 and have a DHCP server (I presume; you didn't say if you want DHCP on your 10.5.x.x network or not) running on br0 so that wired clients will get an IP address from the appropriate IP range (via iptables you'll also want to make sure that DHCP doesn't pass between eth1 and br0).

    I'm not sure how the various wireless modes work, but I assume that in the bridged scenario there'll be a DHCP client running on br0, which gets an IP address, and since br0 contains both wired and wireless interfaces, wired clients connected to the router will get an IP address via the main DHCP server.

    I think if you look at roadkill's instructions on how to separate wireless from wired LAN, and use the wireless client mode, you'll get on the right track (just know that vlan1 (the WAN port) is of no interest on the secondary router; instead you route between eth1 and br0).
  4. SlickNetAaron

    SlickNetAaron LI Guru Member

    thanks mstombs and humba!

    It looks like all that was missing was a route from my primary NAT/firewall to the 10.5.xx.yy network. Tomato set to Router mode, Wireless Client (the wireless interface becomes the WAN port, using DHCP Client for WAN), and the DHCP server on the Tomato serves 10.5.xx.yy, and I can talk from my primary router to clients on the 10.5.xx.yy network! Yaay!

    Now, is there a way to automate the route building on the primary firewall? I have RIP & OSPF available. I haven't had time to check into RIP and how it works on Tomato. Never used RIP. (I will do that now :))

    Thanks again! Loving Tomato BTW!
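    The routed, no-NAT layout that SlickNetAaron ended up with, as an added example (not code from the thread or from Tomato): it generates the static route for the primary router and the forwarding/DHCP-isolation commands for the Tomato, and checks that the next hop is actually on-link before emitting the route. All addresses are hypothetical placeholders: AP-side LAN 10.0.0.0/24, primary router 10.0.0.1, Tomato wireless-client WAN address 10.0.0.50, Tomato LAN 10.5.1.0/24.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the commands for the routed
# (no-NAT) layout and sanity-checks the route's next hop.
# Hypothetical addresses: AP-side LAN 10.0.0.0/24, primary router 10.0.0.1,
# Tomato wireless-client WAN 10.0.0.50, Tomato wired LAN 10.5.1.0/24.

ip_to_int() {
  # Dotted quad -> 32-bit integer, using only POSIX sh features.
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

same_subnet() {
  # same_subnet ADDR1 ADDR2 PREFIX: exit 0 if both lie in one /PREFIX.
  m=$(( (4294967295 >> (32 - $3)) << (32 - $3) ))
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

primary_route_cmd() {
  # primary_route_cmd LAN_CIDR TOMATO_WAN PRIMARY_LAN_IP PREFIX
  # The next hop must be on-link for the primary router; otherwise the
  # route is accepted but the kernel can never resolve the gateway.
  same_subnet "$2" "$3" "$4" || { echo "gateway $2 not on-link" >&2; return 1; }
  printf 'ip route add %s via %s\n' "$1" "$2"
}

tomato_cmds() {
  # Tomato in Router mode: forward between eth1 (wireless WAN) and br0
  # (wired LAN) with no NAT, report a leftover MASQUERADE rule, and keep
  # DHCP (UDP 67/68) from crossing between the two segments.
  cat <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -L POSTROUTING -n | grep -q MASQUERADE && echo "NAT rule still present"
iptables -I FORWARD -i eth1 -o br0 -p udp --dport 67:68 -j DROP
iptables -I FORWARD -i br0 -o eth1 -p udp --dport 67:68 -j DROP
EOF
}

# Print the commands for review rather than executing them.
primary_route_cmd 10.5.1.0/24 10.0.0.50 10.0.0.1 24
tomato_cmds
```

    The printed commands are meant to be pasted on the respective router after review; the Tomato lines go in its firewall script so they survive a reboot.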

  5. HennieM

    HennieM Network Guru Member

    Enable RIP on both routers - they will learn from each other - but be sure to have the Firewall/router/NAT device's RIP on the LAN side only.

    Static routes are so much cleaner....