Is the following possible using vlan?

Discussion in 'Tomato Firmware' started by blackjackel, Jan 15, 2014.

  1. blackjackel

    blackjackel LI Guru Member

    I have 3 routers, let's call them 1, 2, 3. They have the IP addresses,, respectively.

    I also have two computers, let's call them A and B.

    Router 1 is the one connected to my modem, and hosts DHCP for the 192.168.1 net. All computers on my network are connected to this router. Router 2 is on the other side of the house, doesn't host DHCP and allows computers to connect to 1 through it, so it's just a wireless access point.

    I want to be able to create a 2nd lan (vlan) at IP 192.168.2.whatever and connect two computers on my network together, and have only those two computers connected to each other. Router 3 will be the wireless access point for the 192.168.2.whatever vlan... (this is how computer A accesses the vlan)

    I want router 1 to host the DHCP for this 2nd vlan (but this isn't a necessity, router 3 can host the DHCP for the 2nd lan if need be) and at the same time it will run a wifi network that will have any client that connects be in this vlan (this is how computer B accesses the vlan).

    So to review:

    router 1 has two wifi networks, one regular lan, one on the vLAN (where computer A accesses the network)

    router 2 sits between router 1 and router 3.

    router 3 is connected to router 2, and hosts a wifi network where all clients connected are on the vlan (this is how computer B accesses vlan)

    I tried this:

    On router 1 basic-> Network, under LAN I created a 2nd one at and set "Bridge" to "br1", turned DHCP on.

    On router 2 I did nothing because I figure it doesn't need to be configured to pass the vlan over, but I may be wrong, I think I'm wrong.

    On router 3 on basic -> LAN I made the router's IP to and turned off DHCP

    This is not working at all.

    A full detailed explanation is not necessary, if someone could point me to a howto video or website that would explain how this can be done, I would be much obliged.


  2. unoriginal

    unoriginal Serious Server Member

    Perhaps the first thing to say, to help you understand the process, is that you are already technically running vlans, as are all routers which act as internet gateways, one for the "regular lan" and the other for the wan. On many Tomato routers, vlan0 is the "regular lan" with br0, the main wifi (perhaps eth1) and all the lan ports attached to it, and vlan1 has the wan port attached to it. So technically you will be making a third vlan, not a second one.

    In the case of Router 2, which you have likely configured as a WAP partly by pointing default gateway, dns and wins at Router 1 (Basic: Network) and disabling WAN/Internet and bridging the wan port to br0, you have effectively disabled the wan vlan. If you want you can go to the Advanced:VLAN configuration page on Router 2 right now and take the WAN port off the wan vlan and put it on your br0 vlan explicitly, without changing how the WAP works. Everything on the WAP is treated like "regular lan" / vlan0 traffic, pushed forward to your gateway, Router 1, where the stuff going out moves to vlan1 and out the wan port.

    The point I'm making is that you are already using vlans without really thinking about it. What you want is just one step up from that.

    Because you are now running two DHCP services ( and you need two things you haven't taken into account: consistent vlans across all three routers, and you need 802.1q vlan tagging so the downstream routers can tell Router 1 what packets go to which vlan and get which DHCP pool.

    So on each router, look at the vlan page, and make sure your vlan is the same numbered vlan (say, vlan0) on each router, with the same bridge (br0) attached, and the same WiFi connected to that bridge. Make sure your wan vlan is the same (say, vlan1), whether there are ports attached to it (Router 1) or not (Router 2, 3). And make sure your vlan is the same across all routers. (say, vlan2)

    To get tagging to work, you put the port that holds the ethernet cable that connects two routers together on both the br0 and the br1 vlans, and check the "tagging" box next to that port. So if Router 1 has the cable going to Router 2 in Port 1, and it goes to Port 1 on Router 2, on each of those routers you put Port 1 in each non-wan vlan and enable tagging. The cable connecting Router 2 to Router 3 goes from Port 2 of Router 2 to Port 1 of Router 3, meaning you attach Port 2 to both vlans on Router 2 and tag it, and attach Port 1 to both vlans on Router 3 and tag it. So Router 2 ends up with both Ports 1 and 2 getting shared and tagged, while Routers 1 and 3 wind up with only Port 1 being used that way.

    I will furthermore suggest that since you'll be setting up all the prerequisites anyway, you might as well turn on the WiFi on Router 2 if that router supports multiple SSIDs.

    Finally, in Advanced:Routing, change the setting of Routers 2 and 3 from "gateway" to "router." That simplifies their routing table.

    EDIT: on Router 3, make sure you are putting in the address of Router 1, not Router 2, in gateway, dns, and wins on Basic:Network. That's where you want all the stuff to go for processing.
    Last edited: Jan 15, 2014
    blackjackel likes this.
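
    The trunk layout described in the reply above, written out as a consistency check. This is an added example, not part of the original thread and not Tomato's own configuration format: the dictionary layout, the names `GOOD`, `BROKEN`, `TRUNKS` and `check_trunks`, and the VLAN numbers (the reply's "say, vlan0 / vlan1 / vlan2") are assumptions for illustration.

```python
import copy

WAN_VLAN = 1  # assumed numbering: vlan0 = regular lan, vlan1 = wan, vlan2 = new vlan

# Constructed sample: {router: {vlan_id: {port: tagged?}}}
GOOD = {
    "router1": {0: {1: True, 2: False, 3: False}, 1: {"wan": False}, 2: {1: True}},
    "router2": {0: {1: True, 2: True}, 1: {}, 2: {1: True, 2: True}},
    "router3": {0: {1: True}, 1: {}, 2: {1: True}},
}
# Cables between routers, as (router, port) pairs: R1 p1 <-> R2 p1, R2 p2 <-> R3 p1
TRUNKS = [(("router1", 1), ("router2", 1)), (("router2", 2), ("router3", 1))]


def check_trunks(routers, trunks, wan_vlan=WAN_VLAN):
    """Return a list of problems; an empty list means the trunks are consistent."""
    problems = []
    # Every router must define the same set of non-wan VLAN numbers.
    vlan_sets = {name: set(vlans) - {wan_vlan} for name, vlans in routers.items()}
    expected = set().union(*vlan_sets.values())
    for name in sorted(vlan_sets):
        for missing in sorted(expected - vlan_sets[name]):
            problems.append(f"{name}: vlan{missing} not defined")
    # Both ends of every cable must be tagged members of every non-wan VLAN.
    for cable in trunks:
        for router, port in cable:
            for vid in sorted(expected):
                members = routers[router].get(vid, {})
                if port not in members:
                    problems.append(f"{router} port {port}: not a member of vlan{vid}")
                elif not members[port]:
                    problems.append(f"{router} port {port}: untagged on vlan{vid}")
    return problems


# Constructed failure case: Router 2 left unconfigured, as in the first post's attempt.
BROKEN = copy.deepcopy(GOOD)
del BROKEN["router2"][2]
BROKEN["router2"][0] = {1: False, 2: False}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("broken", BROKEN)):
        print(label, check_trunks(cfg, TRUNKS) or "consistent")
```

    An untagged or missing trunk membership on the middle router is enough to keep the second DHCP pool from reaching clients behind it, which is why the check walks both ends of each cable.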
  3. blackjackel

    blackjackel LI Guru Member

    Thanks, your explanation was awesome and I got my vlan working correctly. I want to add a few more things for search engines to find this post better (I did a lot of googling before I posted and found nothing). This is how to connect a vlan to two or three separate routers!

    I have another problem now, and I took a few screenshots to serve both as a learning tool for others and a diagnostic tool.

    So the vlan that works now is br1, everything works AWESOME! I figured why end with 1 vlan? So I set out to create a 2nd vlan for my guests who come to my house... so they can be separate from the rest of my network...

    I figured the same settings for vlan 1 (br1) would work, right? Nope. For some reason it's not working, is this a vlan limitation where no more than a certain number of vlans can be sent over one port?

    Here are my configuration pages from routers 1 and 2 (for this vlan I don't want it to run to router 3 which is why I only dealt with routers 1 and 2).

    The problem is when I try to connect to the wifi that is br2 (the new vlan) the connection won't establish, as if the router wasn't receiving DHCP from

    Uploaded are router configs for (the main router with dhcp) and
