Making 2nd Tomato Router a dumb access point

Discussion in 'Tomato Firmware' started by personalt, Apr 20, 2012.

  1. personalt

    personalt Networkin' Nut Member

    I have a second linksys router with tomato installed that I would like to make a dumb access point. I see lots of threads about how to do this with WDS but since I have a wired connection between the basement (main) router and this upstairs AP location I would rather not use WDS.
    I swear there was a thread about how Toastman did this in his apartment buildings, but I checked here and read the whole QoS thread again and couldn't find it mentioned.

    Are there any write-ups on what to do to make an AP that just passes through? I searched for a while, but when you search for generic terms like 'access point', 'NAT DISABLE', & 'multiple routers' you pick up a lot of random threads.
  2. crhiles

    crhiles Network Guru Member

    On the second router, disable DHCP, change the IP address of it to one different from the main but on the same subnet, plug the wired connection into one of the LAN ports, configure it as an access point with the same wireless settings as the main router but use a different wireless channel.
  3. fubdap

    fubdap LI Guru Member

    crhiles beat me to it.

    Leave the settings the way they are on your main router (aka router1)

    Plug Router2 (aka AP) directly to your computer LAN port to set it up first.

    On Router2:
    Disable DHCP
    Use an IP address outside of the DHCP pool of Router1, but in the same subnet
    Use the same Subnet Mask as Router1
    Use Router1 IP for the Gateway
    Choose Access Point for wireless
    Match all of your wireless settings exactly on both routers, except for the wireless channel. Use Ch: 1 for Router1 and Ch: 6 or 11 for Router2 or vice-versa.
    Plug router2 LAN port into router1 LAN port. You can use the WAN port of Router2 if you disable it on the GUI.
    Under Advanced/Routing/Miscellaneous change “Gateway” to “Router”
    zavar likes this.
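An audit of the settings listed in the post above, added here as an example and not part of the original thread. All addresses, AP names and the function name are constructed for illustration; the thread's real values are not shown.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
ROUTER1 = {"ip": "192.168.1.1", "netmask": "255.255.255.0",
           "dhcp_pool": ("192.168.1.100", "192.168.1.149")}
APS = [
    {"name": "ap-upstairs", "ip": "192.168.1.2", "netmask": "255.255.255.0",
     "gateway": "192.168.1.1", "dhcp_server": False},
    {"name": "ap-garage", "ip": "192.168.1.120", "netmask": "255.255.255.0",
     "gateway": "192.168.1.1", "dhcp_server": True},
    {"name": "ap-attic", "ip": "192.168.2.2", "netmask": "255.255.0.0",
     "gateway": "192.168.2.1", "dhcp_server": False},
]


def audit_aps(router1, aps):
    """Return {ap name: [problem codes]} for the LAN settings of each AP."""
    lan = ipaddress.ip_network(f"{router1['ip']}/{router1['netmask']}", strict=False)
    router_ip = ipaddress.ip_address(router1["ip"])
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in router1["dhcp_pool"])
    seen = {router_ip: "router1"}  # addresses already in use, to catch duplicates
    report = {}
    for ap in aps:
        ip = ipaddress.ip_address(ap["ip"])
        problems = []
        # A second DHCP server on the LAN hands out competing leases.
        if ap["dhcp_server"]:
            problems.append("dhcp-server-enabled")
        # The AP must sit on a usable host address in Router1's subnet.
        if ip not in lan or ip in (lan.network_address, lan.broadcast_address):
            problems.append("ip-not-usable-in-router1-subnet")
        # A static address inside the pool can later be leased to a client.
        if pool_lo <= ip <= pool_hi:
            problems.append("ip-inside-dhcp-pool")
        if ip in seen:
            problems.append(f"ip-duplicates-{seen[ip]}")
        seen.setdefault(ip, ap["name"])
        if ipaddress.ip_address(ap["netmask"]) != lan.netmask:
            problems.append("netmask-differs-from-router1")
        if ipaddress.ip_address(ap["gateway"]) != router_ip:
            problems.append("gateway-is-not-router1")
        report[ap["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_aps(ROUTER1, APS).items():
        print(name, "OK" if not problems else ", ".join(problems))
```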
  4. personalt

    personalt Networkin' Nut Member

    Thanks... this is the part that seems a**backwards to me

    "Under Advanced/Routing/Miscellaneous change “Gateway” to “Router” "

    I have read that a few places but wondered why this seems backward to what you would think... What does putting it in router mode do?

  5. gfunkdave

    gfunkdave LI Guru Member

    Gateway hosts your internet connection; router is just a router that moves traffic on your local network. It can stay in Gateway mode if you don't use the WAN port.

    From the Tomato docs:
    Gateway = Don't let WAN traffic access the LAN, except through port forwarding or DMZ. (Required mode for PPPoE connections connected through WAN port to a bridged ADSL modem.)
    Router = Turn off these features and NAT. (May be incorrect on details, but this is the idea)
  6. Toastman

    Toastman Super Moderator Staff Member Member


    Connecting two devices by cable remains the best method in terms of speed and reliability.
    The router connected to the internet is known as the "gateway".
    The secondary router will now be called just an "AP" (access point).

    Set it up exactly as follows:
    • Set WAN/Internet to "disabled"
    • Router IP Address - something different to your gateway IP address - e.g.
    • Subnet Mask
    • Set "Gateway" to the IP of the gateway e.g.
    • In "Advanced-DHCP/DNS" tick "Use user-entered gateway if WAN is disabled"
    • Disable DHCP
    • Enable wireless
    • Set wireless mode to Access Point
    • Use the same security settings and SSID as the main gateway (best for roaming)
    • Set your preferred encryption method etc. as normal
    • There is no need to change advanced/routing setting, leave the router in "Gateway" mode.
    • Connect a cable between LAN port on the AP and a LAN port on the gateway router (LAN not WAN !)
    Do exactly this. Don't do anything else that you "think" is necessary. It isn't.

    You don't need to do anything at all to the gateway machine. Just make sure that "wireless access" is enabled in Administration/Admin Access, if you have previously turned it off.

    You can use several access points if you want to.

    If you want ultimate stability on your gateway machine, you may choose to turn off the wireless and just use the AP('s) for wireless access. Without the complications of wireless, these routers are almost 100% stable and will usually stay up for several months or more.

    I would also encourage anyone NOT to use WDS or any other form of wireless connected access point, as they are inherently very slow and unstable. Use CABLE to connect devices wherever possible -and save yourself a lot of tears! The philosophy I follow is "Keep It Simple". If you really want to bog down a router with Virtual Access Points, VLANS, WDS, Torrent Downloads, VPN, TOR, etc. your router will become as useful as a chocolate teapot. It isn't a PC - it's a little underpowered chipset that has been made as cheaply as possible to do the minimum required of it. If your web pages don't open in less than 1 second, then you should take a good look at everything again.


    EDIT - so many people are posting conflicting information and unnecessary settings on the forums. Please do EXACTLY what I said above, no more, no less.

    You don't need to change routing from GATEWAY to ROUTER. The routing table will be the same whichever it is. You don't need to bind the access point's MAC to IP address either. Keep it SIMPLE until you know it works.

    If your AP doesn't work, then you did something wrong or you have a hardware fault or incompatibility issue.
    Last edited: Dec 1, 2016
    jazzme, momonth and zavar like this.
  7. zavar

    zavar Networkin' Nut Member

    If the AP is assigned a static IP on the gateway, is there any way to configure this on the AP so that the IP does not need to be manually configured?
  8. CardinS2U

    CardinS2U Network Guru Member

    No, you usually have to configure it manually. I leave .1-50 open to add more routers/statics to system/machines that need them.
  9. personalt

    personalt Networkin' Nut Member

    Thanks.. I did what toastman said and it worked like a champ.. I was not 100% sure what "Change mode to AP only" meant but I took it to mean both of these things...
    * Under the wireless settings pick Access Point as type rather than WDS or other type
    * Under Advanced/Routing/Miscellaneous change “Gateway” to “Router”

    Right away the DHCP flowed through and I got an IP on the original subnet. At first I tried to ping from my main network to the laptop on this AP and it didn't work. But it could have been a Windows firewall issue, as once I shared a folder on the laptop I was able to ping the laptop on the AP and I don't recall making any changes on the router.
  10. zavar

    zavar Networkin' Nut Member

    Thanks for the help with the setup folks. I'm using this configuration on my old Buffalo WHR-HP-G54 to provide a separate wireless G network from my wireless N. The only thing I changed from Toastman's recommendations was that I have different SSIDs for each network.

    Does anyone know what the DHCP Routes option on the Advanced/Routing/Miscellaneous menu does? When I turned this option off, I wasn't able to access my router through the WAN port (configured to use for LAN in the Basic/Network setup).
  11. pwillikers

    pwillikers Network Newbie Member

    Hmm, I've followed these instructions to the letter but continue to have a problem. Devices wired to the "access point" connect and are assigned an IP address from the "gateway" just fine. On the other hand, wireless devices can connect to the "access point" but are not assigned IP addresses. I've reflashed the router and tried many configuration permutations to no avail.

    Any suggestions would be greatly appreciated. ("access point" is the latest Tomato on an ASUS wl500gp v2)
  12. FL Guy

    FL Guy New Member Member

    Thanks for the instructions. I've tried to follow, but it's not working for me, so I must be missing something.

    The symptom is that devices connected to the AP via wired connections (such as a Blu-ray player/media streamer) do receive IP addresses, but are not able to access the internet.

    One step that I'm not sure that I've done correctly is the following: "Make a Static DNS entry for the IP of the gateway". Is this intended to mean to make an entry in the list of DNS servers with the address of the gateway router? If so, I've done that...

    Any suggestions for what else I might be missing? Must be something obvious, but I'm not seeing it... Thanks for any suggestions.
  13. fubdap

    fubdap LI Guru Member

    Your main router (gateway) and your second router should be configured the same except for the following.
    On your second router you should:
    (1) Disable DHCP Server
    (2) Use an IP address outside of the DHCP pool of main Router, but in the same subnet
    (3) Under Advanced/Routing/Miscellaneous change “Gateway” to “Router”
  14. FL Guy

    FL Guy New Member Member

    Thank you for the reply fubdap.

    I have double checked, and confirmed that the AP is set up as you described. Still no luck... Traffic from the media streamer (Blu-ray player) is not able to reach (find?) the Internet.

    a) This same configuration used to work, until the WRT54 router lost its settings a few days ago (before I loaded the Tomato FW).
    b) If I put a simple switch in place of the AP, everything works (except for the wi-fi features that would have been provided by the AP).
    c) Internet access via the main router works (as long as you are within range of the gateway router)

    So I believe that the gateway router is working, and the wired cable between the AP and the gateway router is intact.

    Any other suggestions?
  15. fubdap

    fubdap LI Guru Member

    Check the cable connection between the two routers. Try a different cable.
  16. FL Guy

    FL Guy New Member Member

    Replacing the AP with a switch works - using the same cable between the two devices that was used with the AP. So the cable between the devices is working.
  17. vincom

    vincom LI Guru Member

    here is a config setup w/pics making a 2nd router an ap

    make sure internet is working on 1st router
    1st router connected to modem
    wan = to type of internet you have, in this pic its cable = dhcp
    lan settings:
    ip address
    dhcp enabled


    2nd router wired into lan port from 1st router lan port
    wan type = disabled
    lan section:
    set ip for 2nd router same subnet as 1st router , in this eg
    dhcp disabled on 2nd router
    default gateway/dns matches 1st router ip =
    works as a wired & wireless gateway/ap


    get mac address from 2nd router from the tomatoes menu "status>overview" button


    bound the 2nd routers mac & ip in the 1st router menu "basic>Static DHCP/ARP/IPT"

    Last edited: Jul 6, 2015
    momonth likes this.
  18. fubdap

    fubdap LI Guru Member

    @vincom - I have had my setup working without binding router 2's MAC and IP to router 1. What does that binding do?
  19. vincom

    vincom LI Guru Member

    it will work w/out as it just makes sure that no other device can use the ip other than the ap, in this case router 2.
  20. Mercjoe

    Mercjoe Network Guru Member


    If you are hooked directly to the upstream router can you access both router UI's by direct IP?

    and when you are connected directly to the downstream router? are they both still accessible by direct IP?
    dbaettig likes this.
  21. FL Guy

    FL Guy New Member Member


    Awesome, thanks. I had forgotten about connecting from the first router to a LAN port on the second router (doh!). I knew that, but had forgotten about this bit. I had disconnected and moved the second router / AP in order to connect to a PC so I could flash the Tomato FW into it.

    Pretty busy today, but I'll try this out later, and let you know if that resolves the problem.
  22. momonth

    momonth Serious Server Member

    I'm puzzled with the same question, as I failed to access the AP's (aka downstream router) via the static IP I assigned to it.
  23. vincom

    vincom LI Guru Member

    answer to 1st quote > yes you can.

    answer to 2nd quote > are u trying wireless connection, u must enable wireless login access on downstream router or any router u want to log in from a wireless connection, iirc it's disabled by default

    from admin gui

    Last edited: Oct 3, 2015
    momonth likes this.
  24. momonth

    momonth Serious Server Member

    Thanks! Indeed, the 'wireless access' was disabled in my case. It now works as expected.
  25. Papka__

    Papka__ LI Guru Member

    I tried such a setup some time ago. There were 2 problems. Sometimes the AP became unreachable for WiFi clients. The AP was visible, but it was not possible to connect to it. The second problem was that I couldn't access the AP GUI either from LAN or from WAN (using NAT). I have no idea why this did not work. So I installed on the AP (only on the AP) the original ASUS firmware (it was an RT-N12) and switched it into AP mode (actually exactly the same setup you provided above) and that setup worked for me. No idea why it was not stable in the Tomato-Tomato setup.
  26. Monk E. Boy

    Monk E. Boy Network Guru Member

    I have about a dozen routers configured as access points and wired to the actual gateway, and they're all Tomato-Tomato. It's possible something in your configuration was off.

    As far as the AP becoming unreachable, the RT-N12 (original model) has stability issues with every Tomato release I've tried to use it with. While it can work fine for long periods (as long as a few months) it eventually freezes and requires a power cycle. I had mine running for over a year at first w/o any issues, but then they started seizing so I phased them out.
  27. dbaettig

    dbaettig New Member Member

    Dear all,

    I have followed this conversation with lots of interest and also searched for quite a while on the internet, but I am not able to find a solution to the following problem:

    I am not able to access the web user interface of my access point. Neither am I able to ping it. However, when I log into the user interface of my main router ( I can see that the access point is connected ( Also, the access point works just fine (LAN as well as WIFI).

    My set up is as follows:
    - Both devices are Netgear WNR3500Lv2 running Shibby Tomato v 1.28
    - Main router (gateway):
    - Access point:
    - Both have the same subnet mask (
    - Otherwise, my setup is pretty much as described in the above posts (cable from main router goes into LAN port of access point)

    I have tried to connect through WiFi as well as when being connected by cable to the main router or the access point.

    Does anyone of you have an idea how to fix this?

    I would appreciate any input.

    Thanks a lot in advance,
  28. vincom

    vincom LI Guru Member

    what error do u get when trying
    which browser.
    if pc ur using is connected to main router via ethernet or wifi(main routers wifi, not ap) it should work
    dbaettig likes this.
  29. dbaettig

    dbaettig New Member Member

    Hi vincom,

    thanks for your immediate reply.

    I have been trying with Chrome, Firefox and Edge.
    The error message is "The connection has timed out" in Firefox. In Chrome and Edge it is similar.

    Kind regards,
  30. ghoffman

    ghoffman Network Guru Member

    1. did you enable AP isolation in advanced wireless settings? this will prevent wireless clients from seeing anything on lan bridge i think.
    2. do you have separate vlans for lan and wireless? if so, you need to bridge them.
    3. is the .99 address within the dhcp range? if so, then another device may have that address also.
    4. AP should be configured as router, not gateway.
    5. clear your browser cache and renew your laptop IP address.

    like others have said, you will be able to access the gui interface on the AP if you have configured correctly.
    dbaettig likes this.
  31. dbaettig

    dbaettig New Member Member


    thanks for your message. Regarding your suggestions:

    1. I have just checked this setting in my main router. Isolation is disabled there and this is also the default setting. As I certainly did not change this on the AP (I was not aware of this setting), I think it is safe to assume that this is not the reason why it does not work.
    2. No
    3. The DHCP range for IPs assigned by the main router (DHCP server) goes from to, hence there should be no conflict with the 99 one.
    4. Not sure about this. However, I am not able to check it... :-(
    5. Tried this; also tried on four different devices (wired and wireless) to connect - to no avail.

    I am getting more and more puzzled. Either there is something really evident that I have not grasped yet - or the only way out is a reset. Here my next question:

    What happens if I push the Factory Reset button at the back of the device? Will it go back to Tomato defaults - or will it destroy my router (obviously I have overwritten the Netgear default and flashed Tomato...).

    Thanks again for all your inputs!

    Kind regards
  32. gfunkdave

    gfunkdave LI Guru Member

    What happens if you plug a cable into the AP and try to connect to it?

    Did you disable the AP's DHCP server? Did you set the main router to the AP's gateway?

    The Gateway vs Router setting is under Advanced -> Routing.

    The reset button will clear Tomato's settings and leave you with Tomato as if it had been freshly installed.

    Have you tried unplugging the AP and rebooting it? Or, disconnect it from your network entirely, reboot it, and try to connect to it with a cable directly into one of its LAN ports.
    dbaettig likes this.
  33. Monk E. Boy

    Monk E. Boy Network Guru Member

    Did you connect the WAN port on the "AP" to one of the LAN ports on the "gateway"?

    Try connecting LAN1 on the AP to one of any of the LAN ports on the gateway.
    dbaettig likes this.
  34. rickmav3

    rickmav3 Serious Server Member

    Start from scratch with the AP; double check each step; don’t do anything else:

    • Reset configuration on the AP.
    • Disable DHCP on the AP! Very Important!
    • If main router is on, make AP IP
    • Enter main router IP for Gateway and primary DNS.
    • Configure Wireless access on the AP same as main Router: same SSID, same security, same password. But different 2.4GHz channel! Make main router and AP distanced by 4-5 channels: ex: 11 on main, 6 on AP.
    • Connect LAN port from main Router to LAN port on AP.
    • Connect to Internet Wireless and LAN from the AP. Everything should work. Enjoy!
    Last edited: Apr 26, 2016
    dbaettig likes this.
  35. Monk E. Boy

    Monk E. Boy Network Guru Member

    When you disable the WAN port (or assign WAN to LAN) the default gateway field will appear on Basic -> Network. If the WAN is left at default (DHCP) the default gateway field will be hidden.

    This won't stop you from talking to the AP though, not unless you're using HTTPS. Without a default gateway set the router can't NTP its clock, which causes all kinds of encryption issues.
    Last edited: Apr 20, 2016
    dbaettig likes this.
  36. dbaettig

    dbaettig New Member Member

    Dear all,

    thanks again for all your valuable inputs.
    In the end, I simply reset the access point and started over, taking into account all your recommendations.
    Now it seems to work just fine. I can access both the main router's and the AP's web interface.

    Have a great evening!

    Kind regards,
  37. Monk E. Boy

    Monk E. Boy Network Guru Member

    Thanks for checking back. Sometimes these threads never get an update and we're collectively left scratching our heads as to what was the problem.
    koitsu likes this.
  38. wetpaint

    wetpaint Reformed Router Member

    So I have a question please.....
    I have created the AP and it works like a treat....however....i have a guest SSID that has a LAN bridge so that it can only access the Interwebz and not my personal there a way that I can extend that onto the AP along with my personal SSID safely? I cannot see how to do it.
  39. ruggerof

    ruggerof Network Guru Member

    See this
  40. wetpaint

    wetpaint Reformed Router Member

    Thanks ruggerof that was JUST what I was looking for!
    Except, i cannot seem to get DHCP to broadcast on the second vlan on the second router :-(
  41. ruggerof

    ruggerof Network Guru Member

    DHCP is not broadcast, do you mean the SSID?

    Even if you meant DHCP, i.e. serving and associating IPs, it should be done only by the main router, the 2nd router should be an AP only.
  42. wetpaint

    wetpaint Reformed Router Member

    Sorry, my mistake, I meant i cannot get DHCP to serve ips to the second router across the 2nd VLAN, DHCP is only on the primary router and not on the AP, even if i don't use a virtual wireless it is the same, I have tried bridging eth2 to LAN (br1), exactly the same results, no DHCP. if I switch back eth2 to LAN (br1) it works just fine.
    FYI, I am using an Asus RT-AC66U with Advanced Tomato 3.1-132 as the primary router and an Asus RT-N66U with the same firmware version on the AP
  43. Monk E. Boy

    Monk E. Boy Network Guru Member

    So you have your main network and you have a guest network. These are implemented using VLANs. To extend these networks onto an AP you need to recreate those VLANs on the AP. Then you need to tie each of the VLANs on each router together.

    You do this by first making sure the VLAN IDs on both routers are the same - so VLAN 1 is your private network, VLAN 2 is your guest network, etc. Those should match on all devices.

    Tying them together can be done by either using tagging to put both VLANs onto a single ethernet cable strung between the two devices, or via two (or more) cables, one per VLAN, strung between the routers, each containing an untagged VLAN. The ports on both routers have to be configured to either tag both VLANs onto a particular port, or participate (untagged) in a VLAN on different ports. Again, you need to do roughly the same thing on both routers, although which port(s) you choose doesn't matter, just that you connect the ports together using the same style of configuration on both. If port 1 on router A is VLAN 1 and port 4 on router B is VLAN 1, you would connect those two ports together. If port 1 on router A is tagging VLAN 1 and VLAN 2 and port 4 on router B is tagging VLAN 1 and VLAN 2, then you connect those together. You can't tag on one and not tag on the other, it won't work.

    Generally tagging is more prone to failure, so if you have a smart switch (that can itself tag & untag packets) in-between the two routers then you may have issues, but if you have a single cable run from one to the other and they're both running the same version of Tomato then tagging should work. Separate cables is the fall back that pretty much should always work provided there's no VLAN-specific issues on the router (e.g. a bug that resets VLAN configuration on reboots, etc.).

    There are other threads on here that discuss VLANs in greater detail, some discussing this very topic, so you probably should use the search function to find them if you need to understand what you need to do better.
  44. wetpaint

    wetpaint Reformed Router Member

    Thanks for the explanation, I believe that I am doing this right as it is working for the default VLAN but not VLAN 1000
    I am using the VLAN tagging with a single Cat 5 cable from port 1 to port 1
    Primary Router
    I guess I will try tomorrow with 2 Cat 5 cables, although that really is not ideal.
  45. wetpaint

    wetpaint Reformed Router Member

    You know what, I think I found it
    root@Nemo:/tmp/home/root# robocfg show
    Switch: enabled gigabit
    Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:21:d8:d1:f7:db
    Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:d3:3b:58
    Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: b8:27:eb:0c:9f:32
    Port 4: 10FD enabled stp: none vlan: 1000 jumbo: off mac: 00:1e:4f:f4:e9:a0
    Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: e0:3f:49:09:fd:38
    VLANs: BCM53115 enabled mac_check mac_hash
    1: vlan1: 1 2 3 4t 8t
    2: vlan2: 0 8t
    1000: vlan1000: 4t 8t

    root@Dory:/tmp/home/root# robocfg show
    Switch: enabled gigabit
    Port 0: DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
    Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 18:3d:a2:47:d8:f8
    Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 4: DOWN enabled stp: none vlan: 1000 jumbo: off mac: 00:00:00:00:00:00
    Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:d3:3b:58
    VLANs: BCM53115 enabled mac_check mac_hash
    1: vlan1: 1 2 3 4t 8t
    2: vlan2: 0 8t
    1000: vlan1000: 4t 8t

    On the GUI and on the routers it is showing that I am using port 1, but in the VLAN config GUI, that is actually port 4 as you can see that the VLAN 1000 tag is port 4 not port 1.
    I changed the VLAN tagging to port 4 and it is all working a treat now!

    Thanks for your help and patience!
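A checker for the port mismatch found in the post above, added here as an example and not part of the original thread: it parses robocfg show text and reports which VLANs a given switch port carries. The sample is the AP's ("Dory") output as posted; treating port 8 as the internal CPU port, and all function names, are assumptions.

```python
import re

# robocfg show output from the AP ("Dory"), copied from the post above.
DORY = """\
Switch: enabled gigabit
Port 0: DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 18:3d:a2:47:d8:f8
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1000 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:d3:3b:58
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4t 8t
2: vlan2: 0 8t
1000: vlan1000: 4t 8t
"""

PORT_RE = re.compile(r"^\s*Port\s+(\d+):\s+(\S+)\s+enabled\b.*?\bvlan:\s*(\d+)")
VLAN_RE = re.compile(r"^\s*(\d+):\s+vlan\d+:\s*(.*)$")
CPU_PORT = 8  # assumption: port 8 is the switch's internal link to the CPU


def parse_robocfg(text):
    """Return (ports, vlans): link state and PVID per port, members per VLAN."""
    ports, vlans = {}, {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = {"link": m.group(2), "pvid": int(m.group(3))}
            continue
        m = VLAN_RE.match(line)
        if m:
            members = {}
            for tok in m.group(2).split():
                num, suffix = re.match(r"(\d+)(\D*)", tok).groups()
                members[int(num)] = "tagged" if "t" in suffix else "untagged"
            vlans[int(m.group(1))] = members
    return ports, vlans


def vlans_on_port(vlans, port):
    """VLAN IDs carried by one switch port, with tagged/untagged mode."""
    return {vid: m[port] for vid, m in vlans.items() if port in m}


def missing_on_port(vlans, port, wanted):
    """VLANs that should cross the uplink but are not configured on it."""
    carried = vlans_on_port(vlans, port)
    return [vid for vid in wanted if vid not in carried]


def dead_vlans(ports, vlans):
    """VLANs whose physical member ports are all DOWN (no path off the box)."""
    dead = []
    for vid, members in sorted(vlans.items()):
        phys = [p for p in members if p != CPU_PORT]
        if phys and all(ports.get(p, {}).get("link") == "DOWN" for p in phys):
            dead.append(vid)
    return dead


if __name__ == "__main__":
    ports, vlans = parse_robocfg(DORY)
    print("cable is in switch port 1, which carries:", vlans_on_port(vlans, 1))
    print("missing on port 1:", missing_on_port(vlans, 1, [1, 1000]))
    print("VLANs with no live physical port:", dead_vlans(ports, vlans))
```

On the AP, VLAN 2 also shows as dead because its only physical member is the unused WAN-side port, which is expected; VLAN 1000 showing as dead is the fault described in the post.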
  46. Monk E. Boy

    Monk E. Boy Network Guru Member

    Excellent news, glad you figured it out and got it working.
  47. tvlz

    tvlz LI Guru Member

  48. ericsan256

    ericsan256 Network Guru Member

    Is there any way to show the Hostnames on the access point router? Right now all is working fine, but under "Device list" all I see is MAC, RSSI, etc. "Name" column is blank.
  49. momonth

    momonth Serious Server Member

    It works for me, I only added my access point (runs the same version of tomato) to the static DHCP list.
  50. Monk E. Boy

    Monk E. Boy Network Guru Member

    To my knowledge the only way to get host names on the access point is to create static leases for clients (under basic -> dhcp/arp) then recreate the same information on the access point. Otherwise the AP has no way of figuring out names, all it sees are MAC addresses and IP addresses. Only the DHCP server gets names passed to it.
  51. XeoNoX

    XeoNoX Serious Server Member

    was having xbox netflix / espn streaming issues with a 2nd AP on the same network and i switched the 2nd ap from "gateway" to "router" mode and the drops and port forwarding seems to be working correctly. i think the 2nd ap on same network should be "router" mode which means it disables NAT.
  52. Monk E. Boy

    Monk E. Boy Network Guru Member

    Gateway & Router basically controls the NAT function. In Gateway mode it performs a NAT operation on every packet going out (or coming in) the WAN, in Router mode it doesn't. Since an AP shouldn't be using its WAN port as a WAN port, gateway vs. router shouldn't make a huge difference to an AP since the only operations being performed on an AP are bridge operations (LAN to WLAN or vice versa). I would check that your WAN is disabled under basic -> network and the WAN is added to LAN (usually an additional checkbox).

    That being said I usually do put APs into router mode because I figure it'll have less rules to deal with. It should be an inconsequential amount of CPU time since they won't get walked through except on LAN to WAN operations, but they aren't needed so they may as well be disabled to simplify the setup.