Multiple Virtual SSIDs across multiple devices

Discussion in 'Tomato Firmware' started by MitchThompson, Mar 2, 2013.

  1. MitchThompson

    MitchThompson Serious Server Member

    Hi, everyone. I'm new to this board, but I've been using Linksys routers (WRT54Gx and E3000s) for several years. I used DD-WRT for a long time, and recently switched to TomatoUSB. I'm wanting to set up a network with two SSIDs (private and guest), using three WRT54GLs, one as the gateway router, and the other two simply as APs. This is to provide coverage throughout a large building (church).

    Currently, all three routers have "tomato-K26-1.28.RT-MIPSR1-107-MiniIPv6.trx from
    The gateway router has been set up with the private SSID and a guest vSSID. WL0.1 is attached to br1, which is assigned to VLAN10. I have separation between the two networks and Internet access from the guest wireless. That part all works OK. Oh, and I assigned LAN ports 1 and 4 to br0 (VLAN1) and LAN ports 2 and 3 to br1 (VLAN10), with tagging turned on on ports 2 and 3 in both VLANs. The two "outlying" WRT54s that will be APs are plugged in to ports 2 and 3.

    From nvram:

    lan1_ifnames=vlan10 wl0.1
    lan_ifnames=vlan0 eth1
    vlan0ports=3 2t 1t 0 5*

    vlan10ports=1t 2t 5

    vlan1ports=4 5


    Next, I have a single CAT-5 connecting the AP routers to the gateway on LAN2 and LAN3. I want these to provide the "admin" SSID and the "guest" vSSID access to the Internet, but not to each other, allow "admin" wireless users access to admin network resources, and not allow the guest users access to resources on the admin network.

    I've done this before, albeit with a Cisco Catalyst and APs capable of assigning VLAN numbers to SSIDs and vSSIDs. And the Catalyst was connected to a separate router.

    Anyway, am I looking for a capability in these routers that isn't there?
  2. bmupton

    bmupton Networkin' Nut Member

    I've tried to do this with Tomato as well, and I could never get the virtual SSIDs on the WAPs to have Internet access...I'm sure it just boils down to some firewall rules, but I don't know what they are (I'm no expert...I know just enough to be dangerous)
  3. unoriginal

    unoriginal Serious Server Member

    Is trunking enabled on the APs as well, and on the right port (i.e. port 2 and port 3, respectively)? Same vlan settings as on the gateway? Same wireless settings? It wasn't really clear how you had setup your APs in your description.

    By default, Tomato should keep everything separate between vlans, except the router itself and whatever is beyond it, likely your modem. Put this in Scripts -> Firewall on your gateway to bounce guest access:
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br1 -p tcp --dport www -d -j REJECT --reject-with tcp-reset
    For your APs, use everything but the last one, which denies access to the modem config pages for guests. Obviously use whatever address is correct for your situation there.
  4. MitchThompson

    MitchThompson Serious Server Member

    Hi, unoriginal. Thank you for the advice.

    Yes, VLAN trunking is enabled on all routers.

    SSIDs on all routers are identical. The idea is to be able to walk from one end of the building to the other and hop from AP to AP.

    In the routers acting as APs, the physical SSID is attached to br0 and the default VLAN1. Br0 is at

    The vSSID is attached to br1, and assigned to VLAN10. Br1 is at

    The WAN port is disabled and attached to br0.

    I think using the bridges is my problem, because (I think) both Wifi devices, real and virtual, need to be on the same physical segment (br0), but tagged with their respective VLAN. I just can't figure out how to do that. I realize that not everything can be done through the GUI, and I'm not afraid of the command line (I'm a Linux administrator). If I just create the VLAN assignment using the nvram command, will it be recognized a valid? I just thought of that, and I can't test it out for a few days.

    On both AP routers, the CAT-5 link is on port 1. At the gateway, one AP is plugged in to port 2, the other into port 3. Port 1 goes to an Ethernet switch that serves the building's computers and VoIP phones.

    On the gateway, ports 2 & 3 are assigned to both VLAN 1 & 10, with tagging (via command line; it doesn't seem to survive a reboot when done through the GUI).

    It'll get there. I'm not having to reset the router as often as I did from locking myself out with a misconfiguration, so that's a good thing.

    Thanks for the advice.


    Sent from my Nexus 10 using Tapatalk HD
  5. unoriginal

    unoriginal Serious Server Member

    That's the same setup I have, only with one AP instead of two.
    I have all my physical ports and eth0/wl0 attached to br0, and wl0.1 attached to br1. Configured it all through the GUI. Works fine. I use Shibby's latest, but I've had it running for half a year.
    So, just to confirm, on the APs you have tagging enabled on port 1, and port 1 is on both your br0 and br1 vlans, and on the gateway you have tagging enabled on both ports 2 and 3, on both br0 and br1 vlans?
  6. unoriginal

    unoriginal Serious Server Member

    Just going to do a mini-HOWTO with pictures here, in case anyone else wants a simple private/public wireless network spanning across multiple gateways/APs. My setup is for (1) gateway and (1) access point, with (1) private and (1) guest vlan, with the "trunk" ethernet cable going between Port 1 on both routers, but you should be able to easily extrapolate to more vlans and/or APs.

    Add a second bridge (br1) to your gateway for the guest vlan/wireless, which is in Basic->Network:

    On your AP(s) in Basic->Network, disable and attach your WAN port to your default vlan, set up your bridges, and point your AP(s) at the gateway for DHCP assignments and internet access.

    *For any additional APs, you'll have to change the IP address of the AP ( and so on).

    For the remaining settings, the config is the same for both gateway and AP:

    Set up your Advanced->VLAN on both the gateway and APs. All my physical ports and "main" wireless network are for personal use, and the public wireless is assigned to its own VLAN. The ethernet cable connecting AP to gateway is on Port 1 on both AP and gateway, so the config is identical for both routers. I am using the offset because it is recommended not to use VIDs 0 or 1 with trunking enabled:

    Here are the Advanced->Virtual Wireless settings (with SSIDs scrubbed out). Naturally, I have WPA2 on eth1/wl0 while wl0.1 has no protection:

    And finally the Administration->Scripts->Firewall stuff, which should keep your wireless guests from trying anything funny:
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br1 -p tcp --dport www -d -j REJECT --reject-with tcp-reset
    You don't need the last one for the APs, just the gateway. It keeps guests from accessing the modem config page and possibly soft-resetting the modem. My SB6121 has its config on

    If you want to control guest bandwidth, the best place to do that is via the Bandwidth Limiter (as opposed to QoS, which is heavier on performance).
    MitchThompson and bmupton like this.
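The VLAN/bridge layout described in the first post and in this HOWTO is easy to get subtly wrong (a trunk port untagged in one VLAN, or a port untagged in two VLANs, silently joins the private and guest networks at the switch). The following checker is an added example, not code from this thread or from Tomato: it parses the `vlanNports` and `lan*_ifnames` nvram values quoted in the first post and reports trunk, access-port and bridge problems. Trunk ports are given as the switch port numbers that appear in the nvram strings, since those do not always match the labels on the case; port 5 as the CPU port is an assumption taken from the sample.

```python
import re

# Constructed sample: the gateway nvram values quoted in the first post.
# vlan0 is the private LAN carried by br0, vlan10 the guest VLAN on br1,
# vlan1 the WAN; port 5 is the CPU port and '*' marks its default VLAN.
SAMPLE_NVRAM = """
lan1_ifnames=vlan10 wl0.1
lan_ifnames=vlan0 eth1
vlan0ports=3 2t 1t 0 5*
vlan10ports=1t 2t 5
vlan1ports=4 5
"""
CPU_PORT = "5"  # assumption: switch port 5 is the CPU port, as in the sample

def parse_nvram(text):
    """Return ({vlan_id: {switch_port: tagged}}, {bridge: [ifnames]})."""
    vlans, bridges = {}, {}
    for line in text.strip().splitlines():
        key, _, val = line.partition("=")
        m = re.fullmatch(r"vlan(\d+)ports", key)
        if m:
            vlans[int(m.group(1))] = {t.rstrip("t*"): "t" in t for t in val.split()}
        elif key.startswith("lan") and key.endswith("_ifnames"):
            bridges["br" + (key[3:-8] or "0")] = val.split()   # lan_ -> br0, lan1_ -> br1
    return vlans, bridges

def audit(text, trunk_ports, trunk_vids, guest_bridge="br1"):
    """Report trunk, access-port and bridge problems; an empty list means clean.
    trunk_ports: switch port numbers as written in vlanNports.
    trunk_vids: the VLAN ids the trunk cable must carry."""
    vlans, bridges = parse_nvram(text)
    problems = []
    # 1. every trunk port must be tagged in every VLAN that crosses the trunk
    for vid in trunk_vids:
        for p in trunk_ports:
            if vlans.get(vid, {}).get(p) is not True:
                problems.append(f"port {p} not tagged in vlan{vid}")
    # 2. a non-CPU port untagged in two VLANs joins them at the switch
    untagged = {}
    for vid, ports in vlans.items():
        for p, tagged in ports.items():
            if p != CPU_PORT and not tagged:
                untagged.setdefault(p, []).append(vid)
    problems += [f"port {p} untagged in vlans {v}" for p, v in untagged.items() if len(v) > 1]
    # 3. the guest bridge must own a vlan interface and share nothing with br0
    guest = set(bridges.get(guest_bridge, []))
    if not any(i.startswith("vlan") for i in guest):
        problems.append(f"{guest_bridge} has no vlan interface")
    shared = guest & set(bridges.get("br0", []))
    if shared:
        problems.append(f"{guest_bridge} and br0 share {sorted(shared)}")
    return problems
```

Run it against `nvram show | grep -E 'vlan[0-9]+ports|_ifnames'` output from both the gateway and each AP; the AP and gateway values must pass with the same trunk ports and VLAN ids.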
  7. unoriginal

    unoriginal Serious Server Member

    Should add the general tip that on your APs, in Advanced->Routing->Miscellaneous, you should change the Mode from Gateway to Router, as your AP is obviously not being used as a gateway.
    MitchThompson likes this.
  8. MitchThompson

    MitchThompson Serious Server Member

    That's right.

    Thanks for your input. It sounds like I'm close to a solution. I just won't be able to work on it again until the weekend.

    Sent from my Nexus 10 using Tapatalk HD
  9. MitchThompson

    MitchThompson Serious Server Member

    Done. Thanks.

    Sent from my Nexus 10 using Tapatalk HD
  10. gfunkdave

    gfunkdave LI Guru Member

    Not sure if all has been solved, but it seems like y'all are making things very complicated. I have this same setup (with one extra AP, not two) in my dad's dental office. The OP is correct in his thinking.

    1. On the main router
    • Set up each of the LAN bridges and VLANs.
    • Set the two ports that will connect the APs to be Trunked across both VLANs
    2. On the APs
    • Set up each LAN bridge and VLAN - mirror the main router's settings exactly.
    • Give the APs discrete and unique IPs on each LAN segment in each VLAN.
    • Set each to use the LAN router as gateway and DNS server (assuming it hosts DNS for the LAN)
    • Set each AP's WAN Connection type to Disabled.
    • Disable DHCP and DNS service on each AP
    Lastly, to prevent guest wireless users from accessing the routers, add these three lines to Admin-Scripts-WAN Up on each of the three WRT54GLs, substituting that device's IP for the device IP:
    iptables -I INPUT 7 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT 8 -i <guest VLAN Bridge Device - usually br1> -d <VLAN 1 Device IP> -j DROP
    iptables -I INPUT 9 -i <guest VLAN Bridge Device - usually br1> -d <VLAN 2 Device IP> -j DROP
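The two rule sets posted in this thread isolate guests differently: gfunkdave's rules accept DHCP/DNS first and then drop everything else from br1 to the router's addresses, while the earlier rules reject only four named TCP ports. This first-match simulation is an added example, not code from the thread or from Tomato; it models only the posted rules (the Tomato rules that sit before position 7 and the chain policy are assumed not to match, and the router IPs are constructed placeholders) and runs constructed packets through both sets to show what a guest on br1 can still reach and why the ACCEPT must precede the DROPs.

```python
# Constructed placeholders for the router's br0 and br1 addresses.
ROUTER_PRIVATE_IP = "192.0.2.1"
ROUTER_GUEST_IP = "198.51.100.1"

def rule(action, **match):
    return {"action": action, "match": match}

# gfunkdave's rules in insertion order (INPUT 7, 8, 9): the UDP 53/67 ACCEPT
# comes first so guests keep DHCP and DNS, then all other br1 traffic to
# either router address is dropped regardless of port or protocol.
GFUNKDAVE_INPUT = [
    rule("ACCEPT", proto="udp", dports={53, 67}),
    rule("DROP", in_if="br1", dst=ROUTER_PRIVATE_IP),
    rule("DROP", in_if="br1", dst=ROUTER_GUEST_IP),
]

# unoriginal's rules reject the management services by port name instead
# (telnet, ssh, www, https resolve to 23, 22, 80, 443).
UNORIGINAL_INPUT = [
    rule("REJECT", in_if="br1", proto="tcp", dports={23}),
    rule("REJECT", in_if="br1", proto="tcp", dports={22}),
    rule("REJECT", in_if="br1", proto="tcp", dports={80}),
    rule("REJECT", in_if="br1", proto="tcp", dports={443}),
]

def matches(match, pkt):
    """Every criterion given on the rule must match; absent criteria match all."""
    return all(
        pkt["dport"] in want if key == "dports" else pkt[key] == want
        for key, want in match.items()
    )

def verdict(chain, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy
    (simplification: the policy stands in for later Tomato accept rules)."""
    for r in chain:
        if matches(r["match"], pkt):
            return r["action"]
    return policy

def packet(in_if, proto, dst, dport):
    return {"in_if": in_if, "proto": proto, "dst": dst, "dport": dport}
```

Reordering `GFUNKDAVE_INPUT` so the ACCEPT comes last makes guest DHCP renewals to the router fall through to the DROP, which is the symptom to look for if guests stop getting leases after adding the rules.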
  11. MitchThompson

    MitchThompson Serious Server Member


    Thanks for the confirmation. I haven't been back to give it another try yet. I am hoping to do so today. The only thing I haven't done is the firewall rules. Maybe that is the reason it isn't fully working.

    Thanks again. I will definitely report back here when I get it working, and will also write up a wiki describing the steps, if possible.

    Sent from my Nexus 10 using Tapatalk HD
  12. gfunkdave

    gfunkdave LI Guru Member

    The firewall rules have nothing to do with core functionality. They just prevent users on the guest VLAN from accessing the router, except for DHCP and DNS service.