Tomato newb VLANs shouldn't need IP's???

Discussion in 'Tomato Firmware' started by bluenote, Feb 16, 2012.

  1. bluenote

    bluenote Addicted to LI Member

    Hey guys

I want to create separate VLANs for each physical port on my RT-N16 running a Toastman 1.28 build.
    My problem is, Tomato stops me from assigning more than one port to WAN.
    It seems like I have to perform some acrobatics by adding more interfaces to the LAN access page, including IP addresses.

But I'm not planning to route between VLANs, and don't need, or want, any extra IPs being assigned. It's all going to be the same subnet.

I'm a newb and so far I've only used the GUI, so information with that in mind would be super helpful.

As soon as I finish off this task (I thought it would be simple), I'm going to set up multiple SSIDs for a guest wireless config, which will also involve VLANning, and it sounds like, using the 4th physical port even though there won't be anything plugged into it.

    Any help appreciated, thanks
  2. humba

    humba Network Guru Member

If your machines shouldn't be able to talk to each other, what's the problem with putting them into different subnets?
    At some point, your layer 2 traffic (in separate VLANs) will get to layer 3, where some layer 3 routing functionality will ask... but hang on a second, this other guy is in the same subnet, so I should be able to talk to him directly. VLANs and subnets generally go hand in hand: the point is to allow different subnets while remaining on the same switching infrastructure.

You said you want more than one port on WAN, so are you telling us that your provider gives you multiple IPs, and you want to assign some of them to different machines, while at the same time having other machines behind the router (so the router gets a public IP, and say your webserver gets another)? Firewall issues aside, this is perfectly doable. I'm not sure if the GUI allows it as I'm still running on an older version (waiting for all the multi-SSID quirks to be sorted out), but I took one of my LAN ports away from the LAN bridge and assigned it to the WAN VLAN, so now I have one switch port that is directly connected to WAN, and if I plug a machine in there, it gets a public IP from my ISP. Could this be what you're looking for?
  3. Tippmann

    Tippmann Networkin' Nut Member

Hi, I need some advice: how can I isolate one VLAN from the other on (Tomato v1.28.2021 MIPSR2Teaman-RT-VLAN K26 USB VPN-NOCAT)? I have DHCP on VLAN 3, ports 4 and 3, with a different subnet, but I want to isolate that subnet from the main LAN, which is my router. I have tried a lot of commands and GUI settings but none of them seemed to work for me. Can you please let me know what I should do? Thank you.
  4. bluenote

    bluenote Addicted to LI Member

    Hey Humba thanks for posting

I don't want PCs to cross-talk over the VLANs, hence the fact that I'm using VLANs in the first place :)

    On the 2nd part - no, I don't want more than one IP on the WAN, but the VLAN interface seems to want to prevent what I'm doing.
    I obviously don't understand a key part of the philosophy behind how VLANs are implemented under Tomato. That part might be bridges.
    I know what bridging IS, but I can't for the life of me understand why I can't configure a plain ol' VLAN and select whatever ports I like, and the job is done. I'm missing something so basic that I don't even know how to ask the question. I saw in another thread that teaman said the VLAN implementation was built off of IP rules, which of course would explain why none of this makes ANY sense to me. But I still don't know how to go forward.

Just to clarify - I want VLAN segments that contain (port 1 & WAN) (port 2 & WAN) (port 3 & WAN) (port 4 & WAN).
    How do I do this?

    thanks for any help
  5. teaman

    teaman LI Guru Member

    When just created, no network traffic is allowed between different LAN bridges/segments by default (that is, as soon as the 'firewall' service starts = i.e. once WAN is up, etc...)

    Unless you've created any access rules like in this HOWTO, they should still be isolated by default (but each should still 'see' the router and the internet):

About 'losing' one physical port (due to the need for reassignments), you might wanna take a look at this post:

  6. bluenote

    bluenote Addicted to LI Member

    Hey Teaman

    I'm trying to use your HOWTO however I am getting nowhere.

Is it a requirement for VLAN function to create a separate LAN bridge for each, with a separate subnet?
    It seems impossible to do this on the same subnet.
    Otherwise, how would I create 4 VLANs that all have internet access without enabling tagging (which shouldn't be necessary and breaks my upstream connectivity)?

    Can you point me in the right direction?

  7. teaman

    teaman LI Guru Member

Yes, each LAN must be on its own, non-overlapping subnet.
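teaman's two points above (LAN bridges are isolated from each other by the firewall once it starts, and each bridge needs its own non-overlapping subnet) can be checked before touching the router. The following POSIX shell script is an added example written for this page, not code from Tomato, Toastman or any poster in the thread: it verifies that a set of bridge/subnet assignments are pairwise disjoint and prints, without running them, the iptables FORWARD rules that drop traffic between bridges while leaving bridge-to-WAN traffic to the firmware's own rules. The bridge names, the subnets, the `lan_isolate` chain name and the WAN interface `vlan2` are assumed values for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example: plan and dry-run the inter-bridge isolation teaman describes.
# Assumptions (not from the thread): bridges br0/br1/br2, WAN on vlan2,
# a custom chain named lan_isolate.  Nothing here touches the kernel.

ip2int() {
    # Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

subnets_overlap() {
    # Args: <a.b.c.d/len> <a.b.c.d/len>.  Exit 0 if the two networks share
    # any address.  Two CIDR blocks overlap iff their bases agree under the
    # shorter of the two prefix masks.
    a_net=$(ip2int "${1%/*}"); a_len=${1#*/}
    b_net=$(ip2int "${2%/*}"); b_len=${2#*/}
    len=$a_len
    [ "$b_len" -lt "$len" ] && len=$b_len
    [ "$len" -eq 0 ] && return 0            # a /0 overlaps everything
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

check_lans() {
    # Args: one "bridge=subnet" per LAN.  Returns 0 when every pair of
    # subnets is disjoint; prints the first conflict to stderr and returns 1
    # otherwise.  This is the "non-overlapping subnet" requirement.
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            if subnets_overlap "${a#*=}" "${b#*=}"; then
                echo "conflict: ${a%%=*} ${a#*=} overlaps ${b%%=*} ${b#*=}" >&2
                return 1
            fi
        done
    done
    return 0
}

emit_rules() {
    # Args: <wan-if> <bridge>...  Prints (does not run) iptables commands
    # that drop forwarding between any two of the listed bridges.  Traffic
    # leaving towards the WAN interface RETURNs to FORWARD, so the
    # firmware's own LAN->WAN accept rules still apply.
    wan=$1; shift
    echo "iptables -N lan_isolate"
    echo "iptables -I FORWARD 1 -j lan_isolate"
    echo "iptables -A lan_isolate -o $wan -j RETURN"
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            echo "iptables -A lan_isolate -i $src -o $dst -j DROP"
        done
    done
}

# Constructed demo values; run with DEMO=1 to print the rule set.
if [ "${DEMO:-0}" = 1 ]; then
    check_lans br0=192.168.1.0/24 br1=192.168.2.0/24 br2=192.168.3.0/24 &&
        emit_rules vlan2 br0 br1 br2
fi
```

With `DEMO=1` the script prints nine iptables lines for three bridges (one RETURN plus six pairwise DROPs); piping that output to `sh` on the router applies it, and the chain sits at the head of FORWARD so it is evaluated before any accept rules the firmware generates. Rules added this way do not survive a reboot unless they are placed in the firewall script, and the overlap check will refuse a plan such as a /24 and a /25 inside it, which is exactly the case teaman's "non-overlapping" rule forbids.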
  8. Tippmann

    Tippmann Networkin' Nut Member

Thank you so much. Now I'm at work, but as soon as I get home I'm going to check. I just want to thank you for the amazing job you have done. I used the HOWTO link that you provided me and still they communicate, but I was talking with my supervisor and he told me that I have to make firewall rules for each VLAN. Oh, is there any link to donate?
  9. bluenote

    bluenote Addicted to LI Member

So just to make sure I understand - there is no way to use a single subnet, one DHCP scope, and VLAN each port separately so they have access to the WAN?
    Will this ever change? And this is a function of how VLAN is implemented? Using IP firewall rules, is that right?

    Last question - I promise :) Is "true" vlan functionality available through the CLI?

thanks so much for your work on this. I hope you understand my confusion isn't criticism, it's just not how I expect VLANs (being layer 2, and therefore not caring about subnets or IPs) to work.


EDIT: I configured my RT-N16 with subnetted VLANs and it now works as expected.
    However the guest wireless zone does not work properly with WPAx; WEP works.
    I have stalked all the VLAN/SSID HOWTOs and threads and tried most everything I could understand, but so far, no luck. Suggestions would be so welcome!
  10. humba

    humba Network Guru Member

As I already tried to explain, you're trying to turn the idea of VLANs upside down. What you want, you may be able to achieve with ebtables: that's firewalling on layer 2 and, IIRC, there are Tomato builds that include ebtables (and if you have no additional switches in your house, you wouldn't even need VLANs).
    As for the CLI, unless new tools have been added, VLAN creation involves setting nvram variables, and the standard Linux commands for VLANs don't work.
  11. bluenote

    bluenote Addicted to LI Member

Thanks for the info. Although I take issue with "turning the idea of VLANs upside down". I'm expecting VLANs to work how VLANs work the world over. It just doesn't happen to be the way it works in Tomato, or so it would appear. And, thanks, but I'm perfectly capable of designing my own network. I'm a newb with Tomato, not with networking.
    If you happen to have any insights on how to fix WPAx on the guest SSID I'm all ears.
  12. humba

    humba Network Guru Member

    Have you tried the multiSSID threads on this board?
  13. bluenote

    bluenote Addicted to LI Member

    I have, without success. However I think I have stumbled on an iteration that does work and I'll be posting the details as soon as I properly confirm and test.