VLAN setup - possible?

Discussion in 'Tomato Firmware' started by aztech, Jan 16, 2014.

  1. aztech

    aztech Serious Server Member

    I've been trying to set this up, but my lack of knowledge on configuring VLANs in Tomato and the limitations in the web GUI make it very hard for me to understand.

    My ISP (Telia) sends me ordinary internet directly via ethernet (no VLAN tagging) and I receive a public IP via DHCP, nothing special about that.
    But on top of that, they send me IPTV via VLAN id 845 on the same port. Currently my provided Thomson router does all the magic and is working as a proxy for the STB, since the IP on the STB is on the same subnet as the rest of my LAN.

    Anyway, I want to set up my Linksys E4200 to do all this for me, but I'm having problems with configuring the WAN port to handle both internet and VLAN 845.

    I'm considering 2 ways to set up the LAN side of things.
    1. Set up a proxy (similar to the Thomson way).

    2. Dedicate a switchport on the E4200 to trunk both LAN and VLAN 845 to a Netgear GS105E and this way put the STB directly on VLAN 845 and at the same time provide my other gadgets by my TV with LAN/Internet access. (need trunking due to only one cable available to this location)

    I'm not 100% sure right now, but assume the following port layout on the E4200.
    Lanports: 0 1 2 3
    Wanport: 4
    Internal: 5

    Can someone please help me with this?

    Regards, Andreas
  2. mw333

    mw333 Networkin' Nut Member

    Probably the best way to understand the GUI is to follow some of Teaman's examples. For example,



    Don't worry about the wireless - that can always be implemented later.

    The goal is to set up a couple of bridges, one for "normal" traffic and one with VID=845. So you will need some sort of offset to get that. It sounds like your WAN is a trunk, so you want to break out the different channels (tagged or untagged) on separate bridges. Utilize the GUI to indicate if there are tags. It's possible that the WAN will just pass through anything it has (tagged and untagged). My ISP does not provide a trunk so I cannot test.

    Here's an example that may work. On my gateway the 1st lan port is GUI switchport 4. GUI Port 4 is the LAN trunk and has all the traffic. br0 Ports 1 and 2 are normal traffic. br1 Port 3 is what has tag=6 (which you want to be 845).
    I hope this gets you started. How does your Thomson "proxy" work? Is it just decoding the VLAN tags and breaking out the different VLANs (demux analogy)?

    Last edited: Jan 17, 2014
  3. aztech

    aztech Serious Server Member

    I found a guy who set up something similar, but the difference is that he's using PPPoE on a VLAN to get internet connectivity and I have no VLAN for my ordinary internet traffic, only for IPTV.

    Here are some links to his articles about him setting it up.
    Info : http://zipleen.blogspot.fr/2010/10/how-to-make-meo-fiber-iptv-service-work.html
    Setup : http://zipleen.blogspot.fr/2010/10/howto-setup-netgear-3500l-using-tomato.html

    My Thomson works, I suppose, in exactly the same way as his, although with different networks and the thing about PPPoE...

    I managed to create a new VLAN (vlan3) yesterday and set the VID to 845 via the GUI and this persists after reboot, so I can see it using 'ifconfig' in the terminal. Not sure how to set the correct parameters via CLI, to "connect" it to the WAN port and such.

    I've tried to read about VLAN multiplier, but I never really could understand it.
    Maybe I don't have to use it, since I see a 'vlan845' device using 'ifconfig'.

    Unfortunately I have no access to the router right now, so I can't post NVRAM settings, but if it will help, I can do it later at home.
  4. mw333

    mw333 Networkin' Nut Member

    You are on the right track. Here is some more good reading:


    In summary, you can have many "channels" on the same cable, e.g. a trunk. If your device is VLAN aware it can figure it out with the VLAN tags (and route each channel to its own port). If an Ethernet frame does not have a tag it can deal with it too - on the GUI that is the default * on br0.

    How many Ethernet cables do you have coming out of your Thomson? If you have VLAN tags it is a trunk - you have several links that are aggregated on that one cable - sounds like you want one link on one router port and another link on another port. Is this correct?

    In one of the articles:
    • Local Interface (my case: br0 - maybe it will change) - ip 192.168.1.XX
    • Internet Interface - PPPoE over VLAN id 10 (my case, ppp0 over vlan10, over vlan1 -> vlan1 is my WAN port) - public ip address
    • IPTV interface - DHCP (my case, vlan12) - ip 10.x.x.x

    The first one is your br0, as defined on the GUI Basic Network LAN page. The next one is probably defined as br1 on the GUI Basic Network LAN page as 10.x.x.x

    Then it looks like he went to the GUI Advanced VLAN page and made LAN(br0) with default *, maybe with VID=10.
    Then made LAN1(br1) with VID=IPTV tag.

    After the reboot check your routing tables (GUI Advanced Routing) and firewall (GUI Tools System,
    iptables -L, iptables -t nat -L). The nat table should have something like:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DROP all -- anywhere
    DROP all -- anywhere 10.x.x.x/24

    Depending on your subnet mask.

    For what it is worth, the GUI does a good job and for my application the CLI was not necessary.
  5. aztech

    aztech Serious Server Member

    Thanks for the input, I've been trying to understand it all and while it looks rather simple, I still can't figure it out.

    Is there any way of checking if a VLAN interface has "link" or status "connected" or something?
    All my tries of obtaining a DHCP lease over the VLAN interface have failed and since I'm not sure that my VLAN is up and running, I really can't tell if the problem is in the VLAN config, or if it's just a really picky DHCP server in the other end.

    Main focus now is to get the VLAN up and running.

    My current VLAN setup looks like this...

    vlan 1.JPG

    I'm not sure about the Trunk VLAN support and have not touched it. (maybe I should?)

    LANs and bridges look like this...
    lan 1.JPG
    DHCP on the LAN side is not set to ON, since I really don't need it for the moment.

    Here are the VLAN related NVRAM stuff..
    root@unknown:/tmp/home/root# nvram show |grep vlan
    lan_ifnames=vlan1 eth1 eth2
    landevs=vlan1 wl0 wl1
    vlan1ports=0 1 2 3 8*
    vlan2ports=4 8
    vlan3ports=4t 8
    I'm not too sure, but isn't vlan845 supposed to be in the wan_ifxxxxx lines also?
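
The `vlanNports` lines in the post above can be turned into a per-port membership table, which shows that switch port 4 is an untagged member of vlan2 and a tagged member of vlan3. This is an added example, not part of the thread or of Tomato; it assumes a `t` suffix marks a tagged member, `*` only marks the default VLAN on the CPU port, and port 8 is the CPU port (excluded from the conflict check).

```python
import re
from collections import defaultdict

# Constructed input: the lines quoted from `nvram show | grep vlan` in the post above.
NVRAM = """\
lan_ifnames=vlan1 eth1 eth2
landevs=vlan1 wl0 wl1
vlan1ports=0 1 2 3 8*
vlan2ports=4 8
vlan3ports=4t 8
"""

def port_membership(nvram_text):
    """Return {switch port: {vlan number: 'tagged' | 'untagged'}}."""
    ports = defaultdict(dict)
    for line in nvram_text.splitlines():
        m = re.fullmatch(r"vlan(\d+)ports=(.*)", line.strip())
        if not m:
            continue  # not a vlanNports line
        vlan = int(m.group(1))
        for token in m.group(2).split():
            pm = re.fullmatch(r"(\d+)([tu*]?)", token)
            if not pm:
                raise ValueError(f"unexpected port token {token!r} in {line!r}")
            # Assumption: 't' = member sends/accepts tagged frames; anything else = untagged.
            ports[int(pm.group(1))][vlan] = "tagged" if pm.group(2) == "t" else "untagged"
    return dict(ports)

def untagged_conflicts(ports, cpu_port=8):
    """Ports, other than the assumed CPU port, that are untagged in several VLANs."""
    bad = []
    for port, vlans in sorted(ports.items()):
        untagged = [v for v, mode in vlans.items() if mode == "untagged"]
        if port != cpu_port and len(untagged) > 1:
            bad.append(port)
    return bad

if __name__ == "__main__":
    table = port_membership(NVRAM)
    for port in sorted(table):
        print(port, table[port])
    print("untagged conflicts:", untagged_conflicts(table))
```

A port listed untagged in more than one VLAN is ambiguous for incoming untagged frames, which is what `untagged_conflicts` flags.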
  6. aztech

    aztech Serious Server Member

    By the way, forgot to mention that I do get a public IP on the WAN side, so ordinary internet is working just fine.

    Sent from my iPhone via Tapatalk
  7. mw333

    mw333 Networkin' Nut Member

    Is there any way of checking if a VLAN interface has "link" or status "connected" or something?
    - Yes. For testing, forget the tagging and try this and verify that it works first (including routing and firewall rules):
    1. br0 with DHCP enabled with valid range, e.g. and lease
    2. br1 with DHCP enabled with valid range, e.g. and lease
    3. In Advanced VLAN, keep VLAN1 (br0) the way it is except deselect one port, e.g. port 1 (Have you figured out how the physical ports are wired to the switchports GUI Port 1,2,3,4,wan ?)
    4. Keep the WAN as is. (This WAN VLAN will be bridged to both br0 and br1).
    5. Add the port you deselected on br0 to br1 and deselect the br1 wan port and tagging. (Having the wan port on br1 means direct connection to the internet).
    6. Set VID Offset to 0.
    7. Save and reboot.

    I am not sure if the VLAN tags > 15 are supported. If not you may need the offset (832+1=833).

    1. Connect a PC/laptop to any port on br0 and verify you get a DHCP address and it is what you expect, e.g. Ping and verify reply. Ping should fail.
    2. Connect another PC/laptop to any port on br1 (port 1) and verify you get a DHCP address and it is what you expect, e.g. Ping and, both should reply.
    3. Try pinging the PCs on different subnets - should fail. However, you should have access (from both subnets) to the internet through the WAN.
    4. Again, look at your routes and firewall rules.

    This testing setup is not that different from the recommended links in post #2 above. Have you tried the recommendation on post #2? With that configuration you are not bypassing your firewall and you would have a port (port 3) attached to br1.
    Last edited: Jan 21, 2014
  8. aztech

    aztech Serious Server Member

    Detailed and good, but I'm not sure you understood my problem(?).

    Internet is working just great, no issues whatsoever, but I can't get a DHCP lease from the ISP on VLAN/VID 845. But, since the ISP is delivering IPTV to me directly on VLAN 845, from the WAN side, I don't see how setting up a local DHCP on two local VLANs would help testing the tagging on the WAN side? (perhaps I completely missed your point?)

    The thing I need to test and figure out, is the VLAN setup on the WAN side. Bridging and local routing, proxying and so on, will be taken care of after that.

    So basically... the mission is:
    1. Set up router to get a public IP from ISP for internet traffic, with NAT and local DHCP (in router), to provide internet to my computers and stuff on the LAN side.
    2. Set up router to get an IP from my ISP for the IPTV services, IP should be offered on VLAN/VID 845 via the same cable (only one incoming physical WAN link).
    What comes after that will be decided and tested out for flexibility.
    Preferably the router will act as an IGMP proxy with routing between the local VLANs for the STB. I'd rather have the STB on the same LAN as the rest of my computers and stuff.
  9. mw333

    mw333 Networkin' Nut Member

    Can't get a DHCP lease from the ISP on VLAN/VID 845? Where's your DHCP server on that subnet? Is it your ISP?

    Recommend you contact your ISP. Sounds like they are handing your router an IP address. Sounds like you want them to hand you an external address for your STB also?

    I am confused.

    Take another look at the links you shared with us on post#3.

    In one of the articles:
    • Local Interface (my case: br0 - maybe it will change) - ip 192.168.1.XX
    • Internet Interface - PPPoE over VLAN id 10 (my case, ppp0 over vlan10, over vlan1 -> vlan1 VLAN2 is my WAN port) - public ip address
    • IPTV interface - DHCP (my case, vlan12 VLAN3 (br1)) - ip 10.x.x.x
  10. mw333

    mw333 Networkin' Nut Member


    Tomato has an IGMP proxy that you can tell to listen to say LAN1.
  11. aztech

    aztech Serious Server Member

    That's correct, the DHCP server for the IPTV services is also at my ISP and it is the router that should get leases on both Internet and IPTV.

    The image below shows the WAN side interfaces. (in Swedish)


    The STB gets a LAN IP on the same subnet as my computers and stuff, so the IPTV traffic is handled by some kind of IGMP proxying magic on the router itself and gets shuffled in and out on the VLAN845 interface.

    ps. The router has a built in xDSL modem and can also handle VOIP, but I'm not using those services and my connection is direct fiber, in case you were wondering about the other interfaces on the picture.

    Trying to be a bit artistic here to further explain my need.
    Last edited: Jan 22, 2014
  12. mw333

    mw333 Networkin' Nut Member

    Thank you. If I had that set up I would try the recommendation on post #2 and establish the correct VIDs. This includes the LAN trunk port (e.g. the GUI Port 4) (trunk=br0 + br1 traffic). The IPTV traffic should show up on GUI Port 3 (br1). [Pick the ports you want to. Mine are wired up in reverse order with 1=4.]

    You will have to choose a subnet for br1 and an IP address. Perhaps would work with the DHCP server enabled? (Isn't private?)

    Under Advanced - Firewall enable IGMPproxy and listen/snoop on LAN1 (br1). The IGMPproxy magic should join a group. I have never used it and I am not sure if any further IGMPproxy configuration is required.

    Please let us know. Many are struggling.
  13. aztech

    aztech Serious Server Member

    Um, don't know. How can I find out?

    Sent from my iPhone via Tapatalk
  14. mw333

    mw333 Networkin' Nut Member

    About - Broadcom Wireless Driver
  15. aztech

    aztech Serious Server Member

    I'm still working on the single wan port alternative and now I've run into even more problems.

    Internet is up and running and that's good.

    I've created a new vlan845 and attached it to the WAN port with tagging checked and it's connected to br1.

    Then via SSH I'm trying to get a lease on this vlan.
    Running udhcpc -i vlan845 -V <identifier>

    For the moment I can't remember the identifier, but I'm using the correct one.

    I earlier put a switch (GS105E) between the wall and my Thomson router, to look at the DHCP requests that it made (using Wireshark) and then I did the same with the E4200 with Tomato, but when the E4200 is connected this way, I can't see any traffic at all!

    With the Thomson I can see requests from both the internet VLAN and the IPTV VLAN (different MAC addresses), but the E4200 only shows the internet VLAN.

    So with this in mind, I'm pretty sure that this vlan setup is not working at all.

    Sent from my iPhone via Tapatalk
  16. mw333

    mw333 Networkin' Nut Member

    Correct - sounds like it's not working. Regarding new vlan845 attached WAN port with tagging checked and it's connected to br1, could you share your setup (both Basic and Advanced)? Usually when the DHCP server is working you should see -i theWanPort. Check with ps. Most of us start up the service on Basic --> LAN --> brN, DHCP enable.

    There is also the possibility you may need to define 845 as 832+13 (offset).
  17. mw333

    mw333 Networkin' Nut Member

    Sounds like you are comfortable with wireshark. Have you considered looking at the 802.1Q headers? If it's there it should be right after the source mac.
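
What the 802.1Q check suggested above looks like on raw frame bytes: the tag sits directly after the source MAC, and its low 12 bits carry the VLAN ID. This is an added example, not part of the thread; the frames are constructed, and `split_vid` reproduces the 832 + 13 split mentioned in the thread under the assumption that the offset is a multiple of 16.

```python
import struct

TPID_8021Q = 0x8100  # value in the EtherType position that announces an 802.1Q tag

def parse_vlan_tag(frame: bytes):
    """Return (vid, priority, inner_ethertype), or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    # Bytes 0-5: destination MAC, 6-11: source MAC, 12-13: EtherType or TPID.
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI: 3 bits priority, 1 bit drop-eligible, 12 bits VLAN ID.
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner

def split_vid(vid: int, block: int = 16):
    """Split a VID into (offset, slot), assuming offsets are multiples of `block`."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    slot = vid % block
    return vid - slot, slot

# Constructed sample frames (made-up MACs, 4-byte dummy payload).
MACS = bytes.fromhex("ffffffffffff" "020000000001")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"\x00" * 4
TAGGED = MACS + struct.pack("!HHH", TPID_8021Q, (4 << 13) | 845, 0x0800) + b"\x00" * 4

if __name__ == "__main__":
    print(parse_vlan_tag(UNTAGGED))
    print(parse_vlan_tag(TAGGED))
    print(split_vid(845))
```

A capture taken through a NIC driver that strips the tag will make every frame look untagged to this check, so it only says something about a capture that preserves tags.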
  18. aztech

    aztech Serious Server Member

    I'm on Windows with a Realtek onboard NIC, so I can't see those headers, even in Wireshark.
  19. aztech

    aztech Serious Server Member

    tomato basic.JPG

    I've tried with Trunked vlan support both checked and unchecked.
    Also, tried with offset and without.
    tomato advanced vlan.JPG

    Btw, the port order is very strange.
    Regarding ordering on the VLAN page, they are OK, but on the picture, my computer is connected to the physical port 4 and when I plug in the cable in the WAN port, port number 3 lights up in the overview page.
    tomato bonus.JPG

    The Linksys is not connected to WAN right now because ppl are watching TV here, but the command I run for obtaining DHCP for IPTV vlan is...
    udhcpc -i vlan845 -V IPTV_RGW_PRIV
    But still when I do, I see nothing at all in wireshark, no ARP or anything.
    I take that as the vlan845 interface is not working at all.
    Last edited: Jan 26, 2014
  20. mw333

    mw333 Networkin' Nut Member

    On your br1, recommend enable dhcp and give it a range and lease time. The system was designed to work this way.

    I am not really sure how the tomato vlan offset works but you may be limited to vlan 1-16. Based on offset use in the past if you have an offset place 13 in the VID column. What you may have 832+845 for vlan3 (and 13 < 16).

    Please look at the picture on post #2. Recommend you place the wan port only on the wan bridge, try tagging it, and remove the wan port from br1 (creates a bridge from the wan vlan to br0 and br1 the way the system was designed). You and I have seen some posts where they do not do this and some even like it. Good luck.

    br1 will need a switchport to connect to. Pick one that maps out to the physical port you like. The traffic should be wan physical port to wan switchport to br1 to the switchport mapped to the physical port you want.

    Port order strange? In some cases the vendor did not wire up the physical ports in switchport order. Like I stated before, on my device GUI switchport 4 is wired up to physical port 1. You need to map this out. If you have to, do it one port at a time (e.g. br0 port 1 = yes only, plug in physical ports 1-4 and write down number when it works).