VLAN Tags: Work for you?

Discussion in 'Tomato Firmware' started by jmcafee, Jun 10, 2011.

  1. jmcafee

    jmcafee LI Guru Member

    So I have put in many hours trying to make VLAN tags and trunking work with Tomato 1.28 on a WRT54GL. No go so far. Have you been successful?

    Creating VLANs is a no-brainer. I cannot seem to successfully tag the packets with the VLAN id using the "t" tag after the port number when defining the VLANs from the CLI. The trunk between a Linksys RVL200 and the WRT54GL seems to tag VLAN 2 and 3, but 0 and 1 tied to a different bridge are not recognized. I cannot get Wireshark to see any VLAN tags (I'm not positive if Windows 7 preserves the tags -- the Intel NIC driver is supposed to do so).

    Here is the irony: The trunking works perfect in DD-WRT v24 14939 with about 10 seconds of programming time. I do not like DD-WRT, so can any of you shed some light so I don't have to eat my Tomato?
  2. teaman

    teaman LI Guru Member

    Yes, I have such thing working between a WRT54GL and a Cisco SLM2008 switch (connected thru an ethernet port in 'trunk' mode).

    Just like yourself (and probably, many others), I also have put in many hours trying to make such thing work until I figured out a few things that unfortunately are... not so crystal-clear. So, after endless hours of head-scratching, searching and going thru any/all available documentation I could find, including a few entries on the DD-WRT and OpenWRT wikis... and even some digging onto a few OpenWRT bugs... things started to get a bit more clear on how to set it up on my beloved router (and possibly more important: why it wasn't working as planned) :)

    In fact, I've even put together/written a GUI web page to handle VLAN and tagging management so it might actually help other people trying to set this up with perhaps a little less pain and suffering. I'm planning to upload both the source code as well as firmware images over the weekend (I'll notify here and/or create a new topic when it's done). If you're in a hurry, please PM me and we'll work something out.

    Lastly, but still important: I've tried/tested my patches only with two models.
    WRT54GL v1.1: full VLAN tagging support
    WRT54G v2: only port-based VLANs supported


    EDIT: patches against tomato-sdhc v1.28 (by Tomasz Słodkowicz) and binaries uploaded
  3. Toastman

    Toastman Super Moderator Staff Member Member

    teaman, I'll put a few links around to this article, as you say, it will be very useful because information on this is sparse and hard to find.

    The web GUI is a great idea, maybe it can be extended to other models.
  4. roadkill

    roadkill Super Moderator Staff Member Member

    teaman, if you could publish the source code in the git repo that'll be great
    looks like a job well done.
  5. jmcafee

    jmcafee LI Guru Member

    Thank you so much, Sir! I will look into your binaries this weekend.
  6. jmcafee

    jmcafee LI Guru Member


    I love the web GUI for the VLAN -- sooo much easier than using the CLI. I would love to see this in a standard Tomato build.

    However, I still could not make it work with my setup. I don't know if it is because I moved eth1 to br1, or if my Cisco RVL200 uses a VLAN protocol version that Tomato doesn't recognize.

    Bottom line: I hope one day that Tomato will work with my config. But until then, DD-WRT remains nearly effortless to make trunking work successfully.

    Thanks again for the great effort.
  7. bluecar

    bluecar LI Guru Member

    +1 for GUI VLAN support.
  8. Toastman

    Toastman Super Moderator Staff Member Member

    I have just uploaded the vlan mod to git repository, the branch name is VLAN-GUI, to make it easier for modders to try it. I based it on Tomato-USB code from a few months ago, meaning that it should merge happily into most branches. Roadkill - feel free to amend the git branch if you see anything that could be improved.

    I guess any extra routers supported need some research into the board flags and internal vlan layout, is that something you might feel like tackling together? Initially to get it onto MIPSR2 the RT-N16 and the Linksys E series are the most popular.

    I have merged (cherry-picked) it into Toastman-ND, and will upload to my K24 MIPSR1 directory as a Beta Tester if anyone wants to experiment with it without losing recent features.

    Augusto, perhaps you could check it to see if it merged OK, and that it does everything that you intended, because this will probably be used by others as a base soon. I flashed it to a WRT54GL. I have not tried creating a new vlan with it yet, but it correctly displays the existing setup.

    Thanks for the contribution to Tomato!

    jmcafee, fancy trying it to see what it does for you? BTW - Is the RVL200 even supported by Tomato? I didn't think it was.

    It would be great to make this into a development thread for this feature.
  9. roadkill

    roadkill Super Moderator Staff Member Member

    thanks for the git commit!
  10. teaman

    teaman LI Guru Member

    Toastman, roadkill - I'm not sure if this is the right place to post this... but I believe I really need your help to understand something... odd... about the contents of the GIT repo and the source code for other mods.

    As you guys suggested, this last weekend I started looking into my patches and how would be the best way to push/publish these VLAN-GUI patches to the GIT repo but... But I'm currently under the impression there is something strange going on with the repository :-/ Not being an expert on GIT myself, I tried a few things to find out more and figure out what seems to be going on, but I'm still not sure. Here's the story (so far):

    A couple of months ago I downloaded/cloned and copied the contents of the GIT repo to a local machine, mostly for learning about it, experimenting, etc... Back then, I just used the following command (pretty straight-forward):
    git clone git://repo.or.cz/tomato.git

    Since I was interested in the most recent version of the SDHC mod (by Tomasz Słodkowicz), I checked out remotes/origin/tomato-sdhc and created a new (local) branch called tomato-sdhc-vlan and developed/wrote/built the whole VLAN GUI on top of the SDHC mod. Here's what I have on my old(er) local repo:
    $ git branch
    * tomato
    $ git branch -a | grep remote | egrep -i 'sdhc|slodki'
    $ git branch -a
    * tomato
    $ git branch -a | wc -l

    Anyways - since I was interested in reconstructing my steps in order to double-check what I had written/done/built so far (against the SDHC mod) ...and... not considering myself an experienced GIT user, I thought it would be best to get started by exploring/browsing the web interface, like I did before, and was somewhat surprised when I couldn't locate branch tomato-sdhc on top of which I based all that work, so not being able to retrace my steps seemed like a show-stopper at the moment.

    While this seemed just fine:

    These links do not (referenced on http://gemini.net.pl/~slodki/tomato-sdhc.html):


    At that point I wasn't quite sure what I was doing wrong, so I decided to get a new/fresh clone of the GIT repository to double-check things and issued:
    git clone git://repo.or.cz/tomato.git

    And noticed something really strange - absolutely no reference to the sdhc and/or slodki and/or a number of others - instead of having 70+ branches like my old(er)/existing local repo cloned a couple of months ago, I could only find these:
    $ git branch -a
    * tomato
    remotes/origin/HEAD -> origin/tomato
    $ git branch -a | wc -l

    Still, I believe I could just extract my patches from my local repo (i.e. with git diff) and recover/rebuild the whole thing by transporting/applying these manually on another branch... but... I wonder what happened to those sdhc/slodki and these other branches?

    Toastman - I'll have a look at the contents of that new VLAN-GUI branch and let you know about anything that might need attention.

  11. teaman

    teaman LI Guru Member

    Toastman - just flashed tomato-ND-1.28.7621.3-VLAN-GUI-Beta-VPN.trx on my dev/spare WRT54GL v1.1 - did a quick trunk/VLAN set up and it's looking good! However, please notice: I have absolutely no idea if any other features on that firmware are working as expected - haven't tested anything but the VLAN GUI :)
    Still - the build looks solid. Cheers!
  12. jmcafee

    jmcafee LI Guru Member

    Oh, no, I ran Tomato on a WRT54GL. I was trunking it to an RVL200 which has a Cavium CPU and doesn't run the xWRT mods. I bet the issue is that Tomato doesn't recognize the VLAN protocol run on the RVL200. So DD-WRT is back in the box and working perfectly, warts and all.

    Thanks to everybody for your effort! Ultimately the Teaman mods will merge into the mainstream Tomato builds.
  13. humba

    humba Network Guru Member

    VLAN tagging is an IEEE standard - there should be no incompatibilities (to make sure.. put a non Linksys router in the middle, configure a trunk on both sides and sniff). One of the issues I've run into myself is that different routers, and even different router revisions use different port names for different ports. And I've had a really hard time tying access ports to different site2site vpn tunnels (never quite fully tackled that).
  14. roadkill

    roadkill Super Moderator Staff Member Member

    I use SmartGit to resolve situations like that with git, I find it easier to tackle error conditions where there is some sort of graphic representation..

    I advise you to try it, it's Java based and works on all platforms.

  15. teaman

    teaman LI Guru Member

    Just a quick status update on the VLAN GUI - I've done some more fixing/patching (and hopefully, some improving as well) on the code. In a nutshell: the method for detecting VLAN capabilities of a particular router at runtime has been modified to check/validate against boardflags instead of boardtype (theoretically, this means many more routers would be included in the 'supported HW', instead of only two models as the current code: WRT54G v2 and WRT54GL v1.x). Trunk-based VLAN support is still checked against boardtype, but the user now has the ability of overriding that check thru the GUI (mostly, for experimental purposes). Also, code for detection/handling of the cpu/internal switch-port has been made 'smarter' (meaning it should work properly on both FastE as well as GigE routers, provided boardflags indicates VLAN capabilities).
    As a sidenote: I've been working with Toastman and we're trying to sort out things on the git repo side (err... this means mostly /me/ bugging him at this stage, but I'm sure we'll succeed eventually) :). So... I'm hoping we'll be able to make this new version of the VLAN GUI available... soon.
  16. teaman

    teaman LI Guru Member

  17. Toastman

    Toastman Super Moderator Staff Member Member


    Augusto, can you try a git post ?
  18. teaman

    teaman LI Guru Member

    Hey there - I've been trying to push/publish the newest/latest version of the VLAN GUI to the git repo (but apparently I don't have enough privileges to do such thing - I've PM'd Toastman with some thoughts and error messages). In any case - while we sort this out, here's a short description of what I've been doing:

    Instead of checking for VLAN capability support by evaluating known values of boardtype from NVRAM, the VLAN GUI now checks for BFL_ENETVLAN on boardflags (0x0100). Trunk-based (802.1q) VLAN support is still checked against known values retrieved on NVRAM variable boardtype (currently: '0x0467' - WRT54GL 1.x, WRT54GS 3.x/4.x, '0x048e' - WL-520GU, WL-500G Premium v2, '0x04ef' - WRT320N/E2000, '0x04cf' - WRT610Nv2/E3000, RT-N16). Still, the GUI allows this check to be overridden, allowing the user to enable/experiment with this feature (and eventually, report back about other boardtypes that could be included on the list above, 'known to support' 802.1q VLAN tagging). New on this version: initial/experimental handling of physical port ordering on selected models (tested only with WRT54GL v1.x and WRT54G v2).
  19. Mercjoe

    Mercjoe Network Guru Member

    Wow... Thank you for the hard work on this Teaman. VLAN's are one thing that I miss from DD-WRT.

    We have a captive portal.. we are going(hopefully) to have VLAN's..

    All that would be left for me is multiple SSID's and the Tomato would be perfect as far as I am concerned.
  20. teaman

    teaman LI Guru Member

  21. teaman

    teaman LI Guru Member

    Quick status update: I've put together all my patches from tomato-sdhc-vlan so far (including the latest VLAN GUI pushed a few hours ago) and pushed as a big patch/commit onto tomato-sdhc-ND-vlan, bringing it up-to-date with the features published for tomato-sdhc-vlan on Google Code (I'm aware I should probably have 'transplanted' one-commit-at-a-time from my local repo onto tomato-sdhc-ND-vlan, but I must confess I just wanted to get this latest version published specially since I'm the only one working on that branch for the moment...)
    In any case, I'm planning to commit ensure any/all future code updates to the VLAN GUI code onto branch VLAN-GUI, hopefully, making it a bit easier for anyone else to grab the most up-to-date code for the VLAN GUI.

    Speaking of that so-called 'latest version', there are a few items on the changelogs for this version that I'd like to ask your assistance/feedback to check/try/validate these on routers different than the WRT54GL v1.x and WRT54G v2 (the only ones I have access and could run tests):

    a) VLAN capability/support detection: on this version, the GUI relies on nvram variable boardflags. If flag BFL_ENETVLAN (0x0100) is not set, then VLAN support is not available (GUI is hidden, and 'This feature is not supported on this router' is shown)

    b) Trunk-based (802.1q) VLAN support is checked against 'known' values on boardtype (currently: '0x0467' - WRT54GL 1.x, WRT54GS 3.x/4.x, '0x048e' - WL-520GU, WL-500G Premium v2, '0x04ef' - WRT320N/E2000, '0x04cf' - WRT610Nv2/E3000, RT-N16), may be others? Let me know if this method looks solid enough, if you have a better/safer idea/method, and/or if we should just add more 'known' values on the list. If you suspect your router model/board does have support for 802.1q VLAN tagging but it's not listed here, you can disable this check by enabling the 'experimental' override at the bottom of the page... if you do that, do at your own risk (but please report about any other models/boardtypes that could be included - thanks!)

    c) There's some experimental support for 'physical port' ordering from model to model (port 1 may not be referred as '1' internally, etc...). Based on what I could find out, most models seem to 'map' in ascending/natural order (ports 1,2,3,4 and WAN are internally as 1,2,3,4 and 0). This seems to be valid for most WRT54G models. Router models WRT54GL 1.x, WRT54GS 3.x/4.x, WL-520GU, WL-500G Premium v2 et al (boardtype '0x0467' and '0x048e') seem to 'map' ports as 3,2,1,0 and 4 for WAN whereas WRT320N/E2000, WRT610Nv2/E3000, RT-N16 et al (boardtype '0x04ef' and '0x04cf') seem to 'map' ports as 4,3,2,1,0. Any help in checking/validating/improving those findings would be great :)
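
The detection rules in items a) to c) of the post above, written out as an added C example (this is not code from the VLAN-GUI branch). The function and struct names are hypothetical, the sample nvram strings are constructed, and the port order for boardtype '0x04ef'/'0x04cf' assumes the post's "4,3,2,1,0" lists LAN 1 to 4 followed by WAN.

```c
/* Added example: VLAN capability detection from nvram boardflags/boardtype. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BFL_ENETVLAN 0x0100UL   /* boardflags bit named in the post */

struct vlan_caps {
    int vlan_supported;    /* BFL_ENETVLAN is set in boardflags */
    int trunk_supported;   /* 802.1q tagging allowed (known board or override) */
    int trunk_overridden;  /* 1 when only the experimental override enabled it */
    int lan_port[4];       /* internal switch port behind physical LAN 1..4 */
    int wan_port;          /* internal switch port behind the WAN jack */
};

struct board_entry {
    unsigned long boardtype;
    int lan_port[4];
    int wan_port;
};

/* boardtype values and port orders as listed in the post */
static const struct board_entry known_trunk_boards[] = {
    { 0x0467UL, { 3, 2, 1, 0 }, 4 },  /* WRT54GL 1.x, WRT54GS 3.x/4.x */
    { 0x048eUL, { 3, 2, 1, 0 }, 4 },  /* WL-520GU, WL-500G Premium v2 */
    { 0x04efUL, { 4, 3, 2, 1 }, 0 },  /* WRT320N/E2000 */
    { 0x04cfUL, { 4, 3, 2, 1 }, 0 },  /* WRT610Nv2/E3000, RT-N16 */
};

/* Parse an nvram numeric string such as "0x0467"; reject anything else. */
static int parse_nvram_num(const char *s, unsigned long *out)
{
    char *end;

    if (s == NULL || s[0] < '0' || s[0] > '9')
        return -1;
    errno = 0;
    *out = strtoul(s, &end, 0);
    if (errno != 0 || *end != '\0')
        return -1;
    return 0;
}

/*
 * Returns 0 and fills caps, or -1 when boardflags cannot be parsed.
 * In every failure path the result stays "not supported" (fail closed),
 * so a missing or corrupt nvram value never enables tagging.
 */
int detect_vlan_caps(const char *boardflags, const char *boardtype,
                     int override_trunk, struct vlan_caps *caps)
{
    static const int ascending[4] = { 1, 2, 3, 4 };  /* default: 1,2,3,4 + WAN 0 */
    unsigned long flags, type;
    size_t i;

    memset(caps, 0, sizeof(*caps));
    memcpy(caps->lan_port, ascending, sizeof(ascending));

    if (parse_nvram_num(boardflags, &flags) != 0)
        return -1;
    caps->vlan_supported = (flags & BFL_ENETVLAN) != 0;
    if (!caps->vlan_supported)
        return 0;                 /* override does not apply without the flag */

    if (parse_nvram_num(boardtype, &type) == 0) {
        for (i = 0; i < sizeof(known_trunk_boards) / sizeof(known_trunk_boards[0]); i++) {
            if (known_trunk_boards[i].boardtype == type) {
                memcpy(caps->lan_port, known_trunk_boards[i].lan_port,
                       sizeof(caps->lan_port));
                caps->wan_port = known_trunk_boards[i].wan_port;
                caps->trunk_supported = 1;
                return 0;
            }
        }
    }
    if (override_trunk) {         /* unknown board: user accepted the risk */
        caps->trunk_supported = 1;
        caps->trunk_overridden = 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed nvram values, not read from a real device. */
    struct vlan_caps c;

    detect_vlan_caps("0x0118", "0x0467", 0, &c);
    printf("vlan=%d trunk=%d LAN1->port %d WAN->port %d\n",
           c.vlan_supported, c.trunk_supported, c.lan_port[0], c.wan_port);
    detect_vlan_caps("0x0118", "0x0101", 1, &c);
    printf("vlan=%d trunk=%d overridden=%d\n",
           c.vlan_supported, c.trunk_supported, c.trunk_overridden);
    return 0;
}
```

Getting the port order wrong places a physical port in a different VLAN than the one shown in the GUI, which is why the table is keyed on boardtype and unknown boards fall back to the ascending order only.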

  22. teaman

    teaman LI Guru Member

    Yet another status update: I've tried a few builds by cherry-picking commit e0e595bc9fefc8d79bb6aea456e4ccb404abef81 (from branch VLAN-GUI) and the results look quite promising - no failed builds, flashed and tested successfully two of them, just to be sure they would work on my WRT54GL - looking good :)
    Also, I've uploaded a screenshot of the VLAN GUI onto Google Code, if anyone out there is curious about it but don't want to flash his/her router just now:

    Have fun!
  23. Toastman

    Toastman Super Moderator Staff Member Member

    Seems OK to me too, Augusto. RT-N16 and E3000 tested. Looks like adding more models would be the next course of action.

    I'm making some new releases with this updated code from git.

    MIPSR1 - v7624
    MIPSR2 - v7477.1
  24. teaman

    teaman LI Guru Member

    I just pushed to GIT (branch VLAN-GUI) an early of what-might-someday-become "Tomato MultiLAN" (a very experimental prototype/version). It allows configuring up to 4 different LAN interfaces on the router, and bridge each to their own VLAN. In addition to the regular/standard (and mandatory) primary LAN bridge/interface (br0), up to 3 extra LAN bridges can be set up (br1, br2 and br3). These LAN-side bridges can be configured via basic-network.asp (i.e. IP address, STP, DHCP server settings etc...). The VLAN admin interface has been extended and allows assigning (up to) one VLAN to each LAN bridge (via advanced-vlan.asp). Currently, the code makes the router allow traffic to be forwarded (routed) between all enabled/active LAN bridges (some of those characteristics/behaviors could/should change in future versions). Most of the code is not pretty (or elegant), but initial testing seems to indicate the following features are working properly:

    - IP address/netmask settings for each bridge
    - STP can be enabled/disabled for each configured LAN bridge (Spanning Tree Protocol)
    - DHCP server availability/settings independent on each bridge
    - when MiniuPnPd is enabled, it's automatically configured to listen on all configured LAN bridges

    Here's a (non-exhaustive) list of known issues/limitations:

    - as bridge br0 is supposed to be the 'primary' LAN interface, it cannot be deleted and must always have a valid IP address set
    - if a default gateway is set, it must be reachable via br0 (being the primary LAN interface)
    - WLAN is always bridged to the primary LAN (br0)
    - static routes saved on NVRAM are restricted to br0 for now (same for WDS/hotplugging, ondemand PPP dialing, OpenVPN-related things, RIP, IGMP, etc...)
    - ipv6 support is uncertain to say the least (absolutely no testing has been done so far)

    As usual, your feedback is welcome.

    Have fun!
  25. humba

    humba Network Guru Member

    teaman, you're my hero. Ever since I figured out I could do VLANs with Tomato I've been waiting for somebody to bring that functionality to a GUI and it has been a long wait.
    I cannot afford to use my router as test subject (whenever telephony goes down because I was playing with my home network I get into heaps of trouble) but it looks like you're quite a bit down the path I hoped somebody would some day go.

    As far as I see it, other than the limitations (to truly overcome them probably means quite a bit of refactoring as it's a whole different ballgame when dealing with a single subnet versus multiple ones), I figure one day it would be useful to have a GUI based firewall route builder as not everybody might want to enable full communication between the different subnets (that could be even more so if you allow separating the WLAN from br0 - and when hopefully one day multi SSID makes it into Tomato, a guest WLAN would certainly require complete traffic separation).
  26. teaman

    teaman LI Guru Member

    Another GIT commit: routing is now multi-LAN aware. On advanced-routing.asp, static routes can be added/configured taking into account specific (existing/configured) LAN bridges. Also, if Zebra is available on a particular build, RIP can be enabled (to listen/bind) on a per-interface basis.
  27. teaman

    teaman LI Guru Member

    Following humba's suggestion (at least part of it anyways), another commit on branch VLAN-GUI: WLAN can now be bridged to any existing/configured LAN bridge. The code still assumes there's only one WLAN, but shouldn't be too hard to handle multiple wireless devices (when/if such thing gets implemented). Also, changing VLAN/bridge settings (advanced-vlan.asp) no longer requires rebooting the router: while digging into the code recently, I learned it's enough to just restart network services and wait long enough (around 30 secs seems to be sufficient, provided STP is not enabled).

    I've been thinking about that GUI to configure how traffic should flow between different LAN bridges. I'm thinking about having the following items for each 'rule':
    - origin/destination: from/to (br0-3)
    - policy: drop, accept (forward) or masquerade (NAT)

    I've been also thinking about the possibility of specifying origin/destination IP addresses (instead of just accepting/dropping packets from/to each LAN zone entirely), but I wonder if having such degree of control thru the web interface would be actually useful to anyone out there...

    As always, your feedback is more than welcome.
  28. teaman

    teaman LI Guru Member

    Quick status update about branch VLAN-GUI: while the DHCP server seemed to be working just fine and handling different settings for each LAN bridge properly, static DHCP entries were not being written to /etc/dnsmasq.conf and being ignored under certain conditions (fixed). Also, since a lot of the code on Tomato assumes there's only one LAN with a single (internal) IP address, the web interface (httpd) was accessible only from WAN (if enabled) and the primary LAN (httpd is now multi-LAN aware).
  29. teaman

    teaman LI Guru Member

    New code pushed to GIT a few minutes ago: the default policy about LAN/bridge access has changed so LAN bridges are no longer accessible from each other by default. Access between LANs can now be granted/managed via a new/experimental GUI :)
  30. humba

    humba Network Guru Member

    Here are my two cents (without having seen the latest update..) on the whole routing GUI thing.
    IP or even port based may seem like an overkill at first, but if you start thinking about doing the same for the WAN, and given that you can run a device in router mode rather than gateway mode, having an easy to use frontend for iptables suddenly makes a lot of sense to me. And seeing as with IPv6 we may suddenly no longer be running in gateway mode, it makes even more sense to me.
    I remember when I was running multiple openvpn connections on multiple vlans I had a really hard time figuring out how to separate traffic but still allow certain protocols (speaking of openvpn.. it might be useful to have the ability to bridge those connections to a bridge of your choice - I do have a manual setup where each port goes to a different openvpn connection to use a single router to bridge into 4 different lab networks that are not directly accessible from my desk at work - openvpn running on tomato might not be the fastest kid on the block, but you can't beat the price).

    Could you perhaps post a few screenshots showing the new GUI?
  31. teaman

    teaman LI Guru Member

  32. KyleS

    KyleS LI Guru Member

  33. humba

    humba Network Guru Member

    looking good :)
  34. Mercjoe

    Mercjoe Network Guru Member

    Holy Cow....

    You have gone on a one man tear and decided to some serious network functionality into Tomato.
  35. shibby20

    shibby20 Network Guru Member

    @teaman = Tomek? :) Cześć.

    can you merge vlan-gui with current tomato-rt?
  36. teaman

    teaman LI Guru Member

    Hi there! According to Google Translate, that's Polish for 'Hi', right? Since I'm not Polish, but Brazilian, I must confess I have absolutely no idea about what/who is Tomek and/or what that might mean :) I've been considering that might be a reference to another developer - am I anywhere close? :)

    In any case: I'm not entirely sure I would be able to actually do this merge and bring these new VLAN-GUI features onto branch tomato-RT successfully, but I'm willing to try :) However, I believe I'll need to ask for your assistance in order to accomplish this for at least two reasons:
    - I don't have access to a RT-N16 router or similar HW to do any tests
    - it would be nice to have someone else to cross-check and validate the resulting code :)

    I think it would be wise to do some sort of 'staging' first, before risking pushing/publishing to the public GIT repo any unwanted/broken code, and tried different approaches using my local GIT repo/copy. I've put together a ZIP file containing two folders called 'merged' and 'cherry_picked' with files documenting the commands I used on each approach/attempt as well as diff files referenced on each 'terminal.txt' file, so you could have references when trying to reproduce the processes on your local GIT repo.

    I must say I'm not sure if that's the best way to do this (almost-entirely-manual-and-offline 'staging' when we might have more efficient alternatives), but I'm not familiar with any potentially better way at this moment (my main goal has been keeping the public GIT repo untouched/safe until we're sure about the results).

    Please let me know if any of the notes provided might require further clarifications and/or corrections, specially if you hit some sort of unexpected situation while replaying/reproducing my steps - I've been quite diligent putting together these notes, I'm still 'just' human :)

    Have fun!

  37. teaman

    teaman LI Guru Member

    As it might be interesting/useful... I've put together this short/brief list of features currently implemented/available on branch VLAN-GUI as of today (2011-07-19):

    - up to 4 LAN bridges can be set up via web interface
    - each LAN bridge must have its own IP address/netmask set
    - DHCP server can be enabled/configured independently for/on each LAN bridge (i.e. different IP ranges, lease times)
    - Spanning Tree Protocol can be enabled/disabled on each bridge individually
    - WLAN can be assigned to be part of any existing/configured LAN bridge, not just the primary LAN (br0)
    - when/if enabled, the web management interface on the router should be accessible from/on all LAN bridges
    - up to 16 VLANs can be created/configured on the device (with VIDs ranging from 0 to 15)
    - each VLAN can be configured/treated as: WAN, part of a LAN bridge or unassigned
    - in general, each individual/physical ethernet port on the device can be assigned as a member/participant of a single VLAN
    - on devices (known) to support tagging of ethernet frames, it's possible to configure one (physical) ethernet port as a 802.1q trunk (member of multiple VLANs)
    - static routes can be added/configured onto specific LAN bridges
    - MiniuPnPd and RIP can be configured to listen/bind only on selected/enabled interfaces
    - LAN bridges are isolated from each other by default (not accessible to each other)
    - access/communication between different LAN bridges can be configured via web interface
    - code based on TomatoUSB 1.28.8754 (available on GIT)

    And there's also a (non-exhaustive) list of known issues, limitations and warnings (aka things you should consider/know about VLAN-GUI before trying it out):

    - as bridge br0 is supposed to be the 'primary' LAN interface, it cannot be deleted and must always have a valid IP address set
    - if a default gateway is set, it must be reachable via br0 (being the primary LAN interface)
    - each LAN bridge must have its own IP address/netmask set (if a LAN bridge is created and a proper IP address/netmask pair is not set or... if two different LAN bridges are configured with similar/conflicting IP addresses and/or overlapping subnets, the outcome/results can be unpredictable)
    - although it's possible to create/configure up to 16 VLANs on devices like the WRT54GL (and possibly even more VLANs on other devices), it's usually a good idea to avoid using VID 0 to prevent 802.1q compatibility issues (as 802.1q specifies that frames tagged with VID 0 do not belong to any VLAN).
    - since a lot of code in Tomato assumes there's only one bridge/LAN (br0), we can probably/safely assume that any functionality/feature not mentioned above should be, most likely, restricted to work/function only on/with br0 (i.e. WDS/hotplugging, ondemand PPP dialing, OpenVPN-related things, IGMP, etc...)
    - ipv6 support is uncertain to say the least (absolutely no testing has been done so far)
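
A pre-flight check for the limitations listed in the post above (br0 needs an address, every configured bridge needs a valid IP/netmask pair, subnets must not overlap, VIDs range from 0 to 15 with VID 0 best avoided), as an added C example that is not part of the VLAN-GUI code. The struct, flag names and sample addresses are hypothetical and constructed for illustration.

```c
/* Added example: validate a multi-LAN bridge layout before applying it. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BRIDGES 4    /* br0..br3, as in the post */
#define MAX_VID     15   /* VIDs range from 0 to 15, as in the post */

struct lan_bridge {
    const char *ipaddr;   /* NULL or "" means the bridge is not configured */
    const char *netmask;
    int vid;              /* VLAN assigned to the bridge, -1 for none */
};

enum cfg_issue {
    CFG_BR0_NO_ADDR = 1,   /* primary bridge has no address */
    CFG_BAD_ADDR    = 2,   /* unparsable IP or non-contiguous netmask */
    CFG_OVERLAP     = 4,   /* two bridges share address space */
    CFG_VID_RANGE   = 8,   /* VID outside 0..15 */
    CFG_VID_ZERO    = 16   /* VID 0: frames tagged 0 belong to no VLAN */
};

/* Convert dotted-quad ip/mask to host-order network and mask. */
static int parse_net(const struct lan_bridge *b, uint32_t *net, uint32_t *mask)
{
    struct in_addr a, m;
    uint32_t inv;

    if (b->netmask == NULL)
        return -1;
    if (inet_pton(AF_INET, b->ipaddr, &a) != 1 ||
        inet_pton(AF_INET, b->netmask, &m) != 1)
        return -1;
    *mask = ntohl(m.s_addr);
    inv = ~*mask;
    /* a valid mask is a run of ones followed by a run of zeros */
    if (*mask == 0 || (inv & (inv + 1)) != 0)
        return -1;
    *net = ntohl(a.s_addr) & *mask;
    return 0;
}

/* Returns 0 when the layout is usable, otherwise a bitmask of cfg_issue. */
unsigned validate_bridges(const struct lan_bridge br[MAX_BRIDGES])
{
    uint32_t net[MAX_BRIDGES], mask[MAX_BRIDGES];
    int active[MAX_BRIDGES] = { 0 };
    unsigned issues = 0;
    int i, j;

    for (i = 0; i < MAX_BRIDGES; i++) {
        if (br[i].ipaddr == NULL || br[i].ipaddr[0] == '\0') {
            if (i == 0)
                issues |= CFG_BR0_NO_ADDR;
            continue;
        }
        if (parse_net(&br[i], &net[i], &mask[i]) != 0) {
            issues |= CFG_BAD_ADDR;
            continue;
        }
        active[i] = 1;
        if (br[i].vid < -1 || br[i].vid > MAX_VID)
            issues |= CFG_VID_RANGE;
        else if (br[i].vid == 0)
            issues |= CFG_VID_ZERO;
    }

    /* Two subnets overlap when they agree under the shorter of the two masks. */
    for (i = 0; i < MAX_BRIDGES; i++) {
        for (j = i + 1; j < MAX_BRIDGES; j++) {
            uint32_t common;

            if (!active[i] || !active[j])
                continue;
            common = mask[i] & mask[j];
            if ((net[i] & common) == (net[j] & common))
                issues |= CFG_OVERLAP;
        }
    }
    return issues;
}

int main(void)
{
    /* Constructed layout: br1 sits inside br0's /24, so isolation is ambiguous. */
    struct lan_bridge cfg[MAX_BRIDGES] = {
        { "192.168.1.1",   "255.255.255.0",   1 },
        { "192.168.1.129", "255.255.255.128", 3 },
    };

    printf("issues = 0x%x\n", validate_bridges(cfg));
    return 0;
}
```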
  38. shibby20

    shibby20 Network Guru Member

    Tomek (slodki) is a Polish programmer, who created tomato-sdhc
    This is the reason why i was thinking it was you ;) Indeed: Cześć = Hi :)

    you have huuuuge knowledge, good work with vlan.

    when i said "merge branches" i have in mind:
    git merge --no-ff origin/tomato-RT

    then fix, test and push changes to git. Thx to patches. I will try patch my sources and will test vlan on netgear 3500L (i have to unbrick him first) and Asus WL500gp v1. I have also rtn16 but this is my primary router well i cant use it for testing.

    Best Regards!
  39. teaman

    teaman LI Guru Member

    So it seems we were not that far... specially since I am the one responsible for the so-called 'original Tomato SD/MMC mod', mentioned on the page above: Augusto Bott :)
    Thanks! Still, since most of the VLAN support/features were already available internally on Tomato, Jonathan Zarate deserves most of the credit - all I did was making these functionalities easily accessible via web/admin interface :)
    Please let us know how it goes!
  40. shibby20

    shibby20 Network Guru Member

    I have error in rc/firewall.c


    if (!ipt_addr(src, sizeof(src), saddr, "src", AF_INET, "LAN access", desc))
    if (!ipt_addr(dst, sizeof(dst), daddr, "dst", AF_INET, "LAN access", desc))
    Can you help?
  41. teaman

    teaman LI Guru Member

    Sorry it took me this long to reply, but sure: I'll try!
    I'll let you know about any findings as soon as I get a chance to look into this.
  42. teaman

    teaman LI Guru Member

    Hi Shibby!

    Good news - I believe I got this figured out :)

    When I was looking at those error messages from your last post for the first time, I was under the impression I've seen something like that before... After a few minutes looking into my notes, I realized very similar problems/errors happened when I was experimenting with code from origin/VLAN-GUI and origin/Toastman-ND :)

    So I kept digging and at some point I realized branch origin/tomato-ND-USBmod was recently merged onto both origin/Toastman-ND and origin/tomato-RT, which seemed like a 'good sign'. Next, I tried another merge VLAN-GUI onto tomato-RT, changed a few other lines of code following my notes from patching/experimenting with Toastman-ND and apparently, the code seems fine now.


  43. shibby20

    shibby20 Network Guru Member

    origin/tomato-ND-USBmod is merged into origin/tomato-RT

    and tomato-RT is a base for my, Toastman and Victek`s branches.

    patches applied to my branch and now compiling (at the moment without error ;) )
  44. teaman

    teaman LI Guru Member

    Glad to hear that! Please let us know how it goes once you get a chance to run some tests.
  45. shibby20

    shibby20 Network Guru Member

    first bug:

    i create new vlan3 with port 3,4 and select br1. After save i dont see bridge name and i cant remove/modify entry.

    screen: http://update.groov.pl/vlan/vlan1.png

    When i create new vlan0 i dont see others vlans.
    screen: http://update.groov.pl/vlan/vlan2.png

    i added LAN br1 ip/mask/dhcp configuration on basic -> network and now i see advanced-vlan correct but will be nice to fix it :) Maybe some message " create br(x)first, before you add ports" or smt.
  46. teaman

    teaman LI Guru Member

    Thanks for your feedback, shibby20!

    It seems we do have a problem/bug, based on what we see on vlan2.png :-(
    Still - what we see on vlan1.png is not exactly a 'bug' - it's supposed to be a 'feature' - i.e. allows things like setting up a 802.1q trunk (see attached trunk.png). However... I don't see the 'editor' line in the bottom (so it might be a bug as well).
    I'll have a look into the code and let you know.

    PS: if you've been using Firefox, could you do me a favor? Would it be possible for you to open the 'Error Console' (under the Tools menu) and paste here the javascript error message that shows up when those problems occur? That could become quite useful... Thanks!

  47. shibby20

    shibby20 Network Guru Member

    situation from screen vlan2.png (vlan0 without configured ip/mask/dhcp)

    FF errors:
  48. shibby20

    shibby20 Network Guru Member

    now I have:


    but no matter which port I plug the cable into, I always get ip 192.168.1.x with gateway What have I done wrong?
  49. teaman

    teaman LI Guru Member

    Thanks for posting that javascript error message (I now have a general idea about what I should be looking for in the code to hunt down and fix that error).

    About that strange DHCP behaviour you're having - can you please post the contents of /etc/dnsmasq.conf, /etc/dnsmasq.custom (if you have such a file)? Also, it could be useful to know the contents of the following nvram variables:


    EDIT: could be useful to know which router/model you're running...
  50. shibby20

    shibby20 Network Guru Member

    netgear wnr3500L

    /etc/dnsmasq.custom - I haven't

    nvram show | grep lan:
  51. teaman

    teaman LI Guru Member

    Hi there!

    Good news - based on the nvram settings you posted earlier, I've been able to reproduce that error on vlan2.png and... there's a good chance I've identified (and fixed) the piece of code responsible for that problem :) Could you please test the new version of advanced-vlan.asp I've linked below and let me know how it goes?
    I suspect you probably already know about this method... but just in case you don't: there's no need to compile/flash a new build, you can just copy (scp?) this new version of advanced-vlan.asp onto /www/ext (/var/wwwext) on your router and access/test it with http://router/ext/advanced-vlan.asp

    I will be looking into that DHCP issue next.

  52. shibby20

    shibby20 Network Guru Member

    thx, now it is correct. We also have some progress. When I plug the cable into port 4 I get ip with gateway When I plug into port 1 I get but still with gateway

    great tutorial of manually creating second vlan on tomato:

    example of dnsmasq for second vlan:
    well in my opinion should be:
    I manually modified dnsmasq.conf and added br1 to range and option. Now it works correctly :) When I plug the cable into port 3 or 4 I get ip 192.168.2.x with gateway When I plug into port 1 or 2 I get 192.168.1.x with gateway :)
  53. shibby20

    shibby20 Network Guru Member


    now my dnsmasq.conf looks:

    please verify my patch.
  54. teaman

    teaman LI Guru Member

    I've been able to reproduce that strange/unexpected behaviour you reported earlier with DHCP and I believe I may have figured out what seems to be the underlying cause.

    Short version (quick/easy solution/workaround): once you're done changing VLANs and/or (especially) any ethernet port assignments, reboot your router.

    Long version (what I think could be actually happening): apparently, the underlying cause doesn't seem to be related to dnsmasq settings, but assignment of ethernet ports and VLAN memberships (which ports should be members of a particular VLAN). Anyways, this idea seems to be consistent with what I've seen in one of my tests... Here's what I did:

    I started by setting up these 3 LAN bridges:
    Please notice DHCP is disabled on the primary LAN, since this is handled by another device on my network. At that time, settings for VLANs/ports looked like this:
    Then, I've created VLAN 8, assigned it to br2 and moved port 2 from VLAN 2 to VLAN 8:
    Next, I plugged in a computer onto port 1: as expected, I got IP/GW in the 192.168.2.x range. However, on every single attempt of plugging it onto port 2, I was getting IP/GW in the 192.168.1.x range, which was completely unexpected! I tried connecting to different ports a few times... but got the same results:
    - port 1: 192.168.2.x
    - ports 2 and 3: 192.168.1.x

    At that point... I tried rebooting the router and... voilà! The new port assignments were working as expected. So... can you please test DHCP again after rebooting your router (without those changes on dnsmasq.conf)?

    BTW - thanks for the patch/link :)

  55. shibby20

    shibby20 Network Guru Member

    Correct. When I create/modify vlans, sometimes changes will not apply. After reboot all is ok.

    Example: I move the WAN port into br0 and set port1 as the WAN port. After save, the WAN port was still my WAN. After reboot, port1 became my WAN and the WAN port was in LAN (br0). Revert changes, save, but still port1 = WAN, WAN = br0. Reboot and now it is good, WAN port = WAN, port1 = br0.

  56. teaman

    teaman LI Guru Member

    I have to leave now, but I should be able to review/check this whole thing when I'm back (and possibly even push some patches/updates to GIT today).
    Thanks for your help/feedback on those issues!
  57. shibby20

    shibby20 Network Guru Member

    after reboot, always I got gw IP is correct.
    when I flash tomato with my patch, this problem is resolved.
  58. teaman

    teaman LI Guru Member

    New/updated code reviewed and tested - just pushed to git:

    Bugfixes: Dnsmasq config with multiple interfaces/DHCP ranges, VLAN admin interface nvram settings detection (Shibby). Improvements on network settings, helpers on GUI (DHCP ranges, checks), general tidying-up of code in rc/services.c (dnsmasq, upnp).
  59. tvlz

    tvlz LI Guru Member

    Tomato has the code for multi ssid support in wlconf.c
    If somebody (who knows more than me) could look at wlconf.c and figure out what nvram settings need to be set multi ssid should work?
    Would be great when multi ssid works, it could be added to Vlan-GUI.
  60. shibby20

    shibby20 Network Guru Member

    i agree!

    @teaman - great! i will merge vlan-gui with my branch and will make some tests :)

    //edit: Great job. Everything works as it should. Have merged our branches.
  61. KyleS

    KyleS LI Guru Member

    Asus RT-n16

    root@Tomato:/tmp/home/root# nvram show | grep vlan
    lan_ifnames=vlan1 eth1
    landevs=vlan1 wl0
    script_init=iptables -I POSTROUTING -t nat -o vlan2 -d -j MASQUERADE
    script_wanup=ip addr add dev vlan2 brd +
    vlan1ports=1 2 3 4 8*
    vlan2ports=0 8
    Bug 1:
    Click on the br0 section.

    Bug 2:


    Can't select any of the other bridges above. I click ok, reselect the new VID and it's all available.


    Bug 3:

    Basically create a new bridge, then the data (End range) is corrupt when you reselect it.

    Bug 4: My bridge assignments are not saving.

    Bug 5: I can't save at all in Basic -> Network.

    Is anyone else having these issues? I tried in FF7 and IE.
  62. Toastman

    Toastman Super Moderator Staff Member Member

    Teaman, I have added the latest mods to test builds -starting at 4400 which is based on Toastman-RT-1.28.7475.1

    Latest will be posted as Toastman-VLAN-RT-BETA-1.28.4401 - this will be the base for any future changes. This build is based on Toastman-RT-1.28.7475.5

    It's very much BETA build - please check carefully.

  63. teaman

    teaman LI Guru Member

    KyleS - thanks for your feedback. I'll look into it.

    Toastman - thanks for the builds!
  64. KyleS

    KyleS LI Guru Member

    Isn't build specific, it's the exact same issues with Toastman's builds (In case if anyone was thinking this).
  65. teaman

    teaman LI Guru Member

    Hi KyleS!

    Let's have a look at each piece of your post, shall we? :)

    On your previous post, I noticed you've got some 'extra stuff' within your nvram settings (custom scripts and perhaps other things). So, I'd like to suggest it might be a good idea disabling any of those 'special' settings when running further tests in the future (mostly, trying to play it safer and rule out as many things as possible in advance).

    About bug 1: during pretty much all my tests so far, it never occurred to me that someone would want to use anything different than a /24 subnet :) It took me a while to go over the entire code (it's around 52k), but I believe I got it all right and it should now work properly with different/smaller subnets (i.e. tested fine with a /27 such as the one mentioned on your previous post).

    About bug 2: apparently, a small portion of the code was missing on my previous commit - I probably forgot to put it back after some test (fixed/included now).

    About bug 3, 4 and 5: see item 1.

    New code just pushed to git:
    commit 41d671a1cd60670414a7c09bb303ce9b78683223
    Author: Augusto Bott <augusto@bott.com.br>
    Date: Wed Jul 27 07:45:17 2011 -0300
    Improved handling of different/smaller subnets on LAN bridges, missing code (re)added to VLAN admin page.
  66. KyleS

    KyleS LI Guru Member

    I can't wait to try out the next build :p Thanks for fixing everything so promptly.

    EDIT: Would it be possible to remove the Wan limitation? or is that beyond the scope of this. I guess I may as well throw another question in here as well. Is it possible to have multiple dynamic external IPs in Tomato without using a switch beforehand? or is that again beyond the scope of this. I'd love to use the multiple IPs that my ISP gives me per VLAN.
  67. Toastman

    Toastman Super Moderator Staff Member Member

    Updated build with the new git commit = 4401.1 BETA
  68. Toink

    Toink Network Guru Member

    I tried Toastman's 4401 and I lost my WLAN connection. My phones and laptops can't see my router anymore. I reverted back to 7475.5 WLAN is now working. Anyone else having issues with WLAN in 4401?
  69. teaman

    teaman LI Guru Member

    By 'Wan limitation' I suspect you're referring to one of the requirements/rules being enforced on advanced-vlan.asp: having always one VLAN dedicated/assigned to WAN and one to LAN (br0), right?

    Well... there's a somewhat reasonable explanation for that: one of my main concerns since I first started developing these new features/enhancements has been to avoid breaking any other pieces and/or existing features unintentionally. While digging into Tomato internals, I noticed a significant amount of the code sorta expects/assumes there will be one/single LAN and one WAN interface defined/available on the router at any given time. With that in mind, it seemed a good idea to make sure those requirements are met when using this GUI.

    So... unless someone comes up with a very good reason, I don't see why the GUI shouldn't keep enforcing any of those LAN/WAN requirements :)

    About those (other) questions regarding multiple external IPs: is it possible? It might be... but my knowledge about Tomato isn't quite there just yet. Perhaps this article could be useful and/or give you any hints/clues on how to do it?

  70. tvlz

    tvlz LI Guru Member

    I looked again at the code for multi ssid support in /release/src/wlconf/wlconf.c. It looks like if you set the following, multi ssid should work; could somebody try it?
    I also think this code needs to be changed in /release/src/router/httpd/wl.c to set the correct virtual mac address
    // assume the slave interface MAC address is the same as the primary interface
    nvram_safe_get(wl_nvname("hwaddr", unit, 0))
    // virtual interface MAC address
    nvram_safe_get(wl_nvname("hwaddr", unit, subunit))
    Hopefully it will work. Can somebody try it?
  71. KyleS

    KyleS LI Guru Member

    WLan is indeed bugged in 4401.1

    I don't even have a 5ghz radio lol.

    @teaman thanks for the suggestions/relevant articles! While it would be pretty cool to have GUI support for it, safety should come first. :p

    EDIT: Not sure what's going on here... Some machines on my network are unable to get IPs being in br0. I lost connectivity to br1 as well (Was using Lan Access). Anyone else having these issues?

    EDIT2: It's the Builds I think and not VLan-GUI that's causing the wireless issues. I just flashed tomato-K26USB-1.28.7475.5MIPSR2-Toastman-RT-VPN.trx and lost my Wireless settings entirely.
  72. Toastman

    Toastman Super Moderator Staff Member Member

    Re. the wireless issues, yes, sometimes it's not transmitting and when it does, I can't connect either. I have pulled those builds and will upload them again later when I've fixed the problem.

    7575.5 - hmmm

    It worked for Toink. It didn't work for KyleS. It worked for me when I uploaded it, but today I can't see the wireless either.

    ADDIT: 4400 isn't working either - based on 7475.1 - and it should ..

    Reverting the changes I made to QOS doesn't fix the problem so there's something odd here. This may take a while!
  73. Toastman

    Toastman Super Moderator Staff Member Member

    I compiled 7475.5 again and tested it. It seems fine to me. But no matter what I try, when I add the vlan GUI, the wireless is no longer visible. Augusto, can you try to compile it? I can test it on RT-N16 (ext version) which would confirm if it's my setup or not.

    BTW - here, I don't lose any settings, just the wireless doesn't seem to be transmitting. If the wireless settings are being screwed like this, then maybe the VLAN-GUI is writing something/somewhere it shouldn't?
  74. shibby20

    shibby20 Network Guru Member

    Correct. WLAN doesn't work on the latest version.
  75. Toastman

    Toastman Super Moderator Staff Member Member

    That's a relief, I thought I was going nuts.
  76. Toink

    Toink Network Guru Member

    That's what I'm thinking too when I first posted (6 posts from yours) my WLAN wasn't working... I got my wireless LAN back as soon as I reverted back....
  77. teaman

    teaman LI Guru Member

    I've been looking onto the commit logs and might have found two pieces of code that could be... related (at least, seems plausible/possible, but I can't be sure).
    According to http://repo.or.cz/w/tomato.git/shortlog/refs/tags/Toastman-1.28.4401.1

    Possibility #1 - when/if STP gets (re)enabled

    On commit "Merge branch 'VLAN-GUI' into Toastman-RT Toastman-1.28.4400" - 2011-07-26

    file wan.c - (re)enabling STP at wan UP

    file services.c - STP static routes (at the bottom of this commit)

    Possibility #2 - there are some extra TABs on a few lines of network.c
    On commit "WLAN can now be assigned to any LAN bridge. Changing..." - 2011-07-11

    file network.c - on lines 368->380 there's an extra TAB at the beginning of each line (typo), so this could be causing problems with code between #ifdef CONFIG_BCMWL5 / #endif directives (not sure when/if 'wlconf' is getting or should be executed).

    I'll keep digging...

    EDIT: typo on rc/network.c fixed and pushed to git (branch VLAN-GUI)

    EDIT 2: after looking a bit more onto the code, I'm leaning more and more towards Possibility #2 - the extra tabs/typos in front of those CONFIG_BCMWL5 preprocessor directives on rc/network.c (more specifically, because those typos were inside function start_wl()). Apparently, those blocks of code don't seem to be extremely important/relevant on routers/models such as the WRT54GL I've been doing most of my testing/developing on... but they seem to be quite relevant for other models (such as RT-N10, RT-N12, RT-N16, WNR3500L, WNR2000 v2, WRT160N v3, WRT320N, WRT610N v2 and probably many others).
  78. teaman

    teaman LI Guru Member

    Hey Toastman! I just noticed you merged those latest commits/fixes from VLAN-GUI onto Toastman-VLAN a few hours ago. How did the WLAN go this time?
  79. shibby20

    shibby20 Network Guru Member

    Toastman said: wireless is working here now shibby.

    I'm compiling and will test :) Tell you in about 1h.

    //edit. Confirm - WLAN works perfect :)

    btw someone tested VLAN-GUI on router with dual-band? :)
  80. Toastman

    Toastman Super Moderator Staff Member Member

    Augusto, guess you missed my PM's?

    I haven't run it in earnest 'cos I don't normally use wireless except on AP's. But when I tested it after compile it seemed quite normal now.

    On RT compile, the QOS/Details page has a small problem here, the list doesn't populate (the spinner doesn't appear). That's a nice addition to these pages, Thanks!
  81. teaman

    teaman LI Guru Member

    Guess I may have skipped and/or just got to them anachronistically :-/
    I'll have a look at the javascript code on those pages (I might have hit a similar thing when I tried to merge that against a special brew based on v7624 :)
    Will let you know as soon as find what's wrong (and improve the general looks of the whole filtering thingies as you suggested).
  82. Toastman

    Toastman Super Moderator Staff Member Member

    The list not populating turned out to be something I did - so all is well. I love the new QOS additions :D
  83. shibby20

    shibby20 Network Guru Member

  84. tvlz

    tvlz LI Guru Member

  85. Toastman

    Toastman Super Moderator Staff Member Member

    tvlz - nice going. I think that with a bit more luck you guys are close to cracking this.
  86. teaman

    teaman LI Guru Member

    Hi there - I've been looking onto those messages for the last few mins but unfortunately, I've been unable to figure out what seems to be wrong (especially since I don't speak Polish and... Google wasn't very helpful in translating those contents at this time). Still, those reminded me/pointed out some possible/interesting improvements regarding rules/validations on the VLAN GUI... So... thanks!

    PS: I noticed there was an EDIT at some point on kille72 post - is that issue solved by now? If so, anything 'special' had to be done or... it just 'worked' after rebooting/committing NVRAM or something like that?

    EDIT: new code just pushed to git :)

    Enforcement/explicit validation of ports in "trunk mode" at GUI level. If a physical port on the router is being configured as member of more than one VLAN, frame tagging must have been already enabled on any other existing VLAN that port is a member of.
  87. shibby20

    shibby20 Network Guru Member

    Problem does not occur on Netgear 3500L. On Wrt54gl he has this problem. He tested my K26 and K24 version.
    I will ask him to check your clean version. Maybe I broke something when merging branches.
  88. kille72

    kille72 LI Guru Member


    First of all let me thank all of you for the great work :)

    I have found a bug in the VLAN @ teaman. The strange thing is that this bug only comes up when I try it on WRT54GL and everything looks good on Netgear 3500L.

    I am pasting a few images (tested on the WRT54GL with your software http://code.google.com/p/tomato-sdh...ND-vlan-1.28.8754-VPN-MultiLAN-v8.7z&can=2&q=)

    nvram show | grep vlan:
    lan_ifnames=vlan0 eth1
    vlan0ports=3 2 1 0 5*
    vlan1ports=4 5
    vlan2ports=0 5
    In br0 I remove port 4 and in br1 I select Port 4. After reboot port 4 is enabled twice (br0 and br1)...

    Everything works as it should, it's just bug in the gui.

    Best regards.
  89. teaman

    teaman LI Guru Member

    Thanks for your report, kille72! The updated code pushed to git last night is exactly about this: it no longer allows a port to be a member of more than one VLAN unless frame tagging is enabled on each and all VLANs that port is a member of.
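
The trunk-mode rule described in posts 86 and 89, as an added example that is not part of the thread or of the Tomato source: a Python check run over the `vlanXports` lines quoted in post 88. Treating the port marked `*` as the internal CPU port and exempting it from the rule is an assumption of this example, and the function names are hypothetical.

```python
import re

# Constructed input: the nvram lines quoted in post 88 (WRT54GL).
SAMPLE_NVRAM = """\
lan_ifnames=vlan0 eth1
vlan0ports=3 2 1 0 5*
vlan1ports=4 5
vlan2ports=0 5
"""

LINE_RE = re.compile(r"^vlan(\d+)ports=(.*)$")
# A port token is a number plus optional flags; only 't' (tagged) and
# '*' are interpreted here, any other letter is carried along unchanged.
PORT_RE = re.compile(r"^(\d+)([a-z*]*)$")


def parse_vlan_ports(nvram_text):
    """Parse `nvram show` style text into {vid: {port: flags}}."""
    vlans = {}
    for line in nvram_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a vlanNports variable
        members = {}
        for token in m.group(2).split():
            pm = PORT_RE.match(token)
            if pm is None:
                raise ValueError(f"unrecognised port token {token!r}")
            members[int(pm.group(1))] = pm.group(2)
        vlans[int(m.group(1))] = members
    return vlans


def trunk_violations(vlans, cpu_port=None):
    """Return {port: [vids where it is untagged]} for every port that is a
    member of more than one VLAN without tagging enabled on all of them."""
    if cpu_port is None:
        # Assumption: the port carrying '*' is the internal CPU port.
        starred = {p for m in vlans.values() for p, f in m.items() if "*" in f}
        cpu_port = next(iter(starred), None)
    membership = {}
    for vid, members in vlans.items():
        for port, flags in members.items():
            if port != cpu_port:
                membership.setdefault(port, []).append((vid, "t" in flags))
    return {
        port: sorted(vid for vid, tagged in entries if not tagged)
        for port, entries in membership.items()
        if len(entries) > 1 and not all(tagged for _, tagged in entries)
    }


if __name__ == "__main__":
    for port, vids in trunk_violations(parse_vlan_ports(SAMPLE_NVRAM)).items():
        print(f"port {port}: untagged in VLANs {vids} while in several VLANs")
```

On the post 88 sample this reports switch port 0, which is an untagged member of both vlan0 and vlan2.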
  90. shibby20

    shibby20 Network Guru Member

    @teaman - you are the best. Many people will love you for that! :)
  91. teaman

    teaman LI Guru Member

  92. shibby20

    shibby20 Network Guru Member

    indeed. I comment only a fact, you do this.
  93. Toastman

    Toastman Super Moderator Staff Member Member

    I'll post a new version of Toastman-VLAN with these mods added if anyone wants to experiment. Up in a few hours !
  94. tvlz

    tvlz LI Guru Member

    Thanks teaman for the Virtual SSIDs, I know you could get it working. Let the testing begin!!
  95. bluecar

    bluecar LI Guru Member


    I'm not able to locate a K2.4 or K2.6 MIPSR1 version for any of my WRT54G-TM's. I searched for Toastman-VLAN-ND on your 4shared site but no luck. Are you, or any other devs, planning a release for the older routers?

    Appreciate all the work by all the modders in this area!
  96. Toastman

    Toastman Super Moderator Staff Member Member

    I will, only today following power outages here my PC is suffering from motherboard failure. Trying to resurrect it with the aid of local monks.
  97. Hackerivs

    Hackerivs Networkin' Nut Member

    What about the vlan's above 15?
    I heard it's hardware limited.
  98. Toastman

    Toastman Super Moderator Staff Member Member

    Augusto, could this be caused by the mod?

  99. teaman

    teaman LI Guru Member

    Apparently there is indeed some kind of HW limitation on many Broadcom switches: there are many models/devices out there with different kinds of restrictions. Most of these restrictions seem to be related to handling just 4 bits for VIDs (or in some cases, handling up to 16 different VIDs - but I'm not sure if that's the case and/or which models are able to do such thing).

    If you'd like some additional (tech) reading, here's a couple of links that might be relevant and/or interesting:


    PS: unless you've been using a multi/virtual-SSID-enabled build (which is supposed to be experimental, anyways)... I can't see any obvious reason for that wifi/MAC address issue :-/ BTW: my main dev/testing router is also a WRT54GL... and I'm sorry to say I haven't seen anything quite like that... Still, I'll be reviewing the sources/changes soon/next.
  100. Hackerivs

    Hackerivs Networkin' Nut Member

    I don't use the multi SSID build.
    It's a strange issue; even if I do a 30/30/30 the MAC is still 00:90:4C:5F:00:2A instead of C0:C1:C0:XX:XX:C7.
    If I return to stock or DD-WRT firmware, the MAC is then correct.
    I've googled the incorrect mac and it looks like this is a known problem.