Discussion in 'Tomato Firmware' started by jmcafee, Jun 10, 2011.

    A moment ago I extracted my CFE and all the MAC values are 00-90-4C-XX-XX-XX instead of C0-C1-C0-XX-XX-XX.
    Something is wrong here :/
    Awesome progress here. I am trying to use tomato-K26USB-1.28.2404MIPSR2-Toastman-VLAN-MultiSSID-BETA-VPN.trx on my WRT610N and having some wireless issues. It is most likely operator error as I am new to Tomato.

    Here is a breakdown of what I am trying to do using VLANs, MultiSSID and bridges:

    Bridge  STP       IP Address  Netmask        DHCP           IP Range
    br1     Disabled  10.8.8.8    255.255.255.0  DHCP Disabled


    LAN br0 Ports 1-3 (LAN)
    LAN1 br1 port 4 (For DMZ)
    LAN2 br2 no ports assigned (For wireless network)


    Both wireless interfaces (5GHz, 2GHz) have been changed from br0 to br2. This is to separate the WLAN from the LAN/DMZ.

    The only custom command I have used was:

    nvram set nas_alternate='1' (as posted by Teaman).

    Anyway, once this works I would like to add another two guest SSIDs to the mix using MultiSSID. Unfortunately I cannot get the above setup to work with WPA2. It works with no wireless encryption, however. Since I am changing the default wireless from br0 to br2, do I need to run more manual commands to get NAS working correctly with this setup?

    Thanks in advance and this is great progress.
    I have solved the problem with the incorrect wifi MAC.
    The problem was in the CFE. I don't know how the CFE changed itself and screwed up the MAC addresses.
    I took a deep look into it and found two variables: et0macaddr and il0macaddr.
    et0macaddr is the LAN MAC, and il0macaddr was the one with the incorrect MAC.
    I wondered how dd-wrt and stock Linksys firmware show the MACs correctly and Tomato does not (the wifi MAC).
    The reason is the following: dd-wrt and Linksys fw generate the MACs from the et0macaddr without using il0macaddr:
    et0macaddr = LAN MAC
    wan mac = et0macaddr + 1
    wlan mac = et0macaddr + 2

    I found out that Tomato uses the et0macaddr for generating the WAN MAC, but not the WLAN MAC! (For that it uses the il0macaddr.)
    The solution was to edit the il0macaddr in the CFE to the wifi MAC.

    After the CFE was modified, I placed it into the /tmp directory and issued the commands

    mtd unlock cfe
    mtd write cfe.bin cfe

    When the unit rebooted, I made a 30/30/30 reset and, VOILA, the MACs are now correct.
    But the scary question is: HOW DID THE CFE CHANGE ITSELF?!

    p.s. sorry for my bad english :)
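As an added illustration (not code from the thread), here is a small shell check that derives the WAN and WLAN MACs the way the post describes (et0macaddr + 1 and et0macaddr + 2) and reports whether il0macaddr has drifted away from the expected value. The sample MACs are constructed; on the router you would feed it the output of nvram get.

```shell
#!/bin/sh
# Added example (not from the thread): recompute the derived MACs the way
# dd-wrt/stock firmware do (WAN = et0macaddr + 1, WLAN = et0macaddr + 2)
# and compare the WLAN value with il0macaddr, which Tomato reads instead.
# Sample values below are constructed; on the router you would pass
# "$(nvram get et0macaddr)" and "$(nvram get il0macaddr)".

# mac_norm MAC: lowercase, colon-separated (accepts 00-90-4C-.. or 00:90:4c:..)
mac_norm() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':'
}

# mac_add MAC N: MAC plus N as one 48-bit integer (carries across octets,
# wraps after ff:ff:ff:ff:ff:ff), printed in colon notation
mac_add() {
    hex=$(mac_norm "$1" | tr -d ':')
    val=$(( (0x$hex + $2) & 0xffffffffffff ))
    printf '%012x' "$val" | sed 's/../&:/g; s/:$//'
}

# check_wlan_mac ET0 IL0: OK when il0macaddr equals et0macaddr + 2,
# MISMATCH otherwise (e.g. a 00:90:4c default OUI where the vendor OUI
# of et0macaddr is expected, as in the thread)
check_wlan_mac() {
    expected=$(mac_add "$1" 2)
    if [ "$(mac_norm "$2")" = "$expected" ]; then
        echo "OK"
    else
        echo "MISMATCH expected=$expected il0macaddr=$(mac_norm "$2")"
    fi
}

# constructed demo values: vendor OUI C0-C1-C0 as in the thread, rest made up
ET0="C0-C1-C0-12-34-56"
IL0="00-90-4C-12-34-58"
echo "wan  mac: $(mac_add "$ET0" 1)"
echo "wlan mac: $(mac_add "$ET0" 2)"
check_wlan_mac "$ET0" "$IL0"
```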
    is it possible that we will have the "Last 24HRs realtime monitoring of multiple clients" in the near future?
    Since this whole MultiSSID thing is highly experimental, I must confess I haven't been able to do any testing with K26 builds... So there's a pretty good chance this is not just an operator error :confused:
    If I understood correctly how the K26 versions are configured/built, this particular issue might have something to do with a (C preprocessor) directive called CONFIG_BCMWL5. Apparently, it's not enabled on K24 builds (only on K26 builds), so a slightly different code gets compiled. As it turns out, there's a good chance a chunk of code on rc/wnas.c is being simply bypassed - precisely the part handling the 'nas_alternate' setting you mentioned (mostly, because I wasn't sure at the time if changing anything inside that block wouldn't perhaps break other things...).

    Still, we may be able to work around this issue, especially since you have shell access to the device :)

    Could you please test something and let us know how it goes? Try this on a shell session (that's what 'nas_alternate' is about: to fire up one nas process for each wpaX-enabled wireless network):
    killall nas
    nas.sh wl0 br2
    nas.sh wl1 br2
    Also, keep an eye on yet another process/daemon that might be running and/or causing problems, called 'eapd' (don't kill it if you don't have to... I'm not sure what it does... but it looks like it might be needed by 'nas' and/or there might be some sort of interaction between them).

    In any case: please do let us know about any news/findings :)

    Also, you might find this interesting (and possibly relevant):

    I think that Toastman-VLAN-MultiSSID builds are missing the latest fixes that you will need.

    When you compile new builds of MultiSSID, can you make K2.4 builds too?
    Still waiting/hoping for a K2.4 or K2.6R1 version of VLAN Tomato. Is this in the plans or will I need to buy a new router?

    You already have K2.4 versions of VLAN Tomato.
    This is great news. I'd be grateful if you could tell me where to find them!
    Please help with the VLAN configuration on a WRT54GL 1.1 with tomato-sdhc-vlan-1.28.7z (2011 Jun 9). ISP service scheme below:

    I tried different VLAN options:
    nvram set vlan0ports="1 2 3 5*"
    nvram set vlan1ports="4 5"
    nvram set vlan6ports="4t 0 5t"

    nvram set vlan1ports="1 2 3 5*"
    nvram set vlan2ports="4 5"
    nvram set vlan6ports="4t 0 5t"

    nvram set vlan1ports="1 2 3 5*"
    nvram set vlan2ports="4 5"
    nvram set vlan6ports="4t 0 5"

    WRT54GL port numbers:

    The problem is that when IPTV is working on the LAN4 port, the WAN port does not receive an IP address from DHCP. Internet comes back only when I remove VLAN 6 from the WAN port. What am I doing wrong?
    @xlebus - I never tried to do such thing.... but I think these links might be useful:

    Here's how I got to those links:
    http://www.linksysinfo.org/index.php?search/35445/&q=iptv vlan&o=date&c[node]=33
    http://www.google.com/search?q=iptv stb vlan6

    Also, this post might be useful/interesting and/or... related (who knows?!?):

    Best of luck!
    (and let us know how/if it works out - cheers!)
    Is it at all possible to tag a 3-digit VLAN ID? If there's anyone who could customize the firmware, I would be gladly thankful =)

    Example of what I'm trying to do:

    I would like the WAN port to carry VLAN 500 and VLAN 600 tagged, LAN port 2 tagged for VLAN 500 and LAN port 3 tagged for VLAN 600.

    Is that possible for tomato?
    Currently, I don't think this would be possible (but that might change in the future).

    You might wanna have a look at post #99, on this thread:

    I would like to test and use the code but I'm not sure where to go to get the latest. I will probably be running 2 different platforms, one that requires the ND version, I think an old Buffalo, and one Linksys GL, and would like to trunk between the two... if anyone can point me in the right direction I would appreciate it... and thanks for the work on the code. :)

    edit..I just noticed the links at the bottom of Toastman posts...is this the place to go for the latest versions?
    Hi Teaman et al.,

    Thanks for your continued work on this.

    Seeing your post made me think to ask you a question: are you aware of issues or additional requirements when trying to use VPN on the main LAN when there is a separate VLAN for a guest LAN? I'm getting some strange behavior, written up here:


    Is anyone successfully using VLAN and VPN simultaneously?

    Just wondering..

    Is there any progress on making a Multi-SSID GUI?

    Or is that still way in the future?
    This might help:

    Also, please notice there's been some recent changes on the firewall code responsible for the whole 'LAN isolation' thing:

    Hopefully, for the best :)

    Woohoo! That does it!

    On both the client and server, my main LAN (that I want to share across the VPN) is on br0. After checking the tunnel names under Advanced > Routing, on the OpenVPN server router I ran:
    iptables -A FORWARD -i br0 -o tun21 -j ACCEPT
    and on the OpenVPN client router I ran
    iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
    Voila! Bi-directional ping happiness, from server's LAN to client's LAN and vice-versa.

    Note to self: the problem was that the local packets were not making it past the router onto the VPN. These commands tell the router to forward those packets.

    Bless you and thank you.

    Now: where should I put those commands so they are always run? Administration > Scripts > WAN Up? Just paste it in there? Will the tunnel names always be the same? Thanks to your GUI among others, I haven't used scripts in Tomato before!

    Thanks very much for your help,
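An added example, not from the post or from Tomato itself: the same FORWARD rule made safe to re-run, which matters if it is placed in a script that executes more than once (Tomato's Administration > Scripts > Firewall script is re-run whenever the firewall is rebuilt). The tun11/tun21 names and the br0 bridge come from the post; the IPT variable and the tun_ifaces helper are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the thread): the br0 -> tun ACCEPT rule from the
# post, wrapped so it can be run repeatedly from a Tomato script without
# stacking duplicate rules. IPT is an assumption that lets the functions be
# exercised with a stand-in command instead of the real iptables binary.
IPT=${IPT:-iptables}

# tun_ifaces: list the tunN interfaces that exist right now (tun11 for the
# OpenVPN client, tun21 for the server in the post), so rules are only
# added for tunnels that are actually up
tun_ifaces() {
    for d in /sys/class/net/tun[0-9]*; do
        [ -e "$d" ] && basename "$d"
    done
}

# allow_forward BR TUN: delete any identical rule first, then append once;
# -D on a rule that is not there is harmless, so re-running stays idempotent
allow_forward() {
    $IPT -D FORWARD -i "$1" -o "$2" -j ACCEPT 2>/dev/null || true
    $IPT -A FORWARD -i "$1" -o "$2" -j ACCEPT && echo "forward $1 -> $2"
}

# only the main LAN (br0) is let into the tunnel; a guest bridge such as br1
# is deliberately left out so guest clients cannot reach the remote site
for t in $(tun_ifaces); do
    allow_forward br0 "$t"
done
```

Return traffic from the tunnel back to br0 still depends on the existing conntrack/RELATED,ESTABLISHED rule, so this adds nothing for the reverse direction beyond what the post already relies on.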
    I have searched but cannot find a specific reference to 802.1Q tagging and the 4200. I did notice, however, that it is by default flagged as "not known to support tagging." I'm only 4 days into playing with my new router after bricking 2 E2000s over the past several months, so suffice it to say I'm a bit gunshy about going too far "off the reservation" to figure things out myself. My backup wifi is a WRT54G2 v1.5 POS for emergencies only, and if you know that model you know what I mean. Can someone point me in the direction of previous posts on the E4200 tagging subject? Also, is there any way to LAGG a couple of the LAN ports? I can't find any reference to that, either.....

    Lastly, my experience with both the VLAN variant and Toastman's bits straight up on the 4200 has produced peculiar wireless results, specifically after 8-10 hours, and unique to my Intel wifi NIC clients only. Without fail, and having tested with .0486 Toast, .0486.2, and VLAN TEAMAN's flavored .0407.1 and .0406.2 variants, the Intel clients drop from respectable throughput levels down to a flat 54 Mbps while my Broadcom and Dell 1505 wifi NICs continue operating normally. I use WPA2-Enterprise with an NPS RADIUS server, but have also tried changing back to just WPA2/AES Personal to see if it was an encryption thing, and before you ask, yes... I 30/30/30'd and erased NVRAM like a good boy each time, and the interference levels are minimal. I've upgraded drivers, etc. to no avail. I should mention I'm running Windows 8 on most of the machines, but at least 2 are still Win 7.

    Thoughts or suggestions? It's been nearly a year since I looked at the Tomato firmware builds, and I have to say the contributing developers have really outdone themselves in such a short time period. Every one of the various flavors I've been playing with this week has shown a level of elegance and polish that is truly outstanding. Just wanted to pass on my thanks to all of you for the work you are doing.

    P.S. Has anybody thought about incorporating Unbound as a replacement option for DNSmasq and/or a solution for DNSSEC into these builds yet?
    Take a look at the settings for the Intel clients, set to full power, disable any power saving settings, and anything else that looks suspicious. On the router, Advanced Wireless, also turn off APSD power saving and play around with the interference mitigation setting. [I know this sounds really crap - but many of my students have had to resort to using a USB adapter to use their laptops at university, and quite a wide variety of different routers are in use as AP's, so it's not just Tomato/Broadcom that have difficulties with Intel's rather notorious wireless].

    Good luck!
    It was the APSD mode, nice call Toastman. Thanks for the heads up.

    And Mr. Berry, pleasant surprise to *bump* into you here. I just used your Profile CACLS/SUBINACLS Script a week or two ago to pull a client out of a user folder redirection mishap jam ;)
    Mark - I've added a link to that ( and some of your other blogs) in "Common Tomato Topics". Thanks!

    Heuristic - that's good news! One problem with doing that is that it can flatten some phone batteries pretty quick if turned off :(
    Thanks guys. Glad that blogging work helps others. Goodness knows I would never remember most of this stuff if I didn't write it up!
    Copied from another thread by TEAMAN, for information purposes...

    Please notice that on VLAN-GUI-enabled builds, when enabling/activating (turning 'on') some features, you must also select/choose on which LAN bridges a particular service/functionality should be 'active' (i.e. for uPnP, which interfaces it should be 'listening', even if you have only one LAN bridge configured/defined on basic-network.asp and/or advanced-vlan.asp).

    Please have a look at forward_upnp.png (attached to this post) and notice the areas marked in red: besides enabling the UPnP service, you must also ensure on which of your LAN interfaces the miniupnp daemon will actually be listening/available (again: even if you have only one LAN bridge set/configured).


    In any case, here's a few pages that might contain/handle features/services that might require additional attention regarding config/settings (such as the caveat mentioned above):
    • advanced-firewall.asp (multicast)
    • advanced-routing.asp (static routes, RIP)
    • forward-upnp.asp (uPnP, NAT-PMP)
    Please notice this is a non-exhaustive (and most likely, incomplete) list, but it's a start ;)
    Hi Teaman, I came across this post on the dd-wrt forum which mentions VLANs above 15: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=86919
    They did it on Tomato on a Linksys E3000. Hope it will help all, including me.
    Yep, it will be fantastic to get this working on Tomato; my internet works on VLAN tag 35, so actually I must use DMZ :(

    Just want to say many thanks for this mod! I have this set up with 4 VLANs in conjunction with an HP ProCurve 1810G-8. I was using Keith Moyer's 1.27 OpenVPN mod with 2 additional WRT54s to achieve something similar but have been able to reduce those numbers with the help of this firmware and the managed switch. I'm not too interested in the MultiSSID as I bridge eth1 to my guest VLAN and use a bridged Time Capsule w/RADIUS for home wireless access.

    One question I do have, though, is in regard to assigning VPN clients' IPs. Do they (the IPs) have to reside on the br0 network or can I use a network assignment from a different VLAN?
    If we're talking about OpenVPN+TAP, then yes. If you're talking about TUN, then you probably should pick a network that doesn't overlap with any other networks known/set on the router.
    Would it be possible to add ipv6 capability to the extra bridges created by the VLAN GUI?

    My ISP serves out a /56 prefix via DHCP-PD on the WAN port. By default, Tomato then picks the first /64 within the /56 and advertises RAs for that prefix on the br0 interface, when it is configured to do so on the basic-ipv6.asp page. I reckon it would be great if, when v6 is enabled, the LAN bridge configuration page had a textbox where I could specify the n-th prefix within the /56 delegated by my ISP to be advertised on that bridge.
    I had a look at the /etc/dhcp6c.conf file on the router and it looks pretty straightforward to enable RAs on multiple interfaces, and to specify which prefix to be advertised on which interface, however that file is obviously not persistent between reboots. I also downloaded the latest Toastman source code but to be honest have no idea where to even begin.

    Anyway, just a suggestion and I hope that all makes sense. It will obviously only work where the ISP is dishing out a prefix shorter than /64 to their customers, but would be great if it did work :)
    I split LAN into LAN (br0) + LAN1 (br1) with Tomato Firmware 1.28.0000 MIPSR2-092 K26 USB BTgui on my Netgear WNR3500L/U/v2 router.
    I want LAN for wired ethernet connections and LAN1 for WLAN connections only.
    I've added LAN Access rules as well, but the PCs on different VLANs still cannot see each other. I want them to reach each other, e.g. reach my wired PC from a wireless laptop connection and vice versa. How do I do that? Am I missing anything else I need to do to achieve my goal?

    Advanced VLAN:
    Bridge eth1 to LAN(br1)
    VID Port 1 Tagged Port 2 Tagged Port 3 Tagged Port 4 Tagged WAN Port Tagged Default Bridge
    1 Yes Yes Yes Yes On * LAN (br0)
    2 Yes WAN
    3 Yes On LAN1 (br1)

    Advanced LAN Access:
    On  Src   Src Address  Dst   Dst Address  Description
    On  LAN                LAN1               Wired to Wireless allowed
    On  LAN1               LAN                Wireless to Wired allowed

    Basic Network:
    Bridge  STP      IP Address  Netmask  DHCP     IP Range (first/last)  Lease Time (mins)
    br0     Enabled                       Enabled  - 103                  1440
    br1     Enabled                       Enabled  - 103                  1440

    Current Routing Table
    Destination  Gateway / Next Hop  Subnet Mask  Metric  Interface
                 *                                0       ppp0 (WAN)
                 *                                0       br1 (LAN1)
                 *                                0       br0 (LAN)
                 *                                0       lo
    default                                       0       ppp0 (WAN)

    Static Routing Table is blank.
    I am unable to forward ports from the outside world and route it to an IP on a VLAN. I added an additional VLAN and am sending any requests coming in from the WAN side of the router on port 3389 (RDP) to the IP address which is on vlan3. For some reason, it is not working. What am I doing wrong or what step am I missing?


    I understand this is a really old thread, but still I need to ask.

    Is it now possible to use VLAN IDs with 3 digits on, e.g., an E4200?

    My ISP is using tagged VID 243 or 845 for IPTV, as well as untagged default for internet, and I would be very happy to replace my Telia-provided Thomson router with my E4200.
