VLAN with multiple AP's on Tomato?

Discussion in 'Tomato Firmware' started by poldim, Dec 16, 2013.

  1. poldim

    poldim Reformed Router Member

    Ultimately, what I'd like is to have the regular secured networks on 2.4 and 5.0 on the LAN, and a separate secured guest LAN that can access the WAN. Right now, accessing the WAN from the second router is not working.

    So I followed the discussion in the following thread, http://www.linksysinfo.org/index.php?threads/how-to-set-up-a-vlan-on-tomato.65405/ and https://code.google.com/p/tomato-sdhc-vlan/wiki/MultiSSIDHOWTOForE3000, and got the multiple SSIDs working on the first router. But I'm having trouble setting it up for the second router as it's only an AP. I have followed the same procedure as the first router, and have the "HOKIES! Guest" SSID created on router 2, but can only access the LAN and not the WAN. In order to connect to this SSID I have to enable the DHCP server on br1, so I guess I'm guessing this is part of the issue. I tried playing with the STP setting but it did not do anything.

    Router 1:

    Router IP Addresses on LAN (br0), on LAN1 (br1)
    DHCP - on LAN (br0), - on LAN1 (br1)

    Router 2:
    Router IP Addresses on LAN (br0), on LAN1 (br1)
    DHCP Disabled on LAN (br0), - on LAN1 (br1)

    Network topology below:
    Last edited: Dec 16, 2013
  2. poldim

    poldim Reformed Router Member

  3. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Trunking vlan's should work.

    ~Edit: Removed steps as I realized my setup was much different than what you described.
  4. mw333

    mw333 Networkin' Nut Member

    VLAN trunking works great. What you may have to do first is map out the physical order of the ports with how they wired them up. They may be in a different order (from the GUI). The red is the gateway, an RT-16n, physical port 1 trunk to physical port 1 green WAP, F7D4301. On the WAP the physical port 2 is br3.

    gateway.PNG wap.PNG
  5. Jeffspears

    Jeffspears Serious Server Member

    Great thread, I have been trying to achieve the same linkage between my two Tomato routers with 2 VLANS but failed miserably. Thank you for clarifying how it's done Mw3333.


    Just to clarify, so for example Port 2 of the Main router will be the LAN line that connects the 2 routers (Master Router N66 & Slave N-16) and I will check the Tagged box for in my case (Br0 & Br1) then I'll go to the slave router and connect the line to port 1 and check the Tagged Boxes for (br0 & Br1) and having it say Yes in both Boxes.

    And this will make the slave which has 2 VLANS linked to the 2 VLANS of the main, meaning all IPs, and traffic and bandwidth limitations can be controlled by the primary since it's controlling all the IPs?

    Do I have the process right? cause it seems really easy :cool:
    Last edited: Dec 25, 2013
  6. mw333

    mw333 Networkin' Nut Member

    Sounds right. Understand trunk: GUI VLAN1 Port2 + tagged (br0) and GUI VLAN3 Port 2 + tagged (br1) on your e3000. And on your RT-N16 you will utilize GUI Port 4 (like red above) for what looks like Port 1 on the back of your slave (labeled LAN1).

    From what I understand the Tomato Team may tweak the GUI column names from time to time to get the ports/switchports lined up. Right now, how are the ports mapped out on your main e3000? Is 1=1 and 2=2, etc? Or is it like the RT-N16 where 4=1?
  7. unoriginal

    unoriginal Serious Server Member

    Correct. As the others have pointed out, you use 802.11q tagging to get your access point (Router 2) to tell your gateway (Router 1) what packets are for your guest network and what packets are for your personal network. You disable DHCP on both br0 and br1 on Router 2, and Router 2 tags the packets so that Router 1 still knows what's br0 and br1 (or rather what's vlan0 and vlan2, or whatever the case may be).

    You also need to put in your gateway's dns address ( in Router 2's DNS. You probably did that already but just making sure.

    There is an additional tweak: you'll want to alter the "Mode" of Router 2 to "Router" in Advanced->Routing from the default of "Gateway," since Router 2 isn't acting as an internet gateway.

    I've also written a mini-HOWTO here on the subject, perhaps someone will find it helpful. There are also many others you can search for.
    Last edited: Dec 27, 2013
  8. Jeffspears

    Jeffspears Serious Server Member

    Thanks for replying, much appreciated, I must admit I am not that network savvy but you made it so easy for me.

    Yes I am aware of the reversed ports in some Tomato installations, thanks for mentioning it. Let me throw you another question which I think I know the answer but I would like to hear the answer from an expert.

    Let's say between the two routers is a switch L2 and of course in the switch I got about 7 other devices connected including that Slave router, now will this cause any issues for the tagged packets or will they make their way safely to the slave switch and it will analyze the packet and understand the tag.

    Thanks for the info, I did not know that, I thought the slave router would figure it out on its own, which I must say sounds silly now.
  9. mw333

    mw333 Networkin' Nut Member

    Please be advised I am no expert. I am an enthusiast.

    To address, "Let's say between the two routers is a switch L2 and of course in the switch I got about 7 other devices connected including that Slave router, now will this cause any issues for the tagged packets or will they make their way safely to the slave switch and it will analyze the packet and understand the tag."

    If I understand correctly, you are taking a trunk and hooking it up to a switch. Is the switch VLAN capable (able to decode the VLAN tags on the traffic coming to it)?

    In the previous dialog you discussed going from one VLAN switch (master) to another VLAN switch (slave). With this arrangement you would effectively "multiplex" your multiple bridge packets through the trunk. The master/slave would then receive and examine each packet's VLAN tag and "demux" it, and place it on the correct bridge. So, the slave would do just fine. But if L2 is just a dumb switch and cannot discriminate VLAN tags ...
  10. Jeffspears

    Jeffspears Serious Server Member

    Yeah I forgot I had a switch in the middle, it's a dumb switch and the L2 is just for Link Aggregation to my NAS.
  11. mw333

    mw333 Networkin' Nut Member

    Link aggregation? That's what trunking does - one cable instead of many.

    Chances are L2 will just "pass through" the VLAN tags and your slave/master will do just fine. Other devices that are connected to L2 will not be able to handle the VLAN tags. If they are on br0, which is the default (see the *), they might work. It would be better to utilize your existing cable as br0 to the switch and get a longer cable to trunk the master/slave that understand the tags.
    Last edited: Dec 28, 2013
  12. mw333

    mw333 Networkin' Nut Member

    I checked out the 802.1q wiki:

    Frames belonging to the native VLAN do not carry VLAN tags when sent over the trunk. Conversely, if an untagged frame is received on a trunk port, the frame is associated with the native VLAN configured on that port.

    For example, if an 802.1Q port has VLANs 2, 3 and 4 assigned to it, with VLAN 2 being the native VLAN, frames on VLAN 2 that are sent from the aforementioned port are not given an 802.1Q header (i.e. they are plain Ethernet frames). Frames that are received on that port and have no 802.1Q header are assigned to VLAN 2. Tagging of frames sent to or received from VLANs 3 & 4 is the same as if no native VLAN had been configured – all frames on those VLANs must carry tags to identify their VLAN membership.
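
The native-VLAN rule quoted above, together with the earlier point that devices which are not VLAN-aware cannot handle tagged frames, can be modelled in a few lines. This is an added example, not part of the thread and not Tomato code; `TrunkPort`, the helper names, the MAC addresses and the payload are constructed for illustration, and accepting a frame explicitly tagged with the native VLAN ID is an assumption of this model.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame, inserting a 4-byte 802.1Q tag when vid is set."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left 0
    return header + struct.pack("!H", ethertype) + payload

def outer_ethertype(frame):
    """What a device that is not VLAN-aware reads as the frame's protocol."""
    return struct.unpack_from("!H", frame, 12)[0]

def parse_vlan(frame):
    """Return (vid, ethertype); vid is None for a plain untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if outer_ethertype(frame) != TPID_8021Q:
        return None, outer_ethertype(frame)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner

class TrunkPort:
    """Hypothetical model of one 802.1Q trunk port."""
    def __init__(self, native_vid, tagged_vids):
        self.native_vid = native_vid
        self.tagged_vids = set(tagged_vids) - {native_vid}

    def egress(self, vid, dst, src, ethertype, payload):
        """Frame as it leaves the port, or None if the VLAN is not on this trunk."""
        if vid == self.native_vid:
            return build_frame(dst, src, ethertype, payload)       # sent untagged
        if vid in self.tagged_vids:
            return build_frame(dst, src, ethertype, payload, vid)  # sent tagged
        return None

    def ingress(self, frame):
        """VLAN the received frame is placed on, or None if it is dropped."""
        vid, _ = parse_vlan(frame)
        if vid is None or vid == 0:   # untagged, or priority-tagged (VID 0)
            return self.native_vid
        return vid if vid in self.tagged_vids | {self.native_vid} else None

# Constructed sample values: the quoted example's VLANs 2, 3, 4 with native VLAN 2.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
TRUNK = TrunkPort(native_vid=2, tagged_vids={3, 4})
```

A frame for VLAN 3 leaves the trunk with `0x8100` where an untagged host expects `0x0800`, which is why only the native VLAN is readable by plain devices sharing an unmanaged switch with the trunk.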