Tomato WiFi VLANs (Part 2)
In another post, I explained how I was able to configure an ASUS RT-AC68U flashed with FreshTomato to broadcast WiFi networks isolated by VLANs. However, I had to set an IP address for every bridge I created in the GUI.
TL;DR: Stop buying consumer-grade equipment and invest in something like Ubiquiti's UniFi (I would have spent less than 10 minutes in their dashboard/app instead of 2 days researching and testing this).
First, I reset the router's config by clearing the NVRAM.
I also wanted to assign the WAN port of my router to VLAN 1. This is almost impossible witht the GUI, but easy to change in the NVRAM:
# Remove vlan config #2 (default for the WAN port) nvram unset vlan2ports # Add port 0 (WAN) to vlan config #1 nvram set vlan1ports="0 1 2 3 4 5*" # Prevent the VLAN config from being cleared on reboot nvram set manual_boot_nv=1
5* is important, since the
* configures the SoC to be the default port for VLAN 1. More about that later.
My current VLAN setup consists of VLAN 10 for general traffic (what my laptop/phones connect to), and VoIP VLAN (irrelevant here), and VLAN 60 for guest WiFI. Since my previous post, I got rid of the separate IoT VLAN since that caused major issues with Google's Chromecast (mainly audio groups).
Create the WiFi networks
This step can be done in the GUI, since it's more reliable that way. I ended up with the following networks:
|eth1||Main WiFi (5GHz)|
|wl1.2||Guest WiFi (5GHz)|
Note: When adding the virtual interfaces, you don't need to select a bridge since that will be configured later.
Bridge the networks
Now that the virtual wireless interfaces exist, the last step is linking them to a VLAN. I wrote a script that configures 802.1Q tagging on the internal switch, creates VLAN interfaces, and bridges each wireless interface to the VLAN interface. This is based on a script I found.
#!/bin/sh # Setup the trunk port for each VLAN # The "t" indicated that frames should be tagged on that port # Port 0 is the WAN port # Port 5 is the SoC robocfg vlan 10 ports "0t 5" robocfg vlan 60 ports "0t 5" # Create interfaces for each VLAN tag and bring them up # The interfaces created by this command need to be in the format: vlanXXXX # This can be changed using: # # vconfig set_name_type VLAN_PLUS_VID_NO_PAD vconfig add eth0 10 vconfig add eth0 60 ifconfig vlan10 up ifconfig vlan60 up # # Create a bridge for the "general" network # brctl addbr br10 # Remove the 2.4GHz radio from the default bridge and add it to our VLAN bridge brctl delif br0 eth1 brctl addif br10 eth1 # Remove the IoT network from the default bridge and add it to our VLAN bridge brctl delif br0 wl0.1 brctl addif br10 wl0.1 # Remove the 5GHz radio from the default bridge and add it to our VLAN bridge brctl delif br0 eth2 brctl addif br10 eth2 # Add the VLAN interface to the bridge and bring it up brctl addif br10 vlan10 ifconfig br10 up # # Create a bridge for the "guest" network # brctl addbr br60 # Remove the 2.4GHz radio from the default bridge and add it to our VLAN bridge brctl delif br0 wl0.2 brctl addif br60 wl0.2 # Remove the 5GHz radio from the default bridge and add it to our VLAN bridge brctl delif br0 wl1.2 brctl addif br10 wl1.2 # Add the VLAN interface to the bridge and bring it up brctl addif br60 vlan60 ifconfig br60 up # # Reconfigure the interfaces for the SoC # nvram set lan_ifnames="vlan1" nvram set lan_ifname="br0" nvram set lan1_ifnames="vlan10 eth1 eth2 wl0.1" nvram set lan1_ifname="br10" nvram set lan2_ifnames="vlan60 wl0.2 wl1.2" nvram set lan2_ifname="br60" # # Reset the wireless services to apply changes # killall eapd eapd service wireless restart
The RT-AC68U has some complex internal networks happening. It's not as simple as each port and radio having their own physical interface to the SoC.
|Virtual Port||Physical port||Interface||Default VLAN|
|1||LAN 1||eth0||VID 1|
|2||LAN 2||eth0||VID 2|
|3||LAN 3||eth0||VID 2|
|4||LAN 4||eth0||VID 2|
|5||SoC (CPU)||eth0||VID 2|
|N/A||2.4GHz Radio||eth1||N/A; bridged to LAN|
|N/A||5GHz Radio||eth2||N/A; bridged to LAN|