Tomato WiFi VLANs (Part 2)

In another post, I explained how I was able to configure an ASUS RT-AC68U flashed with FreshTomato to broadcast WiFi networks isolated by VLANs. However, I had to set an IP address for every bridge I created in the GUI.

TL;DR: Stop buying consumer-grade equipment and invest in something like Ubiquiti's UniFi (I would have spent less than 10 minutes in their dashboard/app instead of 2 days researching and testing this).

Getting Started

First, I reset the router's config by clearing the NVRAM.

I also wanted to assign the WAN port of my router to VLAN 1. This is almost impossible with the GUI, but easy to change in the NVRAM[1][2]:

# Remove vlan config #2 (default for the WAN port)
nvram unset vlan2ports

# Add port 0 (WAN) to vlan config #1
nvram set vlan1ports="0 1 2 3 4 5*"

# Prevent the VLAN config from being cleared on reboot
nvram set manual_boot_nv=1

The 5* is important: the * marks VLAN 1 as the default VLAN (PVID) for port 5, the SoC, so untagged frames on that port are assigned to VLAN 1. Every VLAN that should reach the CPU also needs port 5 listed. More about that later.
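
Before committing a vlanXports string with manual_boot_nv=1 (a typo here means a trip to the reset button), it is worth checking it offline. The following POSIX sh checker is an added example, not part of the original post or of Tomato: the function names (vlan_ports_ok, untagged_overlap, check_table) and the sample VLAN table are mine. It encodes the rules above, and one more that a practitioner cares about: a physical port (0-4) that is an untagged member of two VLANs leaks frames between the networks the VLANs were meant to separate.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check Tomato-style
# vlanXports strings before they are written to NVRAM and locked in with
# manual_boot_nv=1.
# Rules: port 5 (the SoC) must be a member of every VLAN, at most one
# port per VLAN may carry the "*" PVID marker, and a physical port (0-4)
# must be an untagged member of only one VLAN.

# Constructed sample: one "<vid> <ports>" line per VLAN, mirroring the
# post's layout (WAN = port 0, LAN 1-4 = ports 1-4, SoC = port 5).
VLAN_TABLE='1 0 1 2 3 4 5*
10 0t 5
60 0t 5'

# vlan_ports_ok VID "PORTS": 0 if every token is a port 0-5 optionally
# suffixed with t (tagged) or * (PVID), at most one token has "*", and
# port 5 is present; 1 otherwise, with the reason on stderr.
vlan_ports_ok() {
    vid=$1
    ports=$2
    stars=0
    cpu=0
    for tok in $ports; do
        case "$tok" in
            [0-5]"*") stars=$((stars + 1)) ;;
            [0-5]|[0-5]t) ;;
            *) echo "vlan $vid: bad port token '$tok'" >&2; return 1 ;;
        esac
        case "$tok" in
            5|5t|5"*") cpu=1 ;;
        esac
    done
    if [ "$stars" -gt 1 ]; then
        echo "vlan $vid: more than one port marked '*'" >&2
        return 1
    fi
    if [ "$cpu" -eq 0 ]; then
        echo "vlan $vid: port 5 (SoC) missing, the VLAN never reaches the CPU" >&2
        return 1
    fi
    return 0
}

# untagged_overlap "TABLE": 1 if any physical port (0-4) is an untagged
# member of more than one VLAN, 0 otherwise. Port 5 is skipped because
# Tomato's stock config already lists it untagged in both VLAN 1 and 2.
untagged_overlap() {
    seen=""
    bad=""
    oldifs=$IFS
    IFS='
'
    for line in $1; do
        IFS=$oldifs
        set -- $line
        vid=$1
        shift
        for tok in "$@"; do
            case "$tok" in
                *t|5|5"*") continue ;;
            esac
            port=${tok%"*"}
            case " $seen " in
                *" $port:$vid "*) ;;
                *" $port:"*) bad="$bad $port" ;;
            esac
            seen="$seen $port:$vid"
        done
    done
    IFS=$oldifs
    if [ -n "$bad" ]; then
        echo "untagged on more than one VLAN: port(s)$bad" >&2
        return 1
    fi
    return 0
}

# check_table "TABLE": run both checks over every line of the table.
check_table() {
    oldifs=$IFS
    IFS='
'
    for line in $1; do
        IFS=$oldifs
        vlan_ports_ok "${line%% *}" "${line#* }" || return 1
    done
    IFS=$oldifs
    untagged_overlap "$1"
}

check_table "$VLAN_TABLE" && echo "vlan table looks sane"
```

On the router the table can be built from the live values, e.g. `"1 $(nvram get vlan1ports)"` plus one line per additional VLAN, and run through check_table before setting manual_boot_nv=1.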

VLANs

My current VLAN setup consists of VLAN 10 for general traffic (what my laptop and phones connect to), a VoIP VLAN (irrelevant here), and VLAN 60 for guest WiFi. Since my previous post, I got rid of the separate IoT VLAN, since it caused major issues with Google's Chromecast (mainly audio groups).

Create the WiFi networks

This step is best done in the GUI, since it's more reliable that way. I ended up with the following networks (eth1 is the 2.4GHz radio and eth2 the 5GHz radio, matching the interface names used in the script and the port table below):

Interface   SSID
eth1        Main WiFi
eth2        Main WiFi (5GHz)
wl0.1       IoT WiFi
wl0.2       Guest WiFi
wl1.2       Guest WiFi (5GHz)

Note: When adding the virtual interfaces, you don't need to select a bridge since that will be configured later.

Bridge the networks

Now that the virtual wireless interfaces exist, the last step is linking them to a VLAN. I wrote a script that configures 802.1Q tagging on the internal switch, creates VLAN interfaces, and bridges each wireless interface to the VLAN interface. This is based on a script I found[3].

#!/bin/sh

#
# Set up the trunk port for each VLAN
#     The "t" indicates that frames should be tagged on that port
#     Port 0 is the WAN port, used here as the trunk
#     Port 5 is the SoC
#
robocfg vlan 10 ports "0t 5"
robocfg vlan 60 ports "0t 5"

#
# Create an interface for each VLAN tag on the switch interface (eth0)
# and bring them up. The rest of this script expects the names vlan10
# and vlan60; if your vconfig creates eth0.10 instead, run
#
#     vconfig set_name_type VLAN_PLUS_VID_NO_PAD
#
# before the "vconfig add" lines.
#
vconfig add eth0 10
vconfig add eth0 60

ifconfig vlan10 up
ifconfig vlan60 up

#
# Create a bridge for the "general" network
#
brctl addbr br10

# Remove the 2.4GHz radio from the default bridge and add it to our VLAN bridge
brctl delif br0 eth1
brctl addif br10 eth1

# Remove the IoT network from the default bridge and add it to our VLAN bridge
brctl delif br0 wl0.1
brctl addif br10 wl0.1

# Remove the 5GHz radio from the default bridge and add it to our VLAN bridge
brctl delif br0 eth2
brctl addif br10 eth2

# Add the VLAN interface to the bridge and bring it up
brctl addif br10 vlan10
ifconfig br10 up

#
# Create a bridge for the "guest" network
#
brctl addbr br60

# Remove the 2.4GHz guest network from the default bridge and add it to our VLAN bridge
brctl delif br0 wl0.2
brctl addif br60 wl0.2

# Remove the 5GHz guest network from the default bridge and add it to our VLAN bridge
# (it must go into br60, not br10, or guest clients end up on the main network)
brctl delif br0 wl1.2
brctl addif br60 wl1.2

# Add the VLAN interface to the bridge and bring it up
brctl addif br60 vlan60
ifconfig br60 up

#
# Record the bridge membership in NVRAM so Tomato's own interface
# lists match what was just done with brctl
#
nvram set lan_ifnames="vlan1"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan10 eth1 eth2 wl0.1"
nvram set lan1_ifname="br10"

nvram set lan2_ifnames="vlan60 wl0.2 wl1.2"
nvram set lan2_ifname="br60"

#
# Restart the wireless services to apply the changes
#
killall eapd
eapd
service wireless restart
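
After running the script, the thing to verify is that every interface landed in the bridge it was meant for; a guest SSID bridged into the main LAN is silent until someone notices their guests can reach the NAS. The following POSIX sh check is an added example, not part of the original post or of Tomato: it parses the output of `brctl show` (which does exist on the router), and the sample outputs, bridge ids and the function names (bridge_of, check_bridges) are mine. The "bad" sample reproduces exactly the slip of adding wl1.2 to br10 instead of br60.

```sh
#!/bin/sh
# Added example, not from the original post: verify that every wireless
# and VLAN interface ended up in the intended bridge by parsing
# "brctl show" output. The sample outputs below are constructed (bridge
# ids zeroed); on the router, pass "$(brctl show)" instead.

# Expected membership, one "<interface> <bridge>" per line, matching the
# nvram lan*_ifnames values set at the end of the post's script.
EXPECTED='vlan1 br0
vlan10 br10
eth1 br10
eth2 br10
wl0.1 br10
vlan60 br60
wl0.2 br60
wl1.2 br60'

# Constructed brctl output for a correct run...
BRCTL_GOOD='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              vlan1
br10            8000.000000000000       no              vlan10
                                                        eth1
                                                        eth2
                                                        wl0.1
br60            8000.000000000000       no              vlan60
                                                        wl0.2
                                                        wl1.2'

# ...and for the copy-paste slip where the 5GHz guest interface is added
# to br10 instead of br60, putting guest clients on the main LAN.
BRCTL_BAD='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              vlan1
br10            8000.000000000000       no              vlan10
                                                        eth1
                                                        eth2
                                                        wl0.1
                                                        wl1.2
br60            8000.000000000000       no              vlan60
                                                        wl0.2'

# bridge_of IFACE "OUTPUT": print the bridge containing IFACE, or nothing.
# brctl prints a bridge's first port on the bridge's own line (4th field)
# and each further port alone on a continuation line.
bridge_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1  { next }                  # header line
        NF == 3  { br = $1; next }         # bridge with no ports
        NF >= 4  { br = $1; name = $4 }    # bridge line with its first port
        NF == 1  { name = $1 }             # continuation line: port only
        name == want { print br; exit }
    '
}

# check_bridges "EXPECTED" "OUTPUT": report every interface that is not
# where it should be; return 1 if there was any mismatch.
check_bridges() {
    rc=0
    oldifs=$IFS
    IFS='
'
    for entry in $1; do
        IFS=$oldifs
        iface=${entry%% *}
        want=${entry##* }
        got=$(bridge_of "$iface" "$2")
        if [ "$got" != "$want" ]; then
            echo "$iface: expected in $want, found in ${got:-no bridge}" >&2
            rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

check_bridges "$EXPECTED" "$BRCTL_GOOD" && echo "bridges match"
check_bridges "$EXPECTED" "$BRCTL_BAD" || echo "bridges do not match"
```

On the router, `check_bridges "$EXPECTED" "$(brctl show)"` at the end of the script turns the silent misplacement into a visible failure; `robocfg show` is the equivalent place to eyeball the switch side of the same configuration.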

Internal Ports

The RT-AC68U's internal wiring is less straightforward than it looks[4]. It's not as simple as each port and radio having its own physical interface to the SoC: the five switch ports (WAN and LAN 1-4) all reach the SoC through a single interface, eth0, and are told apart only by the VLAN tag on the switch's CPU port, while each radio does have its own interface.

Virtual port   Physical port   Interface   Default VLAN
0              WAN             eth0        VID 2
1              LAN 1           eth0        VID 1
2              LAN 2           eth0        VID 1
3              LAN 3           eth0        VID 1
4              LAN 4           eth0        VID 1
5              SoC (CPU)       eth0        VID 1 and 2 (PVID 1, the "5*" above)
N/A            2.4GHz radio    eth1        N/A; bridged to LAN (br0)
N/A            5GHz radio      eth2        N/A; bridged to LAN (br0)

[1] https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports
[2] https://www.linksysinfo.org/index.php?threads/converting-wan-to-lan-port.26585/
[3] https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/post-360410
[4] https://coertvonk.com/sw/networking/dd-wrt-heading-two-networks-asus-rt-ac68u-11717