Setting up multiple Wi-Fi SSIDs with VLANs on AdvancedTomato
AdvancedTomato is a GUI for the Shibby fork of Tomato, a custom firmware for wireless routers with Broadcom chipsets. After moving to a new apartment, I had an Asus RT-AC68U laying around, which supports AdvancedTomato. At the time of this writing, AdvancedTomato hasn't received an update in almost two years. This is because the project depends on updates to the Shibby fork, which also hasn't been updated. There is another version of Tomato called FreshTomato, which has more recent builds and security fixes. When I have time, I'll probably flash my router with FreshTomato (unless I upgrade to a UniFi system before then).
Networks
We'll be configuring three networks and their respective SSIDs: LAN, IoT, and Guest
The LAN network has full access to everything, no VLAN, and is the native SSID on the router.
The IoT network is restricted to internet access only and has mDNS "repeated" between it and the LAN network.
The Guest network is for guests to access the internet only, and has bandwidth restrictions.
AP Mode
Under Basic Settings > Network > WAN Settings:
Set Type to Disabled
Set Bridge WAN to LAN to Enabled
Bridges
Under Basic Settings > Network > WAN Settings, create two other bridge interfaces br1 and br2:
| Bridge | IP Address | Netmask |
|---|---|---|
| br1 | 10.8.0.253 | 255.255.255.0 |
| br2 | 10.9.0.253 | 255.255.255.0 |
br1 will be used for the IoT network, and br2 will be used for the Guest network.
Don't forget to hit Save at the bottom of the page.
Create Virtual SSIDs
Under Advanced Settings > Virtual Wireless:
Create two additional 2.4GHz networks (and additionally 5GHz networks if you prefer), and assign the new networks to each bridge that were created earlier.
VLANs
To actually segregate traffic, VLANs will be used (in conjunction with a router/firewall that supports them). Under Advanced Settings > VLAN, create two VLANs:
| VLAN | VID | WAN Port | Tagged | Bridge |
|---|---|---|---|---|
| 8 | 8 | Yes | Yes | br1 |
| 9 | 9 | Yes | Yes | br2 |
VLAN 8 is setup for the IoT network, and VLAN 9 is setup for the Guest Network.
Block GUI Access
In order to block access to the GUI from the Guest and IoT networks, a Firewall script must be added:
#!/bin/sh
iptables -I INPUT -i br1 -j DROP
iptables -I INPUT -i br2 -j DROP