Setting up multiple Wi-Fi SSIDs with VLANs on AdvancedTomato

Posted in Guide on Apr 03, 2020 (updated Apr 04, 2020)

AdvancedTomato is a GUI for the Shibby fork of Tomato, a custom firmware for wireless routers with Broadcom chipsets. After moving to a new apartment, I had an Asus RT-AC68U laying around, which supports AdvancedTomato. At the time of this writing, AdvancedTomato hasn't received an update in almost two years. This is because the project depends on updates to the Shibby fork, which also hasn't been updated. There is another version of Tomato called FreshTomato, which has more recent builds and security fixes. When I have time, I'll probably flash my router with FreshTomato (unless I upgrade to a UniFi system before then).


We'll be configuring three networks and their respective SSIDs: LAN, IoT, and Guest

The LAN network has full access to everything, no VLAN, and is the native SSID on the router.

The IoT network is restricted to internet access only and has mDNS "repeated" between it and the LAN network.

The Guest network is for guests to access the internet only, and has bandwidth restrictions.

AP Mode

Under Basic Settings > Network > WAN Settings:

Set Type to Disabled

Set Bridge WAN to LAN to Enabled


Under Basic Settings > Network > WAN Settings, create two other bridge interfaces br1 and br2:

Bridge IP Address Netmask

br1 will be used for the IoT network, and br2 will be used for the Guest network.

Don't forget to hit Save at the bottom of the page.

Create Virtual SSIDs

Under Advanced Settings > Virtual Wireless:

Create two additional 2.4GHz networks (and additionally 5GHz networks if you prefer), and assign the new networks to each bridge that were created earlier.


To actually segregate traffic, VLANs will be used (in conjunction with a router/firewall that supports them). Under Advanced Settings > VLAN, create two VLANs:

VLAN VID WAN Port Tagged Bridge
8 8 Yes Yes br1
9 9 Yes Yes br2

VLAN 8 is setup for the IoT network, and VLAN 9 is setup for the Guest Network.

Block GUI Access

In order to block access to the GUI from the Guest and IoT networks, a Firewall script must be added:

iptables -I INPUT -i br1 -j DROP
iptables -I INPUT -i br2 -j DROP