So after getting a quarter of the way through a comment to a question somebody had on my Ubiquiti APs, TomatoUSB, VLANS, and Linksys e3000 post, I realized it would probably work better as a post instead. Christoph’s question was:
How did you wire everything? I’m trying to do the same and had no luck. I only have one UAP, but if I turned on tagging for the Port I used for each bridge, I wouldn’t even get an IP.
I would like Management and Home to be one vlan, and guest another, so my setup is simpler. Maybe knowing how you wired it will help.
Thanks!
I’m going to walk essentially through what steps I remember taking to get up that far.
Assumptions
- VLAN 2: Home / Management
- VLAN 3: DMZ
- UAP plugged into Port 1
- Admin Computer plugged into Port 4
- Management / Home network is 192.168.1.0/24
- Guest network is 192.168.2.0/24
- You have a VLAN edition of Toastmans TomatoUSB mode
Setting up TomatoUSB
- In the Tomato Web Interface, Advanced -> VLAN, make sure you have VLAN 2 and 3 setup. To add each VLAN, just click the “Add” button and fill in the VLAN and VID so they match. (Fuzzy memory alert) You want to make sure that the existing bridge, br0, is attached to VLAN 2, and make sure that Port 4 has “Yes” for LAN (br0) and Tagged is blank. I set VLAN 15 to WAN. For VLAN 3, the bridge will be set to “none”. Click Save.
- Now navigate to Basic -> Network. Under LAN, click to add a new bridge LAN 1 (br1). Make sure DHCP is enabled, IP address is 192.168.2.1, and netmask is 255.255.255.0. Change the IP Range to whatever range you would like the DHCP server to give out in that ip subnet (so 192.168.2.10 – 192.168.2.200). Scroll down and click Save.
- Now go back to Advanced -> VLAN, for the bridge for VLAN 3, now select LAN1 (br1). Click the OK button and then click the Save button at the bottom of the page.
- At this point, you will want to setup your ports how you want them (assigned VLAN or tagged). On port 1, you will make sure that both VLAN 2 and VLAN 3 are set as Tagged (will fix later).
- Now we need to telnet (or SSH if enabled) into the router to fix port 1 so that VLAN 2 is not tagged, but VLAN 3 is tagged. Follow the steps in the earlier post. Use the “# nvram show | grep vlan2ports” command to which ports are setup on VLAN 2 and with tagging. Just copy those values over into the “nvram set vlan2ports=””” section, and then change 4t to just 4. The ports go in reverse of their name. Click enter, run “nvram commit”, and then “reboot”.
- When you go back into Advanced -> VLAN, you should see that Port 1 has VLAN 2 blank in tagged column, but VLAN 3 has Yes.
- If you want to allow access from one network to another, go to Advanced -> LAN Access. In there you basically handle a basic firewall access by allowing all access from one vlan to another, or one ip address on a vlan to another ip on another vlan or the entire vlan. Unfortunately, it does not do firewally at a port level. You will need to use the command line in Tomato to do that if you need it. This is only for firewalls between VLANs though, as port forwarding from the outside is done the traditional way.
Setting up Ubiquiti AP
When setting up Ubiquiti, your home network SSID should not be assigned to a VLAN (leave it blank). Your guest network SSID should be assigned to VLAN 3. At this point, if all went well, your AP should pick up an IP and clients on each SSID should get assigned to the correct subnet.
Thanks for the post. The issue really was the tagging. When I set both (I only have two) VLANs to Port 4 and Tagged, I would lose all connectivity and had to restore my router.
So for me, I left everything the way it was, and then just set my vlan2ports=”1t 8″ (since Port 1 in this list is Port 4 on the router), resulting in VLAN 1 to remain untagged and VLAN 2 to be tagged. My numbers are different, but the concept the same: Management VLAN untagged (ID 1), Guest SSID VLAN tagged (ID 2 in my case).
Thanks for clarifying!
I can’t tell you the number of times that I locked myself out at first due to the dance you have to play on there. I really wish you could restrict it to applying until you were all done. In the end when configuring I kept port 4 on the right vlan at all times and turned one of the wireless on and set to the vlan also. When I make changes, I usually turn on that AP, make the change, confirm the change, and then turn of the AP again (the 2.4 built into the e3000 that is usually off since Ubiquiti AP does a better job). Glad it helped.
Also to note, if you go back into the VLAN interface and make a change, you have to then go back in and update the NVRAM, because the interface wants to “fix” your change, regardless of if that is the record you’re updating. I could have probably went and patched the interface instead, but didn’t want to get into that at this time.
Just thought I’d drop a great big thank you! I was able to use your instructions to tag multiple vlans on Ubiquiti AP LR with Tomato “Shibby”. Although the ports on my Asus Rt10p were different. Ie, port 1 was labeled as ‘3’ instead of reverse. For my vlan3ports was 3t 5* which I then changed to nvram set vlan3ports=”3 5*”. So in short it seems to work if you just deal with the port configuration your tomato gives you 😀