Two isolated separate LAN subnets and rate limiting.

NOTE
This article refers to MIPSR2 builds of Tomato.
It worked for me on Asus RT-N16.
Contributions are welcome.

Multiple LAN subnets

This how-to will be of help in situations where a specified group of users are uncomfortable with protecting shared directories with passwords, where unauthorised users should not be allowed to browse Windows shares on certain PC's, and in cases where it is necessary to completely separate one group of PC's from another.

Router Setup

Access the router through ssh or telnet. On Windows you can use Putty. On GNU/Linux you can use the Terminal.

In the router console, type the following command:

nvram show | grep vlan.ports

If you get the following output you are ready to proceed:

vlan1ports=4 3 2 1 8*
vlan2ports=0 8

Type the following commands one by one:

nvram set vlan1ports="3 2 1 8*"
nvram set vlan3hwname=et0
nvram set vlan3ports="4 8"
nvram set manual_boot_nv=1
nvram commit

This will isolate port 4 from the ethernet bridge and it will be assigned to the virtual LAN vlan3.

You can type exit to exit from the shell prompt.

Launch a browser and go to the tomato GUI. Select Administration -> Scripts -> Init and insert this code at Init:

sleep 10; ifconfig vlan3 10.0.0.1 netmask 255.255.255.0 up;

Click save.

Here I have used class 1 IP. It can be changed if you wish to have a class 3 IP. But see that it will be different from the default subnet (the one you have configured in the GUI).

Next go to Administration -> Scripts -> Firewall and insert this code:

iptables -I INPUT -i vlan3 -j ACCEPT;
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan3 -j DROP;

Click save.

The last rules drops packets between the existing subnet br0 and the subnet you just created vlan3. If you are using QOS and some other firewall rules, the above script should be inserted at the end of the rules you have already specified. This is very necessary for QOS to function properly.

Next go to Advanced -> DHCP / DNS and add this at Dnsmasq custom configuration:

interface=vlan3
dhcp-range=net:vlan3,10.0.0.200,10.0.0.249,255.255.255.0,1440m
dhcp-option=vlan3,3,10.0.0.1
dhcp-option=vlan3,6,208.67.222.222

Click save.

In line 4 I have used Open DNS server IP. You can use any DNS server IP of your preference.

Reboot the router and connect the ethernet cable from the network, which you want on the second subnet, to Ethernet port 1 which is on the left end of the router if the front part of the router is facing you.

PC Setup

Use the following network settings on the PC's. The IP should be changed if there are more PC's.

IP: 10.0.0.2
MASK: 255.255.255.0
Gateway: 10.0.0.1
DNS SERVER: 10.0.0.1

If this doesn't work connect the ethernet cable to the port 4 (right side) and try if it works.

Rate limiting on vlan3

Lets assume that we need 2 Mbits up/down rate and the cieling (hard limit) we want is 2.4 Mbits on vlan3. The following line of code should be put at wan up script.

tc qdisc add dev vlan3 root tbf rate 2mbit burst 10kb latency 70ms peakrate 2.4mbit minburst 1540

Thats it. Reboot the router and it'll do the magic.

You can also login via the shell, and give the above command at the shell prompt.

If you want to see if the rules are applied, you can enter the following code at the shell prompt.

tc -s qdisc ls dev vlan3

If you're trying it on defualt tomato interfaces (vlan2, br0 etc.), the chances are that they already have some tc rules. In such cases the existing rules need to be deleted. This code can be used to delete the rules.

tc qdisc del dev vlan3 root

Once you apply a tc qdisc rule on vlan3, if you want to try alternative tc configurations, you must delete the existing rules. If not deleted you will get an error.

You can refer this page for more information. Creating a separate guest network with tomato.

ADDITION - by Toastman November 2010

I wondered if it were possible to get MiniUPnPd working on the vlans. Looking at the config, it seemed to be a matter of setting the listening_ip to the IP addresses of the vlan ports in router/miniupnpd.conf file and recompiling it, but seems like the router builds a config file of its own at runtime.

I followed a suggestion of Teddy Bear's from this thread http://www.linksysinfo.org/forums/sh...ad.php?t=65290 and established that ports can be opened from the vlans to the outside world, though the config didn't survive a reboot. I solved this by adding the vlan as a upnp "listening port" by loading a small configuration file from JFFS usb stick.

e.g.

listening_ip=10.0.0.1/255.255.255.0
allow 1024-65535 10.0.0.1/255.255.255.0 1024-65535

So QOS and UPnP / NAT-PMP works correctly on all vlans.

The last remaining issue is that of the QOS - details displaying incorrectly - which isn't so important anyway.

July 2 2011

There's now a GUI for vlan setup from Augusto Bott (Teaman). This link refers:

http://www.linksysinfo.org/forums/showthread.php?t=66865

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License