Setting up guest wireless access on Tomato

Guest wireless access is handy when you want to separate guest devices (your friends’ phones and laptops) from your own devices connected to the main network.

To get started, you need a router capable of guest wireless (not every router can do this), already set up and running either DD-WRT or Tomato. This tutorial explains how to set up a router running Tomato that is used only as an access point (WAN is disabled/unplugged).

Create bridge

Navigate to Basic > Network. In the LAN section, select a bridge number, fill in the IP address / netmask for the new virtual network, check DHCP and fill in the range of addresses DHCP may hand out on it.

Then click the Add button; the settings should look similar to:

[Screenshot: tomatovlan_0_createbridge_result]

Scroll down and Save settings.

Create VLAN

Navigate to Advanced > VLAN. In the VLAN section fill in data:

  • select VLAN: 3
  • enter VID: 3
  • select Bridge: LAN1 (br1)

and click on the Add button. Double check that settings are similar to:
[Screenshot: tomatovlan_1_createvlan_result_restart]

Then scroll down and click Save. The router will restart at this point.

Virtual Wireless

Navigate to Advanced > Virtual Wireless. In the Overview tab, under Virtual Wireless Interfaces, fill in the information:

[Screenshot: tomatovlan_2_createvirtwl]

  • select Interface: wl0.1
  • enter desired SSID for the guest wireless
  • select Mode: Access Point
  • select Bridge: LAN1 (br1)

then click the Add button. You will be taken to the WL0.1 tab to configure the wireless network further:
[Screenshot: tomatovlan_3_setupvirtwl]

Here you can set your wireless SSID (again) and security options. Once you’re done, scroll down and you’ll notice the Save button has turned into an Overview button. Click it and you’ll be returned to the Overview tab. You can now scroll down and click Save.

Navigate to Advanced > VLAN and in the Wireless section confirm that guest wireless is assigned to the correct bridge:

[Screenshot: tomatovlan_3_setupvirtwl_confirm]

Your virtual wireless is now all set up. It should be visible, you should be able to connect to it, and your device should receive an IP address. However, you’ll notice that there’s no internet access (yet).

Internet connectivity

For this last step you’ll need to configure the firewall on Tomato to forward guest traffic onto the main network. Navigate to Administration > Scripts and enter the following rules in the Firewall tab:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

The first rule lets new connections arriving on the guest bridge (br1) be forwarded; the second rewrites the source address of traffic leaving through the main bridge (br0) to the router’s own LAN address, so hosts on the main network only ever see the router, never the guest subnet.

[Screenshot: tomatovlan_4_firewall]

The rules above are the bare minimum for guest devices to reach the internet. Note that they also let guests reach your main network devices (if anyone knows your IPs or scans for them). The next rule blocks such access, permitting it only to 10.0.0.1 and 10.0.0.251-254. Because -I inserts at the head of the FORWARD chain, this rule lands ahead of the ACCEPT rule above, which is what makes it effective:
iptables -I FORWARD -i br1 -m iprange --dst-range 10.0.0.2-10.0.0.250 -j REJECT

If you find the router leaking DHCP leases from the guest network into the main network, also add the following rules, which reject DHCP traffic (ports 67 and 68) arriving on the main bridge:
iptables -I INPUT -i br0 -p tcp --dport 67:68 --sport 67:68 -j REJECT
iptables -I INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j REJECT
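As an added example (not part of the original tutorial), the following POSIX shell script generates the same rule set from a few parameters so it can be reviewed with a dry run before being pasted into Administration > Scripts > Firewall. It keeps the tutorial’s logic but places the guest rules in a dedicated chain (named GUEST_FWD here, my choice) so that re-running the script, which Tomato does on every firewall restart, does not stack duplicate rules, and it makes the REJECT-before-ACCEPT ordering explicit. The interface names, the router address 10.0.0.1 and the blocked range are assumptions taken from the tutorial’s 10.0.0.0/24 layout; adjust them for your network.

```shell
# Added example, not from the original tutorial. Builds the guest-network
# firewall rules for Tomato from a few parameters. Assumptions (placeholders):
# guest bridge br1, main-LAN bridge br0, router LAN IP 10.0.0.1 and the
# 10.0.0.0/24 layout used in the tutorial. The chain name GUEST_FWD is my choice.

# guest_fw_rules GUEST_BR LAN_BR LAN_IP BLOCKED_RANGE
# Prints the iptables commands; nothing is applied here.
guest_fw_rules() {
    guest_br="$1"; lan_br="$2"; lan_ip="$3"; blocked="$4"
    cat <<EOF
# --- guest network rules for $guest_br (generated) ---
# A dedicated chain is flushed and rebuilt on every run, so Tomato re-running
# this script on a firewall restart does not pile up duplicate rules.
iptables -N GUEST_FWD 2>/dev/null
iptables -F GUEST_FWD
# Order matters: isolate from the main LAN first, then allow other new flows.
iptables -A GUEST_FWD -m iprange --dst-range $blocked -j REJECT
iptables -A GUEST_FWD -m state --state NEW -j ACCEPT
# Jump into the chain for traffic entering from the guest bridge. The -D
# removes a jump left by a previous run (it fails harmlessly if none exists).
iptables -D FORWARD -i $guest_br -j GUEST_FWD 2>/dev/null
iptables -I FORWARD -i $guest_br -j GUEST_FWD
# Source-NAT guest traffic leaving towards the main LAN as the router itself.
iptables -t nat -D POSTROUTING -o $lan_br -j SNAT --to $lan_ip 2>/dev/null
iptables -t nat -I POSTROUTING -o $lan_br -j SNAT --to $lan_ip
# Stop the router's DHCP server from answering requests on the main LAN.
iptables -D INPUT -i $lan_br -p udp --dport 67:68 --sport 67:68 -j REJECT 2>/dev/null
iptables -I INPUT -i $lan_br -p udp --dport 67:68 --sport 67:68 -j REJECT
EOF
}

# apply_guest_fw: run the generated rules. Set DRY_RUN=1 to only print them.
apply_guest_fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        guest_fw_rules "$@"
    else
        guest_fw_rules "$@" | sh
    fi
}

# Example invocation mirroring the tutorial's values. It only runs when
# GUEST_FW_RUN=1 is set, so sourcing this file for review is safe.
# Dry run on a PC:  LAN_IP=10.0.0.1 DRY_RUN=1 GUEST_FW_RUN=1 sh guest_fw.sh
# On the router, LAN_IP falls back to the value stored in nvram.
if [ "${GUEST_FW_RUN:-0}" = "1" ]; then
    lan_ip="${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null)}"
    apply_guest_fw br1 br0 "$lan_ip" 10.0.0.2-10.0.0.250
fi
```

The dry run prints exactly what would be executed, so the ordering inside GUEST_FWD and the SNAT target can be checked by eye before anything touches the live firewall; the `-D` before each `-I` is what keeps the FORWARD, POSTROUTING and INPUT chains free of duplicates across restarts.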

And you’re done. Enjoy your guest wireless (or better yet, let your guests enjoy it).


20 Comments

    1. The tutorial is about how to configure a wireless network for guest access. In my case I was only using the device in the screenshots as an AP, so its WAN was disabled – you don’t need to configure anything related to the WAN.

      Zed
So after successfully setting up a guest network for 2.4 and 5 GHz, none of the clients can access the internet. I too do not use the WAN port on my Asus RT-N66U; the router is just connected to a local network that uses a firewall for connecting to the internet.

    That means that the firewall rules mentioned in the article do not work for my 1.28 Tomato.

    Any hints to get this running properly?
    Thanks,
    Michael

    M
    1. That’s expected, as the firewall rules in the tutorial perform NAT to the WAN port.
      They’d need adjusting, but how should the guests be isolated from your LAN if they share the same IP address block and are forwarded through the same router?

      Zed
  2. Thank you very much! I spent days trying to get this working using DD-WRT on my Asus RT-AC56U. And it worked first time on Tomato Shibby 1.28.

    It seems the firmware is good and your instructions are great! But this is such a common requirement that I’m surprised there isn’t an easier one-step procedure allowed for in the Web GUI.

    Thanks again!

    Paul Beardsell
  3. Worked perfectly. Thanks a bunch!

Though I’m curious about a couple of things. First off, is there a way to block users on the guest network from downloading stuff?
    I mean browsing, checking Snapchat etc. should work fine.

    But I don’t want some randoms sitting on my guest network downloading movies etc.
    Is there a way to block such traffic only on the guest network?

    Secondly, I kinda want to troll my guest users a bit..
    Is it possible to force a rickroll video in the captive portal agreement thingy?
    Or even just always send the users on the guest network back to a rickroll page, regardless of what they type in the browser? Say they want to open Google but get redirected right away to a rickroll page 😀

I needed to change this line "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`" to "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)" in order to get it working with Shibby 1.28.
    There was no need for "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT"; it worked without it.

    Joop
