This post will guide you on how to create or setup an isolated/separate guest WiFi network using the Tomato router firmware. The procedure is created using Tomato Mod by Shibby. Nonetheless, the procedure will still be the same if you are running a Toastman, Victek, Teaman build or any other similar tomato firmware.
This tutorial is a part of the Tomato Tutorial Series.
Tomato Guest WiFi
What the heck Tomato Guest WiFi is for, anyway? Well, by creating a guest wifi you will be adding a “virtual network” where your “guest” can connect to. By using this, you are not giving that long password for every friend or colleague that ask you to use your internet connection. Also, you may not also want those guests to communicate to all the devices in your network and possibly browsing files in your NAS (Samba Sharing) they are not allowed to reach. Basically, this can be done to limit the activity of any person other than you and keep yourself safe.
There are many other reasons why you are going to create a guest network.
Preliminary Requirements:
- Router running tomato (any version, Shibby mod recommended)
- Basic knowledge on configuring a router (should know IP/Gateway address and login credentials)
Test Environment:
This tutorial was made using a Catch Tech CW-5358U wireless router running Tomato by Shibby version 121 K26 RT-N NoCat-VPN. As of this writing, the latest firmware released by Shibby via tomato.groov.pl is version 130. However, this version was not stable in my setup/in my hardware (running via wireless client + guest wifi). I found version 121 to be the most stable version for my usage, balancing the latest build possible I could utilize inline with its performance.
More: The instability of the build beyond 121 is due to the additional wireless interface when running under Wireless Client mode. If you use your router as the primary one or if it is directly connected to your modem, the latest build is definitely good for you.
Configuring the Router
Basic Settings
- Login to your router’s default gateway. (It is 192.168.1.1 by default, username: admin, password: admin).
2. Navigate to Basic Settings > Network.
3. Under the LAN category, create a new bridge named br1 (1 in dropdown menu).
4. Chose an IP address different from the first entry (but within the 192.168.xxx.xxx private IP range) , for example: 192.168.2.1 so that the new network will be separated from the primary one. Type in 255.255.255.0 in the netmask field, check DHCP.
5. Other optional settings are altering the DHCP IP range. If you want that only 2 devices can connect at a time, set it like 192.168.2.2 – 192.168.2.3. The least time is the time before a device’s session expires. The default is 1440 min or 24 hours. You may want to make it 60 minutes only or whatever time you like.
6. Hit Save.
You are limited on choosing an IP anywhere in the range of 192.168.xxx.xxx. Meaning, you can have an IP of 192.168.10.1, 192.168.254.1 but not 192.168.1.2 as it is within the IP range of the private network. Thus, not a valid IP for the new bridge.
By limiting the possible connected devices, you are making sure that your network will not slowdown due to huge requests from your guests’ devices. Also your friends may not need a insane long lease time.
Virtual LAN Settings
Now that you already have a bridge (br1), it is now time to dedicate it in a VLAN. You don’t want that guests have access on your stuffs right? This is the way to do it. Separate the primary network from the guest network.
- Navigate to Advanced Settings > VLAN.
2. Create a new entry in the category VLAN. It may be no 3 VLAN or something. VID the same as VLAN number. Then set the bridge to LAN1 (br1).
3. Hit Save. The router will reboot to save the changes.
The port(s) can be remained all uncheck since guest will only primarily connect via WiFi. The ports there are the physical ports found in your router.
Create a Virtual Wireless
This is the last step to have a fully working guest network.
- Navigate to Advanced Settings > Virtual Wireless.
2. Create a new virtual wireless interface. It may be wl0.1 or something depending on your current setup. It will be wl0.2 if you are under wireless client mode.
3. Supply a SSID (the guest wifi name) according to your liking.
4. Set the mode to Access Point and bridge it to LAN1(br1).
5. Hit Add.
6. There is an additional option here to add a security to the guest wifi. If you want to add security, the recommended choice is WPA/WPA2 Personal as it is the best encryption method and is backward compatible for older devices.
7. Review the settings and make sure the virtual wireless is broadcasted (Broadcast option checked). Go back to overview tab and Hit Save.
The new virtual guest network is now live and you can connect to it and test if the internet connection works. Double check the settings in Advanced Settings > VLAN if the LAN 1 (br1) is properly bridged to the virtual wireless. The lines under category wireless should have the wl0.1 being bridged to LAN1 (br1).
Additional Configurations
The following are not required but you may like to apply it to your guest network.
Bandwidth Limiter
This option will limit the available bandwidth for all the devices connected to the guest network. You may not want your internet connection to slowdown and there is no bandwidth left for you when your guests are abusing your connection. This is important especially when your internet connection is not that fast.
- Navigate to Quality of Service/QOS > B/W Limiter.
2. Enable the Bandwidth Limiter for LAN/br0 and set it to the maximum speed of your connection. You may leave it with the default values. 16000kbit/s is equivalent to 16mbps (megabits per second) or or 2MB/s (megabytes per second).
3. Check the bandwidth limiter for br0 and set the priority to highest.* (Explanation below).
4. Also check the bandwidth limit for br1 and set the priority to lowest or anything you like. Supply download and upload limit that you want the devices in guest will have.
5. Hit Save.
*Only available for version 126 and beyond (Shibby Mod).
By setting the priority of the primary network to highest and lowest for the guest wifi, you will still be able to gain enough speed when you are connected to the primary network even the guest wifi is heavily utilized. This is a smart distribution of bandwidth among the two interfaces. The bandwidth ceiling and limit is not set per device but it will be shared by all the devices connected to that bridge. The bandwidth will not be dedicated to the guest bridge and you can still utilized the maximum speed in the primary network when no one uses the guest wifi. This is unlike the usual QOS that limits or somewhat dedicates a certain percentage of bandwidth to a specific activity. If you are already using QOS, the rules should also apply to br1 (guest bridge).
Disabling Gateway Access/Securing the Private Network
We had talk about separating the new bridge by dedicating it to a new VLAN. This makes the devices connected to the primary and guest network to not see each other. However, since there are two interfaces/bridges active, the gateway of your router is also multiplied by 2. You can access the gateway from 192.168.1.1 and 192.168.2.1 in this case whether you are connected to the primary or guest network. Meaning, exposing your gateway to guest users. Although a strong password is the way to go to prevent the access, it is better to fix this problem by inputting the following lines in Administration > Scripts > Firewall.
#!/bin/sh LAN_IP="$(nvram get lan_ipaddr)" LAN_NET="$LAN_IP/$(nvram get lan_netmask)" PRIVATE_IF="br0" GUEST_IF="br1" PORT_DHCP="67" PORT_DNS="53" STATE_NEW="-m state --state NEW" REJECT="REJECT --reject-with icmp-host-prohibited" REJECT_TCP="REJECT --reject-with tcp-reset" # limit guests to essential router services (icmp (echo/reply), dhcp, dns) iptables -I INPUT -i $GUEST_IF -j $REJECT iptables -I INPUT -p tcp -i $GUEST_IF -j $REJECT_TCP iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT iptables -I INPUT -p udp -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT iptables -I INPUT -p tcp -i $GUEST_IF --dport $PORT_DNS -j ACCEPT iptables -I INPUT -p udp -i $GUEST_IF --dport $PORT_DNS -j ACCEPT # deny access to private network by guests (internet only) iptables -I FORWARD -i $GUEST_IF -d $LAN_NET $STATE_NEW -j $REJECT iptables -I FORWARD -p tcp -i $GUEST_IF -d $LAN_NET $STATE_NEW -j $REJECT_TCP
This will deny all requests from the guest network to access the gateways and the devices/resources from the private network retaining other basic functionalities to still work. There are many other ways do it but this is somehow the most complete approach to have the required effect. This script is originally provided by eibgrad. Source: Pastebin.com.
I deleted some lines I found to be unnecessary for this setup to save NVRAM space. The script is given for free to use and you can modify it according to your needs. You may not need a separate VLAN in this case (Setting up the VLAN can be omitted when you opt to use this firewall script).
Troubleshooting
If the internet connection doesn’t work, make sure you have inputted correct values on all of the fields. One wrong digit or missing dot (.) will ruin the setup. Restarting the router is a great help in most cases and solves problems. You can play on the firewall script but be careful and google each command to see how they work.
That’s it. You now have a guest network that is fully separated from your private/primary network. 🙂