LearnTomato

Tomato router firmware tutorials

LearnTomato » Home Network Setup » Setup a Guest Network for Guest WiFi with Tomato VLAN

Setup a Guest Network for Guest WiFi with Tomato VLAN

by

Do you have employees, curious children, guests, or run a WiFi hotspot for your business? If so, then you’re going to like this a lot. You simply can’t find this level of functionality on most consumer-rated routers (unless of course, you upgrade it with Tomato firmware). In this tutorial, we’ll setup a wireless guest network for guest WiFi access on your Tomato router. A Virtual LAN is perfect for guest WiFi networks.

Your Tomato router has a feature known as a VLAN (Virtual Local Area Network). This can be very handy if you need to partition your network into subnets and keep your private network “private.” For example, maybe you want to separate your business computers from your personal computers.

A VLAN is a “virtual LAN” so it essentially functions on the backbone of your existing hardware and therefore, it should not affect the LAN speed of your existing LAN.

In this section, we will first setup a new LAN subnet, and then bridge that to our VLAN, which will be used for our guest network. Once that is complete, we’ll setup our guest WiFi access point. This is a very powerful feature and relatively simple to setup. As we go through this process, just pay close attention to the labels that we use for each LAN.

Setup Virtual Guest Network

First, we must create some form of separation between our primary network, and our Guest network.

This can be accomplished by creating a new LAN segment. First, login to your Tomato router and navigate to Basic > Network

Setup Tomato VLAN for guest network

Tomato LAN

We must first create a new LAN that is different from our primary LAN. So if your primary LAN IP is 192.168.50.1, your new LAN should be different, say 192.168.100.1. Your primary LAN bridge is, by default, labeled as ‘br0‘. So, under the ‘bridge’ column, select ‘br1‘ for your new LAN bridge.

  1. Ensure that STP is disabled
  2. Enter an IP address, such as 192.168.100.1
  3. Enable DHCP
  4. Configure the DHCP range for the new subnet, such as 192.168.100.100~150
  5. Change the lease time to 120 minutes (optional, but recommended)
  6. Click ‘ADD’, then click ‘SAVE’.

Now, let’s create a VLAN and associate it with the LAN bridge that we created a moment ago, which is ‘LAN1 (br1).

Navigate to: Advanced > VLAN

Bridge new LAN to VLAN in Tomato

Tomato VLAN

 

  1. Under the VLAN column, select the next available number (3).
  2. Enter the number ‘3’ in the virtual ID column (VID).
  3. Under the ‘bridge’ Column, choose the LAN we created a moment ago, LAN1 (br1).
  4. Click ‘ADD’, then click ‘SAVE’.
  5. The router will reboot. Click ‘Continue’.

Setup Guest Network

Navigate to: Advanced > Virtual Wireless

Create a virtual wireless interface for your guest network.

Guest Network

If you have a dual band router, you can create a guest wireless interface using either the 2.4GHz band, or the 5GHz band, or both. Under the ‘interface’ column you can choose which frequency to use. To determine which one to use, click next to ‘Wireless Interface Details’, to see the Interface label for each band.

  1. Choose ‘wl0.1’ (to use the 2.4 GHz band).
  2. Choose ‘wl1.1’ (to use the 5GHz band).
  3. Ensure that you ‘enable’ the SSID.
  4. Give your SSID a name and select the mode ‘Access Point’.
  5. Under the ‘bridge’ column, choose ‘br1’. Doing so will associate this wireless SSID with the LAN that we created in the first step.
  6. Click ‘ADD’

Setup Guest WiFi

Immediately upon ‘ADDING’ your a virtual wireless SSID, the router should forward you to the tab labeled ‘wl0.1‘. From here, configure the wireless parameters for your new guest Wifi access point.

Enable the guest network and choose a wireless SSID and password for the guest WiFi.

Guest WiFi

The SSID should be filled in for you. Simply choose your security method. I recommend using ‘WPA2 Personal‘ for maximum protection. Choose ‘AES‘ for the encryption method. Enter a pass phrase, then scroll down and click ‘OVERVIEW’. This will take you to the ‘Overview’ page where you can review the settings for your new guest WiFi broadcast.

Your Tomato VLAN guest network has been created. Click save.

Tomato VLAN Guest Network

Once you are on the ‘OVERVIEW’ page and everything looks correct, scroll down and click ‘SAVE’.

Congratulations! You have just setup a guest network with WiFi access using Tomato VLAN to separate those guest connections from your Primary LAN. Now, you should be able to connect from a wireless client device. Let’s try it out.

Connect to Guest WiFi

The Tomato guest wifi network is now available.

Guest WiFi Network

Well, what do you know? It worked! Now, I can connect my laptop to ‘Tomato_24_guest’ and see if it works the way that it should. Once I connect, we should NOT be to communicate with client computers on the other LAN. In order to be sure our VLAN is segmenting things properly, we need to run a ‘ping’ command.

Be Sure Tomato VLAN Separates Your Guest Network

In windows 7, navigate to the ‘Start’ menu.

Go to ‘All Programs > Accessories, and open the ‘command prompt’

Run a Ping CMD to test your VLAN and ensure that your Guest network is separated.

Ping CMD

In this case, I’ll try to ping my desktop which is on the other subnet.

I’ll type ‘ping‘, followed by the desktop IP address. In my case, it’s “ping 192.168.50.5” and hit ‘Enter’. As you can see, the ‘ping’ command timed-out. That’s a good sign. This means that any client device connected to our new guest WiFi interface will be unable to reach the machines on our primary LAN.

When you browse network locations while connected to the guest network, you should not see other clients.

Browse Network

Now, when our wireless guest connects, they will be unable to browse network locations and start snooping around. They will be unable to see my desktop computer, file servers, or anything else connected to my primary LAN.