Monthly Archives: May 2013

Ubiquiti APs, TomatoUSB, VLANS, and Linksys e3000

Try not to get too shocked, but this is actually an article about networking.

Back story: I picked up some Ubiquiti APs for a good price to install around the house. Since I have these nice enterprise APs, I decided to redesign my home network using VLANs to provide a management VLAN, a home VLAN, a DMZ VLAN, and a guest VLAN. I set out to do this using gear that I had lying around, which consisted of:

To start off, I decided to use my two e3000s as a router and a smart switch. I kept the TomatoUSB ROM on those routers, but upgraded to the Toastman version (1.28.7502.7), which had experimental VLAN support.

The Design
In the end, I wanted to have four different VLANs:

  • VLAN2 – Management
  • VLAN3 – Home Use
  • VLAN4 – DMZ
  • VLAN5 – Guest

In addition, I wanted to have multiple SSIDs on the Ubiquiti APs that mapped to specific VLANs:

  • Home – VLAN3
  • Automation – VLAN4
  • Guest – VLAN5

The nice thing about the Ubiquiti APs is that they allow multiple SSIDs to be set and will add VLAN tags to the packets. The only gotcha was that the non-VLAN SSIDs and the AP itself needed to be set up on a non-tagged (native) VLAN.

The Problem
After many hours of trying to get Tomato to work correctly, it turned out that I needed to have VLAN2 set up as non-tagged, while VLAN3-5 needed to have tagging on. The GUI had an option for setting the default, but that did not work and packets were ignored. The other issue was that the GUI didn't allow you to set tagged VLANs on a port and then add an untagged VLAN on that same port. Either all VLANs were tagged, or it would only let you select one untagged VLAN and no other VLANs.

The Solution
After many hours of trying to figure out what was going on, I realized that the firmware wasn't handling untagged traffic correctly. The solution was to telnet into each of the routers and update the nvram values directly to specify that the port should be used, but not tagged, while the other VLANs would be tagged.
