Ubiquiti APs, TomatoUSB, VLANS, and Linksys e3000

Try not to get too shocked, but this is actually an article about networking.

Back story: I picked up some Ubiquiti APs for a good price to install around the house. Since I now had these nice enterprise APs, I decided to redesign my home network using VLANs to provide a management VLAN, a home VLAN, a DMZ VLAN, and a guest VLAN. I set out to do this with gear I had lying around, which consisted of:

To start off, I decided to use my two e3000s as a router and a smart switch. I kept the TomatoUSB ROM on those routers, but upgraded to the Toastman version (1.28.7502.7), which had experimental VLAN support.

The Design
In the end, I wanted four different VLANs:

  • VLAN2 – Management
  • VLAN3 – Home Use
  • VLAN4 – DMZ
  • VLAN5 – Guest

In addition, I wanted multiple SSIDs on the Ubiquiti APs, each mapped to a specific VLAN:

  • Home – VLAN3
  • Automation – VLAN4
  • Guest – VLAN5

The nice thing about the Ubiquiti APs is that they allow multiple SSIDs and will tag each SSID's traffic with its VLAN. The only gotcha was that the AP itself, and any SSID not assigned a VLAN, needed to sit on an untagged (native) VLAN.

The Problem
After many hours of trying to get Tomato to work correctly, it turned out that VLAN2 needed to be untagged on the AP's port, while VLAN3-5 needed to be tagged. The GUI had an option for setting the default VLAN, but it did not work and tagged packets were dropped. The other issue was that the GUI did not allow mixing tagged and untagged VLANs on one port: either every VLAN on the port was tagged, or it would let you select exactly one untagged VLAN and no other VLANs.

The Solution
After many hours of trying to figure out what was going on, I realized that the firmware was not handling untagged traffic correctly. The solution was to telnet into each router and update the nvram values directly, so that the AP's port was a member of VLAN2 untagged while the other VLANs on that port stayed tagged.

To do that, I started by going through the GUI and marking all the VLANs on the port connected to the AP as tagged. I then telnetted into the router and ran:

    # nvram show | grep vlan2ports

which presented me with:

    vlan2ports=3t 4t 8*

The port needed to carry VLAN2 untagged, so the fix was as simple as removing the "t" from "3t". I then wrote the updated line back into nvram, committed it, and rebooted:

    # nvram set vlan2ports="3 4t 8*"
    # nvram commit
    # reboot
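As an added example that is not part of the original post, here is a small POSIX shell helper that rewrites a vlanNports string the same way the steps above do by hand. It assumes the "3t 4t 8*" list syntax shown above (a "t" suffix means tagged, "*" marks the default/CPU port) and only prints the nvram commands instead of running them, so it can be checked offline before touching the router.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite a TomatoUSB/Broadcom
# "vlanNports" list so that one switch port carries the VLAN untagged.
# Format recap from the post: "3t 4t 8*" means ports 3 and 4 are members
# with 802.1Q tagging ("t"); port 8 is the CPU port and "*" marks the default.

# untag_port LIST PORT -> prints LIST with PORT's "t" suffix removed.
# Fails (exit 1) if PORT is not a member, so a typo cannot silently produce
# a list that leaves the AP on no VLAN at all.
untag_port() {
    list=$1 port=$2 out='' found=0
    for entry in $list; do
        # strip a trailing "t" or "*" to get the bare port number
        bare=${entry%t}; bare=${bare%\*}
        if [ "$bare" = "$port" ]; then
            found=1
            # keep a "*" marker if present, drop the tag flag
            case $entry in
                *\*) entry="$bare*" ;;
                *)   entry=$bare ;;
            esac
        fi
        out="${out:+$out }$entry"
    done
    [ "$found" -eq 1 ] || return 1
    printf '%s\n' "$out"
}

# is_tagged LIST PORT -> exit 0 if PORT is a tagged member of LIST.
is_tagged() {
    for entry in $1; do
        [ "$entry" = "${2}t" ] && return 0
    done
    return 1
}

# Constructed value matching the post's "nvram show | grep vlan2ports" output.
current='3t 4t 8*'
new=$(untag_port "$current" 3) || { echo "port 3 is not in vlan2ports" >&2; exit 1; }
# Print what would be run on the router rather than executing it here.
echo "nvram set vlan2ports=\"$new\""
echo "nvram commit"
```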

When it came back up, the Ubiquiti software controller found the AP on the correct port and configured it correctly. The clients then started to reconnect and landed on the correct VLAN for the SSID they joined.

Now when I go to the admin page for VLANs, I see this:
[Screenshot: vlan-tagging]

  1. Just a side note, but if you go this route, you can no longer use the web interface for VLANs. You can view, just not make edits because it will try to fix what you’ve done.

  2. How did you wire everything? I’m trying to do the same and had no luck. I only have one UAP, but if I turned on tagging for the Port I used for each bridge, I wouldn’t even get an IP.

    I would like Management and Home to be one vlan, and guest another, so my setup is simpler. Maybe knowing how you wired it will help.

    Thanks!

  3. I had wired as:
    Port 1: Smart Switch (Handles 802.1q)
    Port 2: Ubiquiti AP
    Port 3: Voice Bridge (DMZ)
    Port 4: Desktop (Home)

    I also created a new article to give a bad-memory walk-through on how I set up the different pieces, in an attempt at your scenario.

  4. I believe you have a typo; should:

    lan2ports=3t 4t 8*

    not read:

    vlan2ports=3t 4t 8*

    Thanks

  5. Thanks for the catch.
