Setup Wi-Fi VLANs with Tomato on RT-N66U

IMPORTANT: installing custom firmware always pose risk of bricking your device. Do it at your own risk.

This guide will show you how to use custom firmware Tomato by Shibby on Asus RT-N66U as a wireless access point (WAP) to setup multiple Wi-Fi VLANs.

This is an alternate method of setting up Wi-Fi subnets of a 3 steps guide to protect home network using subnets.

Prerequisite: VLAN infrastructure in place for the wired network described in Part 1 and Part 2 of the 3 steps guide.

This guide will step you through the flash of custom firmware Tomato and setup the 3 wireless VLANs.

  • VLAN 40 (SSID: Mobile): Your mobile devices
  • VLAN 42 (SSID: IoT): IoT devices
  • VLAN 44 (SSID: Guest): Guest devices

How to enable recovery mode for RT-N66U?

Asus router has recovery mode that allows you the flash firmware or reset to default settings (or factory reset for official firmware).

reset button
  1. turn off the router
  2. press and hold the reset button (do not release)
  3. turn on the router
  4. wait for about 8 seconds on official firmware (or 5 seconds on Tomato)
  5. release the reset button
recovery mode
Recovery mode

How to factory reset?

There are several ways of performing factory reset. Each method shall achieve the same results.

Hard Reset

The 30/30/30 reset works on older routers, but not new routers like RT-N66U. So don’t use it.

  • with the unit turned on, press and hold the reset button
  • wait until power led started blinking slowly (about 5 seconds)
  • release the reset button

Reset using Recovery mode

  • enable recovery mode
  • click on Restore default NVRAM values
erase NVRAM
Factory reset by clearing NVRAM

Reset using web gui

  • access web gui of the router
  • go to Administration > Restore/Save/Upload Setting
  • click Restore and then OK
factory reset

Note: if you are already on Tomato, go to Administration > Configuration > Restore Default Configuration, select Erase all data in NVRAM memory and click OK.

How to flash Tomato?

Note: The Administration > Firmware Upgrade option available in the web gui of the latest official firmware (v3.0.0.4.382_50624) does not allow you to flash custom firmware.

What you need: A stand alone computer you can connect directly to the router

  • download Tomato firmware (look for build specific for RT-N66U)
  • remove the router from your network
  • perform factory reset using Hard reset method (this will reset router’s IP address to 192.168.1.1)
  • enter recovery mode
  • set your computer’s IPv4 address to something like 192.168.1.100 and connect to the router
  • browse to router’s IP at http://192.168.1.1. The recover mode screen should show up
  • click Choose File and select the Tomato build file downloaded.
  • click Upload

IMPORTANT: Flashing the firmware can take long time (over 10 minutes). Do NOT power off or interrupt the process or you may brick your router.

flash firmware
  • wait for the upload is complete
firmware upload complete
  • wait patiently (could be over 10 minutes) while router is flashing the firmware and reboot. You can ping and try browse http://192.168.1.1 to see if the install is finished.
  • when web browser responses with following screen, congratulations, you have successfully installed Tomato!
Tomato installed

How to revert back to official ASUS firmware?

Configure Tomato to serve as a wireless access point (WAP)

When used as access point, we don’t need the WAN port. So we can disable it.

  • go to Basic > Network
  • select Disabled for WAN Settings > Type
  • click on Bridge br0 in LAN section
  • uncheck DHCP checkbox
  • click OK
  • scroll down and click Save
disable WAN port

Setup multiple SSIDs with VLANs support

To enable multiple SSIDs with VLANs, we will create separate bridges. One bridge for each VLAN and it’s associated wireless interface(s).

RT-N66U has 1 physical 5GHz wireless interface (eth1).

Tomato automatically created a default bridge ‘br0‘ and has wireless interface and default VLAN 1 (for LAN) as it’s members.

Create 3 new Bridges

We will create one new Bridge for each VLAN.

  • go to Basic > Network
  • go to LAN section
  • create bridge for VLAN 40
    • select 1 for Bridge
    • enter 192.168.40.1 for IP Address
    • enter 255.255.255.0 for Netmask
    • click Add
  • create bridge for VLAN 42
    • select 2 for Bridge
    • enter 192.168.42.1 for IP Address
    • enter 255.255.255.0 for Netmask
    • click Add
  • create bridge for VLAN 44
    • select 3 for Bridge
    • enter 192.168.44.1 for IP Address
    • enter 255.255.255.0 for Netmask
    • click Add
  • scroll down and click Save
Create Bridges

Update Wireless Interface eth1 (VLAN 40)

We will update settings for eth1, assign to br1 and enable security.

  • go to Advanced > Virtual Wireless
  • click on eth1 interface
  • enter ‘Mobile‘ for SSID
  • select br1 for Bridge
  • click OK
update SSID for physical wireless interface and assign to bridge br1
  • click on eth1 (wl0) tab
  • select WPA2 Personal for Security
  • enter a good key phrase for Shared Key
  • scroll down and click Overview
  • click Save
enable security for VLAN 40

Create Virtual Wireless Interface for VLAN 42

To enable multiple SSIDs, we need to create virtual wireless interface.

  • continue at Advanced > Virtual Wireless
  • select wl0.1
  • enter ‘IoT‘ for SSID
  • select br2 for Bridge
  • click Add
Create virtual interface for VLAN 42
  • select WPA2 Personal for Security
  • enter a good key phrase for Shared Key
  • scroll down and click Overview
  • click Save
enable security for VLAN 42

Create Virtual Wireless Interface for VLAN 44

  • select wl0.2
  • enter ‘GuesT‘ for SSID
  • select br3 for Bridge
  • click Add
Create virtual interface for VLAN 44
  • select WPA2 Personal for Security
  • enter a good key phrase for Shared Key
  • scroll down and click Overview
  • click Save
Enable security for VLAN 44

Configure VLAN settings

We will configure and use port 4 as trunk port (to connect to the Netgear VLAN switch).

  • setup the VLAN settings according to the screen below
  • scroll down and click Save and then OK to confirm
  • the router will now reboot
Configure VLAN settings for VLAN 40, 42, 44 & 99

Assign static IP to Router

The configuration to the router is done. Now we need to assign an IP address to the router so that it’s ready to join your home network. The IP address should have the same net mask as the management VLAN 192.168.99.x.

  • go to Basic > Network
  • click on Bridge br0
  • enter 192.168.99.66 as IP Address
  • uncheck DHCP checkbox
  • click OK
  • scroll down and click Save
set static IP of router to match home network

You can disconnect your computer from the router and can now set its IPv4 address back to Obtain an IP address automatically.

Note: your computer won’t be able to connect to the router until the router joined your home network to receive an IP address from the DHCP server.

Configure pfSense and Netgear VLAN switch

Now let’s prepare pfSense and the Netgear VLAN switch with the additional VLANs before RT-N66U joins the home network.

Add VLAN interfaces and rules at pfSense

Follow Step 1 through 4 of Setup VLAN interfaces at pfSense firewall to add VLAN 42 and VLAN 44 to the pfSense fireware.

Add VLAN 42 and 44 to Netgear GS108Ev3 switch

  • login to the switch (would be http://192.168.99.108 if you followed the guide in Part 2)
  • go to VLAN > 802.1Q > Advanced > VLAN Configuration
  • enter 42 at VLAN ID field and click Add
  • enter 44 at VLAN ID field and click Add

Configure port 6 as a trunk port

IMPORTANT: changing port 6 to trunk port will temporarily disable the sub-network VLAN 40.

Port 6 was originally setup as VLAN 40 for use of an access point to connect all mobile devices. If you have an access point connected to port 6 for wireless connections, it’s time to unplug the access point from port 6.

Add VLAN 99 to port 6

For VLAN 99, port 6, 7 & 8 should all be untagged (show ‘U‘).

  • go to VLAN Membership
  • select VLAN ID ‘99
  • click on port 6 to show ‘U‘ (untagged)
  • click Apply
add VLAN 99 to port 6

Set port 6 PVID to management VLAN 99

  • go to Port PVID
  • enable port 6‘s checkbox
  • enter 99 to PVID text box
  • click Apply
set PVID to 99 for port 6

Convert port 6 to trunk port

  • go to VLAN Membership
  • select VLAN ID ’40’
  • click on port 6 & port 8 until both show ‘T‘ (tagged)
  • click Apply
convert port 6 to trunk port

Repeat for VLAN 42 and VLAN 44.

completed VLAN configuration
Final VLAN configuration

Hook up to the home network

Connect RT-N66U port 4 to port 6 of the Netgear VLAN switch and the wireless networks should be ready to use.

Configure your mobile devices to use their new SSIDs accordingly.

All set. Your home network is now properly segmented with multiple sub-networks for better protection!

This Post Has 15 Comments

  1. Oran Gol

    14 Nov 2019 Reply

    This is a great guide and exactly what I was looking for. There is not a lot of these out there for this specific configuration, with pfsense, managed switch and Tomato firmware WAP. Now all I need to do is to follow this guide πŸ™‚

    1. Alan Chan

      15 Nov 2019 Reply

      Awesome, glad that it’s useful for you. Thanks for your feedback. 😁

  2. Peter Speers

    28 Dec 2019 Reply

    Alan, in the final vlan cfg screen you show vlan 99 as tagged on port 4 but untagged on the switch port 6. Shouldn’t be untagged at both ends. When I remove all ports from VLAN 1 and change default setting from VLAN 1 to VLAN 99, reboot I am unable to access after reboot, any issues with that from your testing.I am not able to get back into device to set 192.168.99.X address to router.Any suggestions? Did you remove VLAN 1 as well?
    The rest of this is great!

    1. Alan Chan

      28 Dec 2019 Reply

      It was tested fully working following the setup steps. As far as I can remember, I did not remove VLAN 1 on the router and leave it as is on br0.

      And for communication between router and GS108Ev3 switch, yes, traffic of vlan 99 is tagged from router port 4 to GS108Ev3 switch port 6.
      When switch receives tagged vlan 99 packet, it will remove the tag and then forward packet to pfsense (via trunk port 8). GS108Ev3 switch would not forward untagged packets through trunk port.
      That’s how GS108Ev3 behaves. If you are using different switch, may want to check out how your switch handles untagged/tagged packets.

  3. Peter

    30 Dec 2019 Reply

    Thanks Alan

    Got it working by using using VLANs #’s less than 15 instead of VLAN #’s in the forties and higher

    1. Alan Chan

      30 Dec 2019 Reply

      Awesome. Glad that you got it working.
      Just curious though. Are you using RT-N66U or a different router that may have this restriction?
      I did face limitation of using VLAN # <= 15 when working on RT-AC3200 using dd-wrt.
      I had to resort to running administrative script to open up high vlan IDs. But not needed for tomato though in setup used in this post.

  4. Darcey

    11 Feb 2020 Reply

    Many thanks for your guiides. I have enjyed reading them. I plan on following them to set up pfSense and an RT-N66U
    Is it possible to achieve similar without a managed switch, using just a two NIC fSense box and RT-N66U running tomato? I only need 2 wired VLANS. Can RT-N66U/tomato provide the wifi VLANs and wired VLAN separation as per a managed switch?
    Cheers.

    1. Alan Chan

      12 Feb 2020 Reply

      The trunking should work directly from RT-N66U to pfSense without managed switch.
      But as far as I can remember, the wired ports are all assigned to br0 and you can’t split them into different bridges. Therefore, you can only set wired ports up as 1 vlan, not 2.
      cheers Alan

      1. Igor Gocalinski

        20 Jun 2020 Reply

        The switch built into the majority of the consumer grade routers is managed, it just lacks any interface do the configuration. Tomato brings that GUI – and will allow you do port configuration, for instance assign a tagged/untagged VLAN to particular port.

  5. Brad

    16 Feb 2020 Reply

    Awesome guide Alan!

    At the end of “Part 2” you mentioned the below:
    “That’s it. By connecting your computer to port 7 of the switch, you can manage the switch using the browser at 192.168.99.108. And you can manage pfSense at 192.168.99.1.”

    Did the pfSense change to be on 192.168.99.1 – igb2 – OPT1? I thought is was still on 192.168.1.1 – igb0 – LAN.

    I ask as i am having issues with getting my VLANs to work with only having a 2 NIC setup. One NIC for WAN and the other for LAN. I have the VLANs using my LAN interface. This is possibly the first I am seeing a configuration (if the pfSense is on 192.168.99.1 – igb2 – OPT1) that uses only one interface for the LAN / pfSense and the VLANs).

    Thanks

    1. Alan Chan

      17 Feb 2020 Reply

      each subnet has their own network id/range. LAN has 192.168.1.0/24, OPT1 has 192.168.99.0/24. It’s defined in part 1.
      pfSense serves as gateway in each subnet so for LAN it’s 192.168.1.1 and for OPT1, it’s 192.168.99.1.
      similarly, each VLAN has its own network id/range and gateway ip-address.
      therefore, depending on which subnet (192.168.x.0/24) your computer is connecting to, you manage pfSense at 192.168.x.1

      cheers Alan

  6. Franz

    10 Jun 2020 Reply

    Alan, I have followed your steps, but I can’t make it working. I only have a RT-AC68U with tomato and a Netgear GS108E. I have created the various VLANs. I have configured all VLANs Tagged to Port 4.
    I configured the Switch Port 8 with membership to all VLAN IDs (1, 10, 20, 30, 40, 50). Port 8 is configured as Tagged.
    I configured the Switch Port 1 and 2 to be member of VLAN ID 10, Untagged and with PVID 10.
    The RT-AC68U port 4 is connected to the Netgear GS108E port 8.
    My PC is connected to the Port 1 of the Netgear GS108E, but I am not getting anything, no DHCP, nothing….

    Port 7 is configured as Untagged belonging to VLAN 1 and 10 with PVID 1.
    When my PC is connected to Port 7, it works and it has access to the LAN. I also tried to change the PVID of the same port to 10. But then it stops working like as it does on Port 1.

    Help!!!
    Thanks,
    Franc

  7. Franz

    10 Jun 2020 Reply

    Ok, it seems that after all I came out with.
    1. A solution to make it working
    2. The reason why it doesn’t work

    1. I changed the vlan VID that I previously set to 10 to 60

    2. It seems that if I have a vlan with VID 1, I cannot have other vlans beginning with the same number, e.g. 10, 100, 123, 1040. I changed it to 60 and since I don’t have any vlan with the VID 6 it worked.

  8. parry

    21 Sep 2020 Reply

    Thank you for this very useful guide. If I may I would like to ask for some advice. What if I don’t have a managed switch and want to connect the pfsense device (which only has a WAN and LAN port and so all vlans are trunked on the lan port). I would want to use one of the VLANs for a DMZ, one for an internal ethernet wired network and two vlans one connected to the home network and one for guests. Could I accomplish this with the router and the pfsense box ? What always confuses me in these cases is with tomato there is a default gateway on the /basic-network.asp . What IP address should that be assigned to ? Currently I have br0 as 192.168.1.3, br1 as 192.168.10.3, br2 as 192.168.20.3 and br3 as 192,168.30.3 with the pfsense vlan addresses at 192.168.1.1, 192.168.10.1, 192.168.20.1 and 192.168.30.1 . Thank you

    1. Alan Chan

      21 Sep 2020 Reply

      Hi Parry,

      Your tomato router will connect directly to pfSense box LAN port.
      I would use br0’s gateway (192.168.1.1) as default gateway.
      I believe all LAN ports on tomato router use br0. Therefore, all LAN ports use 192.168.1.0/24.
      So base on your configs, you have 1 wired vlan subnet and 3 wireless vlan subnets at your disposal.

      Alan

Leave a Reply

Close Menu