Access the router through SSH or telnet. On Windows you can use PuTTY; on Unix you can use the terminal.
In the router console, type the following command:
nvram show | grep vlan.ports
If you get the following output you are ready to proceed:
vlan0ports=3 2 1 0 5*
*Note: Logical port 5 is the CPU and should be included in every VLAN. Logical port 4 is your WLAN. You can choose to configure your ports differently.
Here’s a map of the physical ports to their logical (cli) assignment:
Physical port : Logical port
1 : 3
2 : 2
3 : 1
4 : 0
This example uses physical ports 4 and 3 as the new VLAN (vlan2):
nvram set vlan0ports="3 2 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="1 0 5"
nvram set manual_boot_nv=1
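A check that can be run before typing the nvram set commands above, added here as an example and not part of the original instructions: it verifies that every VLAN keeps CPU port 5 and that no logical port is assigned twice, using the port map given earlier. The function names are hypothetical, and the sample values are the ones this page sets.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes the page's layout: logical 3,2,1,0 = physical 1,2,3,4; 4 = wlan; 5 = CPU.

# Print the physical label for one logical port (CPU port 5 has none).
logical_to_physical() {
    case "$1" in
        3) echo 1 ;; 2) echo 2 ;; 1) echo 3 ;; 0) echo 4 ;; 4) echo wlan ;;
        *) return 1 ;;
    esac
}

# Print the physical ports behind a vlanNports value, e.g. "1 0 5" -> "3 4".
physical_ports() {
    out=""
    for p in $(printf '%s' "$1" | tr -d '*'); do
        phys=$(logical_to_physical "$p") && out="$out $phys"
    done
    echo "${out# }"
}

# check_vlan_ports "vlan0ports=3 2 5*" "vlan2ports=1 0 5" ...
# Prints one line per problem; returns the number of problems (0 = consistent).
check_vlan_ports() {
    seen=" "; errors=0
    for assignment in "$@"; do
        name=${assignment%%=*}
        has_cpu=0
        # tr strips the "*" marker so the shell never glob-expands "5*".
        for p in $(printf '%s' "${assignment#*=}" | tr -d '*'); do
            case "$p" in
                5) has_cpu=1 ;;
                [0-4])
                    case "$seen" in
                        *" $p "*) echo "$name: logical port $p is assigned more than once"
                                  errors=$((errors + 1)) ;;
                        *) seen="$seen$p " ;;
                    esac ;;
                *) echo "$name: '$p' is not a logical port (0-5)"
                   errors=$((errors + 1)) ;;
            esac
        done
        [ "$has_cpu" -eq 1 ] || { echo "$name: CPU port 5 missing"; errors=$((errors + 1)); }
    done
    return "$errors"
}

# Constructed input: the values this page sets.
check_vlan_ports "vlan0ports=3 2 5*" "vlan2ports=1 0 5" && echo "port plan is consistent"
```

A port left in vlan0ports after being added to vlan2ports shows up here as a duplicate assignment.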
Following this, you just need to add a few bits to the Administration>Scripts>Init area of the Tomato GUI.
sleep 10; ifconfig vlan2 10.225.20.1 netmask 255.255.255.0 up;
To set up firewall rules, we add the following to the Administration>Scripts>Firewall section of the Tomato GUI:
iptables -I INPUT -i vlan2 -j ACCEPT;
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan2 -j DROP;
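This restricts traffic from port 4 of the device (vlan2) to all other ports of the LAN (access to WAN only from port 4). Note that the INPUT rule accepts all traffic from vlan2 to the router itself, so the router's own services remain reachable from that port.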
Next go to Advanced -> DHCP / DNS and add this at Dnsmasq custom configuration: