Setting VLAN Ports on Tomato via Command Line

I have some devices I don’t completely trust to be on the same network as all my computers. SmartTVs, a surveillance system, internet enabled toasters, you get the point. (The internet-of-things is going to get a lot more people hacked and spied on in the coming years.)

I needed to set up a VLAN on my router’s Tomato install but due to some bug, I couldn’t isolate a port to a single VLAN. Despite all efforts the port would always end up being a part of both the default VLAN1 and my new, untrusted VLAN3. While the device was accessible on the subnet I wanted it to be, it could also still see the devices on my primary subnet.


After a lot of searching I found this is a bug(s) with certain router hardware (details) and/or the Tomato WebGUI. The solution being to shell into your router and do it manually.

Note: the SSH username for tomato is actually root not admin! Despite the fact that admin is your username for the tomato GUI and despite the fact that the password you set up for the GUI (probably under the username admin) is used for SSH. That’s pretty confusing.


Confusing Tomato Form

To see what ports are on what VLAN run:

nvram show|grep vlan.ports

Note the port with an asterisk is not a physical port.

To set ports on a VLAN run:

nvram set vlanXports="Y Y Y"

Where X is your VLAN number and Y is your port numbers

Then set manual boot, commit your changes, and restart.

nvram set manual_boot_nv=1
nvram commit


This entry was posted in Hardware, Tomato. Bookmark the permalink.

One Response to Setting VLAN Ports on Tomato via Command Line

  1. Pingback: Contornando bug nas configurações de VLANs do Tomato by Shibby e AdvancedTomato - Skooter Blog

Leave a Reply

Your email address will not be published. Required fields are marked *