Toastman’s Tomato on WRT 610N

I was looking to get some VLANs up and running to separate traffic on my network into safe zones and fun zones. The Tomato firmware on my router was turning a bit old, so I looked at the newer builds. It’s a jungle out there, but I managed to work my way through it. It was actually quite easy, so read on if you have a 610N and want the even easier way 🙂

The Linksys WRT610N is outdated and my guess is that it was probably never really popular. This makes it a bit hard to find the right firmware and tutorials on how to set it up.

Since the development of the original Tomato firmware is sort of dead there is now a bunch of new branches to choose from. I went through them and found that Toastman’s builds seemed to fit my needs the best. His builds can be downloaded at

Don’t belive the crappy old forumposts 🙂

When you google around for Tomato and 610N, you’ll run into a lot of posts that mention that this and that won’t work. Especially the dual radio function of the router seems to be broken. However, mosts of these posts are old. I’ve been running the old tomato for months now, with dual radio working all the time. The router is never turned off, and it has not crashed once.

This time I read that the VLAN support is experimental, and that it was terribly buggy. On the download site I noticed that Toastman had named the older versions “VLAN BETA”. However the new 1.28.7500.4 VLAN version did not have this beta tag. This was enough to make me want to try it out.

I took a look at the hardware specs for the Linksys 610N v2 and saw that it has 8MB of flash, so any of the Toastman builds should fit. I didn’t need VPN so I picked the Ext version for the “useful tools” that it should contain according to and old forum post I found.

I simply downloaded the tomato-K26USB-NVRAM60K-1.28.7500.4MIPSR2Toastman-RT-VLAN-Ext.trx and installed it using the firmware upgrade menu. I also set the “clear NV-RAM”, just to make sure that no settings would mess up the upgrade process.

The upgrade took a few minutes, but suddenly it was ready. I logged in and noticed that this build also had VPN even though it was not mentioned. Thats a nice bonus if you need it 🙂


Well, well… it was time to set up the VLANs. I read a few tutorials. Most of them consisted of commands sent to the router via SSH, and scripts that had to be inserted into the various windows where you can add scripts. Some of them also mentioned that the VLAN gui didn’t work.
After an hour the only thing I had accomplished was to have turned off several of the LAN ports on the back of the router :-/

I decided to start over. This time I used the GUI for the most part, and it seemed to work just fine.

What I wanted was to have port 1 on the back of the router to belong to a different VLAN. This VLAN should be for guests that arrive with their “disease ridden” machines. It should be sealed off from everything, but still have access to the internet.

The rest of the ports and the WIFI should belong to a normal network for my own machines and general use in my house.

1. First simply remove port 1 from VLAN number one.
2. Then create a new VLAN, number three, with port 1.
For some reason you should NOT use VLAN number zero. Apparently it does not work with gigabit switch thats part of the WRT 610N.
WAN had been set as VLAN 2 as default, and I just left it like that.

Now, to make sure that machines connected to port 1 also get IP adresses, you’ll have to set DHCP for this VLAN. Give the VLAN an IP range that does not mess with your existing range. As a general rule I always set DHCP with some room in the begining of the address pool, to allow for devices with static IP’s.

Now.. since the two networks should be isolated. I added some rules that I found in one of the tutorials. These should be added under Administration / Scripts / Firewall

iptables -I INPUT -i vlan3 -j ACCEPT;
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT;
iptables -I FORWARD -i br0 -o vlan3 -j DROP;

I’m not really fluent in iptables, but basically how I read this is that it allows traffic from the new VLAN onto the WAN, but drops all packages between the two. Thus, both nets can see the internet, but they can’t see each other.

After a reboot of the router, everything worked just the way it should. GREAT!

Drilling holes in the firewall

Now… isolation between networks is good, but what if you want some exceptions to this?
For example I have a NAS that I would like to access from both networks. Luckily this can be done from the GUI as well. It is done under LAN Access.

I simply added a rule that traffic from LAN1 (The unsecure VLAN)  can enter LAN (The normal LAN) if the destination address is (Which is the address of the NAS.)

It works like a charm!

More features!

I haven’t played around with it yet, but it seems that it is possible to set the WIFI to whichever VLAN you want it to. And even have different SSID’s to allow WIFI access to several VLANs at once, simply by changing which SSID you connect to.

Again… I’m amazed by the posibillities in the Tomato firmware.