DSL-AC68U with 3 SSID and 3 VLAN as AP slow and unstable!


jetonr
Hi all,

New around here,


I have been reading through the forums and finally managed to turn my DSL-AC68U into a dumb access point that creates 1 IoT WiFi, one Guest and the private WiFi (all three have both 2.5GHz and 5GHz). I will add the script below just in case; although everything is working, it's very slow and unstable. Any help would be appreciated.

I have tried disabling the NAT Acceleration but to no avail!

Bash:
# brctl show:
bridge name     bridge id               STP enabled     interfaces
br101           8000.000000000000       no
br0             8000.0c9d924dd520       no              vlan1
br1             8000.0c9d924dd521       yes             eth0.501
                                                        eth1.501
                                                        eth2.501
br2             8000.0c9d924dd525       yes             eth0.502
                                                        eth1.502
                                                        eth2.502
br30            8000.0c9d924dd520       no              wl0.1
                                                        wl1.1
                                                        vlan30
br40            8000.0c9d924dd520       no              wl0.2
                                                        wl1.2
                                                        vlan40
br99            8000.0c9d924dd520       no              eth1
                                                        eth2
                                                        vlan99

Bash:
#!/bin/sh

# multi SSID with VLAN script, for ASUS DSL-AC68U with merlin 386.10-gnuton1.
# DHCP service is configured by main router pfsense in my case,
# This DSL has NAT and DHCP turned off and it's acting as a dumb AP


# configure vlans on switch ports
# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility

robocfg vlan 30 ports "4t 5t"
robocfg vlan 40 ports "4t 5t"
robocfg vlan 99 ports "4t 5t"

# add vlan interface on merlin at eth0[switch 5 Port]
vconfig add eth0 30
vconfig add eth0 40
vconfig add eth0 99

# then up it
ifconfig vlan30 up
ifconfig vlan40 up
ifconfig vlan99 up

# remove guest wifis from br0   wl0.x-->guest wifi 2.4 GHz   wl1.x-->guest wifi 5.0 GHz
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl delif br1 wl0.1
brctl delif br2 wl1.1

# add linux network bridge
brctl addbr br30
brctl addbr br40
brctl addbr br99

# add guest wifis to linux network bridge
brctl addif br30 wl0.1 wl1.1
brctl addif br40 wl0.2 wl1.2
brctl addif br99 eth1 eth2

# add interfaces to linux network bridges
brctl addif br30 vlan30
brctl addif br40 vlan40
brctl addif br99 vlan99

# up linux network bridge
ifconfig br30 up
ifconfig br40 up
ifconfig br99 up

# setting nvram values must be correct. if NOT correct, will reject wireless client request.
nvram set br0_ifname="br0"
nvram set lan_ifname="br0"
nvram set lan_ifnames="vlan1"
nvram set br0_ifnames="vlan1"

nvram set lan1_ifnames="vlan30 wl0.1 wl1.1"
nvram set lan1_ifname="br30"
nvram set br30_ifname="br30"
nvram set br30_ifnames="vlan30 wl0.1 wl1.1"

nvram set lan2_ifnames="vlan40 wl0.2 wl1.2"
nvram set lan2_ifname="br40"
nvram set br40_ifname="br40"
nvram set br40_ifnames="vlan40 wl0.2 wl1.2"

nvram set lan3_ifnames="vlan99 eth1 eth2"
nvram set lan3_ifname="br99"
nvram set br99_ifname="br99"
nvram set br99_ifnames="vlan99 eth1 eth2"


killall eapd

eapd

# Flush ebtables --> clear all rules
ebtables -F

# Restart HTTP GUI
service restart_httpd
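An added check, not part of jetonr's post or of the firmware: a small POSIX shell audit of `brctl show` output that flags the membership mistakes this thread is chasing, namely a guest radio still attached to br0 (so guest clients land on the trusted LAN), an interface sitting in two bridges at once, and a guest bridge that does not carry exactly one vlanN uplink. The two samples are constructed from the dump above (`BRCTL_BAD` is a deliberately broken variant); on the router, feed the functions `brctl show` on stdin instead.

```shell
#!/bin/sh
# Audit helpers for `brctl show` output (added example, constructed samples).
# Assumption: the dump has the standard layout, one bridge per line with
# extra member interfaces on indented continuation lines.

BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br101           8000.000000000000       no
br0             8000.0c9d924dd520       no              vlan1
br1             8000.0c9d924dd521       yes             eth0.501
                                                        eth1.501
br30            8000.0c9d924dd520       no              wl0.1
                                                        wl1.1
                                                        vlan30
br40            8000.0c9d924dd520       no              wl0.2
                                                        wl1.2
                                                        vlan40'

# Constructed broken dump: wl0.2 was never removed from br0 but was added to br40.
BRCTL_BAD='bridge name     bridge id               STP enabled     interfaces
br0             8000.0c9d924dd520       no              vlan1
                                                        wl0.2
br40            8000.0c9d924dd520       no              wl0.2
                                                        wl1.2
                                                        vlan40'

# stdin: raw `brctl show` text; stdout: one "bridge iface" pair per line.
# Continuation lines start with whitespace and belong to the last bridge named.
bridge_pairs() {
    awk 'NR == 1 { next }
         /^[^ \t]/ { br = $1; if (NF >= 4) print br, $4; next }
         NF > 0    { print br, $1 }'
}

# Interfaces that are members of more than one bridge (breaks the VLAN split).
shared_members() {
    bridge_pairs | awk '{ n[$2]++ } END { for (i in n) if (n[i] > 1) print i }' | sort
}

# For every bridge holding a guest radio (wl0.N / wl1.N, N >= 1), print
# "bridge <number of vlanN uplinks>"; anything other than 1 is a mistake.
guest_bridge_uplinks() {
    bridge_pairs | awk '$2 ~ /^wl[01]\.[1-9][0-9]*$/ { guest[$1] = 1 }
                        $2 ~ /^vlan[0-9]+$/          { vl[$1]++ }
                        END { for (b in guest) print b, vl[b] + 0 }' | sort
}

# Guest radios still attached to br0, the trusted LAN bridge.
guest_in_lan() {
    bridge_pairs | awk '$1 == "br0" && $2 ~ /^wl[01]\.[1-9]/ { print $2 }' | sort
}

# Usage on the router:  brctl show | shared_members
# Offline demonstration on the constructed samples:
printf '%s\n' "$BRCTL_SAMPLE" | guest_bridge_uplinks
printf '%s\n' "$BRCTL_BAD"    | guest_in_lan
```

Each function prints nothing when the dump is clean, so they can be chained into a quick "is my AP still segmented the way I think" check after the VLAN script has run.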
 
Redoing my post to make things clearer.

Since you can't run that router in AP mode, I would avoid Guest Wireless 1 completely as it is creating lots of AiMesh stuff that is interfering. Use 2 and 3. If you do ever need 3 guest VLANs, you can use 1 but you must have "access intranet" enabled to prevent the aimesh stuff from being built, but I'd avoid it completely if you don't need 3 of them.

Honestly unless you don't want devices on each guest network to be able to see each other (usually not an issue if they can, and sometimes even required) then enable LAN access on all of them. All that does is disable AP isolation, your VLANs will still segment the 3 networks. I've noticed on my 68U variant that AP isolation seems to interfere with ARP requests being sent upstream on GW2 and 3 so that could cause issues for you.

Leave VLAN 1 as your main LAN VLAN (with your trusted wireless in it), that needs to be untagged on your trunk link anyway and that's where the management IP for the router sits, etc. On pfsense just have VLAN 1 be your trusted LAN also. Keep it simple.

Create your VLAN 30 and 40 (or 20 and 30 to match the guest ID, or 200 and 300, etc) and re-map Guest 2 (wl0.2/wl1.2) and Guest 3 (wl0.3/wl1.3) into those. The only VLAN ID you can't use is 2 as that is WAN in router mode. Also avoid 501/502 since they get used by aimesh in case you ever enable GW1 it will overwrite and mess with stuff.

Tag your two VLANs on port 4 and 5, leaving VLAN 1 untagged (I'm assuming port 4 is your uplink to pfsense). Ensure PFsense matches, VLAN 1 untagged, your two custom VLANs tagged.

By default the other LAN ports (1 through 3) will have VLAN 1 untagged, you can use robocfg to change those to one of your VLANs (or a mix of the two) untagged if you want them in one of the guest networks. But the important one is the port to your switch (smart switch obviously) or pfsense, you want 1 untagged and your two custom ones tagged.

If you really want your main wireless to be on a different VLAN than 1 you can do that, but just make sure you still have VLAN1 untagged on both ends of the trunk between your pfsense and the AP. You need a default/native VLAN in there. Or you can pick some other vlan ID to use untagged as your native VLAN but that gets more complex. There isn't any issue using VLAN 1 in a home setting.

NVRAM variables - only update the ones the firmware creates, like LAN1_ifnames etc. Creating the new ones isn't doing anything as far as I know, nothing in the firmware would ever know to call those variables. And even the stock ones I believe are only used for traffic monitoring and creating firewall rules so probably isn't even critical to update those, but can't hurt. You can just do an "nvram show | grep -i ifname" to find all the variables, or search for the stock names like wl0.2 and wl1.2 to see where they are listed and move them around as needed.

Keep in mind if you flush iptables and ebtables (need to do both especially if you leave access intranet disabled) clients could potentially access the router GUI but only if they knew to change their IP to a subnet that is the same as the router's LAN IP so not much concern there. You likely don't have to flush those at all if you have LAN access enabled.

No need to disable NAT acceleration. You technically don't even have to disable NAT since you aren't using the WAN. Just disabling DHCP is obviously the critical part, and making sure your router LAN IP is in the pfsense's VLAN 1 subnet, the subnet masks match, and the IP isn't conflicting with anything obviously.

Obviously don't use the WAN port for anything, or if you want to, use robocfg to remove vlan 2 from it and change it to a different VLAN, but I'd just leave it unused, too many potential things to interfere. Or I guess in that router's case the WAN port is probably the RJ11 DSL port? In that case you aren't using it anyway obviously.

I'd factory reset and start over.
Can't thank you enough for this detailed post drinkingbird, I will definitely try this over the weekend and update here.
 
Hello again drinkingbird,

I have done the config as you recommended and at the beginning it seemed OK as I was testing one device at a time, but when I connect a device on each VLAN only one works at a time! I don't know why!


The pfsense is connected to the tagged port on the router which is configured like this:

Bash:
#!/bin/sh

# multi SSID with VLAN script, for ASUS DSL-AC68U with merlin 386.10-gnuton1.
# DHCP service is configured by main router pfsense in my case,
# This DSL has NAT and DHCP turned off and it's acting as a dumb AP


# configure vlans on switch ports
# robocfg is Broadcom BCM5325/535x/536x/5311x switch configuration utility
robocfg vlan 40 ports "1t 3u 5t"
robocfg vlan 50 ports "1t 4u 5t"

# add vlan interface on merlin at eth0[switch 5 Port]
vconfig add eth0 40
vconfig add eth0 50

# then up it
ifconfig vlan40 up
ifconfig vlan50 up

# remove guest wifis from br0   wl0.x-->guest wifi 2.4 GHz   wl1.x-->guest wifi 5.0 GHz
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl delif br0 wl0.3
brctl delif br0 wl1.3

# add linux network bridge
brctl addbr br40
brctl addbr br50

# add guest wifis to linux network bridge
brctl addif br40 wl0.2 wl1.2
brctl addif br50 wl0.3 wl1.3

# add interfaces to linux network bridges
brctl addif br40 vlan40
brctl addif br50 vlan50

# up linux network bridge
ifconfig br40 up
ifconfig br50 up

# setting nvram values must be correct. if NOT correct, will reject wireless client request.
nvram set br0_ifname="br0"
nvram set lan_ifname="br0"
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set br0_ifnames="vlan1 eth1 eth2"

nvram set lan1_ifnames="vlan40 wl0.2 wl1.2"
nvram set lan1_ifname="br40"
nvram set br40_ifname="br40"
nvram set br40_ifnames="vlan40 wl0.2 wl1.2"

nvram set lan2_ifnames="vlan50 wl0.3 wl1.3"
nvram set lan2_ifname="br50"
nvram set br50_ifname="br50"
nvram set br50_ifnames="vlan50 wl0.3 wl1.3"

killall eapd

eapd

# Flush ebtables and iptables --> clear all rules
ebtables -F
iptables -F

# Restart HTTP GUI
service restart_httpd
 
After some experimenting I disabled security on both Guest networks and they started working simultaneously but I am not sure if that is the cause!
 

I've never seen the "u" tag used with robocfg, it should just not say "t" if you want it untagged, not sure if that is related.

As I mentioned before there are no such firmware variables as "br40_ifname" "br50_ifnames" etc. Also you are overwriting the lan if names variables and removing stuff from them which could be causing problems. You need to include the complete string, existing plus changes (removals or additions).

You also have to do nvram commit after changing nvram variables.

What do you mean disabling security on guest networks - does that mean enabling LAN access or making them open networks with no key/WPA2 etc?

Have you looked at just using freshtomato so you can do this all via the GUI? I think you're maybe in a bit too deep in the CLI.
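An added example, not drinkingbird's or jetonr's script and not firmware code, that puts the nvram advice from the two replies above into practice: edit the firmware's existing *_ifnames lists (remove and add members, keep everything else in them), refuse to create variables the firmware never defined, and finish with `nvram commit`. The list helpers are plain string functions that can be checked off the router. The port numbers (4 = uplink to pfSense, 5 = CPU port), VLAN IDs 30 and 40, and the Guest 2/3 interface names wl0.2/wl1.2 and wl0.3/wl1.3 are assumptions lifted from the thread's discussion; adjust them to your own layout.

```shell
#!/bin/sh
# Move Guest 2 and Guest 3 onto their own VLANs without clobbering the
# firmware's nvram lists (added example; assumptions noted in comments).

# list_remove "a b c" "b c" -> "a"   (drop every word of $2 from $1)
list_remove() {
    list=$1; drop=$2; out=""
    for item in $list; do
        skip=0
        for d in $drop; do [ "$item" = "$d" ] && skip=1; done
        [ $skip -eq 0 ] && out="$out $item"
    done
    printf '%s' "${out# }"
}

# list_add "a b" "b c" -> "a b c"   (append words of $2 not already present)
list_add() {
    out=$1
    for item in $2; do
        case " $out " in *" $item "*) ;; *) out="$out $item" ;; esac
    done
    printf '%s' "${out# }"
}

# Rewrite one nvram list as (current - $2 + $3), but only if the firmware
# already has that variable: a freshly invented one is never read by anything.
nvram_edit_list() {
    var=$1; drop=$2; add=$3
    if ! nvram show 2>/dev/null | grep -q "^$var="; then
        echo "skipping $var: not a firmware variable" >&2
        return 1
    fi
    new=$(list_add "$(list_remove "$(nvram get "$var")" "$drop")" "$add")
    nvram set "$var=$new"
}

# Full procedure; run on the AP as root. Assumed layout: port 4 is the
# trunk to pfSense, port 5 the CPU, VLAN 1 stays untagged (firmware default).
apply_guest_vlans() {
    robocfg vlan 30 ports "4t 5t"          # Guest 2 -> VLAN 30, tagged on trunk
    robocfg vlan 40 ports "4t 5t"          # Guest 3 -> VLAN 40, tagged on trunk
    vconfig add eth0 30 && ifconfig vlan30 up
    vconfig add eth0 40 && ifconfig vlan40 up

    # Pull the guest radios out of the trusted LAN bridge ...
    for wl in wl0.2 wl1.2 wl0.3 wl1.3; do brctl delif br0 "$wl"; done
    # ... and bridge each pair with its VLAN uplink.
    brctl addbr br30 && brctl addif br30 wl0.2 wl1.2 vlan30 && ifconfig br30 up
    brctl addbr br40 && brctl addif br40 wl0.3 wl1.3 vlan40 && ifconfig br40 up

    # Only edit the firmware's own lists; keep their other members intact.
    nvram_edit_list lan_ifnames  "wl0.2 wl1.2 wl0.3 wl1.3" ""
    nvram_edit_list lan1_ifnames "" "vlan30 wl0.2 wl1.2"
    nvram_edit_list lan2_ifnames "" "vlan40 wl0.3 wl1.3"
    nvram commit

    killall eapd; eapd                     # re-read the lists
}

# Offline demonstration of the list editing only:
list_remove "vlan1 eth1 eth2 wl0.2 wl1.2" "wl0.2 wl1.2"; echo
```

Because `nvram_edit_list` reads the current value first, running the script twice is harmless: `list_add` never duplicates a member, and `list_remove` of an absent member is a no-op.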
 
