Tutorial: How to use VLANs on your non-pro Asus router with 386 or 388 code (no scripting required)


drinkingbird

With 386 and 388 code base, you can make use of two built in VLANs (plus the main LAN VLAN 1) to further segment your wired and wireless network, even on non-pro models.
This definitely works in router mode on all models that support AiMesh and these code versions. From what I have seen (but haven't tried), it does NOT work in standalone AP mode: you will not have the option to enable LAN isolation (and thus create the VLANs), but I still need 100% confirmation on that. It does work with AiMesh slave/nodes as long as you have a master router set up; these VLANs are definitely on the WAN port, so you can put the switch inline with that (in that case your uplink to the main router and downlink to the AiMesh node must have all 3 or 4 VLANs configured as described below). I believe the VLANs will also be on the LAN ports too, but again I need confirmation on that. Even in wireless backhaul mode the VLANs should be there on both wireless and wired.

  1. Ensure you have one of the code versions above (either Asus stock or Merlin) installed. If you are upgrading from 384 or earlier, it is a good idea to hard factory reset and start from scratch, not from a backup. In fact that's a good idea for any code upgrade.
  2. Enable guest wireless 1 (must be #1) and set "access intranet" to "disabled". Note this is the stock or Merlin Asus guest VLAN config. Does not work with YazFi as far as I can tell.
    - If you only need one VLAN, you can pick either 2.4 or 5 GHz; if you want two, enable them both. Technically an additional SSID can slightly hurt the performance of your wireless, usually negligibly, but if you just need one, probably use 2.4 GHz so as not to impact your higher-performance 5 GHz. However, I have both enabled with no noticeable impact, even with SSID broadcasts on, so you may as well just enable both for future use/flexibility, even if you don't need 2 now.
    - If you do not need guest wireless and only want this for wired (or to feed another wireless AP), you can set the SSID to any random name (that isn't in use around you) and check the box to "hide" it. You can even shut off the wireless radios if you need no wireless at all on the main router.
  3. Hit apply, and when it has finished applying, reboot the router.
  4. Now all LAN ports (and the WAN port on AiMesh nodes) will have VLAN 501 (2.4 GHz guest, subnet 192.168.101.0/24) and/or 502 (5 GHz guest, 192.168.102.0/24) tagged on them. Normal devices plugged into these ports will ignore those tags and just use your main LAN VLAN 1 as always, so main LAN devices can plug right into the router LAN (or the external switch on VLAN 1).
  5. Get a switch with VLAN support. The Netgear 5-port GS305E is typically around $20 and the TP-Link 8-port TL-SG108E is usually around $27. Of course you can get larger switches for more money too; just make sure they are "smart" switches with 802.1Q VLAN support.
  6. Connect one port of that switch to any LAN port on the Asus (on AiMesh nodes, you can use the WAN port too). Usually you'll use either the first or last port on your switch and the Asus for this; those are the unofficial "uplink" ports on any switch. Note: on Asus routers with 8 ports, stick with LAN ports 1-4 for the uplink.
  7. On your switch, set that port to have VLAN 1 untagged, VLAN 501 and/or 502 tagged, and PVID set to 1.
  8. Set the rest of the ports (or at least the ones that won't be linked to another VLAN-aware device) to a single VLAN (1, 501, or 502), UNTAGGED. Choose the VLAN based on which network you want the port to have access to: VLAN 1 will be on your main LAN, 501 and/or 502 will be on your guest network(s).
  9. Set the PVID of those ports to match the same VLAN as in step 8 above (1, 501, or 502).

Your wired devices will now be in the respective VLAN/subnet and isolated from your main LAN (and also isolated from wireless devices in that same guest network).

A few notes:
- If you have a tri-band router (5 GHz-2) you will likely also have a VLAN 503 / 192.168.103.0/24 if you enable guest on that band. You can make use of that as well if you want.
- You cannot set DHCP reservations or modify the DHCP scope for the 192.168.101 and 192.168.102 subnets without doing a script (fairly easy script though). May be possible with YazDHCP, not sure.
- Two wired devices in the same VLAN on your switch will not be isolated from each other, so they can communicate (but they will be isolated from the main LAN and from wireless devices in that same guest VLAN). If you want two "guest" wired devices to be isolated from each other, put one in 501 and one in 502.

If you want to feed a downstream AP, there are a few options:
- If using AiMesh, set the port facing the AP the same as the uplink port from the router: VLAN 1 untagged, VLAN 501 and 502 tagged, PVID 1. That will allow AiMesh to work. (Include 503 also for tri-band routers.) Of course you can just plug it directly into the Asus router too if you have enough wiring.
- If using just a standard AP, decide which VLAN/subnet you want those devices to be in, and set that port to the corresponding VLAN ID and PVID (no tagging); all wireless clients (and physical ports) on that AP will be in that VLAN. Again, if you want it on VLAN 1 then you can just plug it directly into the Asus if wiring is in place.
- If you use an AP with VLAN support you can do similar to AiMesh: VLAN 1 untagged, VLAN 501 and 502 tagged, PVID 1, then configure the AP SSIDs into the respective VLAN(s). Plugging directly into the Asus is an option here too.

If you want to feed a downstream switch from this switch, basically the same as an AP above. You can send all 3 VLANs with 501 and 502 tagged just like the uplink port (assuming that downstream switch is a smart switch with VLAN support) or just put the port into one VLAN (untagged) and that downstream switch will have all ports in that VLAN.

In addition to the above you can still use guest wireless 2 and 3, but they will only work on the main router; you can't add them to the switch to put wired devices in them or feed them to another AP, etc. They use VLAN 1/main subnet along with firewall rules to isolate them off the main LAN, not VLANs, a totally different setup. It is possible to use scripting to move them around but that is not the intent of this post.

More advanced things are possible with scripting, such as:
- Allowing certain traffic to flow between VLANs, such as letting guest print to the main LAN
- Disabling isolation so wireless clients on the guest can see each other (and also the wired devices)
- Changing the subnets on those VLANs, the DHCP scope, lease time, adding DHCP reservations, etc.
Again, out of scope of this post though.

If you want more flexibility in the GUI or to configure ports on the Asus into specific VLANs (or you need more than the 3 VLANs), you can check out Fresh Tomato. It only supports certain router models, and the GUI is pretty complex and aimed at more advanced users, but it gives a lot of options for VLANs.
 
Thank you @drinkingbird for the detailed HowTo!
I can confirm it works very well as you described it.

To add a few more details: I have a Cisco SF302P switch in the middle, with 2 trunk ports (tagged), between the Asus router and the Netgear switch.
I confirm that on the TV connected to the Netgear switch I receive IP addresses from VLAN-501 in the range 192.168.101.X served by the Asus router.

TV --> Netgear switch -> Cisco switch -> Asus router -> internet


I also have a TP-Link Outdoor AP connected to the Cisco switch trunk port, and the TP-Link Guest-WiFi recognizes VLAN-501 and receives IP addresses in the range 192.168.101.X served by the Asus router.


Note: I am not sure if it is very intuitive in steps 8 & 9 described above; on the Netgear switch, for the ports that you want on VLAN-501, be sure that you have that port with PVID=501.
 

Same for TP-Link and many others: you have to specify both the outbound and inbound VLAN on the port. The PVID tells the switch what VLAN to put incoming untagged frames into, and the main 802.1Q VLAN setting for the port tells it what to send out the port (tagged, untagged, which VLAN if untagged, etc.).

Basically on a trunk port (a port that carries any tagged VLANs) your PVID will always be 1.
On access ports (no tagging, connecting normal devices like a PC or dumb switch) your PVID should always be the same as the VLAN you assigned to the port.

There is a separate discussion that can be had regarding not using VLAN 1 at all, a common security practice in the enterprise environment, but not really an issue in the home environment and would require some extensive scripting on the Asus to change that VLAN ID and tag it. Essentially in that design you pick a native trunking VLAN (say, 666 or 999) and it is only used as the untagged "control" VLAN on trunk ports. Then you use tagged custom VLAN IDs for all your "real" vlans, so like 50 for LAN, 501 for Guest 1, 502 for Guest 2. That's overkill and way outside this discussion since it would be major changes to the Asus and again, not really a concern in the home environment.
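The small model below is an added example, not code from this thread, from Asus firmware or from any switch vendor, written to make the PVID-versus-egress distinction in this reply and in steps 7-9 of the opening post concrete. It implements the two decisions a smart switch makes per frame: ingress classification (untagged frames land in the port's PVID, tagged frames are accepted only for VLANs the port is a member of) and egress treatment (sent untagged, sent tagged, or dropped). The five-port topology, the port names and the frames are constructed assumptions; the VLAN IDs and subnets are the ones the tutorial lists.

```python
"""Model of the 802.1Q port settings used in the tutorial (steps 7-9) and in
the PVID explanation above.

Added example; not code from the thread, from Asus firmware or from any
switch vendor. Port names and the sample topology are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional, Tuple

# VLAN IDs and subnets as the tutorial describes them on the Asus side.
VLAN_SUBNETS = {
    1: "main LAN",
    501: "192.168.101.0/24 (2.4 GHz guest 1)",
    502: "192.168.102.0/24 (5 GHz guest 1)",
    503: "192.168.103.0/24 (5 GHz-2 guest 1, tri-band only)",
}


@dataclass
class Port:
    name: str
    pvid: int                      # VLAN assigned to untagged frames arriving here
    untagged: set[int]             # VLANs this port sends out without a tag
    tagged: set[int] = field(default_factory=set)  # VLANs sent out with a tag

    @property
    def members(self) -> set[int]:
        return self.untagged | self.tagged

    @property
    def is_trunk(self) -> bool:
        return bool(self.tagged)


def ingress(port: Port, vlan_tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame: untagged frames land in the PVID, tagged
    frames are accepted only for VLANs the port is a member of."""
    if vlan_tag is None:
        return port.pvid
    return vlan_tag if vlan_tag in port.members else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """How this port sends a frame in `vlan`: 'untagged', 'tagged' or None (dropped)."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(in_port: Port, vlan_tag: Optional[int], out_port: Port) -> Optional[Tuple[int, str]]:
    """Trace one frame through the switch; None means it never leaves out_port."""
    vlan = ingress(in_port, vlan_tag)
    if vlan is None:
        return None
    how = egress(out_port, vlan)
    return None if how is None else (vlan, how)


def lint_port(port: Port) -> list[str]:
    """Check a port against the rules stated in the thread: a trunk carries
    VLAN 1 untagged with PVID 1; an access port has exactly one untagged VLAN
    and its PVID equals that VLAN (steps 8 and 9)."""
    problems = []
    if port.is_trunk:
        if port.pvid != 1 or port.untagged != {1}:
            problems.append(f"{port.name}: trunk should be VLAN 1 untagged, PVID 1")
    elif len(port.untagged) != 1:
        problems.append(f"{port.name}: access port must have exactly one untagged VLAN")
    else:
        (vlan,) = port.untagged
        if port.pvid != vlan:
            problems.append(
                f"{port.name}: untagged VLAN {vlan} but PVID {port.pvid}; frames from "
                f"the device enter VLAN {port.pvid} ({VLAN_SUBNETS.get(port.pvid, '?')})"
            )
    return problems


def build_example_switch() -> dict[str, Port]:
    """Constructed 5-port smart switch: uplink per step 7, access ports per
    steps 8-9, and one port where step 9 (PVID) was skipped."""
    return {
        "p1_uplink": Port("p1_uplink", pvid=1, untagged={1}, tagged={501, 502}),
        "p2_pc": Port("p2_pc", pvid=1, untagged={1}),
        "p3_tv": Port("p3_tv", pvid=501, untagged={501}),
        "p4_wrong": Port("p4_wrong", pvid=1, untagged={501}),   # PVID left at 1
        "p5_guest2": Port("p5_guest2", pvid=502, untagged={502}),
    }


def audit(switch: dict[str, Port]) -> list[str]:
    """Run lint_port over every port and collect the findings."""
    return [p for port in switch.values() for p in lint_port(port)]


if __name__ == "__main__":
    sw = build_example_switch()
    print("router -> TV (tag 501):   ", forward(sw["p1_uplink"], 501, sw["p3_tv"]))
    print("TV -> router (untagged):  ", forward(sw["p3_tv"], None, sw["p1_uplink"]))
    print("TV -> guest-2 port:       ", forward(sw["p3_tv"], None, sw["p5_guest2"]))
    print("mis-set port -> router:   ", forward(sw["p4_wrong"], None, sw["p1_uplink"]))
    for problem in audit(sw):
        print("CHECK:", problem)
```

Running it shows why step 9 matters for isolation rather than just for connectivity: the port with untagged 501 but PVID 1 still receives guest frames from the router, yet everything the attached device sends is classified into VLAN 1 and leaves the uplink untagged, on the main LAN. The `audit` function flags exactly that port; the same check applied to a trunk catches a PVID other than 1.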
 
Thanks so much for this detailed tutorial!

I want to do something similar with my AX86U, which is to set up a second subnet without DHCP where I manually put certain devices by assigning them IPs in that subnet (this will include wired devices). That subnet will then have its own WAN by enabling the dual WAN load balancing function and only assigning a WAN to the devices in that subnet. Devices will only be able to see other devices in their own subnet and the router, but won't be able to see the devices in the other subnet.

But I don't want to have a separate VLAN or SSID or guest network, I just want two subnets. DHCP will handle all "regular" devices, and I will manually put the ones I want in the other subnet. Is this at all possible with the AX86U or even the Pro version? I can't find any information on subnetting as separate from VLANs. I'd be ok using Merlin if it's needed for this, but I don't know how to do scripting. :(
 

What you're looking to do would require VLANs (or two separate routers). Unfortunately without scripting you can't do what you want on a single standard Asus router, but the Pro does have VLAN support and advanced guest so may be possible there.
 

Thanks. Is there any chance that the VLAN support from the Pro could be adapted by Merlin to the non-Pro AX86U Merlin firmware?
 
Would you mind sharing the script for DHCP? Does it require Merlin?
 
I arrived at post #9 in response to a notification.
Would you mind sharing the script...
struck me as funny, seeing as the thread title includes "no scripting required"! Will now review the thread...
 
Well, I started the review and will have to defer. While I find the subject of VLANs interesting, I have no use for them at this time...
 
The reason I ask is that if I can get DHCP reservations along with VLANs, I see no reason to upgrade my perfectly working network equipment.

I have managed/smart switches on the way to my house to replace dumb switches so that if I ever make a move towards a controller etc the rest of the network is ready.
 
If your interest is still only DHCP reservations rather than VLANs in particular I suggest you continue in your original thread here: https://www.snbforums.com/threads/p...on-merlin-or-stock-firmware.84105/post-829323

As it says in post #1, this thread is about VLANs, and discussions about things like DHCP are out of scope for this thread.
 
@drinkingbird, a big thanks to you for the OP, which lit the way to meeting my networking needs without having to purchase a new pro router I don't otherwise need. Many years ago I bought a used but fancy 24-port HPE PoE managed gigabit switch so I could add some PoE cams to my home. The switch does VLANs and my AX86U (running Merlin of course) has had internet-only guest networks running for a while. I've seen the 101 and 102 subnets for wifi guests for a while, but I had no idea the dang router already tags the guest networks on the ports. My kids insist on playing Fortnite with that sketchy kernel-level anti-cheat software, and they recently have been bugging me for wired access (we do have 1G u/d service). After reading your post, I'm ready to get them wired up safely.

FWIW, I am using link aggregation between the router and switch... not sure if anyone has tested 501 and 502 with bonded ports yet, but I'm planning to try it tomorrow morning.
 
I'm happy to report back that it is working well with the bonded ports. On my HPE switch, when I create a group of LACP-bonded ports, the group shows up in the web UI as "BAGGX" (X=1 for the first bonded group, X=2 for the second group, etc.). In the switch's VLAN settings I simply tagged 501 and 502 to the router's bond group (BAGG2 in my case; incidentally the switch synced both of the individual ports used for BAGG2 with the same 1 untagged, 501 & 502 tagged). Then I changed the untagged PVID on the ports my kids' PCs are plugged into from 1 to 501 and 502 (all ports were previously PVID 1, aka it was just being used as a simple switch). After resetting the connections to their PCs, they got the proper 101 and 102 subnets and are now segmented from my main LAN (PVID 1).

I presume on my switch this would work the other direction as well... for example, if I wanted BAGG1 to be on VLAN 501 (PVID 501) instead of my main LAN (PVID 1), I could just change it from untagged 1 to untagged 501 (although for me this would be silly since my guests are isolated from each other as well). I also assume most other switches with 802.1Q & LACP would work similarly. The process overall went quick and smooth, with a service interruption of only a few seconds as the connections were reset.
 
Thanks @drinkingbird for your post! I know the post says no scripting is required, but I believe I just may have to use scripting to achieve what I'm after. I have two RT-AC5300s and I want to simply use them as access points with OPNsense. I want to do all of my routing in OPNsense. When I switch the AC5300 to AP mode, the bridges and VLANs disappear. Where does ASUS write those? Maybe it will help me with the script.

 
I feel like I may be dredging up an old thread, but the question I have is intimately related with the OP so...

I recently configured VLANs on my switch connected to my AX86U using info from this thread, and I am having a problem with severely slow download speeds (dl/ul ~10/900, not missing a zero... with a 1000 Mbps symmetrical connection) on one particular client that is connected through an untagged VLAN port (PVID 501). OTOH this issue goes away when I connect this PC to the main VLAN (PVID 1) instead. Another much older PC is connected to the same VLAN and is having no issues, getting a consistent dl/ul of ~930/930.

This makes me think there may be a problem with the newer Intel ethernet hardware or drivers on the affected PC. It's running a Z590 mobo which has an Intel I225 NIC (all latest drivers). I read across this page that made me wonder if it is the I225 NIC causing the problem... but no idea what Hyper-V is lol:

Has anyone else seen or heard of Intel I225 NICs having issues with VLANs? Any solutions to help me get this PC full DL speed with the VLAN? It's my son's "infested gaming PC" so I really want to keep it off PVID 1. I have a fancy HPE switch with some L2 features that I don't really use, but maybe something there could be of use, so I figured I should mention it. Any help is greatly appreciated... TIA.

Kevin
 
Just wanted to follow up with more info I found since I posted...

The switch is an HPE V1910, which actually has some layer 3 functions (static routing etc.). So it may be a bit more complicated to configure for this. The switch has a web UI page that contains VLAN interfaces, and only the subnet for VLAN 1 appears there (22.3 is the switch itself, the router is at 22.1).

[image: vlanIF.jpg]


Not sure if that's all that's needed there. There are also several lines in the IPv4 routing page (VLAN 1 = *.22.X):

[image: ipv4Routing.jpg]


I disabled the DHCP functions on the switch since I thought that could be a problem, but that didn't seem to change anything. Reading on this, I saw some folks mention similar issues that may be related to the router-connected switch ports being of the hybrid type (rather than trunk or access). I noticed that the ports connected to my router are also in hybrid mode. I think that's because I have 1 untagged and 501 tagged... it won't call it a trunk port with the untagged membership, I think... but I'm worried I'll lock myself out of the switch if I remove PVID 1 from the router-connected ports. I was hoping I could configure this switch to work like the ones mentioned in the OP.

I know very little about networking outside of the very basics. I really don't need any L3 features, and figure a simpler switch like mentioned in the OP would just work. However I got the switch years ago for the POE (used on ebay... for cameras), and really don't want to add more clutter to my gadget closet if possible. I'm sure this switch is capable of doing everything the $30 basic switches can do, and it certainly meets all my needs otherwise.

Any tips on how to get VLANs working with my AX86U and this switch would be very much appreciated. I'd also appreciate any links to info that would help me learn the parts of networking I need to know to understand how/why this happens. It is weird that the older PC seems to work fine regardless, but I figure I may have something misconfigured on the switch that's making the newer NIC puke when connected to a PVID besides 1. Seems like many lessons about networking to be learned here.
 