Menu
What's new
By:
Filters Better Search

RT-AC68U router mode and port isolation

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

E

Enigmas

New Around Here
Hey all,

I've been going through this forum (and also reddit lol) for the whole day. I've been banging my head on this for a while now, so decided to ask you wiser guys :).

I am running RT-AC68U in router mode with the newest AsusWRT-Merlin firmware (installed it today) and my WLAN is configured with Ruckus controller + AP's. My home network is pretty similar to every other; few smartphones/tablets, smart TV, HP printer, laptop and desktop PC. On top of that (which are probably not so common) I have a few IoT things scattered here and there (LAN and WLAN connections), and also a chinese CCTV system (NVR with 6 security cameras) behind a wireless mesh connection in another building.

I've run this combo for 7+ years but it has always bugged me, that all the devices are in my "main subnet" (192.168.1.0/24). Now that I had some spare time I decided to look into this issue and thought it would be easy, but it wasn't (ofc not).

I can handle the WLAN IoT devices easily (I can isolate them from all other clients with my WLAN configuration), but I'd like to configure one (or two) physical ethernet ports on my RT-AC68U to another subnet (ie. 192.168.2.0/24). This subnet must not have any access to the main subnet, but needs to access the internet.

I have the most basic idea how I would do that (for reference: https://wu.renjie.im/blog/network/ax88u-vlan/), but for the life of me I can only see eth0, eth1 and eth2 on my Asus with ifconfig, but robocfg showports shows ports 0-5, 7-8 (0=WAN, 1-4=LAN1-4, 5, 7-8=something related to WLAN). So I can't create a new bridge, which only has one physical ethernet port assigned to it.

How in the name of all that is holy can I manage to do this? :)


BR,

Eddy
 
Maybe see the following discussions and see if anything there helps...
www.snbforums.com

AC68 intermittently VLAN tagging

I have an RT-AC68-U in AP mode running Merlin 386.11. I am trying to segregate my guest network on it's own VLAN. The AC68 is connected via the WAN port to an OpnSense router. I've followed the guidance I've found here on configuring VLANs on the AC68 and believe I have configured it correctly...
www.snbforums.com www.snbforums.com
www.snbforums.com

Some strange VLAN settings

I have a T-mobile brand of Asus RT-AC68U router. I have updated the CFE to Asus 1.0.2.0 and firmware to Merlin 376.47. Everything seems to work fine. Now I want to update VLAN settings to create a private network out of port 4 (following this...
www.snbforums.com www.snbforums.com

Otherwise do a search for robocfg, vlan and rt-ac68u to get a number of returns on past discussions.
 
ColinTaylor said:
Do not use this as a basis for your attempts. As Renjie points out, his AX88U (and the other HND routers) are completely different than the older models, like the RT-AC68U.

Look for existing posts on how to create custom VLANs using robocfg on the RT-AC68U.
Click to expand...
Thanks for the tip :).

I've been going through this forum for quite a while but haven't stumbled upon a similar post.

One thing that bugs me is, do I need to use Jffs scripts or can I write the configuration to nvram?

-E

EDIT:

Allright I had a little more time to look into this. I am sorry for my very noobish questions.. Now I got the hang of it, and I think I know how to do this.

I was able to get an IP address from the guest network range (192.168.101.0/24) from my physical port 4 (commands: robocfg vlan 1 ports "1 2 3 5t" and robocfg vlan 501 ports "1t 2t 3t 4 5t"). And the network acted like a guest network (no access to home network, internet access working). So success, I guess? :)

This just isn't enough right now, because I need to be able to use DHCP and IP reservations for my camera and access point configuration. So I can't use the VLANs created by the guest network, but I do need to create a new VLAN and make a new bridge for it and some miscellaneous configuration. I've scoured this site (and also other sites) and have come up with this (which I will probably run as script services-start):

Code: 
#create vlan100, tag it in port 4 and bring the vlan interface up
vconfig add eth0 100
robocfg vlan 100 ports "0t 4 5t"
ifconfig vlan100 up

#create bridge 100 and add vlan100 interface to it
brctl addbr br100
brctl stp br100 on
brctl addif br100 vlan100

#set ip address for br100 and bring it up
ifconfig br100 192.168.2.1 netmask 255.255.255.0
ifconfig br100 allmulti up

#configure nvram to allocate only vlan1 and wireless home network to br0
nvram set br0_ifname="br0"
nvram set lan_ifname="br0"
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set br0_ifnames="vlan1 eth1 eth2"

#configure nvram to allocate only vlan100 to br100
nvram set br1_ifname="br100"
nvram set lan1_ifname="br100"
nvram set lan1_ifnames="vlan100"
nvram set br1_ifnames="vlan100"

I have a feeling this is missing a lot of something, but it is a start. I know that I am missing at least routes and probably some firewall rules in iptables. The biggest issue I have, is that this RT-AC68U is up and running and I am very afraid to brick it (because wifey needs her Netflix and such). So that's the main reason I am taking this so carefully and I can't really test these configs anywhere else..


Hope this gives you guys a better view of what I want to achieve and how I might be able to get there.

-E
 
Last edited:
And finally I was able to achieve what I needed by using @eibgrad's tutorial :). Why oh why I did not stumble in to this post earlier..

Actually I went ahead and created two new subnets, for ports 3 and 4. I might have use for the other one too. Now that I know how @eibgrad's script works, I may be able to configure my router without the script!

Default firewall rules in the script were wonderful. I have just a few little quirks here and there which I might need to look into, but so far this has worked like a charm for me :).

Thanks to you guys, and keep the flag high!

-E
 
You must log in or register to reply here.

Similar threads

PaulA
Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP
Replies
1
Views
296
PaulA
PaulA
E
OpenVpn
Replies
11
Views
391
enrico
E
E
Guest network isolation - what did I miss?
Replies
0
Views
585
eightiescalling
E
HELLO_wORLD
Tutorial Adding custom SSID and specific VLAN (for IOT for example)
Replies
14
Views
833
alexnev
A
elrengo
[RT-AC3100] - Internet Connection is degraded
Replies
6
Views
270
sfx2000
sfx2000
Similar threads
Thread starter Title Forum Replies Date
R RT-AC68U Router mode w/ firewall only ASUS AC Routers & Adapters (Wi-Fi 5) 6
Zakalwe How do I check the performance of my router? [RT-AC68U] ASUS AC Routers & Adapters (Wi-Fi 5) 15
Y is my ac68u dying? router is not assigning ips to automatic ip configured devices...static ip works fine ASUS AC Routers & Adapters (Wi-Fi 5) 7
StrikerXXX How to access my ONT huawei EG8145V5 from router asus rt-ac68u v3? ASUS AC Routers & Adapters (Wi-Fi 5) 2
pathe915 RT-AC68U - Issues and problem with upgrading firmware ASUS AC Routers & Adapters (Wi-Fi 5) 4
M Asus RT-AC68U ASUS AC Routers & Adapters (Wi-Fi 5) 5
P Asus 4g ac68u no wifi and lan detection ASUS AC Routers & Adapters (Wi-Fi 5) 0
M ORIGINAL DSL-AC68U CFE DUMP??? ASUS AC Routers & Adapters (Wi-Fi 5) 0
D Asus DSL-AC68U can someone check my line stats ASUS AC Routers & Adapters (Wi-Fi 5) 0
IVB RT-AC68U with really BIG USB disk ASUS AC Routers & Adapters (Wi-Fi 5) 25

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 949 (members: 25, guests: 924)
Top