RT-AX88U Vlan bridge/port questions

[torchddv]

I have an RT-AX-88U running the latest (3004.388.4) version of Merlin. Wan type is auto IP. I have a couple of guest networks set up already through the GUI.

I now have a relative that will be staying long term in a guest cabin and wish to provide him a wired VLAN on physical port 1 only (no wireless, no connection to other networks). He can set up his own wifi access point inside the cabin.

From this article, referenced in several threads here at snbforums, Port 1 is interface eth4 and basically the process is to drop eth4 from br0, create a new br1 then bind eth4 to br1. If I understand correctly.

So here's the issue: "brctl show" reveals that I already have a br1 and a br2 with a whole host of strangely numbered interfaces:

bridge name bridge id STP enabled interfaces
br0 8000.7c10c90538c8 yes eth1
eth2
eth3
eth4
eth5
eth6
eth6.0
eth7
eth7.0
wl0.3
br1 8000.7c10c90538c9 yes eth1.501
eth2.501
eth3.501
eth4.501
eth5.501
eth6.501
eth7.501
wl0.1
br2 8000.7c10c90538cd yes eth1.502
eth2.502
eth3.502
eth4.502
eth5.502
eth6.502
eth7.502
wl1.1

Are these additional interfaces related to the guest networks? Does the numbering somehow co-relate the physical port to the guest networks? Do I need to drop eth4.501 from br1 and eth4.502 from br2 to ensure isolation of physical port 1 from the rest of my network? I assume I can create a br3 for eth4. Do I need to also add eth4.501 and eth4.502 to br3, or can I leave them because they are related to the wifi guest networks?

As you can probably tell, I'm not very experienced with this level of configuration. Heck, I struggle to understand the GUI at times. So please speak slowly and use small words ;-)

 

[ColinTaylor]

Bridge br1 and VLAN 501 is 2.4GHz Wi-Fi guest #1.
Bridge br2 and VLAN 502 is 5GHz Wi-Fi guest #1.

These are special cases required to support guest networks on AiMesh nodes. Avoid using these bridges and vlans.

 

[torchddv]

Avoid using these bridges and vlans.

I assume they were created by the GUI interface when I made the guest networks? By "avoid using these bridges" do you mean they shouldn't be there at all, or I should drop eth4 from those bridges and just connect eth4 to a new bridge (eg: br3)?

 

[ColinTaylor]

I assume they were created by the GUI interface when I made the guest networks?

Correct. But only for the first guest network on each band. Like I said, it's a special case.

By "avoid using these bridges" do you mean they shouldn't be there at all, or I should drop eth4 from those bridges and just connect eth4 to a new bridge (eg: br3)?

I mean don't use br1, br2, vlan 501 or vlan 502 in your bespoke modifications because they will conflict with what Asus are already using them for.

 

[torchddv]

Sorry to be a pest, but just to be clear: do I drop eth4 from br1, br2, vlan 501 and vlan 502 to ensure separation?

 

[torchddv]

Sorry to be a pest, but just to be clear: do I drop eth4 from br1, br2, vlan 501 and vlan 502 to ensure separation? Or would that break something?

 

[ColinTaylor]

Sorry, I haven't looked into any of those bespoke modifications. I was just answering your question "Are these additional interfaces related to the guest networks?".

 

[torchddv]

Ah. Have to see what happens I guess.

In order to isolate it from br1, for example, would the correct syntax be

"brctl delif br1 eth4"
or
"brctl delif br1 eth4.501" ?

 

[torchddv]

Well, I tried adding the scripts (modified to create br3 instead of br1). And nothing happened. So I tried entering the lines individually in a command prompt (putty). I successfully created br3, and moved eth4 to br3, as shown by brctl show.

But the next step, "ipcofig br3 192.168.150.0 netmask 255.255.255.0" produced the error message "line 1: sbinifconfig: not found".

Anybody know what sbinifconfig is and where I can get one? Is this a typo in a script that's really looking for sbin/ifconfig ?

 

[octopus]

Well, I tried adding the scripts (modified to create br3 instead of br1). And nothing happened. So I tried entering the lines individually in a command prompt (putty). I successfully created br3, and moved eth4 to br3, as shown by brctl show.

But the next step, "ipcofig br3 192.168.150.0 netmask 255.255.255.0" produced the error message "line 1: sbinifconfig: not found".

Anybody know what sbinifconfig is and where I can get one? Is this a typo in a script that's really looking for sbin/ifconfig ?

You have missed "ipcofig br3 192.168.150.0 netmask 255.255.255.0"
should be: ipconfig or ifconfig

 

[ColinTaylor]

Anybody know what sbinifconfig is and where I can get one? Is this a typo in a script that's really looking for sbin/ifconfig ?

In addition to the previous reply, please post the entire contents of the script that you're running as we have no idea what it is. Also post a screen shot showing how you're running the script and the output it produces.

 

[torchddv]

ipconfig makes more sense, but the series of scripts all call ifconfig repeatedly.

I copy-pasted from this article:

LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16

Although there is no more robocfg command on HND platform and Asuswrt-Merlin lacks GUI support on creating VLAN, port-based VLANs (or static VLAN) can still be achieved by separating ethernet interfaces into isolated bridges and applying firewall (ebtables or iptables) rules.

wu.renjie.im

into a text editor, changed the specifics, then saved the files, copying to the scripts folder and made them executable. Then I rebooted the router.

Here is a screenshot of the putty window where I am trying the commands one by one. As you can see, it couldn't find iptables either. Maybe I need to specify the path?

 

[ColinTaylor]

I don't know where you're getting those sbin commands from. I don't see them anywhere in the article you linked to.

It looks like you've installed an Entware version of ifconfig???

P.S. The correct command is ifconfig. ipconfig is a Windows command not a Linux command.

 

[torchddv]

I tried sbin\iftables just to see if it was a corruption of sbiniftables in the error message "line 1: sbinifconfig: not found". I tried sbin\iptables for the same reason, given the suggestion that iptables was the correct name.

Entware was installed by Diversion automagically. Is that a problem?

 

[torchddv]

The internet tells me that ifconfig has been depreciated by ip -- and I do seem to have that available.

The command ip addr add 192.168.150.1/24 was accepted following which the query ip addr show dev br3 reads back the same address.

I assume this is because I am running the latest version of the Asus-Merlin firmware?

 

[torchddv]

Instead of the "ifconfig br3 allmulti up", I entered these two lines in the command shell and they seem to be accepted (as per the results of "ip addr show dev br3"):

ip link set br3 up
ip link set br3 allmulticast on

So I put those lines in the services-start script and commented out the ifconfig lines and rebooted.

The log shows services-start executed successfully. And eth4 is now on a different network. But it's not handing out IP addresses when I connect a computer to that port. If I manually assign an IP in the 192.168.150.x subnet, there does not seem to be any internet connectivity (eg: can't ping google).

I assume there must be something amiss with dnsmasq.conf.add (which was saved to the jffs/configs/ directory and set to executable). Here is the script, any idea what is wrong?


interface=br3
# DHCPv4 range: 192.168.150.2 - 192.168.150.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br3,192.168.150.2,192.168.150.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 192.168.150.1
dhcp-option=br3,3,192.168.150.1
# DHCPv6 RA interval: 10s, router lifetime: 600s
ra-param=br3,10,600
# DHCPv6 range: whole subnet, constructing from br3's prefix
# DHCPv6 prefix length: 64, mode: Stateless DHCPv6
# DHCPv6 lease time: 600s (10 minutes)
dhcp-range=br3,::,constructor:br3,ra-stateless,64,600
# DHCPv6 DNS (option 23): inherit from the router
dhcp-option=br3,option6:23,[::]

 

[ColinTaylor]

I assume this is because I am running the latest version of the Asus-Merlin firmware?

No it's nothing to do with you running Merlin firmware. Both commands should be available. Something on your router is braking the ifconfig command.

 

[torchddv]

I don't know why ifconfig can't be found, but since ip can be found I'm running with that for now.

I may have made an error in setting up the br3 interface though. Comparing results of ip addr show dev br0 to ip addr show dev br3, I noticed there is no broadcast address in the latter results. I'm going to try ip addr add 192.168.150.1/24 brd + dev br3 instead, which results in a broadcast address of 192.168.150.255

 

[torchddv]

That wasn't the answer either, still not getting an ip address, still can't even ping google when manually setting an IP in the 192.168.0 subnet although the results from both br0 and br3 seem to correspond now:

xxxy@RT-AX88U-38C8:/tmp/home/root# ip addr show dev br0
24: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 7c:10:c9:05:38:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
valid_lft forever preferred_lft forever

xxxy@RT-AX88U-38C8:/tmp/home/root# ip addr show dev br3
46: br3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 7c:10:c9:05:38:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.150.1/24 brd 192.168.150.255 scope global br3
valid_lft forever preferred_lft forever
verhey@RT-AX88U-38C8:/tmp/home/root#

 

[torchddv]

That wasn't the answer either, still not getting an ip address, still can't even ping google when manually setting an IP in the 192.168.0 subnet

Sorry, that should be 192.168.150 subnet. IE the computer currently plugged into br3. Obviously this one is working!