VLAN Configuration

Discussion in 'ASUS AC Routers & Adapters' started by Blargh, Nov 30, 2012.

  1. Blargh

    Good afternoon,

    I'm using RMerlin's 3.0.0.4.246.20 Merlin build software on my new RT-AC66U, and playing around with trying to get VLANs working.

    What I want to do is:
    WAN - Internet access, untagged
    LAN 1, 2, 3, wifi - VLAN A, bridged together (ala fairly normal)
    LAN 4 - VLAN B

    I'm wanting separate address pools on VLAN A and VLAN B, plus needing some specialized NAT configuration. I'm very familiar with Linux in general (so have no problems building the route rules, iptables configs, etc.)

    My problem is getting the Broadcom switch onboard to actually do the VLAN setup.

    I've been poking at the robocfg utility, however it seems to be just slightly incompatible with the newer BCM53125 chipset that's onboard the RT-AC66U - it doesn't quite do VLAN configuration correctly (it looks like the tagging method is getting changed from 802.1Q to something else) and can't even reset the stock settings correctly (comparing robocfg dump before and after - there's a few registers different in page 0x05 - and afterwards no traffic is flowing correctly across the LAN ports).

    I've looked through the init-broadcom.c source code as part of the firmware, and it is doing VLAN configuration with 'et robowr' calls and not using robocfg.

    I don't doubt I'll figure this out eventually with a combination of the source code to the driver and init-broadcom.c, but before I burn a lot of time to do so, I figured I'd ask if anyone here has gotten this to successfully work (either a newer version of robocfg, or some example scripts using 'et robowr' to do it)?
     
    Last edited: Nov 30, 2012
  2. Blargh

    Alright, so after reading some source code and a little poking, here's a little info on how to do this. I'm fairly sure this is the ugly, brutish way, but it worked for what I needed.

    Keep in mind internally you apparently can only use up to VLAN ID 16 (I see warnings about that in the source) - I didn't care for my purpose, so didn't see if there was a way around this.

    To set up the switching portion takes four commands:

    1. Set the VLAN ID you want to modify in page 0x05, register 0x81, in hex. So for VLAN 3:
      et robowr 0x05 0x81 0x03
    2. Set a bit flag specifying what ports to have in this VLAN in page 0x05, register 0x083, and if they are untagged. There are 18 bits in this - one for each of the 8 ports on the chip (remember port 0 is your WAN port, ports 1-4 are your LAN ports, and port 8 is the CPU aka eth0). The most significant 9 bits get a 1 if that port is untagged (going from 8 at MSB to 0 at LSB), then the least significant 9 bits get a 1 if that port is joined to the VLAN. For my example, I want port 4 untagged and port 8 tagged:
      et robowr 0x05 0x83 0x02110
      (02110 = ..00 0010 0001 0001 0000, or (..87 6543 210) (8 7654 3210), with the first grouping marking untagged and the second marking membership)
    3. Trigger the write. This takes two calls:
      et robowr 0x05 0x80 0x0000
      et robowr 0x05 0x80 0x0080
    4. Set the VLAN untagged frames coming in on a port are assigned to by default in page 0x34, register 0x10+(2*portNumber). You need to set this for every untagged port you change. For my port 4 to go into VLAN 3:
      et robowr 0x34 0x18 0x03

    After doing this and resetting all VLANs, I was able to add VLAN 3 to eth0 and set it up:

    vconfig add eth0 3
    ifconfig vlan3 192.168.20.1 netmask 255.255.255.0 up

    As a note, "robocfg show" *does* show the correct information, but its VLAN set capability doesn't work (I'm guessing it's using the old set of registers for doing VLAN sets - they changed them in 53115 it looks like).

    Hopefully a bit of info to help folks out. I've been experimenting a fair bit and haven't blown anything up (had to reboot a couple times though), but of course I'm not liable if you turn your router into a steaming pile of slag somehow :)
     
  3. Blargh

    One thing I haven't quite figured out - it LOOKS like the et command's robowr option only allows up to 16 bits, so how to mark port 8 (the CPU) untagged is a bit of a mystery through that interface.
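
Added example, not part of the thread: a POSIX shell helper that builds the register 0x83 value from port lists using the bit layout given in the posts above and prints the 'et robowr' sequence as a dry run instead of writing to the switch. The function names are hypothetical, the VLAN ID lower bound of 1 is an assumption, and values that need more than 16 bits are rejected because of the limit described in the preceding post.

```shell
#!/bin/sh
# Added example, not from the thread. Register layout as described in the post:
# page 0x05 reg 0x83: bits 0-8 = member ports, bits 9-17 = untagged ports.

# port_mask "1 2 8" -> integer with one bit set per listed port (0-8)
port_mask() {
    mask=0
    for p in $1; do
        case "$p" in
            [0-8]) mask=$(( mask | (1 << p) )) ;;
            *) echo "invalid port: $p" >&2; return 1 ;;
        esac
    done
    echo "$mask"
}

# vlan_reg MEMBERS UNTAGGED -> hex value to write to register 0x83
vlan_reg() {
    members=$(port_mask "$1") || return 1
    untagged=$(port_mask "$2") || return 1
    if [ $(( untagged & ~members )) -ne 0 ]; then
        echo "an untagged port is not a member of the VLAN" >&2; return 1
    fi
    value=$(( (untagged << 9) | members ))
    # The thread reports that 'et robowr' seems to accept only 16 bits, so
    # untag bits 16-17 (ports 7 and 8) are rejected instead of truncated.
    if [ "$value" -gt 65535 ]; then
        echo "value needs more than 16 bits" >&2; return 1
    fi
    printf '0x%04X\n' "$value"
}

# vlan_cmds VID MEMBERS UNTAGGED -> print (not run) the command sequence
vlan_cmds() {
    # Upper bound 16 follows the thread's warning; lower bound is an assumption.
    if [ "$1" -lt 1 ] || [ "$1" -gt 16 ]; then
        echo "VLAN ID out of range 1-16" >&2; return 1
    fi
    reg=$(vlan_reg "$2" "$3") || return 1
    printf 'et robowr 0x05 0x81 0x%02X\n' "$1"
    printf 'et robowr 0x05 0x83 %s\n' "$reg"
    printf 'et robowr 0x05 0x80 0x0000\net robowr 0x05 0x80 0x0080\n'
    for p in $3; do   # default VLAN for each untagged port: reg 0x10 + 2*port
        printf 'et robowr 0x34 0x%02X 0x%02X\n' $(( 0x10 + 2 * p )) "$1"
    done
}

vlan_cmds 3 "4 8" "4"   # dry run of the VLAN 3 / port 4 case from the post
```

Comparing the printed sequence with "robocfg show" after applying it by hand confirms that the membership and untag bits landed where intended.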
     
  4. Blargh

    So, putting a few more pieces together, and using Merlin's scripting abilities, here's what I have in /jffs/scripts/services-start (obviously I need to do some fine tuning and such, but this at least gets everything I care about working):

    #!/bin/sh

    # 0x83 format:
    # Untag? Ports
    # (87 6543 2108 7654 3210)

    # Remove ports 3 and 4 from VLAN 1
    et robowr 0x05 0x81 0x01
    et robowr 0x05 0x83 0x0D06
    et robowr 0x05 0x80 0x0000
    et robowr 0x05 0x80 0x0080
    # Create VLAN 3 with port 3 untagged and port 8 tagged
    et robowr 0x05 0x81 0x03
    et robowr 0x05 0x83 0x1108
    et robowr 0x05 0x80 0x0000
    et robowr 0x05 0x80 0x0080
    # Set port 3's default VLAN to 3
    et robowr 0x34 0x16 0x03
    # Create VLAN 4 with port 4 untagged and port 8 tagged
    et robowr 0x05 0x81 0x04
    et robowr 0x05 0x83 0x2110
    et robowr 0x05 0x80 0x0000
    et robowr 0x05 0x80 0x0080
    # Set port 4's default VLAN to 4
    et robowr 0x34 0x18 0x04
    # Create the interfaces
    vconfig add eth0 3
    ifconfig vlan3 XXX.XXX.XXX.XXX netmask 255.255.255.248 up
    vconfig add eth0 4
    ifconfig vlan4 XXX.XXX.XXX.XXX netmask 255.255.255.248 up
    # We allow these two VLANs to do whatever they want
    iptables -I INPUT 1 -i vlan3 -j ACCEPT
    iptables -I INPUT 1 -i vlan4 -j ACCEPT
    iptables -I FORWARD 1 -i eth0 -o vlan3 -j ACCEPT
    iptables -I FORWARD 1 -i eth0 -o vlan4 -j ACCEPT
    iptables -I FORWARD 1 -i vlan3 -o eth0 -j ACCEPT
    iptables -I FORWARD 1 -i vlan4 -o eth0 -j ACCEPT
    ip6tables -I INPUT 1 -i vlan3 -j ACCEPT
    ip6tables -I INPUT 1 -i vlan4 -j ACCEPT
    ip6tables -I FORWARD 1 -i v6in4 -o vlan3 -j ACCEPT
    ip6tables -I FORWARD 1 -i v6in4 -o vlan4 -j ACCEPT
    ip6tables -I FORWARD 1 -i vlan3 -o v6in4 -j ACCEPT
    ip6tables -I FORWARD 1 -i vlan4 -o v6in4 -j ACCEPT
    ip addr add 2001:470:XXXX:XXXX::1/64 dev vlan3
    ip addr add 2001:470:XXXX:XXXX::1/64 dev vlan4


    And also, in /jffs/configs/radvd.conf.add:

    interface vlan3
    {
    IgnoreIfMissing on;
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    AdvManagedFlag off;
    AdvOtherConfigFlag on;
    AdvLinkMTU 1480;
    prefix 2001:470:XXXX:XXXX::/64
    {
    AdvOnLink on;
    AdvAutonomous on;
    };
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
    };

    interface vlan4
    {
    IgnoreIfMissing on;
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    AdvManagedFlag off;
    AdvOtherConfigFlag on;
    AdvLinkMTU 1480;
    prefix 2001:470:XXXX:XXXX::/64
    {
    AdvOnLink on;
    AdvAutonomous on;
    };
    RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 {};
    };
     
  5. JVWilliams

    Very interested in VLAN capability, as well. I don't have an AC66U yet, but if VLANs can be accommodated (both port-based and trunking), either in stock firmware or an upgrade such as Merlin's version or DD-WRT, I'll be a happy camper.

    In my case, I'll need to bridge together tagged VLANs 1 & 2 coming in through one LAN port for common internet access.
     
    Last edited: Dec 6, 2012
  6. benklop

    These instructions helped me a lot

    Thanks for posting your discoveries here. With this information I was able to make my router do nearly everything I needed - I've got 4 VLANs being routed through the switch in this router, and everything switch-wise is working perfectly.

    I've posted details about my setup based on yours here: http://forums.smallnetbuilder.com/showthread.php?t=12281

    I'm having a few problems with bridging wireless interfaces to VLANs, however.
     
  7. compipark

    Thanks for your post

    I tried to get a separate guest network with robocfg. Didn't work for me. Perhaps I did something wrong, but using your et commands made my ac66u run like I wanted it to. I connected my pfSense to VLAN3 and VLAN1 to a switch with the rest of my home network. By doing so I could control the access to my home network by dropping unwanted frames with ebtables:
    ebtables -D FORWARD 1
    ebtables -D FORWARD 1
    ebtables -I FORWARD -o wl0.1 -i eth2 -j DROP
    ebtables -I FORWARD -o wl0.1 -i eth1 -j DROP
    ebtables -I FORWARD -o eth1 -i wl0.1 -j DROP
    ebtables -I FORWARD -o eth2 -i wl0.1 -j DROP
    ebtables -I FORWARD -o vlan1 -i wl0.1 -j DROP
    ebtables -I FORWARD -o wl0.1 -i vlan1 -j DROP
    I am using the GUI to set up one guest WLAN. I put this code into the services-start script.

    My configuration: ac66u in wireless router mode but using as AP, pfsense connected to lan3, switch connected to lan 1, firmware 3.0.0.4.374.35_2, changed resolv.conf for nameserver pfsense and added a default route to the pfsense
    CP
     
    Last edited: Dec 2, 2013
