86U Merlin VLAN Config help


Wekiwa67

Occasional Visitor
Greetings all,

I'm new to the forum, but have been following and learning since Merlin released his first offering.

My home network is ATT 1 gig fiber with BGW-210-700..speed test average ~940mg up & down before Covid19.

Have 2 86U in Aimesh config with wired back haul. May add old 68U to aimesh for garage later. All Merlin 384.17

Installed Amtm with Skynet, Diversion, all seem to be working well. My challenges are my very inquisitive and network intelligent nieces.
They rebooted the gateway back to factory specs and connected a small Linksys router for surfing when I'm not home... That has been fixed, Gateway now in locked IT area.

My question is how can I create or define several VLANs, or IP ranges to isolate security cameras, home equipment, Firesticks, etc? I found a post from Jimmy-Z about a year ago, however not many responses to his script offering for the 86U with Merlin? I don't understand most of what I read from the script and did not see instructions. Apparently the new 86U hardware presents a few challenges, but I'm willing to cause many router reboots to resolve this puzzle....hopefully not brick my new routers. :)

I'm very eager to learn network tricks with or without scripts!

Does anyone know if Jimmy-Z completed the VLAN projects, as I am looking for guidance and also to give credit to Jimmy-Z.

https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

Jimmy-Z's code is 4 pages!

Options?

1. Config Vlans for each group
2. Create IP tables for each group
3. Purchase Firewall / switch

We moved into new home 90 days ago
Fiber ONT and main router RT-AC86U is located in IT room; Aimesh 86U is Cat6 wired back haul to master closet; could use old 68U for ?
* Cameras and security items are hardwired back to IT room *
* PIA VPN server to avoid a repeat of high school intruders via guest WiFi, no loss or damage, just irritation! I need to isolate my home business network from all, security must be isolated, you get the idea. A local IT person says I must spend $$$$$ but I think it can be done with some clever forethought.

Thanks in advance for your insight.

Wekiwa67
 

CaptainSTX

Part of the Furniture
Without knowing the exact layout of your network and what devices connect using Ethernet and which connect using WiFi it is difficult to say what might be easiest or most effective.

I do know if you purchase an eight port smart switch such as TP-Link SG108E ($29) you can easily set up multiple VLANs. If you need to carry the VLANs over multiple switches this switch will do 802.1Q VLANs. For WiFi if you plug an AP into a port on the switch all WiFi connected to that AP will be members of that VLAN. For even greater segregation you could use a double NAT configuration.

While some people seem to have had success creating VLANs using Merlin's firmware and custom scripts unless you like the challenge for challenges sake purchasing a smart switch might be easier.
 

Wekiwa67

Occasional Visitor
Without knowing the exact layout of your network and what devices connect using Ethernet and which connect using WiFi it is difficult to say what might be easiest or most effective.

I do know if you purchase an eight port smart switch such as TP-Link SG108E ($29) you can easily set up multiple VLANs. If you need to carry the VLANs over multiple switches this switch will do 802.1Q VLANs. For WiFi if you plug an AP into a port on the switch all WiFi connected to that AP will be members of that VLAN. For even greater segregation you could use a double NAT configuration.

While some people seem to have had success creating VLANs using Merlin's firmware and custom scripts unless you like the challenge for challenges sake purchasing a smart switch might be easier.
Thanks CaptainSTX!
All business items are ethernet. Our 2 IOS phones and 2 Ipads are connected to main WiFi; Guest 1 WiFi has FireSticks etc; Guest 2 is for neighbors and kids visiting.
Router is not part of IP pool; WiFi Guest 1 should not see other users or Guest 2.
Currently have office equipment on a Netgear ProSAFE GS105E, game room has a second GS105E. Both provided by ATT during install.

I'll check out the TP-Link option. :)

Wekiwa67
 

CaptainSTX

Part of the Furniture
Simple port based VLANs should work in your case unless you have some devices in the game room that need to be part of your business network then you would need a 802.1Q setup.

Guest networks set with disable intranet which will restrict WiFi devices to connecting to Internet only. You could go one step further and connect APs to their own VLANs. This would protect you if someone does a reset on the APs as the smart switch would still have them on their own VLAN and still no access to your business network devices as long as they can't reset smart switch also. If you have to leave the switch in the open a dab of epoxy makes that really difficult.
 

Wekiwa67

Occasional Visitor
Simple port based VLANs should work in your case unless you have some devices in the game room that need to be part of your business network then you would need a 802.1Q setup.

Guest networks set with disable intranet which will restrict WiFi devices to connecting to Internet only. You could go one step further and connect APs to their own VLANs. This would protect you if someone does a reset on the APs as the smart switch would still have them on their own VLAN and still no access to your business network devices as long as they can't reset smart switch also. If you have to leave the switch in the open a dab of epoxy makes that really difficult.
Per your advice I changed the Topology to:

* 86U Router to TP-SG108E to all office devices on VLAN01
* Business WiFi now exclusive on 86U Router no intranet access
* Security devices now on VLAN02 via TP-SG108E
* Fire sticks and TV's now on VLAN03 via TP-SG108E ( VLAN04 -05 future )
* 86U Router to GS105e to 86U AP for game room on VLAN06 ( WiFi via AP hopefully on VLAN07? )
* WiFi Guest1 now personal WiFi devices no intranet access
* WiFi Guest2 now for visitors no intranet access and daily time limits

Would like to isolate all WiFi with VLAN's, I realize my efforts may be limited with a real black hat, but this should hopefully deter the average bored high school wanna be.

Much to learn I have Sir Yoda!

Wekiwa67
 

Wekiwa67

Occasional Visitor
Per your advice I changed the Topology to:

* 86U Router to TP-SG108E to all office devices on VLAN01
* Business WiFi now exclusive on 86U Router no intranet access
* Security devices now on VLAN02 via TP-SG108E
* Fire sticks and TV's now on VLAN03 via TP-SG108E ( VLAN04 -05 future )
* 86U Router to GS105e to 86U AP for game room on VLAN06 ( WiFi via AP hopefully on VLAN07? )
* WiFi Guest1 now personal WiFi devices no intranet access
* WiFi Guest2 now for visitors no intranet access and daily time limits

Would like to isolate all WiFi with VLAN's, I realize my efforts may be limited with a real black hat, but this should hopefully deter the average bored high school wanna be.

Much to learn I have Sir Yoda!

Wekiwa67
Update:
Upgrades worked to keep teenagers out of business network and unauthorized wireless. However I missed the Loop Prevention setting......I need to move the switch as they found it.
Currently have 8 VLANs segmenting everything. If required, guess I'll create more....
Researching a "micro-appliance" with PFsense or OPNsense on Amazon. I need to out maneuver these kids. (*not mine*)

Wekiwa67
 

skeal

Part of the Furniture

Wekiwa67

Occasional Visitor
You can use YazFi, follow this link https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/ works really nice and it's controlled by your 86U!
Thanks @skeal ! I glazed past that part. I need to update YazFi and think about the layout. Should I allocate a small IP range or config a VLAN for guest? Not clear how to create a VLAN within YazFi? Did I miss something in the 60+ posts pages?

I'm a strong swimmer but admittedly treading water with all the options and scripts.

Appreciate the guidance from everyone.

Wekiwa67
 

skeal

Part of the Furniture
Thanks @skeal ! I glazed past that part. I need to update YazFi and think about the layout. Should I allocate a small IP range or config a VLAN for guest? Not clear how to create a VLAN within YazFi? Did I miss something in the 60+ posts pages?

I'm a strong swimmer but admittedly treading water with all the options and scripts.

Appreciate the guidance from everyone.

Wekiwa67
If you load YazFi and look at how it's set up, you will see the IP ranges given and control for accessing the LAN and all that through SSH. However since I used it last he has a GUI version now that looks really nice. If you need help ask in the YazFi thread and @Jack Yaz or someone else will give you a hand.
 

ColinTaylor

Part of the Furniture
Thanks @skeal ! I glazed past that part. I need to update YazFi and think about the layout. Should I allocate a small IP range or config a VLAN for guest? Not clear how to create a VLAN within YazFi? Did I miss something in the 60+ posts pages?
YazFi doesn't use VLANs, it just creates separate subnets and controls the routing between them.
 

Wekiwa67

Occasional Visitor
If you load YazFi and look at how it's set up, you will see the IP ranges given and control for accessing the LAN and all that through SSH. However since I used it last he has a GUI version now that looks really nice. If you need help ask in the YazFi thread and @Jack Yaz or someone else will give you a hand.
@skeal
YazFi is loaded again and I see the IP ranges.

Thanks!
 

Wekiwa67

Occasional Visitor

Jack Yaz

Part of the Furniture
YazFi doesn't use VLANs, it just creates separate subnets and controls the routing between them.
I'd love to do VLANs, but they're a PITA across the different models. All I have is an AC86U so I wouldn't be comfortable trying to develop something I have no way to test myself.
 

Wekiwa67

Occasional Visitor
I'd love to do VLANs, but they're a PITA across the different models. All I have is an AC86U so I wouldn't be comfortable trying to develop something I have no way to test myself.
Hello @Jack Yaz !
As an OEM Supply person, I understand PITA factor. However, the 86U is rapidly growing across many segments, and the VLAN issue keeps appearing in this and other forums. It seems a great opportunity to develop a tool based on the 86U hardware and forward. I don't know about the AX models?

My recent network changes have addressed the segmentation requirements for now using the TP-Link SG108E ( thanks @CaptainSTX ). I and many others would happily test and help debug a new " YazVLN " offering!!! :D
 

Jack Yaz

Part of the Furniture
Hello @Jack Yaz !
As an OEM Supply person, I understand PITA factor. However, the 86U is rapidly growing across many segments, and the VLAN issue keeps appearing in this and other forums. It seems a great opportunity to develop a tool based on the 86U hardware and forward. I don't know about the AX models?

My recent network changes have addressed the segmentation requirements for now using the TP-Link SG108E ( thanks @CaptainSTX ). I and many others would happily test and help debug a new " YazVLN " offering!!! :D
I am tempted, since I recently picked up a NETGEAR GS108Tv2 for L2 VLANs, it'd be nice to dabble with L3 VLANs on the 86U. I've seen a recent post that seems to have a working method. May look into that
 

L&LD

Part of the Furniture
Even the possibility of an @Jack Yaz turbo driven VLAN YazFi and/or an additional/separate script sounds like a dream! :)

Wake me up when I can test too! :D
 

clifton.stokes

Occasional Visitor
Would love to test that out also. I have one main router with two AP's. Would like to have 1 guest VLAN SSID (IP range) for both 2.4 and 5 ghz and one main VLAN. Instead of multiple with no isolation after it leaves the AP as it currently does.
 

Wekiwa67

Occasional Visitor
I am tempted, since I recently picked up a NETGEAR GS108Tv2 for L2 VLANs, it'd be nice to dabble with L3 VLANs on the 86U. I've seen a recent post that seems to have a working method. May look into that
@Jack Yaz - another piece of the puzzle confirmed? I don't understand any of @LeandroBR's technical points however he has it working?

https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/

I am amazed daily by the expertise of this forum's members!
 

LeandroBR

Occasional Visitor
@Jack Yaz - another piece of the puzzle confirmed? I don't understand any of @LeandroBR's technical points however he has it working?

https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/

I am amazed daily by the expertise of this forum's members!
Yes! The script I have posted in other thread is working here at home. I took several hours to make it work (specially for the part I mentioned in RED).

I made the following combinations to work with tagged vlan and 3 VLANs:

1- AC68U with Raspberry Pi running OpenWRT
2- AC86U with Raspberry Pi running OpenWRT
3- AC86U with AC68U

Now I’m using the 3rd one at home....The raspberry I enabled only for tests.

You can test, just make sure the other side is working. That’s the reason I used the raspberry pi, to make sure the Ac68u was working well and then focus only on Ac86U.
 
