AC68 intermittently VLAN tagging

SeeJayEmm

New Around Here
I have an RT-AC68U in AP mode running Merlin 386.11. I am trying to segregate my guest network on its own VLAN. The AC68 is connected via the WAN port to an OpnSense router. I've followed the guidance I've found here on configuring VLANs on the AC68 and believe I have configured it correctly. I am able to connect to the guest network and (eventually) obtain an IP provided by DHCP on the OpnSense router, but network access is spotty. When I run a test ping it will alternate between success and req. timed out. When running a tcpdump of the interface on the OpnSense side I can see that the pings that are dropped are sent by the AC68 with no VLAN tag. I've tried a few different ways of configuring this; none work. I could use some help. Thanks.

Example:
Code:
00:17:27.606937 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5178, seq 1, length 64
00:17:28.538334 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5179, seq 1, length 64
00:17:29.541385 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5180, seq 1, length 64
00:17:30.545394 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5181, seq 1, length 64
00:17:31.549941 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5182, seq 1, length 64
00:17:31.683812 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype 802.1Q (0x8100), length 64: vlan 910, p 0, ethertype ARP, Request who-has 10.9.10.1 tell 10.9.10.100, length 46
00:17:31.683834 0e:b0:9d:9f:ac:a1 > 18:48:ca:1e:b4:ad, ethertype 802.1Q (0x8100), length 46: vlan 910, p 0, ethertype ARP, Reply 10.9.10.1 is-at 0e:b0:9d:9f:ac:a1, length 28
00:17:32.570127 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5183, seq 1, length 64
00:17:32.594802 0e:b0:9d:9f:ac:a1 > 18:48:ca:1e:b4:ad, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 8.8.8.8 > 10.9.10.100: ICMP echo reply, id 5183, seq 1, length 64
00:17:32.690983 18:48:ca:1e:b4:ad > 01:00:5e:00:00:fb, ethertype 802.1Q (0x8100), length 156: vlan 910, p 0, ethertype IPv4, 10.9.10.100.5353 > 224.0.0.251.5353: 67 [3q] PTR (QM)? _%9E5E7C8F47989526C9BCD95D24084F6F0B27C5ED._sub._googlecast._tcp.local. PTR (QM)? _CFE7FEDA._sub._googlecast._tcp.local. PTR (QM)? _googlecast._tcp.local. (110)
00:17:33.596279 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5184, seq 1, length 64
00:17:33.619827 0e:b0:9d:9f:ac:a1 > 18:48:ca:1e:b4:ad, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 8.8.8.8 > 10.9.10.100: ICMP echo reply, id 5184, seq 1, length 64
00:17:34.555900 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5185, seq 1, length 64
00:17:34.580115 0e:b0:9d:9f:ac:a1 > 18:48:ca:1e:b4:ad, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 8.8.8.8 > 10.9.10.100: ICMP echo reply, id 5185, seq 1, length 64

My current config.

Code:
# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 0e:b0:9d:9f:ac:a1
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 78:24:af:7c:de:18
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t
  56: vlan56: 0t 4 5 7t
  57: vlan57: 0 1 2t
  58: vlan58: 0 1t 2t 5t
  59: vlan59: 0t 1 2t 3 5 7 8t
  60: vlan60: 0 1 2t 3t 4 5t 8u
  61: vlan61: 1t 2t 3 5 8t
  62: vlan62: 1t 2 4 5 7
 910: vlan910: 0t 5t

Code:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.7824af7cde18       no              vlan1
                                                        eth1
                                                        eth2
                                                        wl0.2
br1             8000.7824af7cde18       no              wl0.1
                                                        wl1.1
                                                        vlan910

Code:
br0_ifnames=vlan1 eth1 eth2
br1_ifnames=wl0.1 wl1.1 eth0.910
lan1_ifnames=vlan910 wl0.1 wl1.1
lan_ifnames=vlan1 eth1 eth2
br0_ifname=br0
br1_ifname=br1
lan1_ifname=br1
lan_ifname=br0

Code:
# ip l
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 32
    link/ether 7a:55:5e:bc:8e:a9 brd ff:ff:ff:ff:ff:ff
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 32
    link/ether 72:8d:d8:fc:0a:9e brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff
5: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff
7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 78:24:af:7c:de:1c brd ff:ff:ff:ff:ff:ff
8: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff
9: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff
10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff
11: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 78:24:af:7c:de:19 brd ff:ff:ff:ff:ff:ff
12: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 78:24:af:7c:de:1a brd ff:ff:ff:ff:ff:ff
13: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 78:24:af:7c:de:1d brd ff:ff:ff:ff:ff:ff
14: vlan910@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff
15: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT
    link/ether 78:24:af:7c:de:18 brd ff:ff:ff:ff:ff:ff

Commands to configure:
Code:
/usr/sbin/robocfg vlan 910 ports "0t 5t"
/sbin/vconfig add eth0 910
/sbin/ifconfig vlan910 up

# Remove Guest from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# Create br1 and add Guest
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan910
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan910 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

killall eapd
eapd

# Tried with and without isolation. It doesn't have an effect.
wl -i wl0.1 ap_isolate 1
wl -i wl1.1 ap_isolate 1
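As an added example that is not part of the thread, a small POSIX shell/awk script that correlates the ICMP echo-request ids in a `tcpdump -e` text capture with their replies and with whether each request carried an 802.1Q tag; it makes the "untagged requests get no reply" pattern visible at a glance. The sample lines are constructed from the capture quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: correlate ICMP echo requests in a
# tcpdump text capture with their replies and with whether each request
# left the AP with an 802.1Q tag. Sample lines are constructed from the
# capture quoted above; real input: tcpdump -e -nn -i <if> | icmp_tag_report

CAPTURE='00:17:27.606937 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5178, seq 1, length 64
00:17:28.538334 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype IPv4 (0x0800), length 98: 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5179, seq 1, length 64
00:17:32.570127 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5183, seq 1, length 64
00:17:32.594802 0e:b0:9d:9f:ac:a1 > 18:48:ca:1e:b4:ad, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 8.8.8.8 > 10.9.10.100: ICMP echo reply, id 5183, seq 1, length 64
00:17:33.596279 18:48:ca:1e:b4:ad > 0e:b0:9d:9f:ac:a1, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 10.9.10.100 > 8.8.8.8: ICMP echo request, id 5184, seq 1, length 64
00:17:33.619827 0e:b0:9d:9f:ac:a1 > 18:48:ca:1e:b4:ad, ethertype 802.1Q (0x8100), length 102: vlan 910, p 0, ethertype IPv4, 8.8.8.8 > 10.9.10.100: ICMP echo reply, id 5184, seq 1, length 64'

# Reads tcpdump -e lines on stdin; prints one line per echo request
# ("<id> <tag> replied|no-reply") followed by a summary line.
icmp_tag_report() {
    awk '
    function field_after(s, key,   v) {   # text after "key" up to the next comma
        v = s; sub(".*" key, "", v); sub(/,.*/, "", v); return v
    }
    /ICMP echo request/ {
        id = field_after($0, ", id ")
        tag = ($0 ~ /ethertype 802.1Q/) ? "vlan" field_after($0, "vlan ") : "untagged"
        if (!(id in tag_of)) order[++n] = id
        tag_of[id] = tag
    }
    /ICMP echo reply/ { replied[field_after($0, ", id ")] = 1 }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            status = (id in replied) ? "replied" : "no-reply"
            printf("%s %s %s\n", id, tag_of[id], status)
            if (!(id in replied)) {
                lost++
                if (tag_of[id] == "untagged") lost_untagged++
            }
        }
        printf("requests %d, unanswered %d, unanswered-and-untagged %d\n", n, lost + 0, lost_untagged + 0)
    }'
}

printf '%s\n' "$CAPTURE" | icmp_tag_report
```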
 
I decided to see if vlan1 was the problem and completely removed it:
Code:
brctl delif br0 vlan1
robocfg vlan 1 ports ""

So now my config looks like this:
Code:
# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 0e:b0:9d:9f:ac:a1
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 16:92:bf:ac:d4:54
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   2: vlan2: 5t
  56: vlan56: 0t 4 5 7t
  57: vlan57: 0 1t 2t 3 7
  58: vlan58: 0 1t 2t 5t
  59: vlan59: 0t 1 2t 3 5 7 8t
  60: vlan60: 0 1 2t 3t 4 5t 8u
  61: vlan61: 1t 2t 3 5 8t
  62: vlan62: 1t 2 5
 904: vlan904: 0t 5t
 906: vlan906: 0t 5t
 910: vlan910: 0t 5t
 
 # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.7824af7cde18       no              vlan904
                                                        eth1
                                                        eth2
br1             8000.7824af7cde18       no              wl0.1
                                                        wl1.1
                                                        vlan910
br2             8000.7824af7cde18       no              wl0.2
                                                        vlan906

Now the default wifi traffic passes over vlan 904 instead of vlan 1 without any discernible problems (which is good). But my guest traffic, instead of being a mix of tagged and untagged packets, is now a mix of tagged 910 and tagged 904 packets. It just shifted the problem. It appears that for reasons I can't figure out, it is intermittently sending my traffic out of br0 no matter what I do.

Here's the full script as it stands right now:
Code:
#!/bin/sh

### Create VLANs
# Create VLAN 904 (Primary)
robocfg vlan 904 ports "0t 5t"
vconfig add eth0 904
ifconfig vlan904 up

# Create VLAN 906 (IoT)
robocfg vlan 906 ports "0t 5t"
vconfig add eth0 906
ifconfig vlan906 up

# Create VLAN 910 (Guest)
robocfg vlan 910 ports "0t 5t"
vconfig add eth0 910
ifconfig vlan910 up

### Disable VLAN 1
# Remove vlan1 from br0
brctl delif br0 vlan1
# Disable vlan1 in robocfg
robocfg vlan 1 ports ""

### Configure VLAN 904
# Add vlan904 to br0
brctl addif br0 vlan904
# Configure nvram
nvram set lan_ifnames="vlan904 eth1 eth2"
nvram set lan_ifname="br0"
nvram set br0_ifnames="vlan904 eth1 eth2"

### Configure VLAN 910
# Remove Guest from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1
# Create br1 and add Guest
brctl addbr br1
brctl addif br1 vlan910
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ifconfig br1 up

# Configure nvram
nvram set lan1_ifnames="vlan910 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="vlan910 wl0.1 wl1.1"
nvram set br1_ifname="br1"

### Configure VLAN 906
# Remove IOT from br0
brctl delif br0 wl0.2
# Create br2 and add IoT
brctl addbr br2
brctl addif br2 vlan906
brctl addif br2 wl0.2
ifconfig br2 up

# Configure nvram
nvram set lan2_ifnames="vlan906 wl0.2"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="vlan906 wl0.2"
nvram set br2_ifname="br2"

# Set guest and IoT networks to isolate.
#wl -i wl0.1 ap_isolate 1
#wl -i wl1.1 ap_isolate 1
#wl -i wl0.2 ap_isolate 1

# Restart eapd
killall eapd
eapd

First issue I see is you have multiple ports that have more than one untagged VLAN. Only one VLAN should be untagged on a port. Others either need to be tagged or removed completely.

My suggestion would be to focus on getting one VLAN working, then add another, etc.

On the AC68 you only have 5 ports, 0 through 4 (0 being the WAN port). All VLANs should be tagged to CPU port 5 (except VLAN 2 but you're not using that anyway since in AP mode). Leave 6-8 alone.

Looks like you have a lot of extra VLANs probably from toying around with it. You should factory reset at this point and start from scratch, again starting with one VLAN at a time.

This is what your robocfg should end up looking like when you're done:
1: vlan1: 0 5t - add any ports on the asus you want in the main LAN VLAN here without "t" also.
2: vlan2: 5 or 5t (whatever is the default in AP mode, it is not actually used)
904: vlan904: 0t 5t (add any ports on the asus you want in this vlan without "t" here also, but make sure no other VLANs are untagged on those ports)
906: vlan906: 0t 5t (same comment)
910: vlan910: 0t 5t (same comment)

Here is an example with one LAN port in each vlan (access mode, untagged, so you can plug in, get an IP in that VLAN, and be treated with whatever OpnSense rules you have applied to that VLAN):
1: vlan1: 0 1 5t
2: vlan2: 5t (or 5, not sure what AP mode uses, just leave at default)
904: vlan904: 0t 2 5t
906: vlan906: 0t 3 5t
910: vlan910: 0t 4 5t

Obviously make sure your OpnSense port matches the same settings as port 0 on the Asus. 1 untagged, the others tagged. Even if you don't want to use vlan 1 as your main LAN VLAN it should be there as your native trunking VLAN. In reality, using it for your main LAN makes things easier and really no concerns in the home environment with doing this. If you want to alleviate the one possible concern with using VLAN 1, just make sure all your unused ports are set as untagged in some other VLAN so someone can't plug something in and access your main LAN without you making a change.

If you want to be super paranoid then you can use something like 99 or 999 as your native trunking VLAN and some other custom VLAN ID for your main LAN VLAN, eliminating VLAN 1, but again, really not necessary in the home setting and adds a lot of complication.
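As an added example that is not part of the thread, a POSIX shell/awk check that applies the two rules above (a port is untagged in at most one VLAN; every VLAN other than 2 is tagged to CPU port 5) to a `robocfg show` table. The sample tables are constructed from this thread, and treating the `u` suffix as an untagged member is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check a "robocfg show" VLAN table against
# the two rules in the reply above. Rule 1: a switch port is untagged in at most
# one VLAN. Rule 2: every VLAN except 2 is tagged ("5t") to CPU port 5.
# The "u" suffix is assumed to mean an untagged member, like no suffix.
# Real input: robocfg show | check_robocfg

# Constructed sample, mirroring the OP's fresh-reboot table (trimmed).
SAMPLE='VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t
  56: vlan56: 0t 4 5 7t
  57: vlan57: 0 1 2t 3
 910: vlan910: 0t 5t'

# The layout the reply recommends: one access port per VLAN, trunk on port 0.
CLEAN='   1: vlan1: 0 1 5t
   2: vlan2: 5t
 904: vlan904: 0t 2 5t
 906: vlan906: 0t 3 5t
 910: vlan910: 0t 4 5t'

# Reads robocfg output on stdin, prints one finding per line, and returns the
# number of findings (0 = table passes both rules).
check_robocfg() {
    awk '
    # VLAN rows look like "  56: vlan56: 0t 4 5 7t"; other lines are skipped.
    /^ *[0-9]+: vlan[0-9]+:/ {
        vid = $1; sub(/:$/, "", vid)
        cpu_tagged = 0; members = ""
        for (i = 3; i <= NF; i++) {
            p = $i; members = members " " p
            if (p ~ /t$/) {                 # tagged member
                sub(/t$/, "", p)
                if (p == "5") cpu_tagged = 1
            } else {                        # untagged member
                sub(/u$/, "", p)
                untagged[p] = untagged[p] " " vid
            }
        }
        if (!cpu_tagged && vid != "2") {
            printf("vlan %s: not tagged on CPU port 5 (members:%s)\n", vid, members)
            findings++
        }
    }
    END {
        for (p = 0; p <= 8; p++) {          # ports 0-8 as robocfg numbers them
            if (!(p in untagged)) continue
            n = split(untagged[p], ids, " ")
            if (n > 1) {
                printf("port %d: untagged in %d VLANs (%s)\n", p, n, substr(untagged[p], 2))
                findings++
            }
        }
        exit findings + 0
    }'
}

printf '%s\n' "$SAMPLE" | check_robocfg || echo "findings: $?"
printf '%s\n' "$CLEAN" | check_robocfg && echo "clean table passes"
```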
 
First issue I see is you have multiple ports that have more than one untagged VLAN. Only one VLAN should be untagged on a port. Others either need to be tagged or removed completely.

My suggestion would be to focus on getting one VLAN working, then add another, etc.
Most of my efforts focused around just vlan 910. My latest attempt has multiple vlans specifically because I tried to eliminate vlan1 from the picture. (904 being normal clients and 910 being guests).

On the AC68 you only have 5 ports, 0 through 4 (0 being the WAN port). All VLANs should be tagged to CPU port 5 (except VLAN 2 but you're not using that anyway since in AP mode). Leave 6-8 alone.
My latest attempt was tagging on ports 0 and 5, nothing else. The only port physically in use is the WAN port. If including a phy port with each br dfn would help I could try that. The AP is directly connected to the OpnSense box.

Looks like you have a lot of extra VLANs probably from toying around with it. You should factory reset at this point and start from scratch, again starting with one VLAN at a time.
If you're referring to VLANs 56-62, I didn't create those. They're there on a fresh wipe/reboot. I found a post on these forums where RMerlin stated it was an unavoidable artifact of how he interfaces with the broadcom chip and to ignore them, but I didn't bookmark it. If I find that post again I'll note it here. This is what robocfg looks like after a fresh reboot:
Code:
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t
  56: vlan56: 0t 4 5 7t
  57: vlan57: 0 1t 2t 3 7
  58: vlan58: 0 1t 2t 5t
  59: vlan59: 0t 1 2t 3 5 7 8t
  60: vlan60: 0 1 2t 3t 4 5t 8u
  61: vlan61: 1t 2t 3 5 8t
  62: vlan62: 1t 2 5

This is what your robocfg should end up looking like when you're done:
1: vlan1: 0 5t - add any ports on the asus you want in the main LAN VLAN here without "t" also.
2: vlan2: 5 or 5t (whatever is the default in AP mode, it is not actually used)
904: vlan904: 0t 5t (add any ports on the asus you want in this vlan without "t" here also, but make sure no other VLANs are untagged on those ports)
906: vlan906: 0t 5t (same comment)
910: vlan910: 0t 5t (same comment)

Here is an example with one LAN port in each vlan (access mode, untagged, so you can plug in, get an IP in that VLAN, and be treated with whatever OpnSense rules you have applied to that VLAN):
1: vlan1: 0 1 5t
2: vlan2: 5t (or 5, not sure what AP mode uses, just leave at default)
904: vlan904: 0t 2 5t
906: vlan906: 0t 3 5t
910: vlan910: 0t 4 5t

Obviously make sure your OpnSense port matches the same settings as port 0 on the Asus. 1 untagged, the others tagged. Even if you don't want to use vlan 1 as your main LAN VLAN it should be there as your native trunking VLAN. In reality, using it for your main LAN makes things easier and really no concerns in the home environment with doing this. If you want to alleviate the one possible concern with using VLAN 1, just make sure all your unused ports are set as untagged in some other VLAN so someone can't plug something in and access your main LAN without you making a change.

If you want to be super paranoid then you can use something like 99 or 999 as your native trunking VLAN and some other custom VLAN ID for your main LAN VLAN, eliminating VLAN 1, but again, really not necessary in the home setting and adds a lot of complication.
I wasn't being paranoid. I was just experimenting with potential solutions to it sending packets down the wrong br. I'm fine with wifi clients untagged with guests tagged.

I'm fairly certain the post by RMerlin said to ignore the phantom vlans, but I will try purging them to see if it makes any difference. If it breaks anything I can just reboot again.
 
If you're referring to VLANs 56-62, I didn't create those. They're there on a fresh wipe/reboot. I found a post on these forums where RMerlin stated it was an unavoidable artifact of how he interfaces with the broadcom chip and to ignore them.

I found it:

I tried removing them anyway. It didn't make a difference:
Code:
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t
 910: vlan910: 0t 5t

I then reflashed and factory reset (twice).
Code:
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t
  56: vlan56: 0t 4 5 7t
  57: vlan57: 0 1 2t 3
  58: vlan58: 0 2t 5
  59: vlan59: 0t 1 2t 3 5 7 8t
  60: vlan60: 0 1 2t 3t 4 5t 8u
  61: vlan61: 1t 2t 3 5 8t
  62: vlan62: 1t 2 4 5 7

Must be something to do with AP mode or a certain revision of that router; mine has never shown those and I haven't seen them on others either.

Regardless you need to set those to have no ports in them (at least not untagged). You can leave them configured just remove the ports from them.

Have you double checked your OpnSense side of the connection, ensure the same thing is set up (VLAN 1 untagged and VLAN 910 tagged)? Also may want to try using a LAN port for your uplink. There have been reports of certain models acting strangely with the WAN port in AP mode.

Something looks odd with the interfaces you have in your bridges too (at least in the first example):
eth1 is 2.4ghz main wireless
eth2 is 5ghz main wireless
wl0.1 and wl1.1 are guest wireless 1 (2.5/5ghz respectively)
wl0.2 and wl1.2 are GW2
wl0.3 and wl1.3 are GW3

In one of your examples you have the guest mixed in with your VLAN 1.

Your other option is to set it to router mode, disable DHCP, use a LAN port, and once you enable guest wireless 1 with lan access disabled, you'll have VLANs 501 and 502 pre-configured for you. You can move them around to other bridges if you want. But that is a bit of a messy solution.

It is a bit of a mystery how the nvram variables get used (if at all in AP mode) but generally following their format and adding yours into the existing ones is a good idea.

You may want to reset it into router mode and just see what gets configured for VLAN 501 and 502 and it may flag something you were doing differently. Also curious if those 6x VLANs get created.

Here is what mine shows in router mode, making use of the stock 1/501/502:
Code:
robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 64:87:88:20:f7:c1
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 9c:a2:f4:b8:ae:28
Port 2: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: on mac: d0:17:c2:e2:7b:00
Port 7: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4 5t
2: vlan2: 0 5
501: vlan501: 1t 5t
502: vlan502: 1t 5t
The only customization I did was trim down the ports that 501/502 are on but in reality that isn't necessary.
Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.d017c2e27b00       yes             vlan1
                                                          eth1
                                                          eth2
br1             8000.d017c2e27b01       yes             wl0.1
                                                          eth0.501
                                                          eth1.501
                                                          eth2.501
br2             8000.d017c2e27b05       yes             wl1.1
                                                          eth0.502
                                                          eth1.502
                                                          eth2.502

So you can see Asus is configuring sub-interfaces rather than SVIs; however, I've seen others do it with VLANx SVIs and have it work as well (and obviously it is working fine with the VLAN1 SVI on mine for br0). But if you want to create sub-interfaces like this, I think it may be done with ip link rather than vconfig.

You should also do an nvram commit after changing the variables.

Only other thing I can think is you may want to create the vlans before doing robocfg on them.

Things are starting to point to a switch in the path upstream or your Opnsense box though.
 
I appreciate you trying to help.

Have you double checked your OpnSense side of the connection, ensure the same thing is set up (VLAN 1 untagged and VLAN 910 tagged)? Also may want to try using a LAN port for your uplink. There have been reports of certain models acting strangely with the WAN port in AP mode.
Yes. Wireless clients are untagged and working fine. VLAN910 is guest.

Something looks odd with the interfaces you have in your bridges too (at least in the first example):
eth1 is 2.4ghz main wireless
eth2 is 5ghz main wireless
wl0.1 and wl1.1 are guest wireless 1 (2.5/5ghz respectively)
wl0.2 and wl1.2 are GW2
wl0.3 and wl1.3 are GW3

In one of your examples you have the guest mixed in with your VLAN 1.
This was early on when I had configured multiple guest networks in the UI but was only troubleshooting with the 1st one (wl0.1, wl1.1). I just didn't bother touching wl0.2. Since I've wiped the AP wl0.2 isn't in use anymore.

Your other option is to set it to router mode, disable DHCP, use a LAN port, and once you enable guest wireless 1 with lan access disabled, you'll have VLANs 501 and 502 pre-configured for you. You can move them around to other bridges if you want. But that is a bit of a messy solution.

It is a bit of a mystery how the nvram variables get used (if at all in AP mode) but generally following their format and adding yours into the existing ones is a good idea.

You may want to reset it into router mode and just see what gets configured for VLAN 501 and 502 and it may flag something you were doing differently. Also curious if those 6x VLANs get created.
I can test that later and report back.

So you can see Asus is configuring sub-interfaces rather than SVIs; however, I've seen others do it with VLANx SVIs and have it work as well (and obviously it is working fine with the VLAN1 SVI on mine for br0). But if you want to create sub-interfaces like this, I think it may be done with ip link rather than vconfig.
I started with this and had 0 luck getting any traffic to pass, but it was also the beginning of this journey. I had tried using vconfig based on other forum posts and got some traction so I just stayed on that path. I can certainly try sub-interfaces again now that I know more.

Only other thing I can think is you may want to create the vlans before doing robocfg on them.
I do.

Things are starting to point to a switch in the path upstream or your Opnsense box though.
There isn't one. AP is directly connected to an eth interface on the Opnsense box.

I'm going to try some of the things discussed here and I'll report back with my results.
 
I'm going to try some of the things discussed here and I'll report back with my results.

It's entirely possible that the chipset in yours (must be an older one based on Merlin's discussion about those phantom vlans which I've never seen) just has a very picky way of dealing with VLANs, or maybe they just don't work right at all with it. I would definitely try grabbing the default configs from VLAN 501 and 502 and reverse engineering. Of course if that switch does have issues with VLANs who knows, maybe those stock guest VLANs don't even work right.
 