AC86U VLAN Tagging with MerlinWRT

[maxbraketorque]

Am I correct finding out interfaces assignment?
eth1 - ???
ath0 - lan
ath1 - lan
ath2 - lan
ath001 - 2.4 WiFi
ath101 - 5 WiFi
eth0 - wan


I have:
View attachment 49768

Dude, you do have the CT8 set up as an AiMesh node. There is an "AP" mode in the "Administration" tab of the router GUI.

 

[drinkingbird]

Am I correct finding out interfaces assignment?
eth1 - ???
ath0 - lan
ath1 - lan
ath2 - lan
ath001 - 2.4 WiFi
ath101 - 5 WiFi
eth0 - wan


I have:

Find the interfaces by watching ifconfig while you plug/unplug stuff and enable/disable wireless radios.

 

[drinkingbird]

Finally got it working on the AC86U so figured I would share incase anyone else is interested.
In my setup my main network is VLAN 1 Untagged and then VLAN 200 Tagged on the port with the AC86U in AP mode

Adopted from https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

This will take Guest Network 1 for 2.4 and 5ghz and push it into its own VLAN

#!/bin/sh
# multi SSID with VLAN script, for ASUS AC86U with merlin
#
# setup before hand:
#       set "router" to "AP Mode"
#               this will put all ports and wireless in br0
#       create 2 guest network
#       enable Administration => System => Enable JFFS custom scripts and configs
#       put this script in /jffs/scripts/, name should be "services-start"
#               remember `chmod a+x services-start`
#       I strongly suggest you use static IP instead of DHCP
#               In my test, the "router" will pickup DHCP lease from VLAN 1 instead of VLAN 227
#       reboot
# some basic info of the original AP mode:
#       eth0 => WAN port
#       eth1~4 => LAN port 4~1, they're reversed
#       eth5 => WiFi 2.4G
#       eth6 => WiFi 5G
#       wl0.1, wl0.2 => WiFi 2.4G guest networks
# this setup:
#       WAN port (eth0) will be repurposed as a tagged port
#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on Untagged VLAN (In my case VLAN 1 is untagged on this port)
#       guest network 1 will be on VLAN 200


#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
# take down both radios to force all clients to deauth
wl -i eth5 down
wl -i eth6 down

# sleep to allow deauth to finish
sleep 1
# echo $PATH > /tmp/script_debug
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl1.1

ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.200 up

# set up br1, guest LAN, more wl0.1 and wl1.1 to br1 for Guest Networks
brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up


# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

nvram set lan1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set lan1_ifname="br1"


# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

nvram set br1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set br1_ifname="br1"

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log



# sleep for 5 seconds just incase a script is still running before we bring up the radios
sleep 5

# bring back up the radios
wl -i eth5 up
wl -i eth6 up

Edit:

Added rules to take down the wifi radios to force all clients to DeAuth and Disassociate and then at the end bring the radios back up and all clients should Auth






Just sharing incase anyone else is interested. I am running a PFSense router and a 24 port managed switch.

Out of curiosity if you remove one of the wired ports (like eth4/port 1) from br0 and put it in your br1 or br2 does it get a guest IP and get guest restrictions? At first I thought you might need to use vlanctl to add and strip tags but I don't think that's the case actually. Probably have to update the nvram variables too. I don't have an HND router to try it on.