Accesspoints with multiple ssids and vlans (and maybe mesh)

JensM

Occasional Visitor
I've moved to a new apartment. Unfortunately I have to change some bits of my network setup and I want to improve the network (in regard to isolation / vlans and VPN) at the same time. For that I'm still looking for a wifi solution that fits my needs. I read a lot in forums and blogs about routing in general but advanced wifi stuff is beyond my knowledge.

At the moment I own an Asus ac66u which runs Merlin (John's fork), with several SSIDs and VLANs as well as one OpenVPN Server. Unfortunately I also have to use a modem/router combo from my ISP so I'm double NAT but since I don't use a lot of port forwardings this is not an issue for me.

Overview about the current setup

Code:
Internet (200 mbit currently, planned to upgrade to gigabit) -> Kabelmodem/router -NAT-> Asus RT-AC66U -NAT-> internal network

internal network:

VLAN 1: 192.168.1.X private network with internet access
VLAN 15: 192.168.211.X network for stuff from my workplace

WAN port: connected to ISP router
LAN ports: 1+2 = VLAN1, 3+4 = VLAN15
SSIDs:
- private -> VLAN1
- work -> VLAN 15
- guest -> isolated (asus standard guest functionality) but still in VLAN1, could be improved by creating another vlan

OpenVPN Server for my mobile devices (smartphone and tablet with always-on VPN) that connect from inside the network as well as from the internet to the openvpn server to gain internet access. They don't need internal network resources, just internet. The VPN is so that I can use other wifis on the go (even unencrypted) without exposing any traffic.

Improvement Plan and actual apartment wifi coverage issue

Infrastructure / Router improvement
I want to increase the number of VLANs (iot, smart tvs etc) with more SSIDs and also do some experiments with wireguard instead of openvpn. To improve my networking ambitions I want to go with pfsense or opnsense and ordered a board with 4 NICs for it. Let's say opnsense for the next lines to improve readability.
My opnsense box will not have wifi so I also need new access points (or maybe reuse the Asus for that).

The coverage issue in my new apartment
My Asus Router or most likely any modern AP will be able to cover the whole apartment when it is placed centrally. But the ISP connection is at the end of the apartment and the signal is then too low in many parts of the apartment. I also can't use cables and want to avoid using powerline. I also don't need a lot of wifi performance and have never experienced problems with low bandwidth on wifi. I also used a repeater in the past without having problems regarding performance so I really don't need multiple wired APs with high throughput or something like that. Wifi should be available everywhere but not super high speed and not hundreds of devices.

Trying to find a solution
If I only had one wifi SSID and LAN for everything I would use the existing / deprecated Asus router as AP in the room with ISP-connection and just buy a cheap repeater, connect it via wifi to my Asus and the repeater will cover the main area from the apartment center.

I don't know what those repeaters are able to do. Are there repeaters or APs that can connect to one wifi and open multiple SSIDs with VLANs and somehow VLAN-TAG the traffic it sends to my Asus Router/AP in the other room?
Since I don't need NAT acceleration anymore on the Asus it would be possible to switch to openwrt or tomato instead of Merlin.

Idea of a Solution - Variant 1
It would look like:
ISP Router -> opnsense box -> AP1 (broadcasting 1 SSID) -> AP2 (broadcasting all the needed networks)
AP1 or 2 would maybe be the Asus and the other a new one.
Do you have any idea of an alternative where I can get use of my existing Asus device or some other cheap solution that will fit my requirements for the moment?

Idea of a Solution - Variant 2
Alternatively I would also be ready to invest some money in new APs but if I do, it should be somehow ready for the future. So I would prefer having Mesh functionality so when I move in a bigger apartment or house, I could extend it. But from what I read, those Mesh APs require at least one AP to be connected with a wire. So I think I need at least two, one near my router and one central in my apartment.
Like this:
ISP Router -> opnsense box --wire-> Mesh AP1 --wireless-> Mesh AP2.

But I'm totally lost in research about all those vendors of APs and their marketing. I don't understand if those Mesh Wifis automatically host multiple SSIDs and tag VLANs or if I need special devices and configurations for that. Do you have any recommendations for semiprofessional APs that allow my use cases without having to buy very expensive enterprise devices? I also don't need captive portals and too fancy multidevice central managing or firmware update solutions.
 
I know that this is a somewhat old post, and doesn't actually answer the question you were asking, but I was wondering if you could possibly tell me how you got your Asus AC66U to segregate SSIDs by vlan (in addition to LAN ports by vlan)? I've been trying to figure this out but have had zero luck so far. Any help would be much appreciated. Thanks!
 
I wish I could write an easy explanation for that. Unfortunately it is highly individual per router and use case what to do, there are even differences in firmware versions (e.g. iptables rules) but at least you have the same router model so it is comparable.

You need:
  • a "services-start" script that creates bridge, vlan and configures the ports (mainly robocfg, ifnames, eapd restart for wpa2)
  • a "firewall-start" script to duplicate br0 rules to br1 rules as well as cutting connection between the vlans
  • a "dnsmasq.conf.add" script to create a second dhcp that assigns another ip range
It doesn't make sense to just post my files here since they only fit my use case and I would have to explain a lot of stuff that's not worth it if nobody wants to read it.

Are you familiar with ssh and creating those scripts and still interested in this? I think I could help you with this, maybe it would also be interesting for others that find this post in the future.
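
A dry-run sketch of the "firewall-start" and "dnsmasq.conf.add" parts listed in the post above, as an added example that is not JensM's own files. The VLAN 15 subnet comes from the first post; the bridge names, eth0 as the WAN interface, the router address .1 and the `work` tag are assumptions, and the model-specific "services-start" part (robocfg, bridge creation, eapd restart) is not shown.

```shell
#!/bin/sh
# Added example, not the poster's files. Assumed: br0 = private LAN, br1 = new
# bridge for VLAN 15 with a /24 and the router at 192.168.211.1, eth0 = WAN.
OLD_BR="${OLD_BR:-br0}"; NEW_BR="${NEW_BR:-br1}"; WAN_IF="${WAN_IF:-eth0}"
NEW_GW="${NEW_GW:-192.168.211.1}"
NEW_NET="${NEW_GW%.*}"      # 192.168.211
RUN="${RUN-echo}"           # dry run by default; start with RUN= to apply

# firewall-start part. -I puts each rule on top, so the rules added last
# match first: DHCP/DNS to the router are accepted before the INPUT drop.
# Return traffic from the WAN relies on the firmware's existing state rule.
isolation_rules() {
    $RUN iptables -I FORWARD -i "$NEW_BR" -o "$WAN_IF" -j ACCEPT
    $RUN iptables -I FORWARD -i "$NEW_BR" -o "$OLD_BR" -j DROP
    $RUN iptables -I FORWARD -i "$OLD_BR" -o "$NEW_BR" -j DROP
    $RUN iptables -I INPUT -i "$NEW_BR" -j DROP
    $RUN iptables -I INPUT -i "$NEW_BR" -p udp --dport 67 -j ACCEPT
    $RUN iptables -I INPUT -i "$NEW_BR" -p udp --dport 53 -j ACCEPT
    $RUN iptables -I INPUT -i "$NEW_BR" -p tcp --dport 53 -j ACCEPT
}

# dnsmasq.conf.add part: a second DHCP scope, served on the new bridge.
dnsmasq_lines() {
    cat <<EOF
interface=$NEW_BR
dhcp-range=set:work,$NEW_NET.2,$NEW_NET.254,255.255.255.0,86400s
dhcp-option=tag:work,option:router,$NEW_GW
dhcp-option=tag:work,option:dns-server,$NEW_GW
EOF
}

# Check: read iptables-save text on stdin and succeed only if both
# directions between the bridges have a DROP rule. This tests presence,
# not position; an ACCEPT placed above them would still win.
check_isolated() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $NEW_BR -o $OLD_BR -j DROP" &&
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $OLD_BR -o $NEW_BR -j DROP"
}

isolation_rules     # prints the commands in dry-run mode
dnsmasq_lines       # prints the lines to append to dnsmasq.conf.add
```

On the router, `iptables-save | check_isolated` confirms after a reboot or firmware update that the drop rules are still loaded.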
 
