Asus RT-AC86U vlans plus Unifi UAP-AC-Pro networks

Bufflehead

Occasional Visitor
Good morning,

My home network uses an ASUS RT-AC86U router, and several Unifi UAP-AC-PRO devices to provide wifi coverage. My Asus router is running Asuswrt-Merlin v386.7.

My goal is to create multiple wifi networks on the Unifi devices, mapping to separate tagged VLANs created by my router. This is to separate my IoT devices from my main network, and possibly to move my network storage device onto its own network as well, to help safeguard my backups.

So my first question is, before I invest a lot of time, is this even possible with the RT-AC86U? I have found several postings dealing with this, but nothing that I have been able to get working. If I read things correctly, a (theoretical) solution would require that I do some bridge creation with BRCTL, and some vlan setup with VLANCTL.

Am I on the right track here? And would the changes ultimately require any NVRAM modifications, or could everything be done with JFFS scripts?

Thanks
Mark
 

drinkingbird

Very Senior Member
It is possible with the 8x series but VERY difficult. There are some threads where people seem to have gotten it working.

The other models use robocfg and brctl and those are very easy to write a script for. However yours uses totally different commands and architecture which is very convoluted and may or may not work in AP mode (but sounds like you're using router mode which should be ok).

You can have a look at this link and see if it is something you want to dive into - https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/

Hate to say it, but since you're in the Ubiquiti ecosystem anyway, edgerouters are pretty cheap and very flexible. You could potentially repurpose your Asus for something (AP for one of your SSIDs, hardwired back to the edgerouter) or just sell it to finance the edgerouter purchase.
 

Tech9

Part of the Furniture
> My home network uses an ASUS RT-AC86U router

Go full Ubiquiti for better results. This router has bad reliability history and software issues.

 

eibgrad

Part of the Furniture
As others have suggested, given ASUS does NOT natively support user-defined VLANs, VAPs, bridges, etc., doesn't make sense to me to FORCE it just to preserve the use of the ASUS firmware. This is why I do NOT use Merlin for my own primary router (RT-AC68U), but rather FT (FreshTomato), which offers all these capabilities in the GUI, making configuration trivial.

Unfortunately, FT doesn't support the RT-AC86U specifically. So at that point you might want to consider alternatives to ASUS for your routing, such as pfSense, esp. if you have high bandwidth offered by your ISP (e.g., Gigabit). These consumer-grade routers are typically NOT up to the challenge without the use of various hacks (e.g., CTF). So you might as well take the opportunity to look elsewhere for your routing needs at that point.
 

Bufflehead

Occasional Visitor
So this raises another question I have been curious about. When you say that the Asus RT-AC86U does not "natively" support VLANS, what precisely does that mean? I understand that it does not offer a GUI interface to create VLANS, but it _may_ offer VLAN functionality through command-line changes (assuming one can figure out how to do it this way--and the jury appears to be out on this router.) Is there anything _more_ than a GUI interface that a router must offer to be considered to offer "native" support for VLANS? Something in the hardware, for example?
 

drinkingbird

Very Senior Member
> As others have suggested, given ASUS does NOT natively support user-defined VLANs, VAPs, bridges, etc., doesn't make sense to me to FORCE it just to preserve the use of the ASUS firmware. This is why I do NOT use Merlin for my own primary router (RT-AC68U), but rather FT (FreshTomato), which offers all these capabilities in the GUI, making configuration trivial.
>
> Unfortunately, FT doesn't support the RT-AC86U specifically. So at that point you might want to consider alternatives to ASUS for your routing, such as pfSense, esp. if you have high bandwidth offered by your ISP (e.g., Gigabit). These consumer-grade routers are typically NOT up to the challenge without the use of various hacks (e.g., CTF). So you might as well take the opportunity to look elsewhere for your routing needs at that point.

Just to clarify, CTF and hardware routing are not hacks, it is what every enterprise router/switch/firewall/NIC etc uses to get the performance they have. Without hardware forwarding, the biggest most expensive Cisco router would be capable of megs, not gigs.

Your PC uses hardware forwarding, even onboard NICs have it, but good server quality ones have much better ASICs that are capable of even more. So whatever you put your pfSense on is going to be using hardware forwarding too.
 

drinkingbird

Very Senior Member
> So this raises another question I have been curious about. When you say that the Asus RT-AC86U does not "natively" support VLANS, what precisely does that mean? I understand that it does not offer a GUI interface to create VLANS, but it _may_ offer VLAN functionality through command-line changes (assuming one can figure out how to do it this way--and the jury appears to be out on this router.) Is there anything _more_ than a GUI interface that a router must offer to be considered to offer "native" support for VLANS? Something in the hardware, for example?

Yeah in this case he's referring to the GUI. The hardware does support it as some have gotten it working via the complex commands I linked to, and in reality these routers all use VLANs out of the box to segment LAN and WAN. Lack of hardware support would be different but unlikely to run into that on any router made in the last 10+ years, since they use a single switch and utilize VLANs to divide the LAN and WAN.

Just a matter of whether they give you an easy way to do it (a few consumer routers do, most don't) or if you have to go digging and figure it out yourself, with the risk you might miss something and leave a security hole open etc.

Several 3rd party firmwares have had VLAN support for years but the chipset your router uses is far more complex for configuring VLANs and that is why they don't support it. Given that the chipset is less common they probably don't want to put the time into adding it. Though there may be one out there, haven't looked.
 
