Connecting 2 VLANS for 2 Guest Wifi

[WifiGhost]

So a day ago literally i just installed asuswrt-merlin and love it! I would like to use 2 VLANS setup on my pfsense firewall for each of the guest wifi's now that I have that option. I figured out the guest wifi interfaces from brctl show which are wl0.1 and wl0.2, super simple. Before the switch the ASUS AC87U was in AP mode with just the WAN port connected to the firewall so I have eth0 in use and a normal 2.4 and 5Ghz wifi for me and 2 guest 2.4G wifi networks. I chose to use the below script after spending time figuring out how to get the VLANs to work on the new firmware and the only part I have not figured out yet is " ports "4t 5t" " and the "nvram set lan_ifnames=" part which I think I have wrong below. When I added the 2nd guest wifi I could see the interfaces change and see the new interface name, but I compared the robocfg show output and no change. Here is my robocfg show and brctl show output:

bridge name     bridge id               STP enabled     interfaces
br0             8000.38d547                  yes                   vlan1
                                                               eth1
                                                               wl0.1
                                                               wl0.2

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 5 8t
   2: vlan2: 8t
1045: vlan1045: 1t 2t 3t 5
1046: vlan1046: 4t 7
1047: vlan1047: 2t 4 8u
1099: vlan1099: 1 3t 5 7t
1100: vlan1100: 1t 2t 8u
1101: vlan1101: 0 1t 8t
1102: vlan1102: 7
1103: vlan1103: 0t 4t

Ports I get, 0-4 is WAN,LAN1-4, port 5,7,8 I am guessing wifi but found nothing in the merlin wiki, I thought when adding the 2nd guest wifi I would see a change to help ID the guest wifi's but no change. Here is the script I would like to use from another member on this site, its exactly what I would like to do so if ya'll could help me understand the ports part and help me chose whether to just run the commands or add the script to wan-start or services start I think I am all set to give it a go, here is the script:

Script: https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187

 

[skeal]

So a day ago literally i just installed asuswrt-merlin and love it! I would like to use 2 VLANS setup on my pfsense firewall for each of the guest wifi's now that I have that option. I figured out the guest wifi interfaces from brctl show which are w10.1 and w10.2, super simple. Before the switch the ASUS AC87U was in AP mode with just the WAN port connected to the firewall so I have eth0 in use and a normal 2.4 and 5Ghz wifi for me and 2 guest 2.4G wifi networks. I chose to use the below script after spending time figuring out how to get the VLANs to work on the new firmware and the only part I have not figured out yet is " ports "4t 5t" " and the "nvram set lan_ifnames=" part which I think I have wrong below. When I added the 2nd guest wifi I could see the interfaces change and see the new interface name, but I compared the robocfg show output and no change. Here is my robocfg show and brctl show output:

bridge name bridge id STP enabled interfaces
br0 8000.38d547 yes vlan1
eth1
wl0.1
wl0.2

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: MAC HERE
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 5 8t
2: vlan2: 8t
1045: vlan1045: 1t 2t 3t 5
1046: vlan1046: 4t 7
1047: vlan1047: 2t 4 8u
1099: vlan1099: 1 3t 5 7t
1100: vlan1100: 1t 2t 8u
1101: vlan1101: 0 1t 8t
1102: vlan1102: 7
1103: vlan1103: 0t 4t

Ports I get, 0-4 is WAN,LAN1-4, port 5,7,8 I am guessing wifi but found nothing in the merlin wiki, I thought when adding the 2nd guest wifi I would see a change to help ID the guest wifi's but no change. Here is the script I would like to use from another member on this site, its exactly what I would like to do so if ya'll could help me understand the ports part and help me chose whether to just run the commands or add the script to wan-start or services start I think I am all set to give it a go, here is the script:

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

#not sure about this section
robocfg vlan 9 ports "4t 5t"

#i think here to the next comment is correct
vconfig add eth0 5
vconfig add eth0 6

ifconfig vlan5 up
ifconfig vlan6 up

brctl addbr br1
brctl addbr br2
brctl delif br0 w10.1
brctl addif br1 w10.1
brctl delif br0 w10.1
brctl addif br2 w10.2
brctl addif br1 vlan5
brctl addif br2 vlan6

ifconfig br1 up
ifconfig br2 up

#not sure this part is right
nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

#this to the end I understand
nvram set lan1_ifnames="vlan5 w10.1"
nvram set lan1_ifname="br1"

nvram set lan1_ifnames="vlan6 w10.2"
nvram set lan1_ifname="br2"

nvram commit
killall eapd
eapd

Thanks for any help! Highly appreciated!

TL;DR have you looked at YazFi yet. I think you may be trying to reinvent the wheel my friend.
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

 

[WifiGhost]

I spent time looking and landed on this

https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187

As I said I just installed merlin a day ago and learning the system

EDIT: it is limited to 2.4Ghz guest nets so what if I want a 5Ghz? Also says nothing about using VLANs

EDIT2: cant use it as I mentioned the ASUS is AP only, this does nothing close to what I would like

 

[skeal]

I spent time looking and landed on this

https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187

As I said I just installed merlin a day ago and learning the system

EDIT: it is limited to 2.4Ghz guest nets so what if I want a 5Ghz? Also says nothing about using VLANs

Check out YazFi here.

 

[WifiGhost]

If the ASUS was a router then yes it would work but ASUS is AP only

per the github it says:

wl01_DHCPSTART
Start of DHCP pool (2-253)

wl01_DHCPEND
End of DHCP pool (3-254)

The ASUS is not a router so cant do this

 

[ColinTaylor]

You have typo's in your initial post. The 2.4GHz guest interfaces are wl0.1, wl0.2, etc. not w10.1, w10.2, etc. That's "W"-"L" not "W"-"one".

 

[WifiGhost]

So i now know "Port 1 on the 87U is 'special' and is indeed tied to the 5GHz Quatenna radio"

0,2,3,4 are the switch ether ports so if I can just get some confirmation which port to use for the guest wifi networks I will be set. I know the interface names, just need to determine the port for the 2.4 guest wifi networks which I think after some research is 4t, maybe? I thought 5, but I have no 5t in robocfg so my other guess is just 5.

 

[WifiGhost]

You have typo's in your initial post. The 2.4GHz guest interfaces are wl0.1, wl0.2, etc. not w10.1, w10.2, etc. That's "W"-"L" not "W"-"one".

you can thank copy and paste into xenforo for that, it is showing fine in my editor, just need to determine which port is being using by the 2.4Ghz guest nets, once I know that I can add more later if needed, not going to use 5Ghz anytime soon.

 

[ColinTaylor]

0,2,3,4 are the switch ether ports so if I can just get some confirmation which port to use for the guest wifi networks I will be set.

You don't need to (and can't) do that. As you said, the robocfg "ports" are the Ethernet sockets connected to the switch. The 2.4GHz radio is a separate chip presented as another interface. They're two different things.

 

[WifiGhost]

You don't need to (and can't) do that. As you said, the robocfg "ports" are the Ethernet sockets connected to the switch. The 2.4GHz radio is a separate chip presented as another interface. They're two different things.

I changed the script per your comment to reflect only the wifi I am working with.

 

[WifiGhost]

What is the highest VLAN number I can create? I know to avoid 1-3 per other posts.

 

[grifo]

Hi, here's how the physical ports match up on the AC87U:

Port 0: WAN
Port 1: LAN 4
Port 2: LAN 3
Port 3: LAN 2
Port 4: it's an internal port
Port 5: LAN 1, connected to the Quantenna 5 Ghz chipset, do not use with VLANs

The 5 Ghz interfaces are called wl1.1 and wl1.2 and they work just like the 2.4 Ghz ones.

If you're using the WAN port on your AC87U in AP mode you should remove the robocfg command you have and use:

robocfg vlan 5 ports "0t"
robocfg vlan 6 ports "0t"

Also on the nvram set lanx command for vlan 6 change lan1 with lan2

See how you get on with the above then let us know.

P.S. for VLAN numbers is considered safer to use higher numbers, I use 201 and 202 and never had any problem.

 

[WifiGhost]

Hi, here's how the physical ports match up on the AC87U:

Port 0: WAN
Port 1: LAN 4
Port 2: LAN 3
Port 3: LAN 2
Port 4: it's an internal port
Port 5: LAN 1, connected to the Quantenna 5 Ghz chipset, do not use with VLANs

The 5 Ghz interfaces are called wl1.1 and wl1.2 and they work just like the 2.4 Ghz ones.

If you're using the WAN port on your AC87U in AP mode you should remove the robocfg command you have and use:

robocfg vlan 5 ports "0t"
robocfg vlan 6 ports "0t"

Also on the nvram set lanx command for vlan 6 change lan1 with lan2

See how you get on with the above then let us know.

P.S. for VLAN numbers is considered safer to use higher numbers, I use 201 and 202 and never had any problem.

Thank you so much, you have been super helpful, i will update with the commands given.

I think you are seeing an older update, i removed robocfg completely after the last post from the person that just said no it wont work.

I actually changed the high VLAN numbers I had preset to lower ones as I saw posts with higher numbers and that causing the VLAN to not work properly. I would rather use high numbers.

I am guessing from previous posters it wont persist over a reboot so i think wan-start would be the best place for this script.

 

[grifo]

Yep, you edited the OP while I was writing mine. It should work with the robocfg commands. I have it running on a AC87U also (though it's in router mode).

 

[WifiGhost]

Yep, you edited the OP while I was writing mine. It should work with the robocfg commands. I have it running on a AC87U also (though it's in router mode).

Opps!

I will add the ones you posted, thanks again!

 

[WifiGhost]

Yep, you edited the OP while I was writing mine. It should work with the robocfg commands. I have it running on a AC87U also (though it's in router mode).

Whats the deal with the "t" and "u" next to the port numbers when running robocfg show?

 

[grifo]

"t" stands for tagged and "u" untagged. If you are using multiple vlans on a single port one will be untagged (in this case vlan 1) and the others must be tagged with their vlan ID so the traffic can be differentiated between vlans. Your box at the other end of the wire has to do the same so configure it to match.

 

[WifiGhost]

"t" stands for tagged and "u" untagged. If you are using multiple vlans on a single port one will be untagged (in this case vlan 1) and the others must be tagged with their vlan ID so the traffic can be differentiated between vlans. Your box at the other end of the wire has to do the same so configure it to match.

Simple enough. Can you confirm if you have this issue for me? I went through all the pages and all work perfectly, but when I went to wireless>professional it was mostly white like the CSS partly failed, i could see and modify the professional settings, but the section around it and the sidebar were messed up, the top was OK but I had to modify the URL to get back to the main page. It seems to only be that page. I am on the latest stable build as of 11/12.

 

[grifo]

The wireless page will break when the router loses communication with the Quantenna chipset and it can be caused by wrong robocfg commands. The communication between the main chipset and the Quantenna goes over the internal ports and it can be lost if you change their vlan membership. It also happens if you remove vlan 1 from any of the ports. I still have this line on my script:

#robocfg vlan 1 ports "2 3 5 8t" !!!This breaks the wifi

I wanted vlan 1 not to be present on LAN 4 but that broke the wireless page and the 5 Ghz wifi, which you wouldn't expect as 'robocfg show' doesn't list any of the internal ports other than port 8 (CPU) as a member of vlan 1, anyways I bought a small managed switch to get around that. This is all specific to the AC87U and its architecture with the separate chipset for the 5 Ghz wifi, on other models you can remove vlan 1 from any of the external ports.

You may have had this problem earlier when you were configuring a vlan on ports 4 and 5 but you shouldn't now with the vlan additions to port 0 only and a reboot. Double check your live script then if it's still happening it could be something else, try if it works with a different browser else try a factory reset. BTW on your updated script on the OP you still have the wifi interfaces mistyped as w10.1 and w10.2 instead of wl0.1 and wl0.2 as pointed out by Colin earlier, it's worth fixing that to avoid them ending up on your live script.

So are your guest wifi's connecting through the correct vlans now? If so do some extended testing over them as they may get performance issues in AP mode, if so check out post #43 of the thread you linked to on your OP.

After that is all working well there's something else you need to do to address what happens when the wireless gets reset, which can be triggered by any change to the wifi page (for example if you change the channel number for a radio) and will cause the guest wifi interfaces to be reassigned back to the default bridge br0.

You need 2 scripts, one that looks out for wireless restarts and after one has happened it triggers the other script which resets the interfaces to the correct bridges. Below are mines, adapt as required.

grifo@r1:/jffs/scripts# cat service-event-end
#!/bin/sh
restart=$1
wireless=$2
#call script to reset bridges
sh /jffs/scripts/bridge-reset &
grifo@r1:/jffs/scripts#

grifo@r1:/jffs/scripts# cat bridge-reset
#!/bin/sh
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl1.1
brctl delif br0 wl0.2
brctl addif br2 wl0.2
brctl delif br0 wl1.2
brctl addif br2 wl1.2
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan201 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan202 wl0.2 wl1.2"
nvram set lan2_ifname="br2"

nvram commit

killall eapd
eapd
grifo@r1:/jffs/scripts#

 

[WifiGhost]

OK so I have not done anything just yet, so I should run the first script i put together to get everything set and then put it in jffs called bridge-reset instead of wan-start and then take the small script above and call it service-event-end so once I run the script to set everything to keep it all in place and working? the bridge-reset looks like the version I had before adding back robocfg so should I leave it out or just use it once and then remove it when adding the script as bridge-reset to jffs?

I am guessing run the script in my OP once and then use your version for bridge-reset and then add the other script as service-event-end to keep everything in place after a reset.