Has anyone successfully create a VLAN?

[coldheat]

I've got an asus RT5300 router currently. About to install -Merlin on it but only after I can confirm someone here has actually got VLAN to work... before I go out and buy one of those pfsense boxes. I only see like 2-3 tutorials via google search with no confirmed actions. Damn, wish this was just a feature already.

 

[Tech Junky]

buy one of those pfsense boxes.

If you have a PC laying around you can just convert it to a router w/ the OS. For that matter you could just use Linux and make a few configuration changes to enable routing.

I wouldn't rely on consumer gear to do much more than the basics and even then some models have a struggle hitting 1gbps on a 1gbps port.

 

[coldheat]

I bought an ubiquiti mini managed switch but I can't use it because the stock Asus firmware does not support vlan's... at least the guys on reddit were telling me that. Is that accurate? I do not have hardware laying around, would rather buy the nice aio's they offer for $300'ish.

So back to the question, has anyone actually gotten VLANs to work without hiccups? I see some threads about tagging the 5ghz in scripts but not official how-to guide or step by steps

 

[heysoundude]

You read correctly on reddit, so no.

 

[amplatfus]

On RT5300 I do not know.
But on AX88U is working as a separate bridge. You can put in a new bridge LAN or Wi-Fi.

 

[coldheat]

Yea I'm about to buy a dream machine pro and get this over with! I have old routers but they are not 1gb ports.

 

[Tech9]

Go full Ubiquiti with all VLAN capable components from the firewall to the access points. Do it once right. UniFi and Omada systems in basic configuration come close to expensive home routers, but work better and offer more configuration and expansion options. You won't go wrong with either.

 

[slackjaw99]

I can't speak for your particular flavor of ASUS, but I've got tagged vlans including multi-tagged trunk ports running on my dual gt-ax6000s for sandboxing my IoT crap, and multiple ASUS routers do support vlans as they are used to extend the first guest wifi to AiMesh nodes. I have no idea why there are those who say ASUS stock firmware does not support vlans. The next generation of stock firmware will even have vlan configuration built into the GUI. For now below is how I do it via CLI.

#create a trunk port on eth1
/usr/sbin/ip link add link eth1 name eth1.102 type vlan id 102
/usr/sbin/ip link set eth1.102 up
/bin/brctl addbr br2
/bin/brctl addif br2 eth1.102
/usr/sbin/ip link add link eth1 name eth1.86 type vlan id 86
/usr/sbin/ip link set eth1.86 up
/bin/brctl addif br0 eth1.86

 

[Mrs_Esterhouse]

[Wireless Router] What is VLAN and how to setup in ASUS Wireless Router? | Official Support | ASUS USA

For those running a RT-AX86U Pro or GT-AX11000 Pro with stock firmware, does this VLAN tab appear for you? I'm running Merlin on my RT-AX86U Pro and don't have this menu. I should have looked before flashing. Does anyone know if @RMerlin is planning on adding VLANs for the RT-AX86U Pro or GT-AX11000 Pro firmware?

 

[Jeffrey Young]

Does anyone know if @RMerlin is planning on adding VLANs for the RT-AX86U Pro or GT-AX11000 Pro firmware?

If Asus includes it in any the GPL blobs that they send to Merlin, then it will get implemented.

It is nice to see that Asus is finally moving into the 21st century. I highly doubt you see it come to any of the AC models now.

 

[drinkingbird]

I've got an asus RT5300 router currently. About to install -Merlin on it but only after I can confirm someone here has actually got VLAN to work... before I go out and buy one of those pfsense boxes. I only see like 2-3 tutorials via google search with no confirmed actions. Damn, wish this was just a feature already.

I have VLANs running on RT-AC1900 via script, not sure if the 5300 is the same architecture or not. Others have gotten it working on the HND architecture but it is a bit more involved.

 

[TechN23]

I also have a RT-AX86U Pro and I am missing the VLAN tab as well under my LAN area. The article from Asus that mentions the VLAN tab is https://www.asus.com/us/support/FAQ/1049415. In fact the article even mentions the RT-AX86U Pro as a supported model. I have opened a case with Asus support. My ticket was escalated with Asus support. But I have not heard anything back so far. I am also running the latest firmware of 3.0.0.4.388.22525.

 

[Tech9]

I am also running the latest firmware of 3.0.0.4.388.22525.

VLANs are not available in this firmware. The firmware with Pro features is currently in Beta stage:

Beta - RT-AX86U_Pro Beta firmware 9.0.0.6.102_3506

This seems to have gone under the radar... https://www.asus.com/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax86u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro ASUS RT-AX86U Pro Firmware version 9.0.0.6.102.3506 Version 9.0.0.6.102.3506 Beta Version 54.47 MB Be noted: This is an...

www.snbforums.com

The official release won't happen any time soon. You can try the Beta now or wait for the official release when ready.

 

[TechN23]

@ Tech9 Thanks for the explanation. That makes sense.

 

[Tech9]

This is why I'm Tech #9 and you are Tech New and #23.

 

[mpetersen]

Will VLAN's be on the gt axe 6000?

 

[Tech9]

There is a Beta Pro firmware for it:

It will get Pro firmware unless Asus changes their mind before the official release.

 

[arx]

Any chance of adding support for vlan for TUF-AX5400?

 

[jiveman]

So I read about a dozen or so threads with different advise and finally put together a script to create vlans on boot that seems to work as intended. Unlike many of the examples out there, my script relies solely on brctl and ip link to create simple bridges. I'm open to feedback if I setup something wrong. I'm using OPNSense => ASUS AX92u (AP Mode) LAN4 (eth1) => WAN (eth0) Asus AX92u (AP Mode) / non-ai-mesh. Non-tagged traffic works fine when plugging into ethernet ports, but tagged traffic also gets distributed via the eth0 trunk back to OPNsense. I've created 4 guest networks and assigned each to a separate vlan. The code below is what I run on the first AX92u connected directly to OPNSense. The second AP shouldn't need the eth1.vNN sub interfaces added to each bridge (br1-br4) as it doesn't have another AP hooked up to it's LAN4 port. You can search for how to get scripts to auto start from a shell script e.g. /jffs/scripts/myvlanscript.sh called by /jfffs/scripts/services-start (you may need to enable jffs scripts in the webui => admin section > enable jffs scripts, and I think I had to install a usb disk, format it, then install packages by logging into AP via ssh then running amtm, then ep and selecting the formatted disk.

#!/bin/sh
set -x
# multi SSID with VLAN script, for ASUS AX92u with gnuton/merlin
# RT-AX92U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> WLAN 2.4 GHz (but not used?)
# eth6 -> WLAN 5-1 GHz (but not used?)
# eth7 -> WLAN 5-2 GHz (but not used?)
# wl0.1 -> WLAN 2.4 GHz - 1st guest 2.4Ghz radio
# wl0.2 -> Wireless - 2nd guest 2.4Ghz radio
# wl1.1 -> WLAN 5Ghz - 1st guest 5Ghz-1 radio
# wl2.1 -> WLAN 5Ghz - 1st guest 5Ghz-2 radio
# wl1.2 -> WLAN 5Ghz - 2nd guest 5Ghz-1 radio
# wl2.2 -> WLAN 5Ghz - 2nd guest 5Ghz-2 radio

# echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
# ip a >> /jffs/scripts/log
# ip r >> /jffs/scripts/log
# brctl show >> /jffs/scripts/log
# echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
brctl show

# echo $PATH > /tmp/script_debug

# remove eth0 which will be reconfigured as a tagged port
#brctl delif br0 eth0 eth1 eth6 eth7
brctl delif br0 eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
# remove guest wifi interfaces we're gonna move to other bridges
brctl delif br0 wl0.1 wl0.2 wl1.1 wl2.1

# simple for loop
for int in eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7;
do
ip link add link ${int} name ${int}.v20 type vlan id 20
ip link add link ${int} name ${int}.v40 type vlan id 40
ip link add link ${int} name ${int}.v80 type vlan id 80
ip link add link ${int} name ${int}.v100 type vlan id 100
ip link set ${int}.v20 up
ip link set ${int}.v40 up
ip link set ${int}.v80 up
ip link set ${int}.v100 up
done

# brctl stp br0 on # STP to prevent bridge loops

brctl addif br0 eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
# set up br1, guest LAN
brctl addbr br1
brctl stp br1 on # STP to prevent bridge loops
brctl addif br1 eth0.v20
brctl addif br1 eth1.v20
brctl addif br1 wl0.1
ifconfig br1 192.168.20.2 netmask 255.255.255.0
ip link set br1 up


brctl addbr br2
brctl stp br2 on # STP to prevent bridge loops
brctl addif br2 eth0.v40
brctl addif br2 eth1.v40
brctl addif br2 wl0.2
ip link set br2 up



brctl addbr br3
brctl stp br3 on # STP to prevent bridge loops
brctl addif br3 eth0.v80
brctl addif br3 eth1.v80
brctl addif br3 wl1.1
ip link set br3 up


brctl addbr br4
brctl stp br4 on # STP to prevent bridge loops
brctl addif br4 eth0.v100
brctl addif br4 eth1.v100
brctl addif br4 wl2.1
ip link set br4 up
# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7"

nvram set lan1_ifnames="wl0.1 eth1.v20 eth0.v20"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 eth1.v20 eth0.v20"
nvram set br1_ifname="br1"

nvram set lan2_ifnames="wl0.2 eth1.v40 eth0.v40"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 eth1.v40 eth0.v40"
nvram set br2_ifname="br2"

nvram set lan3_ifnames="wl1.1 eth1.v80 eth0.v80"
nvram set lan3_ifname="br3"
nvram set br3_ifnames="wl1.1 eth1.v80 eth0.v80"
nvram set br3_ifname="br3"

nvram set lan4_ifnames="wl2.1 eth1.v100 eth0.v100"
nvram set lan4_ifname="br4"
nvram set br4_ifnames="wl2.1 eth1.v100 eth0.v100"
nvram set br4_ifname="br4"
# doesn't seem to affect anything, just make it align

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# Disable hardware switching (increases CPU load) but threads say it's required
#ethswctl -c hw-switching -o disable #NOTE: in my testing this is not necessary. Here for reference.

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

 

[jiveman-fan]

So I read about a dozen or so threads with different advise and finally put together a script to create vlans on boot that seems to work as intended. Unlike many of the examples out there, my script relies solely on brctl and ip link to create simple bridges. I'm open to feedback if I setup something wrong. I'm using OPNSense => ASUS AX92u (AP Mode) LAN4 (eth1) => WAN (eth0) Asus AX92u (AP Mode) / non-ai-mesh. Non-tagged traffic works fine when plugging into ethernet ports, but tagged traffic also gets distributed via the eth0 trunk back to OPNsense. I've created 4 guest networks and assigned each to a separate vlan. The code below is what I run on the first AX92u connected directly to OPNSense. The second AP shouldn't need the eth1.vNN sub interfaces added to each bridge (br1-br4) as it doesn't have another AP hooked up to it's LAN4 port. You can search for how to get scripts to auto start from a shell script e.g. /jffs/scripts/myvlanscript.sh called by /jfffs/scripts/services-start (you may need to enable jffs scripts in the webui => admin section > enable jffs scripts, and I think I had to install a usb disk, format it, then install packages by logging into AP via ssh then running amtm, then ep and selecting the formatted disk.

#!/bin/sh
set -x
# multi SSID with VLAN script, for ASUS AX92u with gnuton/merlin
# RT-AX92U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> WLAN 2.4 GHz (but not used?)
# eth6 -> WLAN 5-1 GHz (but not used?)
# eth7 -> WLAN 5-2 GHz (but not used?)
# wl0.1 -> WLAN 2.4 GHz - 1st guest 2.4Ghz radio
# wl0.2 -> Wireless - 2nd guest 2.4Ghz radio
# wl1.1 -> WLAN 5Ghz - 1st guest 5Ghz-1 radio
# wl2.1 -> WLAN 5Ghz - 1st guest 5Ghz-2 radio
# wl1.2 -> WLAN 5Ghz - 2nd guest 5Ghz-1 radio
# wl2.2 -> WLAN 5Ghz - 2nd guest 5Ghz-2 radio

# echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
# ip a >> /jffs/scripts/log
# ip r >> /jffs/scripts/log
# brctl show >> /jffs/scripts/log
# echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
brctl show

# echo $PATH > /tmp/script_debug

# remove eth0 which will be reconfigured as a tagged port
#brctl delif br0 eth0 eth1 eth6 eth7
brctl delif br0 eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
# remove guest wifi interfaces we're gonna move to other bridges
brctl delif br0 wl0.1 wl0.2 wl1.1 wl2.1

# simple for loop
for int in eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7;
do
ip link add link ${int} name ${int}.v20 type vlan id 20
ip link add link ${int} name ${int}.v40 type vlan id 40
ip link add link ${int} name ${int}.v80 type vlan id 80
ip link add link ${int} name ${int}.v100 type vlan id 100
ip link set ${int}.v20 up
ip link set ${int}.v40 up
ip link set ${int}.v80 up
ip link set ${int}.v100 up
done

# brctl stp br0 on # STP to prevent bridge loops

brctl addif br0 eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
# set up br1, guest LAN
brctl addbr br1
brctl stp br1 on # STP to prevent bridge loops
brctl addif br1 eth0.v20
brctl addif br1 eth1.v20
brctl addif br1 wl0.1
ifconfig br1 192.168.20.2 netmask 255.255.255.0
ip link set br1 up


brctl addbr br2
brctl stp br2 on # STP to prevent bridge loops
brctl addif br2 eth0.v40
brctl addif br2 eth1.v40
brctl addif br2 wl0.2
ip link set br2 up



brctl addbr br3
brctl stp br3 on # STP to prevent bridge loops
brctl addif br3 eth0.v80
brctl addif br3 eth1.v80
brctl addif br3 wl1.1
ip link set br3 up


brctl addbr br4
brctl stp br4 on # STP to prevent bridge loops
brctl addif br4 eth0.v100
brctl addif br4 eth1.v100
brctl addif br4 wl2.1
ip link set br4 up
# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7"
nvram set br0_ifnames="eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7"

nvram set lan1_ifnames="wl0.1 eth1.v20 eth0.v20"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 eth1.v20 eth0.v20"
nvram set br1_ifname="br1"

nvram set lan2_ifnames="wl0.2 eth1.v40 eth0.v40"
nvram set lan2_ifname="br2"
nvram set br2_ifnames="wl0.2 eth1.v40 eth0.v40"
nvram set br2_ifname="br2"

nvram set lan3_ifnames="wl1.1 eth1.v80 eth0.v80"
nvram set lan3_ifname="br3"
nvram set br3_ifnames="wl1.1 eth1.v80 eth0.v80"
nvram set br3_ifname="br3"

nvram set lan4_ifnames="wl2.1 eth1.v100 eth0.v100"
nvram set lan4_ifname="br4"
nvram set br4_ifnames="wl2.1 eth1.v100 eth0.v100"
nvram set br4_ifname="br4"
# doesn't seem to affect anything, just make it align

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# Disable hardware switching (increases CPU load) but threads say it's required
#ethswctl -c hw-switching -o disable #NOTE: in my testing this is not necessary. Here for reference.

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

I registered and made an entire account on this forum just so I could reply to tell you thanks. I was trying to accomplish this exact problem with that exact setup and I can vouch that this worked flawlessly (with configuration-specific changes, of course). I think I wasted upwards of 6+ hours on different ways of doing this, so cheers to you. I owe you a beer