Solved Help finding workarounds for a WiFi bridge repeater that doesn't support VLANs

[robca]

I'm currently using two RT-AC68U with Merlin, one as main router, one as AP with a guest VLAN. I set up my network so that IoT devices with vlan 101 can access the internet but not the main network (vlan 1), and IoT devices on vlan 102 cannot access either internet or main network (but devices on the main network can access all IoT devices). Now I'm trying to add a third AC68U for a remote location. The remote location is connected with a wifi bridge repeater which doesn't properly bridge vlan traffic. So, even if the new AC68U is set up correctly when tested on the main network, once behind the bridge, it won't allow IoT devices to connect.

Bridge repeaters that support vlans are harder to find and much more expensive, so I'm trying to figure out a workaround. I guess I could try to write iptables/ebtables rules to individually block devices in the remote location, but it will require editing the configuration every time a new device is added. Also, blocking by IP address or MAC can be defeated by a spoofed malicious device. I could set up the remote AC68U as a router with its own rules, then connect to the main router using OpenVPN (which is active). Remote devices will be slower, but should work.

Any other suggestion? Usually this forum saves me from my stupidity by suggesting smarter alternatives

EDIT: is there a way to encapsulate traffic on both ends, maybe using something lightweight as GRE?

 

[TonyK132]

You might look into Fresh Tomato as a media bridge firmware for your AC68. It seems to have more VLAN support than Asus but I do not know how it handles that as a media bridge. Still, might be worth a look.

 

[robca]

You might look into Fresh Tomato as a media bridge firmware for your AC68. It seems to have more VLAN support than Asus but I do not know how it handles that as a media bridge. Still, might be worth a look.

Thanks for the reply, but maybe I didn't explain properly. I don't need a media bridge, nor a wireless repeater. I'm using this https://ueevii.com/collections/deal...rking-distance-outdoor-wireless-bridge-2-pack as a bridge (incidentally, works very well, vlans aside)

Merlin works very well with vlans. It's the wireless bridge I use that doesn't properly bridge vlan traffic. So I need a way to encapsulate the traffic over the bridge (so that bridge can't mess with the vlan) or figure out an architecture that allows me to use standard traffic over the bridge but still achieve IoT isolation and prenvent some devices from accessing the internet

 

[robca]

I found a pair of https://www.tp-link.com/us/business-networking/pharos-cpe/cpe210/ for the same price I paid for the Ueevii, and I decided that life is too short to mess around with this The CP210 is confirmed to work with VLANs, and even if slower than the Ueevii, it works on the 2.4GHz band which will give me better signal in my environment (not entirely line-of-sight). For what is worth, Ueevii's support replied right away when I sent them a question, confirming that the CPE10KM is the only bridge repeater in their range that supports VLANs