Help for RT-AC68U VLANs for LAN & WIFI

Khauron

New Around Here
Device: Asus RT-AC68U
H/W Ver: E1
S/W Ver: Asus-Merlin 386.7_2
Factory reset done and JFFS formatted and enabled

Hey there, can the community help me out here? I'm lost and don't know what to do next.

I have the device running fine, but I would like to do VLANs for both LAN and WIFI.
I have pfSense creating the VLANs and the switches are running fine; if I set, let's say, VLAN "13" as the PVID for a LAN port of the switch, everything works.
But when I run the VLANs to the Asus, nothing works. I cannot understand why.

I have physical connections to the Asus:
WAN = This is the uplink with tagged info from the switch (VLAN 1, 11, 12, 13)
LAN1 = This should be VLAN1
LAN2 = This should be VLAN1
LAN3 = This should be VLAN1
LAN4 = This should be VLAN11
WIFI main 2.4 GHZ = This should be VLAN1
WIFI main 5.0 GHZ = This should be VLAN1
Guest N/w Index 1 2.4 GHz = This should be VLAN11
Guest N/w Index 1 5.0 GHz = This should be VLAN11
more to come, if I understand how this works

When I put this script in /jffs/scripts/services-start (yes, I have chmod'ed it a+x):
__________________________________________________________
#!/bin/sh

robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 11 ports "2 5t"
vconfig add eth0 11
ifconfig vlan11 up
brctl addif br0 vlan11
__________________________________________________________

Everything breaks. I lose the uplink-connection and I have to reset.
What am I missing here?
ATM I'm trying to have VLAN 11 coming out from physical LAN 2. Rest is to figure out, but currently I'm lost.

My setup is now clean, no VLANs or scripts enabled:
[email protected]:/tmp/home/root# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 04:d9:f5:xx:xx:xx
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 70:af:24:xx:xx:xx
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 98:93:cc:xx:xx:xx
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 0c:9d:92:xx:xx:xx
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 4 5t
2: vlan2: 5t
[email protected]:/tmp/home/root#

Halp?
 

drinkingbird

Very Senior Member
The commands you ran removed all VLANs from the WAN port (0) meaning it is a useless port now.

Not sure why you're changing port 2 to use VLAN 11 when you say you want that port to be VLAN 1?

Your switch port should have VLAN 1 untagged (VLAN 1 would be PVID of that port) and the rest of the VLANs tagged. Check to confirm. If for some reason it is tagging it (technically not correct but I've seen some do it) then under vlan 1 below put "0t" instead of "0". All VLANs should have 5t which is the CPU.

You will want something like
robocfg vlan 1 ports "0 1 2 3 5t"
robocfg vlan 11 ports "0t 4 5t"
robocfg vlan 12 ports "0t 5t"
robocfg vlan 13 ports "0t 5t"

you mention vlan 12 and 13 but don't say what you want them assigned to

Then you need to create a new bridge, and put VLAN 11 and your guest wifi into that to segregate it from the main VLAN/network which is br0

If you upgrade to the latest firmware and use Guest Wireless 1 it should create two VLANs for you, VLAN 501 and 502 (not positive if it does that in AP mode though). That should give you a good idea of what the configs need to look like. VLAN 501 is for 2.4Ghz and VLAN 502 is for 5Ghz. I'm running in router mode and just made use of those, since they get their own subnets, DHCP, etc.
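Added example (my own, not code from the thread or from Merlin): a pre-flight check for a planned robocfg table that catches the mistakes pointed out above, the uplink (port 0) missing from a VLAN and the CPU port (5t) missing, plus a port left untagged in two VLANs. It assumes the layout described in the thread: port 0 is the tagged uplink trunk, port 5 is the CPU (eth0), and VLAN 1 arrives untagged from the switch (PVID 1).

```shell
#!/bin/sh
# Pre-flight check for a robocfg VLAN table before it goes into
# /jffs/scripts/services-start. Assumed layout (RT-AC68U in AP mode, as in the
# thread): port 0 = WAN jack used as the tagged uplink, port 5 = CPU (eth0),
# VLAN 1 arrives untagged from the switch, every other VLAN arrives tagged.

# Print one line per problem in a table of "<vid> <ports>" lines, the same
# strings that would be passed to: robocfg vlan <vid> ports "<ports>"
vlan_table_errors() {
    printf '%s\n' "$1" | while read -r vid ports; do
        [ -n "$vid" ] || continue
        # the CPU port must be a tagged member or Linux never sees the VLAN
        case " $ports " in *" 5t "*) ;;
            *) echo "vlan $vid: CPU port 5t missing, the Linux side will not see it" ;;
        esac
        # the uplink must stay in every VLAN: untagged for VLAN 1, tagged otherwise;
        # dropping port 0 from VLAN 1 is exactly what cut the uplink in the first script
        if [ "$vid" = 1 ]; then
            case " $ports " in *" 0 "*) ;;
                *) echo "vlan 1: uplink port 0 must be untagged (switch sends VLAN 1 as PVID)" ;;
            esac
        else
            case " $ports " in *" 0t "*) ;;
                *) echo "vlan $vid: uplink port 0 must be tagged (0t) to reach the switch" ;;
            esac
        fi
    done
    # a switch port has exactly one PVID, so it may be untagged in at most one VLAN
    printf '%s\n' "$1" | awk '
        { for (i = 2; i <= NF; i++) if ($i !~ /t$/) seen[$i] = seen[$i] " " $1 }
        END { for (p in seen) if (split(seen[p], v, " ") > 1)
                  print "port " p ": untagged in VLANs" seen[p] ", a port has only one PVID" }'
}

# Return 0 when the table is safe to apply, 1 when vlan_table_errors found anything
check_vlan_table() {
    [ -z "$(vlan_table_errors "$1")" ]
}

# Constructed from the thread: the first script, which dropped the uplink ...
BROKEN_TABLE='1 1 3 4 5t
11 2 5t'
# ... and the table suggested in the reply, which keeps port 0 everywhere
WORKING_TABLE='1 0 1 2 3 5t
11 0t 4 5t
12 0t 5t
13 0t 5t'

for t in "$BROKEN_TABLE" "$WORKING_TABLE"; do
    if check_vlan_table "$t"; then echo "table OK"; else vlan_table_errors "$t"; fi
done
```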
 

Khauron

New Around Here
Thank you for your answer and help, it really helped me!

My first post was trying to do what I explained, but I got it all wrong. The logic didn't open up to me. Now with your explanation and help I got it working.
"Not sure why you're changing port 2 to use VLAN 11 when you say you want that port to be VLAN 1?"
This was one of the points I got all wrong.

Yes, my switch (TP-Link TL-SG2008 4.0) is configured like you described. VLAN 1 (which is fixed) goes untagged with PVID 1 and the other VLANs go tagged.

Now when I have on my script (thanks to you):
robocfg vlan 1 ports "0 1 2 3 5t"
robocfg vlan 11 ports "0t 4 5t"
robocfg vlan 12 ports "0t 5t"
robocfg vlan 13 ports "0t 5t"
I just confirmed that physical LAN port 4 works as expected, in VLAN 11. Great!
I'm handling all the traffic in my firewall (pfSense Plus), so I don't know yet whether I need to do segregation on the Asus. Maybe, if the Asus wants to route traffic directly from bridge to bridge. For now, the LAN traffic works as expected, and my firewall rules do the tricks I want.

Oh, almost forgot, indeed I'm running in AP mode. Had a thought that in router mode everything could be simpler, but wanted to do AP mode.
What do you mean by upgrading to the latest firmware? I am running latest stable (386.7_2). You mean some beta?

Next stop for me would be adding my guest network (created in the GUI) to VLAN 11. But how do I do that? Which robocfg ports are WIFI? How do I know which is the main wifi (should be VLAN 1) and which is the guest wifi (should be VLAN 11)?

Thank you very much for your help this far, and thank you in advance.
 

drinkingbird

Very Senior Member
Ports are switch ports, you're done with that part, you've set the VLANs you want.

Your wireless will be interfaces, which you'll need to add to a bridge along with the VLAN interface. Brctl is what you'll be using for that. VLAN 1 and your main wireless will already be in BR0 together.

If you're on the 386 code base and enable Guest Wireless 1, after rebooting it should create two new VLANs, 501 and 502 (I'm not 100% sure if it does this in "stand alone" AP mode, I think it does). From that you'll see good examples of what needs to be done. You can even make use of these VLANs instead of the 11/12/13 if you want, or just follow the examples there. For whatever reason they use one VLAN (501) for 2.4Ghz guest and another (502) for 5Ghz guest, but you can remap them as you want. I believe it creates a BR1 and puts both VLAN 501 and 502 in there along with the guest wireless interfaces, I don't recall the default "fresh" config exactly though and it may be different on an AP. You can make use of that bridge and add your new VLAN into that.

However after enabling GW1 double check to make sure it didn't overwrite any of your robocfg settings above. As long as your script runs late enough in the startup process it should be fine.

If it doesn't create those VLANs and the new bridge, you'll need to do it yourself, otherwise you'll just have everything hitting VLAN 1 from wireless (whether guest or not).

You need to create separate bridges or your VLANs will only apply to the switch, not your wireless, everything wireless will just use one VLAN. Brctl/separate bridges is how you map different SSIDs to different VLANs.
 

Khauron

New Around Here
OK, the robocfg part is done. As far as I've tested it, everything works on the ethernet ports. I think I can manage to add more VLANs if I have to.
When I run 'robocfg show' after a reboot, I get:
ASUSWRT-Merlin RT-AC68U 386.7_2 Sun Jul 24 21:37:07 UTC 2022
[email protected]:/tmp/home/root# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 04:d9:xx:xx:xx:xx
Port 1: 100FD enabled stp: none vlan: 1 jumbo: off mac: 70:af:xx:xx:xx:xx
Port 2: 100FD enabled stp: none vlan: 1 jumbo: off mac: 98:93:xx:xx:xx:xx
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 11 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 0c:9d:xx:xx:xx:xx
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 5t
2: vlan2: 5t
11: vlan11: 0t 4 5t
12: vlan12: 0t 5t
13: vlan13: 0t 5t

There is this vlan2, which I don't create in the script. I have guest wifi enabled (2 x 2.4 GHz and 1 x 5.0 GHz) from the GUI, so I suppose it created it automatically.

On to the brctl part then. When I run 'brctl show' after a reboot, I get:
[email protected]:/tmp/home/root# brctl show
bridge name     bridge id           STP enabled     interfaces
br0             8000.12.mark.fake   no              vlan1
                                                    eth1
                                                    eth2
                                                    wl0.1
                                                    wl0.2
                                                    wl1.1
[email protected]:/tmp/home/root#

After a reboot I don't get VLAN 501 or 502. Is this the place to check? So I need to create VLAN 11 on the WIFI side and also create a new bridge:
# create a new bridge named br1
brctl addbr br1
# delete wl0.1 wl1.1 from br0
brctl delif br0 wl0.1 wl1.1
# add wl0.1 and wl1.1 to the new bridge br1
brctl addif br1 wl0.1 wl1.1
# bring the new bridge up
ip link set dev br1 up

Next step would be bringing the VLAN 11 to the bridge, right?
# create interface eth0.11 on the link eth0 and map it to VLAN 11
ip link add link eth0 name eth0.11 type vlan id 11
# add eth0.11 to the new bridge br1
brctl addif br1 eth0.11

And yet again I am lost. The guest wifi won't even allow me to connect. What am I thinking wrong?

Edit:

FYI, I left the original post up there.

I continued heavy research and tried a different approach; came up with this:

vconfig add eth0 11
ifconfig vlan11 up

brctl delif br0 wl1.1
brctl addbr br11
brctl addif br11 wl1.1
brctl addif br11 vlan11
ifconfig br11 up

nvram set br0_ifname="br0"
nvram set lan_ifname="br0"
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set br0_ifnames="vlan1 eth1 eth2"

nvram set lan1_ifnames="vlan11 wl1.1"
nvram set lan1_ifname="br11"
nvram set br11_ifname="br11"
nvram set br11_ifnames="vlan11 wl1.1"

killall eapd
eapd

ebtables -F

I think it works... Not 100% sure yet, don't have the time to fully test, but looks very good. Will report back.
Does anyone see any problems or mistakes in that config?
 

drinkingbird

Very Senior Member
VLAN 2 is the WAN VLAN, it is not used in AP mode so that is why it isn't assigned to anything.

Are you using Guest Wireless 1? If so I guess AP mode does not create the VLAN 501 and 502 unless you put it into an AIMESH.

On your model router I usually see people use brctl and ifconfig, not sure if ip link will work or not, but looks like you moved away from that. Just test everything to make sure it is working right (receiving the correct DHCP IPs from your firewall, can't access the other network even if you set a static IP, etc). I haven't done it in AP mode, only router mode, but above looks like you're on the right track.
 

Khauron

New Around Here
After heavy and extensive testing I can confirm everything is working as expected and wanted. Well, you can ICMP ping the other VLANs' gateways, but that was expected; after all, this is a home router and not enterprise-grade hardware or software.
I did some tweaking and now I use all the main and guest WIFIs.
Thank you @drinkingbird for your help and support!

This is for future readers:
This setup was used for an Asus RT-AC68U in AP mode. The physical WAN port is the uplink and is connected to a managed switch, which delivers VLAN 1 untagged and VLAN 11, VLAN 12 and VLAN 13 tagged.
The main WIFIs (2.4 GHz & 5.0 GHz) are bridged with all the physical LAN ports in VLAN 1.
The guest WIFIs are used for the three VLANs; I handled them so that each 2.4 GHz and 5.0 GHz pair shares one bridge.

Script (/jffs/scripts/services-start):
#!/bin/sh

# Multi-SSID with VLAN script for the Asus RT-AC68U running Merlin in AP mode.
# Adapted from a script originally written for the ASUS AC66U_B1.
# DHCP is served by the main router/firewall (pfSense, ER-X or similar),
# not by this device.
#
# Setup beforehand:
#       set the "router" to "AP Mode"
#       (this puts all switch ports and all wireless interfaces in br0)
#       create the guest network SSIDs in the GUI, e.g. asus_guest_1
#       enable Administration => System => Enable JFFS custom scripts and configs
#

# Some basic info about the original AP mode:

# Running 'brctl show' in the shell gives output like the following:
#
#        bridge name    bridge id               STP enabled     interfaces
#        br0            8000.1c4a54447218       no              vlan1
#                                                               eth1
#                                                               eth2
#                                                               wl0.1
#                                                               wl0.2
#
#       'vlan1' is a set of switch ports; in AP mode vlan1 includes the switch's ports 0 1 2 3 4 5
#       'br0' is a Linux network bridge device, with 'wl0.1' as one of its members
#       'wl0.1' is the 2.4 GHz guest network 1; 'vlan1' and 'wl0.1' are in the same bridge (broadcast domain),
#        so they can communicate with each other.
#       'eth1' is the 2.4 GHz primary network
#       'eth2' is the 5 GHz primary network

# Running 'robocfg show' in the shell shows the switch ports and VLANs (inside the switch only, not in Linux)

# Notice: all traffic between the switch and Linux (the Merlin system) is carried by eth0 (the switch's port 5)

#       Switch: enabled
#       Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 14:82:c4:f4:40:20
#       Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
#       Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
#       Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
#       Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
#       Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 4c:2d:34:14:31:d8
#       Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
#       Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
#       VLANs: BCM5301x enabled mac_check mac_hash
#       1: vlan1: 0 1 2 3 4 5t
#       2: vlan2: 5t

#       On the ASUS AC66U_B1 (and the RT-AC68U) 'Port 0' corresponds to the physical WAN port (blue)
#       The remaining switch ports correspond to the physical ports as follows:
#       Port 1 --> LAN 1
#       Port 2 --> LAN 2
#       Port 3 --> LAN 3
#       Port 4 --> LAN 4
#       Port 5 (eth0) is directly connected to the CPU; it is always UP
#

# This setup:
#       WAN port (Port 0) acts as the trunk port, carrying VLAN 11, 12 and 13 traffic tagged

#       'vlan 1' on Port 0 is untagged; the LAN ports, the primary WIFI and management of the router use it
#       'vlan 11' on Port 0 is tagged; guest network 1 uses it, isolated from the primary network
#       'vlan 12' on Port 0 is tagged; guest network 2 uses it, isolated from the primary network
#       'vlan 13' on Port 0 is tagged; guest network 3 uses it, isolated from the primary network

# client traffic --> guest SSID (wl0.1 / wl1.1) --> br11 --> Linux interface vlan11 --> switch's Port 5 (tagged) -->
#  ---> switch's Port 0 (tagged) ---> uplink port

#       LAN ports (Port 1~4) and the primary WIFI stay on vlan 1
#       Guest network 1 will be on VLAN 11
#       Guest network 2 will be on VLAN 12
#       Guest network 3 will be on VLAN 13



# Let's get started!

# configure the VLANs on the switch ports (Port 0 tagged for the uplink, Port 5 tagged for the CPU)
# robocfg is the Broadcom BCM5325/535x/536x/5311x switch configuration utility

robocfg vlan 11 ports "0t 5t"
robocfg vlan 12 ports "0t 5t"
robocfg vlan 13 ports "0t 5t"

# add the VLAN interfaces on the Merlin side on eth0 (switch Port 5)
vconfig add eth0 11
vconfig add eth0 12
vconfig add eth0 13


# then bring them up
ifconfig vlan11 up
ifconfig vlan12 up
ifconfig vlan13 up


# remove the guest wifis from br0   wl0.x --> guest wifi 2.4 GHz   wl1.x --> guest wifi 5.0 GHz
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl0.3
brctl delif br0 wl1.1
brctl delif br0 wl1.2
brctl delif br0 wl1.3

# add one Linux network bridge per guest VLAN
brctl addbr br11
brctl addbr br12
brctl addbr br13

# add the guest wifis (2.4 GHz and 5.0 GHz pair) to their bridge
brctl addif br11 wl0.1 wl1.1
brctl addif br12 wl0.2 wl1.2
brctl addif br13 wl0.3 wl1.3

# add the VLAN interfaces to the bridges
brctl addif br11 vlan11
brctl addif br12 vlan12
brctl addif br13 vlan13

# bring the bridges up
ifconfig br11 up
ifconfig br12 up
ifconfig br13 up

# the nvram values must be correct; if they are NOT, wireless client requests will be rejected
nvram set br0_ifname="br0"
nvram set lan_ifname="br0"
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set br0_ifnames="vlan1 eth1 eth2"

nvram set lan1_ifnames="vlan11 wl0.1 wl1.1"
nvram set lan1_ifname="br11"
nvram set br11_ifname="br11"
nvram set br11_ifnames="vlan11 wl0.1 wl1.1"

nvram set lan2_ifnames="vlan12 wl0.2 wl1.2"
nvram set lan2_ifname="br12"
nvram set br12_ifname="br12"
nvram set br12_ifnames="vlan12 wl0.2 wl1.2"

nvram set lan3_ifnames="vlan13 wl0.3 wl1.3"
nvram set lan3_ifname="br13"
nvram set br13_ifname="br13"
nvram set br13_ifnames="vlan13 wl0.3 wl1.3"


# restart eapd so it picks up the new bridge / interface mapping
killall eapd

eapd

# flush ebtables --> clear all rules
ebtables -F

# restart the HTTP GUI
service restart_httpd
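Added example (my own, not part of the script above): after the script has run, confirm the SSID-to-bridge mapping actually took effect by parsing `brctl show`. The two `brctl show` samples are constructed to match what the thread shows before the script and what the script should produce afterwards (VLAN 13 left out for brevity); the bridge ids are made up.

```shell
#!/bin/sh
# Check which bridge each interface landed in after the script above ran.
# Added example, not from the thread. "brctl show" prints the bridge name only
# on the line that introduces it; continuation lines carry just an interface.

# Print the bridge holding interface $1 in the "brctl show" text $2 (nothing if unbridged)
bridge_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                    # column header
        NF >= 4 { br = $1; iface = $4 }     # "<bridge> <id> <stp> <first iface>"
        NF == 3 { br = $1; iface = "" }     # bridge with no members
        NF == 1 { iface = $1 }              # continuation line: one more member
        iface == want { print br; exit }'
}

# $1: expected "<iface> <bridge>" per line, $2: "brctl show" text.
# Prints one line per interface that is not where it should be.
bridge_map_errors() {
    printf '%s\n' "$1" | while read -r iface want; do
        [ -n "$iface" ] || continue
        have=$(bridge_of "$iface" "$2")
        [ "$have" = "$want" ] || echo "$iface: in ${have:-no bridge}, expected $want"
    done
}

# Return 0 only when every interface sits in its intended bridge
check_bridge_map() {
    [ -z "$(bridge_map_errors "$1" "$2")" ]
}

# Intended result: main SSIDs stay in br0 with VLAN 1, each guest SSID pair
# shares a bridge with its VLAN interface (VLAN 13 omitted here for brevity)
EXPECTED_MAP='vlan1 br0
eth1 br0
eth2 br0
vlan11 br11
wl0.1 br11
wl1.1 br11
vlan12 br12
wl0.2 br12
wl1.2 br12'

# Constructed "brctl show" output before the script (everything in br0, as
# the thread showed) and after it; the bridge ids are made up
BRCTL_BEFORE='bridge name bridge id STP enabled interfaces
br0 8000.000000000001 no vlan1
eth1
eth2
wl0.1
wl0.2
wl1.1'
BRCTL_AFTER='bridge name bridge id STP enabled interfaces
br0 8000.000000000001 no vlan1
eth1
eth2
br11 8000.000000000002 no vlan11
wl0.1
wl1.1
br12 8000.000000000003 no vlan12
wl0.2
wl1.2'

bridge_map_errors "$EXPECTED_MAP" "$BRCTL_BEFORE"
check_bridge_map "$EXPECTED_MAP" "$BRCTL_AFTER" && echo "after: every interface where expected"
```

On the AP itself, feed it the live table instead of the sample: `bridge_map_errors "$EXPECTED_MAP" "$(brctl show)"`.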
 

drinkingbird

Very Senior Member
On your pfSense you should be able to block ICMP between the VLAN gateways, probably not a big deal though (as long as that isn't indicative of a bigger problem - other traffic being able to get through also). In reality, on each VLAN interface on the pfSense it should block any and all traffic to the other LANs; that should be a pretty straightforward ruleset I would think, but I haven't used it, maybe that's just the way it works.
 
