Help setting up VLAN on ASUS RT-AC68U

Discussion in 'Asuswrt-Merlin' started by FalconB, Oct 14, 2018.

  1. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Hi everyone!

    I'm trying to set up a VLAN on my AC68U to separate my IoT devices. I've been scanning the forum for clues but I just don't get it working :( So if someone could give some assistance it would be much appreciated!

    What I have:
    • ASUS RT-AC68U running Merlin 384.7
      • 192.168.1.1
    • Private network
      • 192.168.1.x
    • Using DNSCrypt
    • Using Diversion (formerly AB-Solution)
    • IoT-devices
    • Unmanaged switch

    What I want to do:
    • Connect all my IoT devices to the unmanaged switch to create an IoT-net
    • Connect my IoT-net (the switch) to the physical port 4 on my router
      • IoT-net: 192.168.4.x with DHCP enabled
    • Isolate the IoT-net from the rest of my private network but still allow:
      • Internet access for IoT-devices
      • Connections initiated from my private network to the IoT-net, so I can configure the IoT devices from my computer
      • Let the IoT-net use my router (192.168.1.1) as DNS-server (to make use of DNSCrypt)
      • Let the IoT-net use the adblocking I have enabled on my private network

    From what I've read on the forum the way to go is using VLAN to tag my IoT-net, but, as I said, I have done some trial-and-error looking at scripts/commands here on the forum, but I just can't get it to work.

    So if someone could create a beginner's/noob-guide it would be awesome :p

    Thanks!
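    The setup asked for above, worked through end to end as an added example (editor's code, not FalconB's configuration and not Martineau's VLANSwitch script). It assumes: VLAN 40 on LAN port 4 with the port as an untagged member, because an unmanaged switch hangs off it; a bridge br40 at 192.168.4.1/24; the RT-AC68U port layout visible in the robocfg output posted later in this thread (LAN ports 1-4, 5t the tagged CPU port); eth0 as both the 802.1Q parent and the WAN interface (verify with `nvram get wan0_ifname`; PPPoE WANs need WAN_IF=ppp0); and Asuswrt-Merlin's services-start and firewall-start user scripts for persistence. The firewall part is what meets the isolation requirement: the stock Asuswrt chains already accept RELATED,ESTABLISHED, so only NEW connections need policy, and the IoT side can answer the private LAN but never initiate towards it. DNS is not forced anywhere; dnsmasq simply advertises its own br40 address, so IoT lookups go through the same dnsmasq instance as br0 clients and therefore through Diversion and the DNSCrypt upstream. Run with DRY_RUN=1 first, which prints every command instead of executing it.

```shell
#!/bin/sh
# Added example: carve LAN port 4 of an RT-AC68U (Asuswrt-Merlin) into its own
# VLAN, subnet and firewall zone for IoT devices on an unmanaged switch.
# Assumptions (not from the thread unless noted): LAN ports 1-4 and CPU port 5t
# as in the robocfg output posted in this thread; br0 = 192.168.1.1/24; eth0 is
# the CPU-side 802.1Q parent and the WAN interface (check: nvram get wan0_ifname);
# VLAN 40 / br40 / 192.168.4.0/24 as FalconB requested; JFFS user scripts enabled.
# Review: DRY_RUN=1 sh iot-vlan.sh apply   Apply: sh iot-vlan.sh apply

VID="${VID:-40}"
PORT="${PORT:-4}"                 # router LAN port the IoT switch plugs into
IOT_BR="br${VID}"
IOT_IP="${IOT_IP:-192.168.4.1}"
IOT_NET="${IOT_NET:-192.168.4.0/24}"
DHCP_START="${DHCP_START:-192.168.4.100}"
DHCP_END="${DHCP_END:-192.168.4.199}"
LAN_BR="${LAN_BR:-br0}"
WAN_IF="${WAN_IF:-eth0}"          # ppp0 on PPPoE WANs
DNSMASQ_ADD="${DNSMASQ_ADD:-/jffs/configs/dnsmasq.conf.add}"

# Every privileged command passes through run(); DRY_RUN=1 prints it instead.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Switch: PORT leaves vlan1 and becomes an untagged member of VLAN VID (the
#    unmanaged switch cannot handle tags). 5t keeps the CPU port tagged so the
#    SoC receives 802.1Q frames for the vlan interface created below.
configure_switch() {
    lan_ports=""
    for p in 1 2 3 4; do [ "$p" = "$PORT" ] || lan_ports="${lan_ports}${p} "; done
    run robocfg vlan 1 ports "${lan_ports}5t"
    run robocfg vlan "$VID" ports "$PORT 5t"
}

# 2. Kernel side: 802.1Q sub-interface enslaved to its own bridge carrying the
#    IoT gateway address (a bridge leaves room to add a guest wl0.x later).
configure_bridge() {
    run vconfig add eth0 "$VID"
    run ifconfig "vlan${VID}" up
    run brctl addbr "$IOT_BR"
    run brctl addif "$IOT_BR" "vlan${VID}"
    run ifconfig "$IOT_BR" "$IOT_IP" netmask 255.255.255.0 up
}

# 3. dnsmasq: DHCP + DNS on the IoT bridge. dnsmasq selects this range by the
#    receiving interface's subnet and, with no dhcp-option lines, advertises its
#    own address there (192.168.4.1) as router and DNS server.
dnsmasq_fragment() {
    printf 'interface=%s\n' "$IOT_BR"
    printf 'dhcp-range=%s,%s,255.255.255.0,86400s\n' "$DHCP_START" "$DHCP_END"
}
configure_dnsmasq() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '# append to %s:\n' "$DNSMASQ_ADD"; dnsmasq_fragment
    else
        grep -q "^interface=${IOT_BR}\$" "$DNSMASQ_ADD" 2>/dev/null || dnsmasq_fragment >> "$DNSMASQ_ADD"
    fi
    run service restart_dnsmasq
}

# 4. Firewall: stock Asuswrt chains accept RELATED,ESTABLISHED before their final
#    DROP, so only NEW connections need policy. Meant for firewall-start (tables
#    freshly rebuilt); rerunning it by hand only duplicates the jump rules.
firewall_rules() {
    # IoT -> router: DHCP and DNS only ('-N' fails harmlessly if the chain exists)
    run iptables -N IOT-IN
    run iptables -F IOT-IN
    run iptables -A IOT-IN -p udp -m multiport --dports 53,67 -j ACCEPT
    run iptables -A IOT-IN -p tcp --dport 53 -j ACCEPT
    run iptables -A IOT-IN -j DROP
    run iptables -I INPUT -i "$IOT_BR" -m state --state NEW -j IOT-IN
    # LAN -> IoT allowed (management); IoT -> Internet allowed; any other NEW
    # connection from IoT dropped, so IoT answers the LAN but never initiates.
    run iptables -N IOT-FWD
    run iptables -F IOT-FWD
    run iptables -A IOT-FWD -i "$LAN_BR" -o "$IOT_BR" -j ACCEPT
    run iptables -A IOT-FWD -i "$IOT_BR" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    run iptables -A IOT-FWD -i "$IOT_BR" -m state --state NEW -j DROP
    run iptables -I FORWARD -j IOT-FWD
    # NAT for the new subnet (redundant if the stock MASQUERADE matches all sources)
    run iptables -t nat -A POSTROUTING -s "$IOT_NET" -o "$WAN_IF" -j MASQUERADE
}

apply_all() {
    configure_switch
    configure_bridge
    configure_dnsmasq
    firewall_rules
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

    After applying on the router, `robocfg show` should list port 4 only in the new VLAN and `brctl show` should show vlan40 under br40. From a device on the IoT switch, a lookup against 192.168.4.1 should resolve while a connection attempt to anything in 192.168.1.x should time out; from the private LAN, the IoT devices' web interfaces should still be reachable.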
     
  3. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    I'm not sure what issues you faced with the various other scripts/commands posted on the forum, but if you have the time and want to beta-test my script I can send you a link?

    Code:
    #======================================================================================= © 2016-2018 Martineau 'Router-on-a-stick' v1.18
    #
    # Configure RT-AC68U LAN Port X as VLAN Trunk for tagged VLAN nnn to downstream switch(s) on separate subnet using '/etc/dnsmasq.conf' or simply assign Port X to a separate subnet.
    #
    #
    # Usage:    VLANSwitch  ['help'|''-h''] | [ [''vlan_id''] [switch_port] ]
    #                                       [ ['status' ['verbose'] ['diag'] ['del'['nvram']] ['vpn'[n]] ['vlanfw'] ['nodnsmasq'] ['autodnsmasq'] ['alias='vlan_alias] ['debug'] ['bridge'] ['tcqdisc']
    #
    #           VLANSwitch  200
    #                       Switch port 4 will have vlan200 tagged to it
    #           VLANSwitch  200 del
    #                       Switch port 4 will have vlan200 removed
    #           VLANSwitch  50 status
    #                       Show the connected VLAN devices (or Bridge if VLAN is enslaved to one)
    #           VLANSwitch  50 status verbose
    #                       Show the vlan configuration and statistics etc.
    #           VLANSwitch  20 3 vpn2
    #                       Switch port 3 will have vlan20 tagged to it and will be forced via the VPN Client 2 (on bridge br2)
    #                       and the alias will be taken from the VPN Client GUI 'description' if it exists (Firmware >v380.xx)
    #                       or will be taken from '/etc/iproute2/rt_tables' e.g. 'ovpnc2'
    #           VLANSwitch  30 vpn1 vlanfw
    #                       Switch port 4 will have vlan30 tagged to it and will be forced via the VPN Client 1 (on bridge br1)
    #                       Firewall rules will explicitly use vlan30 rather than vlan+
    #           VLANSwitch  130 nodnsmasq
    #                       Switch port 4 will have vlan130 tagged to it, and vlan130 does not need to exist in /etc/dnsmasq.conf
    #           VLANSwitch  150 autodnsmasq
    #                       Switch port 4 will have vlan150 tagged to it, and /jffs/configs/dnsmasq.conf.add will be modified
    #                       NOTE: dnsmasq will be auto-restarted.
    #           VLANSwitch  10 1 bridge notag
    #                       Switch port 1 will ONLY be vlan10 (not a tagged port), and bridge br10 using vlan111 will be created.
    #                       This method is for environments without additional downstream VLAN capable switches
    #           VLANSwitch  10 1 bridge notag del
    #                       Switch port 1 will have vlan10 removed, and bridge br10 will be deleted
    #           VLANSwitch  10 1 bridge notag tcqdisc
    #                       Switch port 1 will ONLY be vlan10 (not a tagged port), and bridge br10 using vlan111 will be created and 'tc qdisc' will be added
     
  4. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Excellent! That script of yours seems to be covering all bases regarding VLAN :cool:, so I'll gladly try it out and see if it resolves my issues. I guess it won't meet all of my "requirements", as per my first post (might be wrong though), but I think it will definitely help me a lot. So if you could send me the link I will try it out and get back to you afterwards with some feedback.
     
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    I cannot PM you..... o_O

    [attached screenshot: upload_2018-10-14_12-55-49.png]
     
  6. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    That's strange! However, I found the setting to allow it (I think). Don't remember ever changing it. Well, well, try again please.
     
  7. Grisu

    Grisu Very Senior Member

    Joined:
    Aug 28, 2014
    Messages:
    1,293
    I don't even have a button to start a PM ...
     
  8. wheelq w

    wheelq w New Around Here

    Joined:
    Aug 5, 2015
    Messages:
    3
    Please, i am also interested seems like a good idea
     
  9. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Thanks for the script! Man, you must have spent some time on it, it's huge!!!

    I tried to create a VLAN 40 but I get an error (ifconfig: bad address 'up'), but still it seems to be created as I can view its status and then delete it. I don't know how to troubleshoot it more than reporting back the feedback I get from the script:
    Code:
    [email protected]:/tmp/home/root# ./VLANSwitch.sh 40

    (VLANSwitch.sh): 11032 v1.18b non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.

    ifconfig: bad address 'up'

            (VLANSwitch.sh): 11032 VLAN 'vlan40' alias 'None40' (.0/24) via Switch Port 4 created for downstream VLAN switch(s)

    [email protected]:/tmp/home/root# ./VLANSwitch.sh 40 status

            v1.18b non-Public Beta VLAN Switch Port 4 Configuration Status:

            'None40' vlan40 ACTIVE devices (ARP only accurate within 60secs?)
            =================================================================

    [email protected]:/tmp/home/root# ./VLANSwitch.sh 40 del

    (VLANSwitch.sh): 11462 v1.18b non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.

            (VLANSwitch.sh): 11462 VLAN 'vlan40' (alias 'None40') .0/24 via Switch Port 4 deleted.

    [email protected]:/tmp/home/root#
    
    Once again, thanks for your efforts!
     
  10. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    Well this is embarrassing...first attempt and a complete failure :oops:
    It hasn't correctly assigned a VLAN subnet.... '(.0/24)' o_O

    Have you already tried to configure VLANs? Possibly the script is confused by your previous attempts?

    Perhaps you could try specifying a different port (other than the default 4), say 1, and see if the script correctly assigns the VLAN subnet?

    When you say you have a managed switch - presumably attached to Port 4, is it capable of VLAN tagging?

    If so then can you try the following
    Code:
    VLANSwitch  40   1   autodnsmasq
    otherwise if the switch is not VLAN tagging capable... then try this command
    Code:
    VLANSwitch  40   1  bridge   notag   autodnsmasq
     
  11. wheelq w

    wheelq w New Around Here

    Joined:
    Aug 5, 2015
    Messages:
    3
    Can you pm me? I also would like to test this script
     
  12. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Haha, no worries :cool:! I'm just glad to take advantage of all the knowledge around here and that you guys are willing to share your wisdoms.

    Well, as I said, I have been trying to get VLAN to work without success. But I don't think that left anything in the configs. I tried setting the VLAN ID to 400 when I tried, but your script doesn't allow such high values, so that shouldn't be a problem if something was left in the configs. Also, before running your script I did a 'robocfg show' and it only showed 2 VLANs, VLAN 1 and VLAN 2, none created by me.

    After creating VLAN 40 with your script 'robocfg show' lists VLAN 40 (along with VLAN 1 & 2) with the correct router port configured. If I connect a computer to the IoT-switch it gets a DHCP address from the router, but it's from my private ip-range 192.168.1.x instead of 192.168.4.x, but this might be expected from the script? Either way, how do I change the DHCP-range on my VLAN 40 to be 192.168.4.x?

    My switch is UNmanaged and it is connected to my router's LAN port #4. So no VLAN support on that one...

    EDIT:
    If I do a 'ifconfig' I can see that my old VLAN 400 is there, but not "your" VLAN 40. I'm a bit lost here and can't really explain how this can be? 'robocfg show' only lists VLAN 1, 2 and 40. 'ifconfig' lists VLAN 400 but not VLAN 40.
     
  13. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    Try posting output from
    Code:
    ./VLANSwitch.sh   40   status   verbose
     
  14. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Here it is:

    Code:
    [email protected]:/tmp/home/root# ./VLANSwitch.sh   40   status   verbose
    
            v1.18b non-Public Beta VLAN Switch Port 4 Configuration Status:
    
    
            'None40' vlan40 Robocfg Status
            ==============================
       1: vlan1: 1 2 3 4t 5t
      40: vlan40: 4t 5t
    
    
            'None40' vlan40 Bridge Status
            =============================
    
    
    
            'None40' vlan40 Status
            ======================
    vlan40    Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
              alias None40
    
    
            'None40' vlan40 Statistics
            ==========================
    vlan40  VID: 40  REORDER_HDR: 1  dev->priv_flags: 1
             total frames received            0
              total bytes received            0
          Broadcast/Multicast Rcvd            0
    
          total frames transmitted            0
           total bytes transmitted            0
                total headroom inc            0
               total encap on xmit            0
    Device: eth0
    INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
     EGRESS priority mappings:
    
                    Firewall rules
                    ==============
    Chain MyInput (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     udp  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
    2        0     0 ACCEPT     tcp  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    3        0     0 DROP       all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW
    
    Chain MyVLANs (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    3        0     0 DROP       all  --  br0    vlan+   0.0.0.0/0            0.0.0.0/0            state NEW
    4        0     0 DROP       all  --  vlan+  br0     0.0.0.0/0            0.0.0.0/0            state NEW
    5        0     0 ACCEPT     all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW
    
                    DNS VPN rules
                    =============
    
    
            'None40' vlan40 ACTIVE devices (ARP only accurate within 60secs?)
            =================================================================
    
    [email protected]:/tmp/home/root#
    
     
  15. mzuri

    mzuri New Around Here

    Joined:
    Aug 8, 2018
    Messages:
    6
    Hi guys - similar question. I plan to use a pfsense - cisco (ebay) managed switch - Asus RTAC68u F/W: 384.7 (AP mode)

    I have tried to add tagged vlan20 here and could add other vlan 30,40,50 and so on. This is the code I have gleaned from the forums. Feel free to correct me. Although Martineau's script may be more elegant and mature and I would very much like to test it :)

    Code:
    #!/bin/sh
    
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    
    # Remove port 4 from VLAN1. In AP mode the WAN jack (port 0) is a LAN port too,
    # and 5t is the tagged CPU port, so VLAN1 keeps ports 0-3.
    robocfg vlan 1 ports "0 1 2 3 5t"
    
    # Create VLAN20 and add port 4 tagged (4t) for a downstream VLAN-aware switch,
    # or untagged (4) for plain devices
    robocfg vlan 20 ports "4t 5t"
    
    # Create vlan20 as an 802.1Q sub-interface of eth0 (the CPU-side port) and bring it up
    vconfig add eth0 20
    ifconfig vlan20 up
    
    # Create bridge br1 for the new segment (STP stays off unless enabled)
    brctl addbr br1
    #brctl stp br1 on
    
    # Move guest network wl0.1 from br0 to br1 so the guest SSID shares the VLAN20 segment
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    
    # Add vlan20 to br1, then give the bridge its gateway address and bring it up
    # (alternatively just 'ifconfig br1 up' if the address is assigned elsewhere)
    brctl addif br1 vlan20
    ifconfig br1 10.0.0.1 netmask 255.255.255.0 up
    
    # Record the switch port mapping in nvram so the firmware knows about both VLANs
    nvram set vlan1ports="0 1 2 3 5t"
    nvram set vlan20ports="4t 5t"
    nvram set vlan20hwname=et0
    
    # br0 keeps vlan1, the radios and the other guest interfaces (wl0.1 removed);
    # eapd listens on the bridge named in lan_ifname
    nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
    nvram set lan_ifname="br0"
    
    # br1 gets vlan20 and wl0.1; lan1_* tells eapd to listen on the new bridge too
    nvram set lan1_ifnames="vlan20 wl0.1"
    nvram set lan1_ifname="br1"
    
    # save nvram settings
    nvram commit
    I am unsure what these refer to or even if that is required:
    1. PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    2. # Mapped vlan20ports
    3. # Cleanup (remove the wl0.1 from "lan_ifnames")

    Thanks all and Martineau (please PM me your script)
     
  16. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    I suggest you will probably have to delete any interfaces defined in '/jffs/configs/dnsmasq.conf.add' and reboot.

    VLAN400 should not cause a problem, but strange that it still exists.

    Since the script was originally written to have tagged ports from down-stream VLAN capable switches, you will be limited to the following usage:
    Code:
    VLANSwitch  40   1  bridge   notag   autodnsmasq
    Can you please retry with the above syntax after you have rebooted?
     
    Last edited: Oct 14, 2018
  17. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Well, that didn't go well! After a reboot, the VLAN 400 was gone and everything seemed normal. Good! But after running the command...
    Code:
    VLANSwitch  40   1  bridge   notag   autodnsmasq
    ...I got the VLANSwitch header-text displayed...
    Code:
    (VLANSwitch.sh): 4539 v1.18b non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.
    ...and then my router hung (or at least internet died and I couldn't interact with it from PuTTY anymore). I had to power-cycle it. After that, it's back to normal and I can still do the 'VLANSwitch.sh 40' as per earlier, with the same result as then. Haven't dared to try the other command again as I already got the evil eye from the family after bringing Internet down :confused:. One time is no time, two times is one time too many :p

    So I think I'll leave it till tomorrow for now. Many thanks though! I'll try some more and get back tomorrow.
     
  18. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    Abject apologies :oops::oops:

    P.S. Perhaps you could post the contents of '/jffs/configs/dnsmasq.conf.add'

    I will try and see if I can find why the subnet is not being created for the tagged Port method.
     
    Last edited: Oct 14, 2018
  19. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,852
    Location:
    UK
    OK I think I have found the bug.

    I have added two 'sleep 2' statements as the restart of dnsmasq seemingly can now take longer if the script has to physically add the directives :rolleyes::rolleyes:

    Please download v1.19b
     
    Last edited: Oct 14, 2018
  20. joe scian

    joe scian Regular Contributor

    Joined:
    Apr 22, 2018
    Messages:
    95
    Hi Martineau

    Is there any chance I may also be included in the non-public beta v1.19b of vlanswitch.sh? Thank you
     
  21. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    989
    @Martineau
    I would also like to try the vlan switch program.
    Octopus
     