Help setting up VLAN on ASUS RT-AC68U

FalconB

Regular Contributor
Hi everyone!

I'm trying to set up a VLAN on my AC68U to separate my IoT devices. I've been scanning the forum for clues but I just can't get it working :( So if someone could give some assistance it would be much appreciated!

What I have:
  • ASUS RT-AC68U running Merlin 384.7
    • 192.168.1.1
  • Private network
    • 192.168.1.x
  • Using DNSCrypt
  • Using Diversion (formerly AB-Solution)
  • IoT-devices
  • Unmanaged switch

What I want to do:
  • Connect all my IoT devices to the unmanaged switch to create an IoT-net
  • Connect my IoT-net (the switch) to the physical port 4 on my router
    • IoT-net: 192.168.4.x with DHCP enabled
  • Isolate the IoT-net from the rest of my private network but still allow:
    • Internet access for IoT-devices
    • Connections initiated from my private network to the IoT-net, so that I can configure the IoT-devices from my computer
    • Let the IoT-net use my router (192.168.1.1) as DNS-server (to make use of DNSCrypt)
    • Let the IoT-net use the adblocking I have enabled on my private network

From what I've read on the forum, the way to go is to use VLAN tagging for my IoT-net, but, as I said, I have done some trial-and-error with scripts/commands from the forum and I just can't get it to work.

So if someone could create a beginner's/noob-guide it would be awesome :p

Thanks!
 
I'm not sure what issues you faced with the various other scripts/commands posted on the forum, but if you have the time and want to beta-test my script I can send you a link?

Code:
#======================================================================================= © 2016-2018 Martineau 'Router-on-a-stick' v1.18
#
# Configure RT-AC68U LAN Port X as VLAN Trunk for tagged VLAN nnn to downstream switch(s) on separate subnet using '/etc/dnsmasq.conf' or simply assign Port X to a separate subnet.
#
#
# Usage:    VLANSwitch  ['help'|''-h''] | [ [''vlan_id''] [switch_port] ]
#                                       [ ['status' ['verbose'] ['diag'] ['del'['nvram']] ['vpn'[n]] ['vlanfw'] ['nodnsmasq'] ['autodnsmasq'] ['alias='vlan_alias] ['debug'] ['bridge'] ['tcqdisc']
#
#           VLANSwitch  200
#                       Switch port 4 will have vlan200 tagged to it
#           VLANSwitch  200 del
#                       Switch port 4 will have vlan200 removed
#           VLANSwitch  50 status
#                       Show the connected VLAN devices (or Bridge if VLAN is enslaved to one)
#           VLANSwitch  50 status verbose
#                       Show the vlan configuration and statistics etc.
#           VLANSwitch  20 3 vpn2
#                       Switch port 3 will have vlan20 tagged to it and will be forced via the VPN Client 2 (on bridge br2)
#                       and the alias will be taken from the VPN Client GUI 'description' if it exists (Firmware >v380.xx)
#                       or will be taken from '/etc/iproute2/rt_tables' e.g. 'ovpnc2'
#           VLANSwitch  30 vpn1 vlanfw
#                       Switch port 4 will have vlan30 tagged to it and will be forced via the VPN Client 1 (on bridge br1)
#                       Firewall rules will explicitly use vlan30 rather than vlan+
#           VLANSwitch  130 nodnsmasq
#                       Switch port 4 will have vlan130 tagged to it, and vlan130 does not need to exist in /etc/dnsmasq.conf
#           VLANSwitch  150 autodnsmasq
#                       Switch port 4 will have vlan150 tagged to it, and /jffs/configs/dnsmasq.conf.add will be modified
#                       NOTE: dnsmasq will be auto-restarted.
#           VLANSwitch  10 1 bridge notag
#                       Switch port 1 will ONLY be vlan10 (not a tagged port), and bridge br10 using vlan111 will be created.
#                       This method is for environments without additional downstream VLAN capable switches
#           VLANSwitch  10 1 bridge notag del
#                       Switch port 1 will have vlan10 removed, and bridge br10 will be deleted
#           VLANSwitch  10 1 bridge notag tcqdisc
#                       Switch port 1 will ONLY be vlan10 (not a tagged port), and bridge br10 using vlan111 will be created and 'tc qdisc' will be added
 
Excellent! That script of yours seems to cover all bases regarding VLAN :cool:, so I'll gladly try it out and see if it resolves my issues. I guess it won't meet all of my "requirements", as per my first post (might be wrong though), but I think it will definitely help me a lot. So if you could send me the link I will try it out and get back to you afterwards with some feedback.
 
I cannot PM you..... ?o_O

 
That's strange! However, I found the setting to allow it (I think). Don't remember ever changing it. Well, well, try again please.
 
Thanks for the script! Man, you must have spent some time on it, it's huge!!!

I tried to create VLAN 40 but I get an error (ifconfig: bad address 'up'); still, it seems to be created, as I can view its status and then delete it. I don't know how to troubleshoot it other than reporting back the output I get from the script:
Code:
XXXX@RT-AC68U:/tmp/home/root# ./VLANSwitch.sh 40

(VLANSwitch.sh): 11032 v1.18b non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: bad address 'up'

        (VLANSwitch.sh): 11032 VLAN 'vlan40' alias 'None40' (.0/24) via Switch Port 4 created for downstream VLAN switch(s)





XXXX@RT-AC68U:/tmp/home/root# ./VLANSwitch.sh 40 status

        v1.18b non-Public Beta VLAN Switch Port 4 Configuration Status:


        'None40' vlan40 ACTIVE devices (ARP only accurate within 60secs?)
        =================================================================




XXXX@RT-AC68U:/tmp/home/root# ./VLANSwitch.sh 40 del

(VLANSwitch.sh): 11462 v1.18b non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


        (VLANSwitch.sh): 11462 VLAN 'vlan40' (alias 'None40') .0/24 via Switch Port 4 deleted.


XXXX@RT-AC68U:/tmp/home/root#

Once again, thanks for your efforts!
 
Well this is embarrassing... first attempt and a complete failure :oops:
It hasn't correctly assigned a VLAN subnet.... '(.0/24)' o_O

Have you already tried to configure VLANs? Possibly the script is confused by your previous attempts?

Perhaps you could try specifying a different port (other than the default 4), say 1, and see if the script correctly assigns the VLAN subnet?

When you say you have a managed switch (presumably attached to Port 4), is it capable of VLAN tagging?

If so, then can you try the following:
Code:
VLANSwitch  40   1   autodnsmasq
Otherwise, if the switch is not VLAN tagging capable, then try this command:
Code:
VLANSwitch  40   1  bridge   notag   autodnsmasq
 
Haha, no worries :cool:! I'm just glad to take advantage of all the knowledge around here and that you guys are willing to share your wisdom.

Well, as I said, I have been trying to get VLAN to work without success. But I don't think that left anything in the configs. I tried setting the VLAN ID to 400 when I tried, but your script doesn't allow values that high, so that shouldn't be a problem if something was left in the configs. Also, before running your script I did a 'robocfg show' and it only showed 2 VLANs, VLAN 1 and VLAN 2, none created by me.

After creating VLAN 40 with your script, 'robocfg show' lists VLAN 40 (along with VLAN 1 & 2) with the correct router port configured. If I connect a computer to the IoT-switch it gets a DHCP address from the router, but it's from my private IP range 192.168.1.x instead of 192.168.4.x, but this might be expected from the script? Either way, how do I change the DHCP range on my VLAN 40 to be 192.168.4.x?

My switch is UNmanaged and it is connected to my router's LAN port #4. So no VLAN support on that one...

EDIT:
If I do an 'ifconfig' I can see that my old VLAN 400 is there, but not "your" VLAN 40. I'm a bit lost here and can't really explain how this can be? 'robocfg show' only lists VLAN 1, 2 and 40. 'ifconfig' lists VLAN 400 but not VLAN 40.
 
Try posting output from
Code:
./VLANSwitch.sh   40   status   verbose
 
Here it is:

Code:
XXXX@RT-AC68U:/tmp/home/root# ./VLANSwitch.sh   40   status   verbose

        v1.18b non-Public Beta VLAN Switch Port 4 Configuration Status:


        'None40' vlan40 Robocfg Status
        ==============================
   1: vlan1: 1 2 3 4t 5t
  40: vlan40: 4t 5t


        'None40' vlan40 Bridge Status
        =============================



        'None40' vlan40 Status
        ======================
vlan40    Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          alias None40


        'None40' vlan40 Statistics
        ==========================
vlan40  VID: 40  REORDER_HDR: 1  dev->priv_flags: 1
         total frames received            0
          total bytes received            0
      Broadcast/Multicast Rcvd            0

      total frames transmitted            0
       total bytes transmitted            0
            total headroom inc            0
           total encap on xmit            0
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

                Firewall rules
                ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 DROP       all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
3        0     0 DROP       all  --  br0    vlan+   0.0.0.0/0            0.0.0.0/0            state NEW
4        0     0 DROP       all  --  vlan+  br0     0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 ACCEPT     all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW

                DNS VPN rules
                =============


        'None40' vlan40 ACTIVE devices (ARP only accurate within 60secs?)
        =================================================================

XXXX@RT-AC68U:/tmp/home/root#
 
Hi guys - similar question. I plan to use pfSense - Cisco (eBay) managed switch - Asus RT-AC68U F/W: 384.7 (AP mode)

I have tried to add tagged vlan20 here and could add other VLANs (30, 40, 50 and so on). This is the code I have gleaned from the forums. Feel free to correct me. Although Martineau's script may be more elegant and mature, and I would very much like to test it :)

Code:
#!/bin/sh

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Remove port 4 from VLAN1
robocfg vlan 1 ports "0 1 2 5t"

# Create VLAN20, and add port 4t(tagged) or 4 (untagged)
robocfg vlan 20 ports "4t 5t"

#VLAN-port setup - add VLAN as an interface connected to eth0
vconfig add eth0 20

# up interface vlan20
ifconfig vlan20 up

# create br1
brctl addbr br1
# enable stp
#brctl stp br1 on

# Remove wl0.1 (the named guest network) from br0
brctl delif br0 wl0.1

# add wl0.1 to br1
brctl addif br1 wl0.1

# up interface
ifconfig br1 up

# add vlan20 to br1
brctl addif br1 vlan20

# Configure an IP address on the bridge and bring it up - alternatively just ifconfig br1 up
ifconfig br1 10.0.0.1 netmask 255.255.255.0 up

# Mapped vlan20ports
nvram set vlan20ports="4t 5t"
nvram set vlan20hwname=et0

# Cleanup (remove the wl0.1 from "lan_ifnames")
#nvram set lan_ifnames="vlan1 eth1 eth2"

# Set lan_ifnames & make eapd listen on the existing bridge br0
nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

#   Create lan1_ifnames &  make eapd to listen to the new bridge br1
nvram set lan1_ifnames="vlan20 wl0.1"
nvram set lan1_ifname="br1"

# save nvram settings
nvram commit

I am unsure what these refer to or even if that is required:
1. PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
2. # Mapped vlan20ports
3. # Cleanup (remove the wl0.1 from "lan_ifnames")

Thanks all and Martineau (please PM me your script)
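The following is an added example (my own, not Martineau's VLANSwitch and not the script posted above) that serves both FalconB's requirement list in the opening post and the hand-rolled script just posted: it generates, and on request applies, the robocfg/vconfig/brctl commands, the iptables rules and the dnsmasq.conf.add fragment for an isolated IoT VLAN on LAN port 4 with DHCP on 192.168.4.x. Assumptions not taken from the thread: eth0 as the switch device with CPU port 5, br0 as the LAN bridge, the WAN device read from nvram, and the hypothetical file name iot_vlan.sh; run with no arguments it only prints the plan.

```shell
#!/bin/sh
# Added example for this thread (not Martineau's VLANSwitch and not the script
# posted above): plan-then-apply helper for the layout FalconB asked for.
# LAN port $2 becomes an untagged member of VLAN $1, bridged as br$1 on
# $3.0/24; the router serves DHCP/DNS on that bridge, and the firewall allows
# only IoT->router DNS/DHCP, IoT->Internet and LAN->IoT (plus their replies).
# Assumed: switch device eth0, CPU port 5, LAN ports 1-4 (as in the robocfg
# output in the thread), LAN bridge br0, WAN device from nvram (eth0 fallback
# so the script can be dry-run off the router).
LAN_BR=${LAN_BR:-br0}
WAN_IF=${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}

# Print the switch/bridge commands. $1=VLAN id  $2=LAN port (1-4)  $3=first 3 octets
vlan_plan() {
    vid=$1 port=$2 net=$3 lan_ports=""
    # every LAN port except $port stays in vlan1; CPU port 5 is tagged on both
    for p in 1 2 3 4; do [ "$p" = "$port" ] || lan_ports="$lan_ports$p "; done
    cat <<EOF
robocfg vlan 1 ports "${lan_ports}5t"
robocfg vlan $vid ports "$port 5t"
vconfig add eth0 $vid
ifconfig vlan$vid up
brctl addbr br$vid
brctl addif br$vid vlan$vid
ifconfig br$vid $net.1 netmask 255.255.255.0 up
EOF
}

# Print the firewall rules; -I puts them ahead of the firmware's own rules.
# Rule order matters: replies first, then the narrow allows, then the drops.
fw_plan() {
    vid=$1 net=$2
    cat <<EOF
iptables -I INPUT 1 -i br$vid -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i br$vid -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT 3 -i br$vid -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 4 -i br$vid -j DROP
iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i $LAN_BR -o br$vid -j ACCEPT
iptables -I FORWARD 3 -i br$vid -o $WAN_IF -j ACCEPT
iptables -I FORWARD 4 -i br$vid -j DROP
iptables -t nat -I POSTROUTING -s $net.0/24 -o $WAN_IF -j MASQUERADE
EOF
}

# Print the dnsmasq fragment for /jffs/configs/dnsmasq.conf.add: DHCP on the
# bridge with the router as gateway (option 3) and DNS (option 6), so IoT
# lookups hit the same DNSCrypt resolver and Diversion blocklists as the LAN.
dnsmasq_plan() {
    vid=$1 net=$2
    cat <<EOF
interface=br$vid
dhcp-range=br$vid,$net.100,$net.199,255.255.255.0,24h
dhcp-option=br$vid,3,$net.1
dhcp-option=br$vid,6,$net.1
EOF
}

# Execute the plan on the router; only reached when invoked with 'apply'.
apply_all() {
    vlan_plan "$1" "$2" "$3" | sh -e || return 1
    fw_plan "$1" "$3" | sh -e || return 1
    dnsmasq_plan "$1" "$3" >> /jffs/configs/dnsmasq.conf.add
    service restart_dnsmasq
}

# Usage: ./iot_vlan.sh [plan|apply] [vlan_id] [port] [net]  (defaults: plan 40 4 192.168.4)
arg_cmd=${1:-plan} arg_vid=${2:-40} arg_port=${3:-4} arg_net=${4:-192.168.4}
if [ "$arg_cmd" = apply ]; then apply_all "$arg_vid" "$arg_port" "$arg_net"
else vlan_plan "$arg_vid" "$arg_port" "$arg_net"; fw_plan "$arg_vid" "$arg_net"; dnsmasq_plan "$arg_vid" "$arg_net"; fi
```

Review the printed plan first; because the rules are inserted at the top of INPUT/FORWARD they also need re-adding from /jffs/scripts/firewall-start after the firmware rebuilds its chains.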
 
I suggest you will probably have to delete any interfaces defined in '/jffs/configs/dnsmasq.conf.add' and reboot.

VLAN400 should not cause a problem, but it is strange that it still exists.

Since the script was originally written to have tagged ports from down-stream VLAN capable switches, you will be limited to the following usage:
Code:
VLANSwitch  40   1  bridge   notag   autodnsmasq

Can you please retry with the above syntax after you have rebooted?
 
Well, that didn't go well! After a reboot, the VLAN 400 was gone and everything seemed normal. Good! But after running the command...
Code:
VLANSwitch  40   1  bridge   notag   autodnsmasq
...I got the VLANSwitch header-text displayed...
Code:
(VLANSwitch.sh): 4539 v1.18b non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.
...and then my router hung (or at least the internet died and I couldn't interact with it from PuTTY anymore). I had to power-cycle it. After that, it's back to normal and I can still do the 'VLANSwitch.sh 40' as per earlier, with the same result as then. Haven't dared to try the other command again as I already got the evil eye from the family after bringing the Internet down :confused:. One time is no time, two times is one time too many :p

So I think I'll leave it till tomorrow for now. Many thanks though! I'll try some more and get back tomorrow.
 
Abject apologies :oops::oops:

P.S. Perhaps you could post the contents of '/jffs/configs/dnsmasq.conf.add'

I will try and see if I can find why the subnet is not being created for the tagged Port method.
 
OK I think I have found the bug.

I have added two 'sleep 2' statements as the restart of dnsmasq seemingly can now take longer if the script has to physically add the directives :rolleyes::rolleyes:

Please download v1.19b
 
Hi Martineau

Is there any chance I may also be included in the non-public beta v1.19b of vlanswitch.sh? Thank you
 
@Martineau
I would also like to try the vlan switch program.
Octopus
 
