
Help setting up VLAN on ASUS RT-AC68U

Discussion in 'Asuswrt-Merlin' started by FalconB, Oct 14, 2018.

  1. joe scian

    joe scian Regular Contributor

    Joined:
    Apr 22, 2018
    Messages:
    99
    Many thanks to you and your brilliant coding skills
     
  2. joe scian

    joe scian Regular Contributor

    Joined:
    Apr 22, 2018
    Messages:
    99
    Hi Martineau

    I ran WIFIVPN with commands wifivpn.sh wl0.1 novpn vlan1 autodnsmasq and this is what it produced:-

    (wifivpn.sh): 32267 v1.05 © 2016-2018 Martineau, Guest WiFi Bridge request.....[wl0.1 novpn vlan1 autodnsmasq]
    (wifivpn.sh): 32267 ***Warning Bridge 'br1' not defined in '/etc/dnsmasq.conf' - auto updating '/jffs/configs/dnsmasq.conf.add' with 'br1' statements.....
    ifconfig: SIOCSIFFLAGS: Network is down
    ifconfig: bad address '.1'
    Sorry, rule does not exist.
    Sorry, rule does not exist.
    iptables v1.4.15: Invalid rule number `3
    4'
    Try `iptables -h' or 'iptables --help' for more information.
    (wifivpn.sh): 32267 WiFi (wl0.1) 2.4GHz Guest 1 ASUS_Guest1 (.0/24) via bridge:br1

    The contents of /etc/dnsmasq.conf are as follows:- ( the dns entry is incorrect? )
    # Bridge br1 uses DHCP pool 192.168.101.2 - 192.168.101.20
    interface=br1
    dhcp-range=br1,192.168.101.2,192.168.101.20,255.255.255.0,14400s
    dhcp-option=br1,3,192.168.101.1
    dhcp-option=br1,6,192.168.101.1
    dhcp-option=br1,252,"\n"

    <user>@<router>:/jffs/scripts# brctl show

    bridge name     bridge id           STP enabled     interfaces
    br0             8000.d017c2ec0680   yes             vlan1
                                                        wl1.1
                                                        wl2.1
    br1             8000.d017c2ec0681   no              wl0.1
                                                        vlan10

    <user>@<router>:/jffs/scripts# robocfg show
    Switch: enabled
    Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: fc:5b:39:27:de:50
    Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 2: 10HD enabled stp: none vlan: 1 jumbo: off mac: 00:25:9b:9c:36:68
    Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: 00:05:fe:85:23:55
    Port 4: 100FD enabled stp: none vlan: 1 jumbo: off mac: 7c:2f:80:b5:b8:ed
    Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 18:74:2e:9a:d2:bd
    Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 50:1a:c5:f6:9a:85
    Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: d0:17:c2:ec:06:80
    VLANs: BCM5301x enabled mac_check mac_hash
    1: vlan1: 2 3 4 5t 7 8t
    2: vlan2: 0 8u
    10: vlan10: 1t 8t

    PS - I can't join ASUS_Guest1 - it keeps coming up with wrong password even though it's correct
     
  3. 58chev

    58chev Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    54
    Location:
    Etobicoke, Canada
    Thank you SIR. You have been a tremendous help.

    Another stupid question. :confused:
    Do I call this script from firewall-start?
     
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    "Never stupid questions...only stupid answers" :p

    In an ideal world, you would only need to create the VLANs once during the boot process, so init-start or services-start would be preferred.
    However, depending on the environment, firewall-start and nat-start can fire more than once during the boot process :eek:

    I personally use nat-start (I posted a template that includes code to ensure the nat-start script only runs once during the boot process) to call my GS108E.sh VLAN management script.
     
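Martineau's point that firewall-start and nat-start can fire more than once per boot is straightforward to guard against. The following is an added example, not Martineau's posted nat-start template: a nat-start wrapper that creates a boot-scoped flag file in /tmp so the VLAN management script runs only on the first invocation. The VLAN script path, the flag-file name and the `init` argument it passes are assumptions.

```shell
#!/bin/sh
# Added example (not Martineau's posted template): a /jffs/scripts/nat-start
# wrapper that runs the VLAN management script once per boot, even though the
# firmware may call nat-start several times during start-up.
# Assumed/hypothetical: the VLAN script path and the flag-file location.

VLAN_SCRIPT="${VLAN_SCRIPT:-/jffs/scripts/Cisco2960X.sh}"
# /tmp lives in RAM on the router and is emptied at every reboot, so a file
# there marks "already done during this boot" and never survives a restart.
FLAG_FILE="${FLAG_FILE:-/tmp/nat-start.vlan.done}"

# Return 0 the first time it is called per boot, 1 on every later call.
# 'set -C' (noclobber) makes the redirection fail if the file already exists,
# so two overlapping nat-start invocations cannot both get a 0.
run_once() {
    if ( set -C; : > "$FLAG_FILE" ) 2>/dev/null; then
        return 0
    fi
    return 1
}

# Create the VLANs on the first call; on repeats just log and return success
# so the rest of nat-start is unaffected. Returns the VLAN script's exit code.
create_vlans() {
    if run_once; then
        "$VLAN_SCRIPT" init
        return $?
    fi
    echo "nat-start: VLAN setup already done this boot, skipping" >&2
    return 0
}

# Only do the work when invoked as nat-start, so the functions above can be
# sourced by other scripts without side effects.
case "$0" in
    */nat-start|nat-start) create_vlans ;;
esac
```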
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    I bet you now regret posting that!:oops:

    Always the way with lazy programming, in this case trying to make (VPN specific) code address a non-VPN problem it wasn't originally designed for.

    So if you remove the invalid dross from '/jffs/configs/dnsmasq.conf.add', and run
    Code:
    wifivpn.sh   wl0.1   novpn   autodnsmasq
    Hopefully the script should now work - albeit without the additional Port 1 VLAN10 mapped to WiFi 2.4GHz Guest #1.


    The error
    Code:
    iptables v1.4.15: Invalid rule number 3'   4'
    implies that there are duplicate :confused: conflicting rules so the script fails to insert its rule in the appropriate place and fails.:oops:

    I suspect perhaps you didn't delete VLAN10 having already used:
    Code:
    ./VLANSwitch.sh 10 bridge notag
    and WiFiVPN.sh didn't expect it?, so I may decide to revert back to my original design and modify VLANSwitch.sh to bind to either a WiFi VPN bridge (as originally designed), or add a new option (say 'bind=br10') to allow binding to the non-VPN bridge.

    EDIT: Just tested on RT-AC56U (no previous VLANs) and the script didn't fail with any errors....:confused:
    Code:
    ./WiFiVPN.sh wl0.1 novpn vlan1 notag autodnsmasq
    
    (WiFiVPN.sh): 678 v1.05 © 2016-2018 Martineau, Guest WiFi Bridge request.....[wl0.1 novpn vlan1 autodnsmasq]
    
    (WiFiVPN.sh): 678 WiFi (wl0.1) 2.4GHz Guest 1 G241 (192.168.101.0/24) via bridge:br1
    
    robocfg show
    
    Switch: enabled
    <snip>
    VLANs: BCM5301x enabled mac_check mac_hash
       1: vlan1: 0 2 3 5t
       2: vlan2: 4 5
      10: vlan10: 1 5t
      56: vlan56: 0 1t 4t 5 7
      57: vlan57: 1 2t 3 4t 5t
      58: vlan58: 4 5 7t
      59: vlan59: 3 4t 7 8t
      60: vlan60: 1 2 3t 5t 8u
      61: vlan61: 3 5t
      62: vlan62: 0 3 7t 8u
    
    brctl show
    
    bridge name bridge id  STP enabled interfaces
    br0  8000.acxxxxxxx yes  vlan1
                             eth1
                             eth2
    br1  8000.aczzzzzzzz no  wl0.1
                             vlan10
    
     
    Last edited: Oct 18, 2018
  6. joe scian

    joe scian Regular Contributor

    Joined:
    Apr 22, 2018
    Messages:
    99

    Thanks Martineau

    BTW no regrets whatsoever on my statement - you are a brilliant coder - period.
     
  7. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    So, I'm back again, alive and kicking! And I'm happy to say that my router seems to be back in its full glory after a factory reset :D. Don't know what happened to it, but it's performing as expected for now :rolleyes:.

    So, back to business!

    First of all, a big thanks to @Martineau for supporting me through my struggles with my router and the script! Hopefully the future won't be as troublesome. Going back to where it all started, I'm interested in creating a separate subnet connected through an unmanaged switch to my router's LAN port 4. I don't want this IoT-net to have access to my personal LAN. However I would like to be able to reach the IoT-devices from my personal LAN (to be able to configure them) and I would also like the IoT-devices to be able to use DNSCrypt (running on the router). What command (if any) should I run to achieve this (I realize that this script is only a part of the complete solution)?

    (Oh, and by now it's probably obvious that my knowledge of dnsmasq and such things is limited, to say the least :confused:).
     
  8. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    Good to hear...yet again proof (if proof were needed) that a 'factory reset' works wonders :p
    Unfortunately the command remains the same...the one that apparently causes your router to crash :confused:
    Code:
    ./VLANSwitch.sh   40   bridge   notag
    but @joe scian has used the 'bridge notag' method successfully. ;)

    P.S. I suggest you download the latest version, although the latest release just adds additional routers to be supported.
     
  9. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    @Martineau: Well, at least my router didn't hang (yay!:cool:), but the command gave the following error:
    Code:
    (VLANSwitch.sh): 20747 ***ERROR Bridge brbridge0 (vlan144) via Switch Port 4 not defined in '/etc/dnsmasq.conf' - (see 'VLANSwitch.sh' help)
    Using version 1.21.

    I wonder if it has to do with the other stuff I'm running on my router? Currently I'm running:
    • Merlin 384.7
    • Diversion with Pixelserv-tls
    • DNSCrypt
    Contents of my '/etc/dnsmasq.conf':
    Code:
    pid-file=/var/run/dnsmasq.pid
    user=nobody
    bind-dynamic
    interface=br0
    interface=pptp*
    no-dhcp-interface=pptp*
    no-resolv
    no-poll
    no-negcache
    cache-size=1500
    min-port=4096
    bogus-priv
    domain-needed
    dhcp-range=lan,192.168.1.230,192.168.1.250,255.255.255.0,86400s
    dhcp-option=lan,3,192.168.1.1
    dhcp-option=lan,252,"\n"
    dhcp-authoritative
    interface=tun21
    interface=tun22
    trust-anchor=.,19036,8,2,XXXXXXX
    trust-anchor=.,20326,8,2,XXXXXX
    dnssec
    dhcp-name-match=set:wpad-ignore,wpad
    dhcp-ignore-names=tag:wpad-ignore
    server=127.0.0.1#65053
    # start of Diversion directives #
    addn-hosts=/opt/share/diversion/list/blacklist
    addn-hosts=/opt/share/diversion/list/blockinglist
    log-async
    log-queries
    log-facility=/opt/var/log/dnsmasq.log
    # end of Diversion directives #
    The directory '/jffs/configs' does not contain any files.

    'robocfg show' returns:
    Code:
    Switch: enabled
    Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: XXX
    Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XXX
    Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XXX
    Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: XXX
    Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    VLANs: BCM5301x enabled mac_check mac_hash
       1: vlan1: 1 2 3 4 5t
       2: vlan2: 0 5
    'brctl show' returns:
    Code:
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.XXX                yes             vlan1
                                                            eth1
                                                            eth2
                                                            wl0.1


    It's almost like this was not meant to be :eek::D!

    EDIT: Spelling and formatting
     
    Last edited: Oct 20, 2018
  10. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    @Martineau: Restarting my router and running the command again yields:
    Code:
     (VLANSwitch.sh): 1608 ***ERROR Invalid Switch Port 'brdige' - range 1-4 ONLY! RT-AC68U (RT-AC87U range 2-4!!!)
    (By the way, is it a typo in the error message, 'brdige' instead of 'bridge'?)

    'robocfg show', 'brctl show' give the same result as before. Still no files in '/jffs/configs' and the '/etc/dnsmasq.conf' is the same as before.
     
    Last edited: Oct 20, 2018
  11. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    No, the script simply echoes back what you typed :rolleyes: and as it isn't a recognised keyword, it assumes it is the (optional) Port physical number.

    One final attempt, I suggest (as per the PM), you ensure that you copy'n'paste the command from post #48 and run it in debug mode and please PM the debug trace output back to me.
     
  12. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    OMG :eek:! So embarrassing and I'm really sorry for that! Will do a proper copy-paste to avoid any more basic mistakes. Once again, sorry for messing up (1000 x :oops:)! I have PM'd the output...
     
  13. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    OK folks,I finally got the script working. Basically, I had two issues:
    1. My router had ended up in a confused state. The reason for that is unknown at the moment. It could have been my own trial'n'error, the script or something else that caused it to behave strangely.
    2. I can't type a simple command without a typo :oops:

    So, this what I did to get it to work:
    1. Did a factory reset on my router
    2. Got feedback on my typing and thus entered the command correctly (through copy-paste) :p
    So, since the script now works I would say that the script itself is/was NOT the cause of my initial problems. They were probably related to me doing stuff on the router that I didn't understand. So, if you got the impression from my earlier posts/problems that the script might cause your router to crash, it won't unless something's already messed up.

    I have learned my lesson: Don't try stuff that you don't know what it's doing without taking into consideration that a factory reset may be necessary to make all things good again. As for the typo, I won't comment on it further :cool:, just use copy-paste.



    So the command I entered was:
    Code:
    ./VLANSwitch.sh   40   bridge   notag    autodnsmasq
    • This created a VLAN 144 on my router port 4. To that port I am now able to connect an unmanaged switch where I have a laptop connected which is now getting an ip-address through DHCP for the 192.168.144.x-net.
    • The .144-net is isolated from the .1-net (private-net)
    • I'm able to reach the .144-net from the .1-net
    One issue that occurred was that I got a DNS-leak on the .144-net. I'm using DNSCrypt on my router and its address was sent as DNS through the DHCP, but an OpenDNS and a Google-DNS address were also sent. This, I learned (from the guru himself, aka @Martineau), can be changed by editing the file '/jffs/configs/dnsmasq.conf.add'. Haven't tried it yet, but it should easily be fixed. (EDIT: I can now confirm that it works!)

    So that's where I stand now. I still need to read up on a few things (iptables and more) to complete my desired configuration, but I think I'll just pause for a while and enjoy the moment for now :D.

    A big thanks to @Martineau for the script itself and the support and guidance through my VLAN-journey. Great work and thanks a million!
     
    Last edited: Oct 20, 2018
    joe scian and Martineau like this.
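The DNS leak FalconB describes, where DHCP clients on the new subnet are handed public resolvers as well as the router, can be checked for directly in the dnsmasq config. This is an added example, not code from the thread or from VLANSwitch.sh: it audits the DHCP option 6 (DNS server) entries for a bridge and emits a stanza, in the layout of the auto-generated '/jffs/configs/dnsmasq.conf.add' shown earlier, that pins DNS to the router only. The bridge name br144, the subnet and the sample config are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from VLANSwitch.sh): audit which DNS
# servers dnsmasq advertises via DHCP option 6 on a VLAN bridge, and produce a
# stanza that pins them to the router so the subnet keeps using the router-side
# resolver (DNSCrypt in FalconB's setup). Bridge name, subnet and the config
# below are constructed for illustration.

# Constructed sample: besides the router (192.168.144.1) the bridge advertises
# two public resolvers, which is exactly the leak to catch.
SAMPLE_CONF='interface=br144
dhcp-range=br144,192.168.144.2,192.168.144.20,255.255.255.0,14400s
dhcp-option=br144,3,192.168.144.1
dhcp-option=br144,6,192.168.144.1,208.67.222.222,8.8.8.8
dhcp-option=br144,252,"\n"'

# Read config text on stdin; print each DNS server (option 6) for bridge $1.
dns_servers_for() {
    awk -F, -v br="$1" '
        $0 ~ ("^dhcp-option=" br ",6,") { for (i = 3; i <= NF; i++) print $i }'
}

# Read config text on stdin; succeed only if every advertised DNS server for
# bridge $1 is the router address $2 (dnsmasq defaults to itself when no
# option 6 is set, so "none advertised" also counts as pinned).
dns_is_pinned() {
    _leaks=$(dns_servers_for "$1" | grep -Fvx "$2" | wc -l | tr -d ' ')
    [ "$_leaks" -eq 0 ]
}

# Emit a corrected stanza for bridge $1 on /24 network prefix $2 (e.g.
# 192.168.144), in the layout of the auto-generated dnsmasq.conf.add: DHCP
# pool .2-.20, gateway (option 3) and DNS (option 6) both the router's .1.
pinned_stanza() {
    _br=$1; _net=$2
    printf '# Bridge %s uses DHCP pool %s.2 - %s.20\n' "$_br" "$_net" "$_net"
    printf 'interface=%s\n' "$_br"
    printf 'dhcp-range=%s,%s.2,%s.20,255.255.255.0,14400s\n' "$_br" "$_net" "$_net"
    printf 'dhcp-option=%s,3,%s.1\n' "$_br" "$_net"
    printf 'dhcp-option=%s,6,%s.1\n' "$_br" "$_net"
}

# Demo on the constructed sample.
if printf '%s\n' "$SAMPLE_CONF" | dns_is_pinned br144 192.168.144.1; then
    echo "br144: DNS pinned to the router"
else
    echo "br144: DNS leak, clients are told to use:"
    printf '%s\n' "$SAMPLE_CONF" | dns_servers_for br144
    echo "corrected stanza for /jffs/configs/dnsmasq.conf.add:"
    pinned_stanza br144 192.168.144
fi
```

Run it against the live file with `dns_is_pinned br144 192.168.144.1 < /etc/dnsmasq.conf` after restarting dnsmasq, since dnsmasq.conf.add is merged into /etc/dnsmasq.conf at that point.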
  14. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    Many thanks for your comprehensive (and admirably honest 'confessional' ) feedback - it puts to shame those that can't be bothered to provide any at all.

    Without your testing, I would have still remained ignorant of the timing issue. The weird thing is that apart from the now enforced 2-second delay (and added support for the non-RT-AC68U routers) the script has remained unchanged and working in my environments for at least a year but since DNS leaks/DNSSEC was not a concern/available when I originally wrote the script, restarting dnsmasq apparently now takes longer. Clearly the 2-second delay is dumb overkill, so I will probably try and reduce the enforced wait....or as you suggested, issue a 'please wait/be patient/the router isn't crashing' message!:D

    Given your future 'advanced' design/topology requirements (once you have 'relaxed'!), then you may be better served by using a VLAN tagging capable downstream switch where additional ACL restriction may be applied to enforce client isolation within the new VLAN.

    Good luck.
     
  15. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    993
    Sorry I haven't provided any feedback. I have a family issue to take care of at the moment. Sorry
     
  16. FalconB

    FalconB Occasional Visitor

    Joined:
    Apr 20, 2017
    Messages:
    45
    Thank you! I have a feeling I might need it :p.
     
  17. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    @octopus - apologies, I wasn't including you :oops: as you have always previously provided useful feedback.

    NOTE: Family should always take priority.
     
    joe scian and octopus like this.
  18. 58chev

    58chev Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    54
    Location:
    Etobicoke, Canada
    @Martineau
    I have tried to use your GS108e.sh to auto run the VLANSwitch.sh but not having any luck.

    Code:
    ********@RT-AC66U_B1:/jffs/scripts# ./nat-start
    
            ***ERROR Cannot display status; VLAN 20 (or Bridge br20) not found
    
    ********@RT-AC66U_B1:/jffs/scripts# ./Cisco2960X.sh
    
            ***ERROR Cannot display status; VLAN 20 (or Bridge br20) not found
    
    
    this is my nat-start
    Code:
    #!/bin/sh
    /jffs/scripts/Cisco2960X.sh
    This is Cisco2960X.sh - Only change I made was to initially run one VLAN on port 4 and change the switch name from yours to my Cisco.

    Code:
    #!/bin/sh
    VER="v1.01"
    #======================================================================================================= © 2016-2018 Martineau, v1.01
    #
    # Manage the VLANs (call this script from appropriate system script e.g. init-start/nat-start/services-start)
    #
    
    #  Validate the request
    OPTION=
    if [ "$1" = "del" ]; then
        OPTION="del"
    fi
    # Allow use of abbreviated 'status verbose'
    if [ "$1" = "verbose" ]; then
        OPTION="status verbose"
    fi
    # Allow use of abbreviated 'status diag'
    if [ "$1" = "diag" ]; then
        OPTION="status diag"
    fi
    # Set 'status' as the Default action if no args
    if [ -z "$1" ] || [ "$(echo "$@" | grep -cw "status")" -gt 0 ];then
        OPTION="status"
        if [ "$2" = "verbose" ];then
            OPTION=$OPTION" "$2
        fi
    fi
    
    # Multiple VLANs on Port 4 (Tagged Trunk) for downstream VLAN capable switches
    #
    #    Cisco 2960X
    #
    /jffs/scripts/VLANSwitch.sh  20  autodnsmasq $OPTION "alias=Guest"               # VLAN20
    #/jffs/scripts/VLANSwitch.sh 30  $OPTION "alias=IoT"                 # VLAN30
    #/jffs/scripts/VLANSwitch.sh 40  $OPTION "alias=Internet"            # VLAN40
    #/jffs/scripts/VLANSwitch.sh 50  $OPTION "vpn1" "vlanfw" "alias=VPN" # VLAN50  force via VPN Client bridge (br1) and use explicit vlan50 Firewall rules
    #/jffs/scripts/VLANSwitch.sh 200 $OPTION                             # VLAN200 for testing
    
    # VLAN on Port 1 (UnTagged)
    #/jffs/scripts/VLANSwitch.sh 70  $OPTION "1 bridge notag alias=CCTV" # VLAN70 (Artificially exclude 60!)
    
    if [ "$1" == "del" ] || [ "$1" == "status" ];then
        # Perform any additional post-deletion or status activities here
        exit 0
    fi
    
    # Perform any additional post-creation activities here
    
    exit 0
    For now I run ./VLANSwitch.sh 20 4 autodnsmasq alias=GUEST manually after a reboot

    BTW, your script runs flawlessly with wired clients connected to my 2960 (ports configured for VLAN20) and WIFI clients that connect to a Cisco 3602i that I have with several SSID's and GUEST in VLAN20.
     
  19. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,861
    Location:
    UK
    Try changing nat-start to
    Code:
    #!/bin/sh
    /jffs/scripts/Cisco2960X.sh   init
    Also it might be best if you keep the order of the positional args
    e.g. Change
    Code:
    /jffs/scripts/VLANSwitch.sh  20  autodnsmasq $OPTION "alias=Guest"               # VLAN20
    to
    /jffs/scripts/VLANSwitch.sh  20  $OPTION  autodnsmasq "alias=Guest"               # VLAN20
    
     
    Last edited: Oct 23, 2018
  20. 58chev

    58chev Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    54
    Location:
    Etobicoke, Canada
    That did the trick.

    ThanX