How to disable DHCP for one LAN port on AC-RT68U?

netaddict

I can't figure out how to disable DHCP on just one LAN port on the AC-RT68U. I see that "lan_ifnames=vlan1 eth1 eth2", where eth1 and eth2 are wireless ports and the 4-port switch's ports are all part of vlan1.

I see that dnsmasq.conf.add can have the "except-interface=ifname" to exclude a particular interface, but the LAN ports are bundled into vlan1. How can I instruct dnsmasq not to hand out DHCP addresses to port #3 of the LAN ports? Please advise, thanks.
 
Seems to me you've answered your own question. In order to uniquely identify a given port (or group of ports), it needs to be assigned to its own network interface. And then you can assign it its own IP network, DHCP server, etc. But by default, the wired ports form their own vlan (vlan1 in this case) and are assigned to the default bridge (br0) along w/ the wireless network interfaces, meaning you can't treat either the wired ports or wireless network interfaces independently from the bridge to which they are assigned.

Some third party firmware (e.g., freshtomato) supports this capability natively, but Merlin is NOT one of them. It's just an inherent limitation of that firmware. Although if you dig around, I believe there are scripting solutions available to implement such changes. Needless to say, caveat emptor.
 
Thank you for your response. I prefer not to have to reflash to freshtomato, so a scripting solution to bypass would be best. I've searched online for I think over an hour for scripts to do exactly this, but perhaps I'm not searching for the correct terms. I believe ideally I'd be able to create VLANs and allocate interfaces, but what would be the workaround? Firewalling a port, perhaps?
 
I don't know the specifics (so search for existing posts), and they will vary depending on the model of router, but your starting point will be the robocfg command.

You will need to use that to detach the desired port from vlan1 and attach it to a new vlan. Once you've done that you can reconfigure the rest of the router to use it however you want to.

Of course you will need to be using Merlin's firmware to do this.
 
OK, you put me on the right track searching through this forum. I was able to find lots of articles and tips and finally understood how this can be done. I wrote the following script and got it working. Just thought I'd share it here.

/jffs/scripts/dnsmasq.conf.add
except-interface=vlan20

/jffs/scripts/nat-start
#!/bin/sh
# /jffs/scripts/nat-start
#
# https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
# https://github.com/RMerl/asuswrt-merlin.ng/wiki
# Excellent info on internals of AC-RT68U https://coertvonk.com/sw/networking/dd-wrt-heading-two-networks-asus-rt-ac68u-11717
#
# nvram show | grep vlan.*ports | sort
# vlan1ports=1 2 3 4 5*
# vlan2ports=0 5
#
# robocfg show # shows VLAN information
# ...
# vlan1: 1 2 3 4 5t
# vlan2: 0 5
# vlan56: 1t 5t 7 8t
# vlan57: 0t 2t 5t 8t
# vlan58:
# vlan59: 2t 8t
# vlan60: 0 1t 7t 8t
# vlan61: 4t 8t
# vlan62: 0t 1 7t 8t
#
# brctl show # Shows bridge information
# bridge name   bridge id           STP enabled   interfaces
# br0           8000.e03f49280ad8   yes           vlan1
#                                                 eth1
#                                                 eth2
#                                                 tap21
#
# Port 0 = WAN
# Port 1-4 = LAN
# Port 5 = CPU: connects the VLAN trunk from the switch to interface eth0 on the CPU
# VLAN 1 = LAN Ports 1-4 + CPU
# VLAN 2 = WAN + CPU
# br0 = LAN bridge, including AP radio
# eth0 - LAN
# eth1 - 2.4G Wifi
# eth2 - 5G Wifi
#
# The switch tags incoming frames with a VLAN identifier. Frames arriving on the WAN port are tagged as VLAN2,
# while frames from the LAN ports are tagged as VLAN1. The frames destined for the CPU are sent on CPU internal
# port 5.
#
# The CPU receives the frames over port eth0. Frames with a VLAN2 tag are treated as WAN traffic. Frames with a
# VLAN1 tag are combined (bridged) with frames from the wireless module (eth1) and treated as LAN traffic.
#
# Write a start marker to syslog; the ( ) subshell below logs each stage it runs
/usr/bin/logger "================== NAT START ==================="

# Checks if VLAN20 already exists within robocfg and then only executes if it's not already there
# Useful for starting and stopping services manually to test
robocfg show | grep -i vlan20 > /dev/null 2>&1 || \
(
/usr/bin/logger "========= ROBOCFG"
# Remove Port 2 from vlan1
robocfg vlan 1 ports "1 3 4 5t"
# Assign Port 2 to vlan20 and tag with the CPU
robocfg vlan 20 ports "2 5t"

/usr/bin/logger "====== VCONFIG"
# Create VLAN20
vconfig add eth0 20 || /usr/bin/logger "VLAN 20 already exists"

/usr/bin/logger "====== IFCONFIG"
# Bring VLAN20 up (note that dnsmasq has already been configured for this address)
ifconfig vlan20 up
# Use the following if wanting to assign IP range
#ifconfig vlan20 up 192.168.11.0 netmask 255.255.255.0 up

/usr/bin/logger "====== BRCTL"
# Add the interface to the bridge
brctl addif br0 vlan20
# if wanting complete separation of port 2, establish a separate bridge
# brctl addbr br1
# brctl addif br1 vlan20
# ifconfig br1 up


# Restart services, do this if changing nvram settings
#killall eapd
#eapd
)
/usr/bin/logger "=================== NAT DONE ==================="
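
A read-only check for the layout the script above sets up, as an added example that is not part of the original thread: it parses `robocfg show` and `brctl show` text and reports whether a port is untagged in exactly the intended VLAN and whether that VLAN's interface is attached to br0. The function names and the sample text are assumptions constructed for illustration; the `vlanN: ports` line layout follows the output quoted in the script's comments.

```sh
#!/bin/sh
# Added example (not from the thread): audit a port's VLAN and bridge placement.
# Sample text is constructed, following the layout quoted in the script comments.
ROBOCFG_SAMPLE='vlan1: 1 3 4 5t
vlan2: 0 5
vlan20: 2 5t'
BRCTL_SAMPLE='bridge name  bridge id          STP enabled  interfaces
br0          8000.e03f49280ad8  yes          vlan1
                                             eth1
                                             eth2
                                             vlan20'

# vlans_for_port PORT: read `robocfg show` text on stdin and print the VLAN ids
# in which PORT is an untagged member ("2t" is tagged and does not match "2").
vlans_for_port() {
    awk -v port="$1" '{
        for (i = 1; i <= NF; i++) if ($i ~ /^vlan[0-9]+:$/) {
            id = $i; gsub(/[^0-9]/, "", id)
            for (j = i + 1; j <= NF; j++)
                if ($j == port) out = out (out == "" ? "" : " ") id
            break
        }
    } END { print out }'
}

# bridge_of IFACE: read `brctl show` text on stdin and print the owning bridge.
bridge_of() {
    awk -v ifc="$1" 'NR == 1 { next }
        { member = "" }
        NF >= 3 { br = $1; if (NF >= 4) member = $4 }
        NF == 1 { member = $1 }
        member == ifc { print br; exit }'
}

# audit_port PORT VLAN ROBOCFG_TEXT BRCTL_TEXT
audit_port() {
    members=$(printf '%s\n' "$3" | vlans_for_port "$1")
    [ "$members" = "$2" ] || { echo "misassigned:$members"; return 1; }
    br=$(printf '%s\n' "$4" | bridge_of "vlan$2")
    case "$br" in
        br0) echo "bridged:br0" ;;        # still in the LAN broadcast domain
        "")  echo "isolated:none" ;;      # VLAN interface in no bridge
        *)   echo "isolated:$br" ;;       # on its own bridge, e.g. br1
    esac
}

# On the router: audit_port 2 20 "$(robocfg show)" "$(brctl show)"
audit_port 2 20 "$ROBOCFG_SAMPLE" "$BRCTL_SAMPLE"
```

A `bridged:br0` result means the port still shares the LAN's layer-2 broadcast domain; the commented-out br1 lines in the script are the variant that reports `isolated:br1`.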