How to setup an isolated VLAN on Merlin?

ccl13

Occasional Visitor
Hi All,

I tried to read a few instructions but am unable to produce expected results.

What I have is an ASUS RT-AC68U running Merlin firmware with one AP connected. I can create an isolated SSID (one that cannot access the intranet) on the ASUS without problem, but I cannot "extend" it to my AP.

The AP is capable of creating an SSID with a VLAN tag, and I know that internally ASUS' isolated SSID is implemented using a VLAN. The problem is, how can I configure my router so the isolated SSID on the AP is able to connect to the Internet but cannot access the intranet?


Thank you for your help!
 

yk101

Senior Member
Wouldn't that be what guest network is for? Have you tried that?
 

Wingsfan87

Regular Contributor
Wouldn't that be what guest network is for? Have you tried that?

I believe the OP is saying they already have the guest network on the main router and it is set to be isolated from intranet and they have a second AP that can do a VLAN SSID but they want it to be the same vlan that is created from the guest network on the Asus router that is already isolated to ensure the guest network on the AP is also isolated.

I actually have the same issue and would be interested in knowing a solution.
 

ccl13

Occasional Visitor
The instructions you've already looked at, do they include posts regarding VLANs in this forum? The topic crops up from time to time; if you haven't already searched the forum, it might be worth a go. Here was one such thread: https://www.snbforums.com/threads/vlans-on-merlin-mini-howto.20529/page-2#post-318151
That's a good idea! I can't believe it never came to me. I searched so much about how to create a VLAN to isolate clients but never thought to bring up the more general idea. I will read it. Thanks!

I believe the OP is saying they already have the guest network on the main router and it is set to be isolated from intranet and they have a second AP that can do a VLAN SSID but they want it to be the same vlan that is created from the guest network on the Asus router that is already isolated to ensure the guest network on the AP is also isolated.

I actually have the same issue and would be interested in knowing a solution.
That's exactly what I meant. Thanks for explaining! If I ever get a solution I will post it here.
 

florid

Occasional Visitor
@ccl13 not sure whether you have found a good solution for this? I have exactly the same requirement at home. I want to use the RT-AC68U as my main Internet router, with guest WiFi that limits intranet access. I have a Cisco AP attached to an AC68U LAN port. I want to broadcast the segregated guest WiFi on the Cisco AP too. Not sure how to configure the VLAN tag and trunk interfaces.
 

TonyK132

Senior Member
Maybe this is related to this topic but maybe not. I have a number of devices that are both wireless and wired that I would like to isolate from the rest of my network and from each other but still give them WAN access. This is in response to the recent Wired article about the vulnerability of IoT devices on your network. I suspect I need a script using iptables but have no idea how to do that. Is there a link that someone could point me to that would show how to do that in Merlin?
 

Mister Craft

Occasional Visitor
Maybe this is related to this topic but maybe not. I have a number of devices that are both wireless and wired that I would like to isolate from the rest of my network and from each other but still give them WAN access. This is in response to the recent Wired article about the vulnerability of IoT devices on your network. I suspect I need a script using iptables but have no idea how to do that. Is there a link that someone could point me to that would show how to do that in Merlin?

Is setting them up on a guest network not an option? I currently have all of my IoT devices on a guest network, and then I have my kids on a separate guest network. You can run three different guest networks on each of 2.4GHz and 5GHz, totaling 6 guest networks.
 

TonyK132

Senior Member
I could do that for WiFi, but I do not know how to do that for wired devices.
 

Mister Craft

Occasional Visitor
I could do that for WiFi, but I do not know how to do that for wired devices.

It would be simpler to get a $40 switch from Amazon and set your VLANs up that way. My house is run mainly on Wi-Fi, so I use the Guest as my "VLAN", if you could even call it that. Although, I'm currently looking for a switch on which I can set up legitimate VLANs for the added security and the practice.
 

TonyK132

Senior Member
It would be simpler to get a $40 switch from Amazon and set your VLANs up that way. My house is run mainly on Wi-Fi, so I use the Guest as my "VLAN", if you could even call it that. Although, I'm currently looking for a switch on which I can set up legitimate VLANs for the added security and the practice.
A managed switch with VLAN capability will cost more than $40. WRT should be able to handle it.
 

TonyK132

Senior Member
Wait, I'm wrong. You can get an 8-port managed switch for $40 or less on Amazon. But I want to manage and isolate devices via IP address not switch port.
 

Mister Craft

Occasional Visitor
Wait, I'm wrong. You can get an 8-port managed switch for $40 or less on Amazon. But I want to manage and isolate devices via IP address not switch port.
You can set up static routing through your router using the DHCP server, or go around and manually configure each device with static addresses and disable DHCP. Set up your VLAN and then assign those static IPs to where you want them.
 

gpz1100

Regular Contributor
Wait, I'm wrong. You can get an 8-port managed switch for $40 or less on Amazon. But I want to manage and isolate devices via IP address not switch port.

Set up each wired device on its own dedicated VLAN? You'd have one feeder cable into the RT or managed switch with tagged VLANs. Each port (up to 4, as there's only a total of 5 ports on the RT) would have an untagged VLAN definition. Your IoT device would plug into its respective port.

By design, traffic on the same subnet does not get routed or processed in any way other than getting passed to its destination [on the same subnet]. You can't just block it from accessing other devices on that same subnet.

This can be done on the Asus RTs with Merlin's (possibly even with stock) firmware. It's clunky and script based. To add more challenges, you'd either have to assign static IPs to these devices or create DHCP servers for each VLAN.

I run Sophos UTM as my main router/firewall/VPN server/and other. It handles all the DHCP and masquerading duties. All I had to do was define the VLANs and set up some other housekeeping (I wanted guest WiFi clients to be totally isolated from each other and from wired devices on the same VLAN). Maybe this thread will give you some ideas: https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-360410
 

username0475

Regular Contributor
So I'm in the similar boat as a couple of the posters & the OP are: Main Router on Merlin > Unmanaged Switch > AP > Smart Home devices only

Just to confirm: short of doing some complex (to me) scripting, the only other choice to get clients connecting to the AP without access to the rest of my internal LAN is via a managed switch?
 

TonyK132

Senior Member
Set up each wired device on its own dedicated VLAN? You'd have one feeder cable into the RT or managed switch with tagged VLANs. Each port (up to 4, as there's only a total of 5 ports on the RT) would have an untagged VLAN definition. Your IoT device would plug into its respective port.

By design, traffic on the same subnet does not get routed or processed in any way other than getting passed to its destination [on the same subnet]. You can't just block it from accessing other devices on that same subnet.

This can be done on the Asus RTs with Merlin's (possibly even with stock) firmware. It's clunky and script based. To add more challenges, you'd either have to assign static IPs to these devices or create DHCP servers for each VLAN.

I run Sophos UTM as my main router/firewall/VPN server/and other. It handles all the DHCP and masquerading duties. All I had to do was define the VLANs and set up some other housekeeping (I wanted guest WiFi clients to be totally isolated from each other and from wired devices on the same VLAN). Maybe this thread will give you some ideas: https://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/#post-360410

Thanks for the link. That is very helpful.
 

florid

Occasional Visitor
So an under-$80 MikroTik ROS router can replace both the main router and a 4-port managed switch, with granular VLAN functions plus PoE.
 

ccl13

Occasional Visitor
@ccl13 not sure whether you have found a good solution for this? I have exactly the same requirement at home. I want to use the RT-AC68U as my main Internet router, with guest WiFi that limits intranet access. I have a Cisco AP attached to an AC68U LAN port. I want to broadcast the segregated guest WiFi on the Cisco AP too. Not sure how to configure the VLAN tag and trunk interfaces.
Hi there. It was quite a while ago and I moved away from using an all-in-one router system, so I cannot find the config details now. But I can share with you what I can remember.

I finally figured out how to do that, as I read through all the available documents online and figured it's basically a quite standard VLAN configuration process. And you need to set up NAT on the different VLANs, which is a bit hard, but there are examples to follow. The tricky part is to have it configured automatically on reboot; I think I put it in JFFS and had some trouble making it work correctly every time.

My solution to the whole thing is that I moved to a MikroTik RB750Gr3 with a Netgear WAC510 instead. The whole experience is much better over there compared to doing all the ASUS/Merlin scripting.
 
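The "standard VLAN configuration plus NAT, run from JFFS on reboot" that ccl13 describes above (and the per-VLAN DHCP that gpz1100 mentions) boils down to a short list of switch, interface, iptables and dnsmasq lines. The function below is an added example, not code from the thread or from Merlin; it prints those lines for review rather than executing them, and its interface names, switch ports, VLAN id and subnets are assumptions for a Broadcom RT-AC68U-class router.

```shell
#!/bin/sh
# Added example (not from the thread or from Merlin): print the commands and
# dnsmasq lines for a guest VLAN that can reach the WAN but not the intranet,
# so they can be reviewed before being pasted into /jffs/scripts/firewall-start.
# Interface names, switch ports, VLAN id and subnets are assumptions; check
# yours with `robocfg show` and `ip addr` before using any of this.
gen_isolated_vlan() {
    vid="${1:-10}"              # VLAN id the AP tags on its guest SSID
    trunk="${2:-eth0}"          # CPU-side interface behind the switch (assumed)
    sw_ports="${3:-1t 5t}"      # switch ports tagged for $vid: 1 = AP, 5 = CPU (assumed)
    gw="${4:-192.168.10.1}"     # router address on the guest VLAN (/24 assumed)
    wan="${5:-vlan2}"           # WAN-facing interface (assumed)
    vif="$trunk.$vid"
    net="${gw%.*}.0/24"
    cat <<EOF
# switch + kernel side: carry tag $vid on the trunk and address the router on it
robocfg vlan $vid ports "$sw_ports"
ip link add link $trunk name $vif type vlan id $vid
ip addr add $gw/24 dev $vif
ip link set $vif up
# router services: guests get DHCP and DNS only; -I puts later lines above the DROP
iptables -I INPUT -i $vif -j DROP
iptables -I INPUT -i $vif -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $vif -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $vif -p tcp --dport 53 -j ACCEPT
# forwarding: guest traffic may only leave via the WAN, never toward br0 or other VLANs
iptables -I FORWARD -i $vif ! -o $wan -j DROP
iptables -I FORWARD -i $vif -o $wan -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
# /jffs/configs/dnsmasq.conf.add lines so guests get leases from $net
interface=$vif
dhcp-range=${gw%.*}.50,${gw%.*}.150,24h
EOF
}

# Reviewer's check: how many FORWARD rules the generator emits for a given VLAN
forward_rule_count() {
    gen_isolated_vlan "$@" | grep -c "^iptables -I FORWARD -i $2.$1 "
}
```

Return traffic from the WAN arrives with `-o eth0.10`, so it is not matched by the `-i eth0.10` DROP; only sessions initiated by guests are constrained.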

schmerg

Occasional Visitor
So I'm in the similar boat as a couple of the posters & the OP are: Main Router on Merlin > Unmanaged Switch > AP > Smart Home devices only

Just to confirm - short of doing some complex (to me) scripting - the only other choice to get clients connecting to the AP without access to the rest of my internal LAN is via a Managed switch?

I wrote up my notes on doing this, VLAN tagging on an AP, precisely for having an extended guest (and "normal") WiFi.
I tried using a managed switch at first, but that didn't work out for me, so now I do it entirely within the router.
See scripts and configs and explanations etc. here

Regards

Tim
 
