
Tutorial How to use VLANs on your non-pro Asus router with 386 or 388 code (no scripting required)

Thanks @drinkingbird, this tutorial is awesome, I was able to make it work using a smart switch pretty easily.
I know the idea here is to avoid scripting, but I'm interested in the more complex topics that would require scripting.

Specifically in those 2 topics you mentioned:
  • Allowing certain traffic to flow between VLANs, such as letting guest print to main LAN
  • Disabling isolation so wireless clients on the guest can see each other (and also the wired devices)
I need to do one way guest access (from vlan 1 to vlan 501 - guest). I tried several approaches using iptables but no real success so far.
I tried to set up pretty broad rules allowing br0 (vlan1) and br(vlan 501) to talk to each other, then I would make the rules more constrained after success, but I could not make it work. This is one of my attempts (in /jffs/scripts/firewall-start):

Code:
iptables -I FORWARD -i wl0.1 -o br0 -d 192.168.0.11 -j ACCEPT
iptables -I FORWARD -i br0 -o wl0.1 -s 192.168.0.11 -j ACCEPT
iptables -D INPUT -i br1 -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j ACCEPT

Do you have any suggestions of what I might be doing wrong? If you have any script samples able to do something similar, could you share them please?

I believe I'm facing this problem because even though I'm allowing both bridges to exchange packets, they still belong to different vlan id's, so I can't do that unless I remove the VLAN ID tag from the packet between br0 and br1, but I'm not sure this is the problem.
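
One way to express one-way access with stateful rules, as an added example that is not part of the original post: `audit_guest_to_main` flags rules that let the guest bridge open connections toward the main LAN, and `one_way_rules` prints a pair that only admits replies. It assumes `br0` is the main LAN bridge and `br1` the guest bridge, as in the rules posted above; the function names are hypothetical and the script only prints, it does not change the firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: br0 = main LAN bridge,
# br1 = guest (VLAN 501) bridge, taken from the rules in the post.

# FORWARD rules copied from the post above (the INPUT rules are left out).
posted_rules() {
    cat <<'EOF'
iptables -I FORWARD -i wl0.1 -o br0 -d 192.168.0.11 -j ACCEPT
iptables -I FORWARD -i br0 -o wl0.1 -s 192.168.0.11 -j ACCEPT
iptables -I FORWARD -i br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j ACCEPT
EOF
}

# One-way pair: main may open connections to guest; guest may only send
# packets that belong to a connection main already opened.
one_way_rules() {
    main="${1:-br0}"; guest="${2:-br1}"
    echo "iptables -I FORWARD -i $main -o $guest -j ACCEPT"
    echo "iptables -I FORWARD -i $guest -o $main -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Read iptables rule lines on stdin and print every FORWARD ACCEPT rule that
# lets the guest bridge start new connections toward the main LAN.
audit_guest_to_main() {
    awk -v main="${1:-br0}" -v guest="${2:-br1}" '
        /-[IA] FORWARD/ && /-j ACCEPT/ {
            in_if = ""; out_if = ""; stateful = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                # a state match only restricts the rule if NEW is not allowed
                if ($i == "--state" || $i == "--ctstate")
                    stateful = ($(i + 1) !~ /NEW/)
            }
            # no -o at all means "any output interface", which includes main
            if (in_if == guest && (out_if == main || out_if == "") && !stateful)
                print "OPEN: " $0
        }'
}

# Dry run: audit the posted rules, then print the one-way pair.
posted_rules | audit_guest_to_main
one_way_rules
```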
 
Just wanted to follow up with more info I found since I posted...

The switch is an HPe v1910, which actually has some layer 3 functions (static routing etc). So it may be a bit more complicated to configure for this. The switch has a webui page that contains vlan interfaces, and only the subnet for vlan1 appears there (22.3 is the switch itself, router is at 22.1).

View attachment 54857

Not sure if that's all that's needed there. There's also several lines in the ipv4 routing page (vlan1=*.22.X):

View attachment 54858

I disabled the dhcp functions on the switch since I thought that could be a problem, but that didn't seem to change anything. Reading on this I saw some folks mention similar issues that may be related to the router connected switch ports being of the hybrid type (rather than trunk or access). I noticed that the ports connected to my router also are in hybrid mode. I think that's because I have 1 untagged, and 501 tagged... it won't call it a trunk port with the untagged membership I think... but I'm worried I'll lock myself out of the switch if I remove pvid1 from the router connected ports. I was hoping I could configure this switch to work like the ones mentioned in the OP.

I know very little about networking outside of the very basics. I really don't need any L3 features, and figure a simpler switch like mentioned in the OP would just work. However I got the switch years ago for the POE (used on ebay... for cameras), and really don't want to add more clutter to my gadget closet if possible. I'm sure this switch is capable of doing everything the $30 basic switches can do, and it certainly meets all my needs otherwise.

Any tips on how to get vlans working with my ax86u and this switch would be very much appreciated. I'd also appreciate any links to info that would help me learn the parts of networking I need to know to understand how/why this happens. It is weird that the older PC seems to work fine regardless, but I figure I may have something misconfigured on the switch that's making the newer nic puke when connected to a pvid besides 1. Seems like many lessons about networking to be learned here.
With 386 and 388 code base, you can make use of two built in VLANs (plus the main LAN VLAN 1) to further segment your wired and wireless network, even on non-pro models.
This definitely works in router mode on all models that support AIMESH and these code versions. From what I have seen (but haven't tried), it does NOT work in standalone AP mode, you will not have the option to enable LAN isolation (and thus create the VLANs) but still need 100% confirmation on that. It does work with Aimesh slave/nodes as long as you have a master router set up, these VLANs are definitely on the WAN port, so you can put the switch inline with that (in that case your uplink to main router and downlink to the AIMESH node must have all 3 or 4 VLANs configured as described below). I believe the VLANs will also be on the LAN ports too but again need confirmation on that. Even in wireless backhaul mode the VLANs should be there on both wireless and wired.

  1. Ensure you have one of the code versions above (either Asus stock or Merlin) installed. If you are upgrading from 384 or earlier, good idea to hard factory reset and start from scratch, not from a backup. In fact that's a good idea for any code upgrade.
  2. Enable guest wireless 1 (must be #1) and set access intranet to "disabled". Note this is the stock or Merlin Asus guest VLAN config. Does not work with Yazfi as far as I can tell.
    -If you only need one VLAN, you can pick either 2.4 or 5ghz, if you want two, enable them both. Technically an additional SSID can slightly hurt the performance of your wireless, usually negligible, but if you just need one probably use 2.4G so as not to impact your higher performance 5G. However I have both enabled and no noticeable impact, even with SSID broadcasts on, so may as well just enable both for future use/flexibility, even if you don't need 2 now.
    -If you do not need guest wireless and only want this for wired (or to feed another wireless AP) you can set the SSID to any random name (that isn't in use around you) and check off to "hide" it. You can even shut off the wireless radios if you need no wireless at all on the main router.
  3. Hit apply, and when finished applying, reboot router.
  4. Now all LAN ports (and WAN port on Aimesh Nodes) will have vlan 501 (2.4ghz guest, subnet 192.168.101.0/24) and/or 502 (5ghz guest, 192.168.102.0/24) tagged on them. Normal devices plugged into these ports will ignore those tags and just use your main LAN VLAN 1 as always, so for main LAN devices you can plug right into the router LAN (or the external switch on VLAN 1).
  5. Get a switch with VLAN support. Netgear 5 port GS305E is typically around $20 and TP-Link 8 port TL-SG108E is usually around $27. Of course you can get larger switches for more money too, just make sure they are "smart" switches with 802.1Q vlan support.
  6. Connect one port of that switch to any LAN port on the Asus (on Aimesh nodes, can use the WAN port too). Usually you'll use either the first or last port on your switch and the asus for this, those are the unofficial "uplink" ports on any switch. Note on Asus routers with 8 ports, stick with LAN ports 1-4 for the uplink.
  7. On your switch, set that port to have VLAN 1 untagged, VLAN 501 and/or 502 tagged, PVID set to 1
  8. The rest of the ports (or at least ones that won't be linked to another VLAN aware device) set to a single vlan, (1, 501, or 502), UNTAGGED. Choose the VLAN based on what network you want the port to have access to - VLAN 1 will be on your main LAN, 501 and/or 502 will be on your guest network(s).
  9. Set the PVID of those ports to match the same VLAN as step 8 above (1, 501, or 502).
Your wired devices will now be in the respective VLAN/subnet and isolated from your main LAN (and also isolated from wireless devices in that same guest network)

Few notes
-If you have a tri-band router (5ghz-2) you will likely also have a VLAN 503/192.168.103.0/24 if you enable guest on that band. You can make use of that as well if you want.
-You cannot set DHCP reservations or modify the DHCP scope for the 192.168.101 and 192.168.102 subnets without doing a script (fairly easy script though). May be possible with YazDHCP, not sure.
-Two wired devices in the same VLAN on your switch will not be isolated from each other so they can communicate (but they will be isolated from main LAN and wireless devices in that same guest vlan).
If you want two "guest" wired devices to be isolated from each other, put one in 501 and one in 502.

If you want to feed a downstream AP, there are a few options:
-If using AIMESH, set the port facing the AP the same as the uplink port from the router - vlan 1 untagged, vlan 501 and 502 tagged, PVID 1. That will allow aimesh to work. (Include 503 also for tri-band routers). Of course you can just plug it directly into the Asus router too if you have enough wiring.
-If using just a standard AP, decide which VLAN/subnet you want those devices to be in, and set that port to the corresponding VLAN ID and PVID (no tagging), all wireless clients (and physical ports) on that AP will be in that VLAN. Again if you want it on VLAN 1 then you can just plug it directly into the Asus if wiring is in place.
-If you use an AP with VLAN support you can do similar to aimesh, VLAN 1 untagged, VLAN 501 and 502 tagged, PVID 1, then configure the AP SSIDs into the respective VLAN(s). Plugging directly into the asus is an option here too.

If you want to feed a downstream switch from this switch, basically the same as an AP above. You can send all 3 VLANs with 501 and 502 tagged just like the uplink port (assuming that downstream switch is a smart switch with VLAN support) or just put the port into one VLAN (untagged) and that downstream switch will have all ports in that VLAN.

In addition to above you can still use guest wireless 2 and 3 but it will only work on the main router, you can't add it to the switch to put wired devices in them or feed them to another AP, etc. They use VLAN 1/main subnet along with firewall rules to isolate them off the main LAN, not VLANs, totally different setup. It is possible to use scripting to move them around but that is not the intent of this post.

More advanced things are possible with scripting such as:
-Allowing certain traffic to flow between VLANs, such as letting guest print to main LAN
-Disabling isolation so wireless clients on the guest can see each other (and also the wired devices)
-Changing the subnets on those VLANs, the DHCP scope, lease time, adding DHCP reservations, etc
Again, out of scope of this post though.

If you want more flexibility in the GUI or to configure ports on the asus into specific VLANs (or you need more than the 3 VLANs), you can check out Fresh Tomato. It only supports certain router models, and the GUI is pretty complex and aimed at more advanced users, but it gives a lot of options for VLANs.

You wouldn't happen to have screen shots doing the same thing with this switch would you?

 
Just checking that I've understood this post correctly (and checking my sanity) - although these VLANs are related to the Guest network, this still doesn't allow wired devices in VLAN to communicate with wireless devices connected to the Guest network*?

If that's the case, I don't really understand the point of using these VLANs at all? If, as the original post recommends, you need a VLAN capable managed (smart) switch, why would you need the router to do VLAN tagging when you can just connect those wired devices to VLAN capable switches and achieve the same thing?

Unless the VLAN tagging works across wireless backhaul, meaning you can connect two wired devices with a wireless hop in the middle?

* This is the functionality that I'm looking for - to isolate WIFI IOT devices from the intranet while still allowing them to communicate with my HA server.
 
Maybe it's in your signature, don't know as I've opted out; what are you running equipment-wise?
 
2x XT8 with 5x XD4 Minis extending coverage (It's an old house with 1-2ft stone walls between every room). At least I assume that's the question you're asking? A few managed switches with a couple of different VLANs configured on a 10GB fibre trunk that eventually I hope to have the nodes all connected to for wired backhaul (Obviously limited to the speeds of the individual node ports).

Does the fact that you're asking the question mean the answer depends on what Asus router I'm using? I know the new 'Pro' models have better VLAN support, however they launched just after I'd invested a lot of money in the XT8 and XD4 setup, hence my initial interest in this thread.
 
Well, I have (initially) a pair of XT8s (V1) extravagantly (don't tell my better half) augmented with a GT-AX6000 (was cheaper that day than the RT-AX88U Pro - $229) as the "router" feeding at 2.5Gb my "node" (as an AP) XT8. The "extra" XT8 has its 2.4 and 5-1 radios turned off and is an AP solely feeding an old laptop which had a 1x"n" adaptor (initially) and a 100Mb ethernet jack, serving stuff to the LAN. Can approach 10x its "native" networking traffic that way.

I have no felt need to do VLANs, however since I'm running Merlin on everything I'm confident I could, system-wide (not using AiMesh) should I so choose.
2x XT8 with 5x XD4 Minis extending coverage (It's an old house with 1-2ft stone walls between every room). At least I assume that's the question you're asking?
Yes. Thank you. That's a ton of wifi! If you're using AiMesh you may be gaining a fair amount of "central" control, along with a VLAN guest network, but that's a negative imbalance against what you could do using "everything else" as APs. It would behove you to at least investigate such usage.
 
Just checking that I've understood this post correctly (and checking my sanity) - although these VLANs are related to the Guest network, this still doesn't allow wired devices in VLAN to communicate with wireless devices connected to the Guest network*?
The main scope for me was to isolate an IoT device [a TV with ethernet port, but no WiFi] to permit access to the internet, but to block access from the TV to the LAN side. It involved trunk ports between switches and configuring the TV switch port to VLAN501. That involved minimal configuration, no scripting and the use of a managed switch that I already had.
Another scope was to make use of the Guest-WiFi (VLAN 501) option and use it on TP-Link EAP Outdoor that can offer both the normal WiFi and Guest-WiFi with minimal configuration and no-scripting.

The other option would have been creating scripts with new VLANs and iptables, which is error prone.
 
Do I need to disable the DHCP in the Asus AP/routers, or do I need to use it and disable it inside my OPNsense router?
 
Do I need to disable the DHCP in the Asus AP/routers, or do I need to use it and disable it inside my OPNsense router?

You need one DHCP server on your network and it has to be on your Router. Whatever is used as Access Point doesn't need to run DHCP server. Asus home AIO routers in AP Mode don't even have DHCP option. You have to review your configuration and perhaps learn more about how things work before you proceed with changes.
 
You need one DHCP server on your network and it has to be on your Router. Whatever is used as Access Point doesn't need to run DHCP server. Asus home AIO routers in AP Mode don't even have DHCP option. You have to review your configuration and perhaps learn more about how things work before you proceed with changes.

I'm aware of that, thank you. My doubt arises from this statement, in the original post below, that the device needs to be in router mode. I want to use my 2 XD4 as access points, using their guest networks, while I still don't have a new AP capable of using VLANs.

This definitely works in router mode on all models that support AIMESH and these code versions
 
This entire method is a theoretical workaround. Better get the proper APs with native VLAN support and go from there.
 
Is it possible to enable 501 and 502 vlans with guest network on an Asus router in AP mode?

Yes, 501 and 502 on the AP can be linked to 501 and 502 on the main router to create a true isolated guest network.
 
Yes, 501 and 502 on the AP can be linked to 501 and 502 on the main router to create a true isolated guest network.
So maybe to help you understand better: I have Modem --> Non-ASUS router (VLAN capabilities) --> Asus AP mesh parent --> Asus mesh Nodes. I am about to create 501 and 502 networks on the Non-Asus Router, but when I enable guest networks on the Asus AP mesh parent, it does not have the ability to disable intranet for the VLAN feature in AP mode, so guest networks created on nodes use the main network instead of the VLAN created networks.
 
Here is the current
Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.c87f546329b8       no              eth0   #WAN port
                                                        eth1   #Lan 1 port
                                                        eth2   #Lan 2 port
                                                        eth3   #Lan 3 port
                                                        eth4   #Lan 4 port
                                                        eth5   #2.5G LAN Port
                                                        eth6   #Wireless 2.4Ghz
                                                        eth7   #Wireless 5Ghz
                                                        wl0.1  #Guest 1 2.4Ghz
                                                        wl1.1  #Guest 1 5Ghz

As far as I can tell, there are no VLANs created.
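
A check for the situation shown in the output above, as an added example that is not part of the original post: it parses `brctl show` output and reports whether each guest interface (`wlX.Y`) sits in the main LAN bridge or in a bridge of its own. It assumes `br0` is the main LAN bridge as in the post; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `brctl show` output on stdin and
# reports which bridge each guest interface (wlX.Y) is attached to.
# Assumption: br0 is the main LAN bridge, as in the output posted above.

guest_bridge_report() {
    awk -v main="${1:-br0}" '
        $1 == "bridge" && $2 == "name" { next }   # header row
        { sub(/#.*/, "") }                        # drop "# ..." annotations
        NF >= 3 { bridge = $1 }                   # row that starts a new bridge
        NF >= 1 {
            iface = $NF                           # interface is the last column
            if (iface ~ /^wl[0-9]+\.[0-9]+$/)
                print iface, bridge, (bridge == main ? "SHARED-WITH-LAN" : "SEPARATE")
        }'
}

# Exit 0 if every guest interface is outside the main bridge, 1 if any guest
# interface shares it, 2 if no guest interface was found at all.
guests_isolated() {
    report=$(guest_bridge_report "$@")
    [ -n "$report" ] || return 2
    case "$report" in *SHARED-WITH-LAN*) return 1 ;; esac
    return 0
}

# Constructed sample modelled on the AP-mode output in the post: the guest
# interfaces are members of br0 together with the LAN ports.
sample_shared() {
    cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth1   #Lan 1 port
                                                        eth6   #Wireless 2.4Ghz
                                                        wl0.1  #Guest 1 2.4Ghz
                                                        wl1.1  #Guest 1 5Ghz
EOF
}

# Constructed sample of a hypothetical layout with one bridge per guest network.
sample_separate() {
    cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth1
                                                        eth6
br1             8000.000000000002       no              wl0.1
br2             8000.000000000003       no              wl1.1
EOF
}

# On the router itself: brctl show | guest_bridge_report
sample_shared | guest_bridge_report
```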

 
You didn't answer whether the satellite routers are in Mesh or AP mode.
 