Is there a script for configuring VLANs?

  • ATTENTION! As of November 1, 2020, you will not be able to reply to threads 6 months after the thread is opened. Threads will not be locked, so posts may still be edited by their authors.


New Around Here
Hi everyone. I've been scouring this forum for a couple months now looking for information on using VLANs via scripting and trying to make sense of everything that I've read. I'm not making this post lightly, as in most of what i've read there seem to be a lot "You should have searched first! What's wrong with you?! Don't you know how to internet-forum properly!? Hey everybody, get a load of this guy! He doesn't know how to Internet!" type comments. Don't get me wrong, there is a lot of help, too, a phenomenal amount, but still it's enough to make a person not want to make a post unless they've hit a brick wall, had that wall fall over on top of them, and then discover that there is a steel wall behind that which is also teetering in the direction of what may well soon be their corpse. Oh, and heaven help you and God have mercy on your soul if you have a converted TM-AC1900. Those poor souls.

Except for whole "search first" stuff everyone is generally really nice and willing to help and answer questions, but it seems almost everyone talks about stuff in the same way that linux *is*: it's taken for granted that you just know what everything is, how it works, and why. Don't know about iptables and ebtables? That's really just too bad, you need to check the manuals. Look up the manuals for them and they are written with the same assumption that you are Linus Torval and already know everything. Not only that, but the documentation also says "this is everything this can do *IF* it was compiled that way and was built with the lastest version out of 7000. Check the source code to see what options it was or wasn't compiled with. and which version it was built from." Uhhh. OK.... So now in order to know how to setup the tables i need to become an expert in all things Linux and go traipsing through sources and builds to figure out what i can and can't do? Oy vay!

For someone who isn't already familiar with Linux it can make everything much harder to digest, and makes it harder to know how to troubleshoot before asking for help. I really don't mean to be, and hope i'm not coming off as, passive aggressively or anything. I have been extremely impressed by everything i've seen. That a world like this existed for routers, with scripts like Skynet and Diversion, or any scripts really, wasn't even a consideration. It's just a combination of being overwhelmed, a little lost, and frustrated at getting stuck.

Background: My house has an apartment built in the basement. I live in the basement and rent out the upstairs to 4 college kids. I began to include internet in the rent in August after i upgraded to a 1gb synchronous fiber connection. I wanted to be sure that i would have as much bandwidth as possible to the tenants since there is so much Online stuff now because of COIVD, but i also wanted to isolate them and their guests from my LAN. I was already a bit worried about feeding everyone with the router i had, and then when i was moving the gear to a more central part of the house where the fiber was going to be installed one of my kids knocked the router off the shelf and broke off one of the antenna. So i decided i would try to upgrade. I could either buy a new high end router with a million antennas, or i could buy an access point that would offer all the wireless bandwidth i could dream of for cheaper and just plug it into the router. I opted to get a Unifi nano-HD. It supports VLAN tagging and multiple SSIDs. All LAN devices are hooked to a dumbswitch that is plugged into the router on port 1. The AP is plugged into the router on port 2.

The plan was put the access point upstairs in the middle of the house to feed everyone up there the best signal possible. I would also connect my devices through it and disable the wireless on the router so there wouldn't be any interference. I would have 4 SSIDs each on their own VLAN and sub-net coming from the AP: Main (shared with LAN), IoT, Tenants, AllGuests. All would have WAN access, be NAT'ed, be protected by the firewall, as well as the following:
  • Main should have no device isolation. It should be able to see all the other sub-nets and the devices on them, but not have direct access to the devices except that it should have access outbound to the IoT subnet so i can reach their webUIs as needed.
  • IoT should be totally isolated from each other. Not able to see beyond it's own sub-net, or be accessed by any other sub-net except for me accessing the webUI from the LAN/Main and only the LAN/Main.
  • Tenants should not be able to see the other 3 sub-nets, but not have device isolation within it's sub-net.
  • AllGuests would have total isolation from everything, being able to only access the internet and show up in a client list on the router.

What was tried: So after having done the requisite search for the term "VLAN", and reading every post of every thread on the subject going back to 2012, I am still left wanting. For example, I used versions and/or combinations of most of the scripts from these threads, and some others i don't feel like digging through my browser history to find:

I've been looking through all of this and trying to sort out all the relevant pieces, but for some reason it's just not clicking (or working). Problems I ran into when trying all of these in approximate order:
  • Wired clients lost connection (the first time this happened was on me. I forgot to change the port number from 8t to 5t to match my router when pasting the code)
  • Network would become unstable after 20-45 minutes and wired clients would lose connection until the router was rebooted
  • DHCP wouldn't assign clients to the correct sub-net despite coming in tagged
  • DNS mask saying in the log that the VLAN interfaces didn't exist when it tried to setup the sub-nets from dhcp.conf.add
  • Router GUI/SSH access from clients attached to access point guest network wasn't blocked
  • Lost some communication with my access point even though it was on the same subnet as my computer: i could SSH into it, but couldn't configure it with the UniFi controller anymore, and couldn't adopt it after doing a reset to try and get it to take the new settings
  • lost all communication with the access point: couldn't adopt it from controller or layer 3 adoption program, couldn't SSH into it anymore. it's ACK packets seemd to be blocked as the log showed endless attempts to offer an IP to it, but no ACK being received back.
  • lost ability to ping anything on the network at all
Even after disabling all the scripts and rebooting i was stuck at the end with no communication between devices. No matter what i didn't i couldn't get communication restored to the access point. I wanted to ask for help, but at the time i was using a converted TM-AC1900. The conversion seemed to work perfectly, but then i started running into these problems when trying to do more with it than default. Since it isn't supported i couldn't be sure if the problems were due to some code ghosts, hardware differences that no one knows about, or if i had walked under a ladder while breaking a mirror. Since it isn't supported there was no way for me to get help out of the mess i was in. It is at least hobbling along right now. However, as luck would have it, i came into the possession of an AC87r for free and so now i'm in the clear to try again and this time get help!

After a hard factory reset of the ac87r and an upgrade to Merlin 384.13 (the last build available for this model) I used AMTM to give myself a 2gig swap on a 16gig usb stick, and put on Diversion, Skynet, YazFi, scMerlin, and most of the stuff offered in AMTM. I just performed a backup with NSRU, and so i'm ready to try again. This is where I'm stuck, mostly because i don't want to run into any of the previous issues again.

Hit the character limit. Continued in Post #2.


New Around Here
Where I need help now: Among all the advice are many different subsets of methods, and all of them seem to only work half the time or not at all, and it's not always clear how the problems were fixed, if they were, or if they even were. For example:

  1. Half the advise says to just make a VLAN interface with robocfg and use br0, the other half says to create new bridges, and no one really says which way is best and causes less headache and is easier to configure.
  2. Some say to use IPtables for isolation, some EBTABLES, and some both iptables and ebtables together. They all offer a few lines of rules for each which are supposed to do the job, but then there are people for which it doesn't work or breaks things to where the sub-nets and VLANs exist, but they can't talk to the router and even get DHCP (one of several problems i ran into when trying to get this to work).
  3. Some say to totally clear all the tables first and then re-add the rules to avoid duplicates. Does having the rule in a script actually create a duplicate entry every time the script is run? Are all those who aren't using a script to remove duplicates unknowingly filling their IPtables with hundred of redundant rules?
  4. Some seem to work just fine but don't state if they are using NAT or not. A couple mention NAT working, but don't say how to get it running for all of the subnets created. And still others say there is a need to have some sort of POSTROUTING table entry added to enable NAT correctly, but don't give it or say where to use it.
  5. nat-start, firewall-start, init-start, services-start: everyone says to use one or more of these with only vague hints about how the whole setup should be properly setup, with which parts in where, and which script sections need a wait command in front of them because there should actually be in a different section but the author wanted to have everything in 1 script instead of 2 or 3.
  6. Some of the scripts are given without instruction on where to put them.
  7. Some set nvram if_names and some don't. Why? it's not clearly said anywhere what the benefit, or lack there of, is to using them, or if they are actually vitally necessary.
  8. How do we even go about setting up the routing? Do we even need to? Some say yes, others no. Unclear examples given without explanation of how to set it up in the cases they said it was.
  9. Kill eapd and restart it? mentioned a lot, but never specified if this is only required when setting up with WiFi VLANs or with wired ones as well
  10. Most information is on having an isolated guest network on a single port. Not enough info on if you need that port to be a trunk, and if you need to have it explicitly tagged/untagged in all VLANs it's a part of.

I know that VLANs aren't going to be added to the GUI by Merlin and that he isn't going to directly support them. He's mentioned it in several of the threads, as well as in the recently updated (last week) FAQ thread. That's fine. I totally get what he lays out in the FAQ. However, there are many that use them anyway, and the majority of the scripts that are used, like YazFi, are technically in the same boat: It's all unofficial, and in some cases is added to the GUI. So why not VLANs?

Is there anyone who has working VLANs that also has a script that can be shared to configure them? Something like YazFi would be awesome. Or (since if one isn't made yet and that would take a while, i assume) can anyone address the above 10 issues and give advice on how to fix them/avoid them/not have them? Is there a way, after all these years of Discussion, to get all the correct information into 1 place that everyone can reference? If not an automated script a How-To guide? I am sure that if either of those (script or guide) were created that the community would be ecstatic.

If that is too heavy a request: the part that seems to hit the most snags is the iptables, ebtables, routing, and nat configurations. Does anyone know of a GUI (or could someone make a tab in the webGUI) that allows full configuration of ebtables and iptables? One where we can see all tables and chains, move rules up and down, and create/delete rules? Or is there anyway someone could write a guide/intro to ebtables and iptables that isn't linux-speak cryptic and explains the path packets take through the chains in the router so people that are new could write their own rules without so much trial and error?

So if you're still with me, thank you for the time you took to read this. I really hope i'm not asking amiss, asking too much, or asking for something that isn't allowed.

Help me Obi-Wan Kenobi, you're my only hope.


Part of the Furniture
If I had those use case requirements, I would use pfSense. VLAN Support is built into the GUI. You can re-purpose any routers as Access Points or buy UniFi APs.



New Around Here
Let's assume i don't have money to buy a pfsence box, or a spare computer to repurpose, so i have to use what i have.


Regular Contributor
There's a valid reason why people point to older posts or don't reply at all to the requests for help with VLANs and it's that doing this on Asus/Merlin routers isn't recommended if one doesn't have a good grasp on VLANs and iptables, which can't be learned just by reading a post or even a guide without any real world experience.

It's an unsupported configuration that has to be done entirely from the CLI and it's not an easy one. You risk opening serious security holes while thinking you have a secure network when in fact you don't if you don't take care properly of the various moving parts. It isn't a set and forget configuration, it has to be monitored and taken care of over time.

For these reasons it's only recommended for advanced users, who are normally able to figure out how to do this on Asus/Merlin routers by looking at older posts.

I'm normally only willing to help with this if the OP has a separate firewall and wants to use the Asus in AP mode as that's much less risky since the tricky part is the firewall configuration. @Xentrk advice is good, get a pfSense or an OPNsense which support this out of the box and on the GUI, which Asus/Merlin never will as they are consumer targeted routers.


Occasional Visitor
@Xentrk advice is good, get a pfSense or an OPNsense which support this out of the box and on the GUI, which Asus/Merlin never will as they are consumer targeted routers.
This is what I did after months of researching Vlan options, some worked but non provided a stably environment. After an IT audit flagged the 86U as non compliant, my choice was easy. Asus refuses to release complete documentation for VLAN commands on the new chip sets. Personally, I think Asus is making a huge mistake because the IPTV market segment is small globally and near non existent in North America.
@ThePooBurner you mentioned cost; an OPNsense box can be had for free with a little looking, assuming you have the AP's and switches the total is likely less than the 68U. OPNsense is an Enterprise level firewall / router with functionality few will actually use. The rule sets alone make it far superior to any current consumer targeted router.
I have multiple Vlans, trunks, tagged and untagged exactly how the network audit gods want it.

Granted, this forum is primarily composed of folks willing to debug Dev code and enjoy the challenge of correcting Asus mistakes and short comings. @merlin has mentioned there will be no support for Vlans and he's understandingly tired of chasing a moving target. Currently we have no option for CLI Vlan for 86U forward...

If when a Dev decides to create something for Vlan, maybe we will get a script. Until then I highly advise OPN or PF sense for Vlans.



Asuswrt-Merlin dev
Asus refuses to release complete documentation for VLAN commands on the new chip sets.
That's on Broadcom, not Asus. Broadcom's documentation is marked as confidential.


Occasional Visitor
That's on Broadcom, not Asus. Broadcom's documentation is marked as confidential.
Thanks for the technical clarification, the greater issue remains branding. Broadcom isnt catching heat for the current code gremlins, Asus is surely feeling the effects in lost revenue though.
As always, thanks for your herculean efforts!



New Around Here
I agree with the group consensus, forget attempting VLAN with the individual pieces of hardware you have. It’s not supported and hacking a way to make it work isn’t just a can of worms but will reduce if not destroy any security your devices do offer. But do you really want or need VLAN at all, especially for what your end goal is? Reason why I ask is cause technically you have enough equipment on hand that you already own to physically separate your network into the described subnets. You “maybe” just need one item that’s about $15 if you already don’t have it.


New Around Here
Using the hardware you mentioned this is what I would do. I'm a bit more familiar with the ASUS router so I would make it Router 1. On a fresh default config using Merlin firmware I’d hop out of the wizard and just go straight into the Configs putting the ASUS into Router mode and creating an initial wireless network. I'll hide the SSID I just created later but keep active just to use to wirelessly reconfigure the ASUS.

I'd also hop into the "professional" subtab that's under the "wireless" tab in the advance config column. In the "Band" dropdown menu select 5g and then turn off the 5G radio selecting 'No' in the "Enable Radio" row.

Now create two wireless networks using the "guest network" tab. I'd named one “guest” in the 2.4g row and the other “IOT” also in the 2.4g row. Set the "access intranet" field on both SSIDs to "disabled".

Now select the "LAN" tab and the "Route" sub tab. Set "Enable static routes" to yes. The network/host IP will be set to the same WAN IP as the second router I'll configure after. I'm assuming our LAN IP tab IP address is already set to with a subnet mask of so my "network/host IP" in the routes tab would be set to, netmask to, I arbitrarily set gateway to, metric to 0, and finally interface to "LAN" then press apply. Plug in the Ubi Nano HP AP, your TM-1900 wireless router and connect any wireless devices you plan on allowing to later configure the ASUS routers. Give the ASUS enough time to sense the MAC addresses of everything you've connected.

We're going to manually assign IPs to the connected devices according to their MAC address then restrict administrative access to the router by IP. Select the "LAN" tab and choose the "DHCP Server" sub tab and at the bottom you can assign whatever IP you want to your devices MAC. But when you see or use the MAC for TM-1900 set it to using the IP I set as the gateway in the "route" sub tab of the "LAN" tab. You may or may not want to configure the Ubi Nano HD in the same manner as how we now just set the TM-1900, but because we're planning treating the Ubi specifically as a wireless AP just for now I'm not creating the gateway profile we created for the TM-1900. Honestly not familiar with the UBi interface screen options so you'll have to try one way or the other but I believe either should work and is just a matter of preference in the end.
So, now you can head to the "administration" tab and select the "system" sub tab and at the very bottom pair the assigned IP addresses of up to 4 devices you want allowed to access the administrative screens or the SSH paths of the ASUS router.
Apply your settings. It's a good time to backup your config to a file cause we're done on this router. Select the "restore/save/upload setting" sub tab and do that there. Finally hard reset your ASUS physically using the power on/off switch of the router.

In the TM-1900, run it as a wireless router setting the WAN IP to, turn on DHCP and create your own personal wireless network for your trusted devices.

Hop into the Ubi and create your 4 wireless network SSIDs for each tenant. Config for an Isolated AP or restrict intranet access of each of the SSIDs.

When you got everything working hope back into the ASUS through that initial SSID created in the beginning and hide it from broadcasting the SSID.

This setup works, and stays pretty stable all year round. It may not have the highest security offerings of installing a separate firewall and the ease of configurability for adding on new features in the future. But it's probably the best option you'll have or really need that's still functional, easy enough to setup, plus it's in using and keeping with the most important features of your device uses up to the limitations of the hardware you already own and have on hand.


New Around Here
Btw that $15 device I mentioned, it’s just a USB wireless network interface component. I’m assuming you’re on a desktop PC but not a brand spanking new one that has em in the mobo.

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!