Looking for testers for MerVLAN

So this is what the VLAN configuration page for AiMesh nodes looks like with multiple compliant nodes:


There is one additional AiMesh node (ZenWiFi BQ16 Pro) that does show on VLAN page — it is not VLAN capable.

Just thinking out loud here, but here goes... One possibility for running scripts on the nodes would be to add flash drive to node, install amtm (and entware if necessary), and use cron or automatically run scripts in /jffs/scripts. What I cannot wrap my head around is how one could automatically push configuration from the primary router to nodes. Might it involve installing MerVLAN on the nodes (as well as the router) and configuring it independently? This would most likely require MerVLAN recognizing that it's installed on node instead of primary router — MerlinAU already does this.
 
This won't be a problem. MerVLAN already is node capable and can sync to nodes and even set them up remotely. What we need is only to be able to strip the local execution from an already VLAN capable device.

I am going to try editing the GUI to detect Pro routers and strip local executions on those.

This will enable the user to set up the VLANs on an AI node from the main unit interface.
 
Let me know when this is ready for testing. Currently, for my network, GT-AX6000 (x2) and GT-AXE16000 are VLAN capable, and ZenWiFi BQ16 Pro is not.

List of VLAN capable routers with minimum firmware version is here: VLAN Supported Models
 
This whole deal is a really interesting development. I'm especially amused by the prospect of non-Pro routers magically gaining the ability to do Ethernet VLAN tagging, meaning ASUS went in and specifically disabled that feature for "business reasons".
 
Asus always did VLAN tagging, but they refused to admit it -- this is how they implemented isolation for guest network 1 pre-Guest Network Pro, using 501 and 502 as VLAN tags for 2.4 and 5 GHz, respectively. I know this for a fact since I had TRENDnet unmanaged 2.5 GHz switch that did not support forwarding VLAN tags (TP-Link unmanaged switches do!). There was simply no way to manage it via GUI.
 
Yeah, but I'm specifically talking about LAN VLAN tagging. I'm sure they're using one general Ethernet hardware setup for everything and then making features visible/invisible in the UI depending on the model series. Frankly, I'm surprised nobody has figured this out before now and done an add-in specifically to enable LAN VLAN tagging regardless of GNP/Smart Home Master.
 
@Seth Harman @visortgw

I have updated the repo with:

1. The ability to execute the mervlan_manager on the nodes only.
2. Added many Pro models into the hw_probe. If the model isn't found it will revert to max 6 SSIDs and 4 LAN ports.

How do you use it?
1. Install the addon.
2. Navigate to LAN --> MerVLAN
3. Add your node(s) to the node section and configure VLANs. Press Save.
4. Set up SSH (generate SSH key and paste it into the SSH key section in the GUI) then reboot your node(s)
5. Press Sync Nodes and wait until it's finished, press INFO on the side to read the live log.
6. Press "Apply VLAN" --> "Run VLAN Manager on Nodes Only"

Check logs, see if it works. Post your findings in the form of logs if any problems arise.

NOTES:
Don't enable Boot at this time as this will apply the configured VLANs on your Main unit on next boot which is something you don't want in your situation.
I will include a fix for this later on but first we want to know if it works or not.
 
Another note:

Been doing some reading and as I suspected Asus uses a proprietary tunneling for the Guest VLANs when using WiFi backhaul. This is not 802.1 VLAN but a tunneling directly from one WiFi chip to another and it will strip any real tags on the way. So while you can segregate your networks with this, you can't set up proper tags from one unit to another with WiFi backhaul. This is only achievable with Ethernet backhaul.

Well, that's my findings anyway and it's in line with everything else I've read.
 
Thanks. I'll give this a shot later tonight and report back results.
 
Can you please provide some guidance for Step 4? I currently use an alternate port and username/password for ssh from LAN/VPN only.
 
I don't know how much you've done yet but:

1. Open the MerVLAN tab.
2. Click on "SSH Key Install"
A popup window will appear.
3. Click "Generate Keys"
This will generate the key and the key will appear in the box.
4. Copy this key.
5. Navigate to: Administration → System
6. Scroll to "Authorized Keys" section
7. Paste the key below into the text area
8. Click "Apply" then reboot all nodes

MerVLAN uses SSH keys and should work without name/password. But the custom port might be a problem, you'll have to test. If it is a problem I'll have to provide a port override inside MerVLAN or maybe it can check which port is used and apply that.

You'll have to try and see what happens. Remember to check the logs if you get issues.
 
The directory shown in the GUI is incorrect — according to log, directory is /jffs/addons/mervlan/.ssh. The keys are generated (verified by navigating to directory using ssh), but the key is not displayed in the GUI.

 
This is why the beta testing is awesome. I will fix that in a moment. That's the old directory, strangely this hasn't happened to me. I'll fix that and then I'll provide a hot-fix for you.

Need to double check what's gone wrong as it works here. Just to clarify, are the keys located in mervlan/.ssh or Merlin_VLAN_Manager/.ssh?
 
Code:
TheS1R@routS1R:/jffs/addons/mervlan/.ssh# ls -al
drwxrwxrwx    2 TheS1R   root           312 Nov  8 14:55 .
drwxrwxr-x    7 TheS1R   root           992 Nov  8 14:51 ..
-rw-------    1 TheS1R   root            83 Nov  8 14:55 vlan_manager
-rw-r--r--    1 TheS1R   root            96 Nov  8 14:55 vlan_manager.pub
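
The listing above shows the key directory as `drwxrwxrwx` while the private key itself is `-rw-------`. As an added example (not part of the original post and not MerVLAN code), this script flags a group- or world-writable key directory or an exposed private key and then tightens both; the function names are hypothetical and the demo uses a constructed temporary directory rather than the router path.

```shell
#!/bin/sh
# Added example, not MerVLAN code. Flags loose permissions on an SSH key
# directory such as the drwxrwxrwx one in the listing above.

# Print the 10-character mode string for a path (e.g. drwxrwxrwx).
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# audit_key_dir DIR KEYNAME: one finding per line; returns 1 if any.
audit_key_dir() {
    dir=$1; key=$2; rc=0
    dmode=$(mode_of "$dir")
    kmode=$(mode_of "$dir/$key")
    if [ -z "$dmode" ]; then echo "MISSING $dir"; return 1; fi
    # Mode chars 6 and 9 are group-write and other-write. Write access to
    # the directory allows replacing or deleting a key whatever its own mode.
    case "$dmode" in
        ?????w????|????????w?) echo "DIR_WRITABLE $dir $dmode"; rc=1 ;;
    esac
    if [ -z "$kmode" ]; then
        echo "MISSING $dir/$key"; rc=1
    else
        # The private key must grant nothing to group or other.
        case "$kmode" in
            ????------) : ;;
            *) echo "KEY_EXPOSED $dir/$key $kmode"; rc=1 ;;
        esac
    fi
    return $rc
}

# harden_key_dir DIR KEYNAME: owner-only directory and private key.
harden_key_dir() {
    chmod 700 "$1" && chmod 600 "$1/$2" || return 1
    if [ -f "$1/$2.pub" ]; then chmod 644 "$1/$2.pub"; fi
}

# Constructed demo: rebuild the listing's modes in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/vlan_manager"; : > "$d/vlan_manager.pub"
    chmod 777 "$d"; chmod 600 "$d/vlan_manager"
    echo "before:"; audit_key_dir "$d" vlan_manager || true
    harden_key_dir "$d" vlan_manager
    echo "after:"; audit_key_dir "$d" vlan_manager && echo "clean"
    rm -rf "$d"
}
demo
```

On the router the arguments would be the directory and key name from the log, `/jffs/addons/mervlan/.ssh` and `vlan_manager`.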
 
So... I just temporarily disconnected wired backhaul from GT-AX6000 AiMesh node — it failed over to 5 GHZ wireless backhaul. VLAN configuration for wired ports remained intact. Wireless backhaul works as well as wired backhaul.

So while you can segregate your networks with this, you can't set up proper tags from one unit to another with WiFi backhaul. This is only achievable with Ethernet backhaul.

@visortgw would I be correct in understanding that by “Wireless VLAN configuration for wired ports remains intact” that tagging still works wirelessly? If so, you have to wonder how Asus achieve that though? Sorry if I’m missing something fundamental here, out of my depth.
 
This should be fixed now. The easiest way to update is to run:

Code:
/jffs/addons/mervlan/uninstall.sh full

Code:
mkdir -p /jffs/addons/mervlan && /usr/sbin/curl -fsL --retry 3 "https://raw.githubusercontent.com/r80xcore/mervlan/refs/heads/main/install.sh" -o "/jffs/addons/mervlan/install.sh" && chmod 0755 /jffs/addons/mervlan/install.sh && /jffs/addons/mervlan/install.sh full

Problem was in the key generator that didn't symlink the right file ending for the public directory.

The pathway in the GUI is also fixed but that is only plain text and has no function. Just for the user to know where they are.

Test it out and see if it fixes your problem. Otherwise
 
Yes, tagging still works wirelessly.

Like I said, Asus does more than they will admit with VLAN tags in the background. I once had "discussion" with Asus tech support that lasted weeks concerning VLAN tags not being passed correctly for one particular router/firmware version that I was using as AiMesh node — I could not use isolated guest network 1 on that node. They eventually sent me beta firmware that fixed the issue.
 
Great, thank you 🙏.

Clearly @r80xcore needs to go one step at a time so I will watch the progress of the wired version closely and then hopefully it’ll be able to be worked out in a later phase of development 👍.. all good stuff.
 
What this means, if what I've read is right, is this:

Original Asus VLAN:
The main configures VLAN, then propagates to the nodes what VLANs will be used. The guest using those VLANs will be tunneled from WiFi -> WiFi. Not from VLAN -> VLAN. That's why users cannot have VLANs on the ethernet ports on the nodes when using WiFi backhaul. Because it's not actually VLAN it's using when connecting them. The VLANs are applied on the main router that is also VLAN aware.

As the tunnel is not VLAN aware, real VLANs are stripped.

That is also why the Asus proprietary VLAN seems to work on either WiFi backhaul or ethernet backhaul.

What should be tested in that case would be two VLAN capable Asus routers running in WiFi backhaul with a managed switch behind the node to see if it's passed to the main router.

Note, this is what I've read, but nothing I've read seems to indicate that the node is passing any real VLANs in WiFi mode. I'm happy to be disproven.
 
Code:
2025-11-08 15:53:41 [INFO] ✓ SSH key pair generated successfully:
2025-11-08 15:53:41 [INFO]   Private key: /jffs/addons/mervlan/.ssh/vlan_manager
2025-11-08 15:53:41 [INFO]   Public key:  /jffs/addons/mervlan/.ssh/vlan_manager.pub
