MerVLAN v0.46 Simple and Powerful VLAN Management **BETA**

[visortgw]

That’s exactly what I do in both my networks. Easy to manage via SSH as IP is fixed. Even comes up with dinky little icons.

Although have you ever noticed they whilst they appear in the log, they don’t ever get assigned names in the system log, wireless log, if you use wireless backhaul…

View attachment 68814View attachment 68815View attachment 68816

Could be because Asus treats AiMesh node as part of its network infrastructure as opposed to a wireless client.

 

[Seth Harman]

Solution: Create DHCP reservation for AiMesh nodes.

If that's what it comes down to that's fine, but I'd think there are less human-interventiony ways of doing it. For example inputting the node MAC addresses and having the addon poll the system at each restart to determine the IP address in case it's changed. I have no idea if it's possible and it's not a priority right now, but streamlining the installation and daily usage parts of the addon are going to ultimately be important.

 

[visortgw]

If that's what it comes down to that's fine, but I'd think there are less human-interventiony ways of doing it. For example inputting the node MAC addresses and having the addon poll the system at each restart to determine the IP address in case it's changed. I have no idea if it's possible and it's not a priority right now, but streamlining the installation and daily usage parts of the addon are going to ultimately be important.

I already had DHCP reservations as I routinely ssh into nodes for one reason or another. I added hostnames on my MacBook Pro as well.

 

[jksmurf]

I have no idea if it's possible and it's not a priority right now

I hope @r80xcore doesn’t start getting the feeling he’s bitten off more than he can chew, he’s doing an amazing job so far, for someone that by his own admission is “… not a coder but I'm stubborn and I love to read up and learn new stuff. … sat down with Google, ChatGPT and a lot of coffee for two weeks and after a lot of trial and error I finally got (as far as I know) a working…”.

I’m sure it’ll get there , so many great ideas for this. Fantastic concept.

 

[Seth Harman]

I hope @r80xcore doesn’t start getting the feeling he’s bitten off more than he can chew, he’s doing an amazing job so far, for someone that by his own admission is “… not a coder but I'm stubborn and I love to read up and learn new stuff. … sat down with Google, ChatGPT and a lot of coffee for two weeks and after a lot of trial and error I finally got (as far as I know) a working…”.

I’m sure it’ll get there , so many great ideas for this. Fantastic concept.

This is why I think it's important we help test it, without feedback from people familiar with things like AiMesh and a good assortment of hardware it's going to be really hard to get it in good working shape.

 

[jksmurf]

This is why I think it's important we help test it, without feedback from people familiar with things like AiMesh and a good assortment of hardware it's going to be really hard to get it in good working shape.

I could possibly try my home system briefly later this week, without too much disruption, if I run a long Ethernet cable or use a set of old Powerline plugs.

 

[Seth Harman]

Here's another issue:

The addon is reporting 33 clients in VLAN 52 and 1 in VLAN 53. VLAN 52 is a guest network and VLAN 53 is my IoT VLAN. Right now nothing is connected to the guest network (hence why Guest Network Pro is showing 0) and I have 11 wireless clients connecting to VLAN 53. I'm not sure where the addon is getting its numbers from but they're way off.

 

[r80xcore]

Well i updated the addon with the ability to use custom SSH port. You choose this when installing and if you ever change you mind you can either reinstall or change it manually in mervlan/settings/var_settings.sh

@Seth Harman
I wouldnt put to much thought into the "Active VLAN Clients section". That was made for AP mode with AImesh AP and it will probably read wrong on your setup because of the DHCP. Right now its really mostly at tool to see if clients connects at all. This will have to be made from scratch to be able to function as it should on.

@jksmurf
No i think this is fun. I finally got some people to test it out and also to give input on features they want. I really didnt think there was any interest from the Pro models so this is starting to get really cool!

@visortgw
Right now i am running one XT8 AP with a AImesh node, this is with 4 VLANs present and it works great.

To all. The way this addon was designed in the first place was:

ASUS_DEVICE<---------->MANAGED SWITCH<---------->ASUS_DEVICE
If you daisy chain this,
ASUS_DEVICE<---------->ASUS_DEVICE
Then the VLANs will most likely be stripped.

A daisy chaining feature have been planned and maybe something that i should start on.

This would make one LAN port a trunk port. It should be possible to do without too much work. Would need to make a daisy chaining script and call those functions in the mervlan_manager.sh so it configures one of the port.

It's late now and im going to bed but tomorrow ill see what can be done about that!

 

[Seth Harman]

The question still remains if there's a missing step to get the SSH key onto the nodes, because right now the addon isn't working due to the lack of the keys on the nodes.

 

[r80xcore]

Ok, log files are telling me it's because of the same thing @visortgw just said in the other thread, the SSH key hasn't been copied to the nodes. Is there a step I'm missing here where I was supposed to manually install that key somewhere on the nodes?

Have you

The question still remains if there's a missing step to get the SSH key onto the nodes, because right now the addon isn't working due to the lack of the keys on the nodes.

Have you used "Sync Nodes"?
This will copy all the files to the nodes.

Also, after installing the SSH keys into the ASUS ssh key box and applying, you must reboot the nodes, else they will not get the updated key. They sync on boot

 

[Seth Harman]

Have you

Have you used "Sync Nodes"?
This will copy all the files to the nodes.

Also, after installing the SSH keys into the ASUS ssh key box and applying, you must reboot the nodes, else they will not get the updated key. They sync on boot

I've done the above, I'll do those steps again just to be sure.

Edit: Here's what I'm seeing...

2025-11-08 18:58:48 [INFO] === VLAN Manager File Synchronization ===
2025-11-08 18:58:48 [INFO]
2025-11-08 18:58:48 [INFO] ▒^|^s SSH key verification passed
2025-11-08 18:58:48 [INFO] Found nodes: 192.168.1.129 192.168.1.136
2025-11-08 18:58:48 [INFO] Starting file synchronization...
2025-11-08 18:58:48 [INFO] Processing node: 192.168.1.129
2025-11-08 18:58:49 [ERROR] ▒^|^w SSH connection failed to 192.168.1.129
2025-11-08 18:58:49 [INFO] Check if SSH key is properly installed on the node
2025-11-08 18:58:49 [INFO] Processing node: 192.168.1.136
2025-11-08 18:58:49 [ERROR] ▒^|^w SSH connection failed to 192.168.1.136
2025-11-08 18:58:49 [INFO] Check if SSH key is properly installed on the node
2025-11-08 18:58:49 [INFO] Triggering nodeenable on synchronized nodes
2025-11-08 18:58:49 [INFO] Injection skipped: block already present in /jffs/addons/mervlan/functions/service-event-han>
2025-11-08 18:58:49 [INFO] Injection skipped: block already present in /jffs/scripts/service-event
2025-11-08 18:58:49 [INFO] Installed node mervlan_boot.sh, service-event, services-start with MERV_BASE=/jffs/addons/me>
2025-11-08 18:58:49 [INFO] ▒^|^s Nodeenable completed for all reachable nodes
2025-11-08 18:58:49 [INFO] === Synchronization Complete ===
2025-11-08 18:58:49 [WARN] ▒^z▒▒^o PARTIAL SUCCESS: Some files may not have been synchronized
2025-11-08 18:58:49 [INFO] Check the log at /tmp/mervlan_tmp/logs/cli_output.log for details

 

[r80xcore]

I've done the above, I'll do those steps again just to be sure.

if that doesnt work you can temporarily do this:

SSH into the node:
nano /tmp/home/root/.ssh/authorized_keys

paste the key there (paste with the right mouse button) then save with, ctrl+x, the y, then enter
and when pasting a key, make sure to take the whole key "ssh-ed255 A LOT OF NUMBERS admin@ZenWiFi_XT8-79F0"
Dont leave anything out.

 

[jksmurf]

No hurry as you should be in bed (!!), but as the other thread directs to here, just for completeness, I brought the two questions from there over here i.e.

VLANs will be tunneled from WiFi -> WifI. Not from VLAN -> VLAN.

As the tunnel is not VLAN aware, real VLANs are stripped.

Q1. "Real" VLANs:

Sorry if this is clear to most folks but what are the properties of a “real” VLAN tunnel that this Wi-Fi - Wi-Fi tunnel cannot provide?

If all I wanted was for a downstream device (let’s say the ESP32 Bluetooth Proxy in the discussion i linked to earlier in the other thread) to be connected to the Ethernet port of a Node, and for it to be assigned (or retain if static) an IoT Network IP address, either from the DHCP manual assignment list or dynamically, does it matter if that “mesage” to do so is sent over Wi-Fi rather than VLAN?

If it gives me this one functionality i.e. of it being connected to and the Network Map showing it being connected to the IoT or Guest Network the Nodes Ethernet port is assigned, I’d be very happy to have it work that way, as it seems Asus are happy to do it this way using VLAN-capable nodes over Wifi?

Q2: Selected Nodes Only, ASUS VLANs co-existing with MerVLAN:

A quick question on the functionality of MerVLAN, for my remote system I ended up getting (but haven’t installed yet) nearly all VLAN capable router/nodes (as MerVLAN wasn’t in existence yet ) but I still have a non-VLAN node on that network. This system is all wired between main and nodes.

If I wanted to use ASUS VLAN setup for the VLAN capable nodes, but MerVLAN for that one node simultaneously, will that work? i.e. can they coexist or do you either go the whole hog with Asus or with MerVLAN but not both? Thank you.

 

[Seth Harman]

if that doesnt work you can temporarily do this:

SSH into the node:
nano /tmp/home/root/.ssh/authorized_keys

paste the key there (paste with the right mouse button) then save with, ctrl+x, the y, then enter
and when pasting a key, make sure to take the whole key "ssh-ed255 A LOT OF NUMBERS admin@ZenWiFi_XT8-79F0"
Dont leave anything out.

2025-11-08 19:26:05 [INFO] === VLAN Manager File Synchronization ===
2025-11-08 19:26:05 [INFO] 2025-11-08 19:26:05 [INFO] ✓ SSH key verification passed
2025-11-08 19:26:05 [INFO] Found nodes: 192.168.1.129 192.168.1.136
2025-11-08 19:26:05 [INFO] Starting file synchronization...
2025-11-08 19:26:05 [INFO] Processing node: 192.168.1.129
2025-11-08 19:26:05 [INFO] ✓ SSH connection successful to 192.168.1.129
2025-11-08 19:26:06 [WARN] JFFS not fully enabled on 192.168.1.129 (jffs2_on=1, jffs2_scripts=0). Remediating...
2025-11-08 19:26:06 [INFO] Enabling JFFS and scripts on 192.168.1.129 and triggering reboot
2025-11-08 19:26:06 [INFO] ✓ JFFS enable commands sent to 192.168.1.129
2025-11-08 19:26:06 [INFO] Waiting for 192.168.1.129 to respond to ping (60 attempts, 5s interval)
2025-11-08 19:26:06 [INFO] ✓ Ping succeeded for 192.168.1.129
2025-11-08 19:26:06 [INFO] Waiting an additional 10s for services to settle on 192.168.1.129
2025-11-08 19:26:16 [INFO] Waiting for SSH and /jffs on 192.168.1.129 (60 attempts, 5s interval)

Nano doesn't exist on AiMesh nodes but vi does, so you can use that if you dare (I hate vi with the heat of a thousand suns). After pasting the key into authorized_keys I can confirm it's in there. But as soon as I sync the nodes in your addon it realizes JFFS scripts isn't enabled on the node and triggers a reboot which blanks out the authorized_keys file and then we're back to where we've started. It may be related to this:

/jffs/scripts/services-start not executed on AiMesh nodes · Issue #728 · gnuton/asuswrt-merlin.ng

Router Model Affected Models: RT-AXE95Q (AXE6600/ET8), and probably other AiMesh models Firmware Version Affected 3004_388.5_0-gnuton1 (AiMesh functionality is broken on later versions) Is this bug...

github.com

On my nodes if you navigate into /jffs there are no /scripts dirs and, thus, no services-start files inside those dirs.

Edit: I created those missing dirs and services-start files on each node and the exact same behavior is manifesting when I sync nodes, i.e. they're establishing ssh, noticing "JFFS not fully enabled", rebooting the nodes which wipes out the information inside authorized_keys. As well, if something with your addon is supposed to drop something into services-start they're empty after the reboots.

 

[r80xcore]

2025-11-08 19:26:05 [INFO] === VLAN Manager File Synchronization ===
2025-11-08 19:26:05 [INFO] 2025-11-08 19:26:05 [INFO] ✓ SSH key verification passed
2025-11-08 19:26:05 [INFO] Found nodes: 192.168.1.129 192.168.1.136
2025-11-08 19:26:05 [INFO] Starting file synchronization...
2025-11-08 19:26:05 [INFO] Processing node: 192.168.1.129
2025-11-08 19:26:05 [INFO] ✓ SSH connection successful to 192.168.1.129
2025-11-08 19:26:06 [WARN] JFFS not fully enabled on 192.168.1.129 (jffs2_on=1, jffs2_scripts=0). Remediating...
2025-11-08 19:26:06 [INFO] Enabling JFFS and scripts on 192.168.1.129 and triggering reboot
2025-11-08 19:26:06 [INFO] ✓ JFFS enable commands sent to 192.168.1.129
2025-11-08 19:26:06 [INFO] Waiting for 192.168.1.129 to respond to ping (60 attempts, 5s interval)
2025-11-08 19:26:06 [INFO] ✓ Ping succeeded for 192.168.1.129
2025-11-08 19:26:06 [INFO] Waiting an additional 10s for services to settle on 192.168.1.129
2025-11-08 19:26:16 [INFO] Waiting for SSH and /jffs on 192.168.1.129 (60 attempts, 5s interval)

Nano doesn't exist on AiMesh nodes but vi does, so you can use that if you dare (I hate vi with the heat of a thousand suns). After pasting the key into authorized_keys I can confirm it's in there. But as soon as I sync the nodes in your addon it realizes JFFS scripts isn't enabled on the node and triggers a reboot which blanks out the authorized_keys file and then we're back to where we've started. It may be related to this:

/jffs/scripts/services-start not executed on AiMesh nodes · Issue #728 · gnuton/asuswrt-merlin.ng

Router Model Affected Models: RT-AXE95Q (AXE6600/ET8), and probably other AiMesh models Firmware Version Affected 3004_388.5_0-gnuton1 (AiMesh functionality is broken on later versions) Is this bug...

github.com

On my nodes if you navigate into /jffs there are no /scripts dirs and, thus, no services-start files inside those dirs.

Okay. I have nano on mine but seems that differ. I also despise Vi

Then we have a small problem there. Fixable though. We will have to make a services-boot that ensures that the ssh key gets reinstalled on boot. I can make a script for that. This will be for the special cases when this isn't auto-synced (like mine does)

A thought is to read the configured nodes, auto-ssh into them (user has to login) it will install one file and also the services-start the points to that. It will auto-inject the already made ssh key on the node.

Though, jffs should only need to be applied once. So you'll be fine now until you reboot so try to install the ssh key manually again.

 

[r80xcore]

No hurry as you should be in bed (!!), but as the other thread directs to here, just for completeness, I brought the two questions from there over here i.e.



Q1. "Real" VLANs:

Sorry if this is clear to most folks but what are the properties of a “real” VLAN tunnel that this Wi-Fi - Wi-Fi tunnel cannot provide?

If all I wanted was for a downstream device (let’s say the ESP32 Bluetooth Proxy in the discussion i linked to earlier in the other thread) to be connected to the Ethernet port of a Node, and for it to be assigned (or retain if static) an IoT Network IP address, either from the DHCP manual assignment list or dynamically, does it matter if that “mesage” to do so is sent over Wi-Fi rather than VLAN?

If it gives me this one functionality i.e. of it being connected to and the Network Map showing it being connected to the IoT or Guest Network the Nodes Ethernet port is assigned, I’d be very happy to have it work that way, as it seems Asus are happy to do it this way using VLAN-capable nodes over Wifi?

Q2: Selected Nodes Only, ASUS VLANs co-existing with MerVLAN:

A quick question on the functionality of MerVLAN, for my remote system I ended up getting (but haven’t installed yet) nearly all VLAN capable router/nodes (as MerVLAN wasn’t in existence yet ) but I still have a non-VLAN node on that network. This system is all wired between main and nodes.

If I wanted to use ASUS VLAN setup for the VLAN capable nodes, but MerVLAN for that one node simultaneously, will that work? i.e. can they coexist or do you either go the whole hog with Asus or with MerVLAN but not both? Thank you.

Well the difference it that real VLAN is 802.1Q compliant.

A real VLAN keeps its tag all the way through the network, even across switches and routers, so it works end-to-end and supports true network separation.
The Asus VLAN over WiFi backhaul strips or ignores those tags — it only simulates VLAN behavior at the SSID level.

I don't know yet how everything will work out but hopefully you will be able to achieve what you want - on ethernet backhaul

 

[visortgw]

Okay. I have nano on mine but seems that differ. I also despise Vi

Then we have a small problem there. Fixable though. We will have to make a services-boot that ensures that the ssh key gets reinstalled on boot. I can make a script for that. This will be for the special cases when this isn't auto-synced (like mine does)

A thought is to read the configured nodes, auto-ssh into them (user has to login) it will install one file and also the services-start the points to that. It will auto-inject the already made ssh key on the node.

Though, jffs should only need to be applied once. So you'll be fine now until you reboot so try to install the ssh key manually again.

So... Correct me if I'm wrong, but the differences appear to be AiMesh nodes with Merlin firmware vs those with stock. Merlin firmware adds:

1. ability to enable JFFS custom scripts and configs;
2. nano editor;
3. default scripts in /jffs/scripts directory;
4. ability to install amtm and entware;
5. ...

 

[r80xcore]

So... Correct me if I'm wrong, but the differences appear to be AiMesh nodes with Merlin firmware vs those with stock. Merlin firmware adds:

1. ability to enable JFFS custom scripts and configs;
2. nano editor;
3. default scripts in /jffs/scripts directory;
4. ability to install amtm and entware;
5. ...

Oh is he running stock?! I missed that totally. This won't run on stock firmware as far as I know, you need merlin for this to work.

 

[visortgw]

Oh is he running stock?! I missed that totally. This won't run on stock firmware as far as I know, you need merlin for this to work.

I was just guessing for @Seth Harman. My non-VLAN capable node is stock as well (ZenWiFI BQ16 Pro).

 

[r80xcore]

My non-VLAN capable node is stock as well (ZenWiFI BQ16 Pro).

Hmm.. Interesting. Well maybe it can work then. I'll make the script tomorrow and we'll see were it heads!