MerVLAN v0.46 Simple and Powerful VLAN Management **BETA**

I will take a deeper look at the install/uninstall and the templates tomorrow. Today I had to fix some other issues reported with the core script "mervlan_manager.sh".

Version 0.47 of the mervlan_manager.sh is up. This should hopefully cure any problems with JSON -> SSID -> brX parsing that have been reported. Probable cause was that the name was not normalized. Added more safety features to make sure the VLANs are added safely and correctly.

JSON & parsing
  1. BusyBox-safe key escaping: esc_key() to escape [].^$* before sed patterns.
  2. Robust scalar read: read_json() pulls either a quoted string or a bare number, trims whitespace.
  3. Numeric read helper: read_json_number() (digit-only).
  4. Array read helper: read_json_array() flattens ["eth4","eth5"] → eth4 eth5.
  5. Whitespace/UTF cleanup: normalize_basic() strips BOM, CR, zero-width chars, trims.
String normalization & SSID resolution
  1. Consistent iface/SSID normalization: normalize_iface() / normalize_ssid() unify hyphens/quotes (—/–→-, smart quotes → ascii).
  2. Case-insensitive SSID matching with safeguards: exact match first; if not, lowercase fallback; logs ambiguity if multiple matches.
  3. Band-agnostic lookup: find_if_by_ssid_any() scans all *_ssid nvram entries and maps to ifnames.
Validation & safety
  1. VLAN input guard: validate_vlan_id() accepts none/trunk or 2–4094; hard-rejects 1.
  2. Internal VAP filter: is_internal_vap() skips wl*.4–9.
  3. Existence checks: iface_exists() + wait_for_interface() with exponential backoff.
Bridge/VLAN infra & membership
  1. Idempotent bring-up: ensure_vlan_bridge() creates ${WAN_IF}.VID and brVID, brings them up, stp off, setfd 0.
  2. Accurate membership test: member_of_bridge() uses sysfs first, brctl AWK fallback that handles continuation lines.
Attach flow & staging logs
  1. Attach-verify-retry: After brctl addif, we verify membership; if not present, sleep, retry once, then queue for watchdog.
  2. Staging log gating: WATCHDOG_QUEUE_LOG controls whether queue_watch() emits staging IF -> brVID for watchdog verification.
Cleanup, idempotency & audit
  1. Clean teardown: cleanup_existing_config() detaches ports, deletes br[1+], and removes ${WAN_IF}.* VLAN links.
  2. Change audit trail: track_change() writes human-readable deltas to a per-run file under $CHANGES.
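
The key escaping, normalization and VLAN guard listed in the changelog above can be sketched as follows. This is an added example, not code from the post or from MerVLAN: the function names follow the changelog, but the bodies, the `demo_json` helper and the sample keys and values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not MerVLAN source. Function names follow the changelog;
# the bodies are assumptions written for POSIX sh / BusyBox ash.

# Escape [ ] . ^ $ * (the set the changelog lists) plus \ and / so a JSON key
# is matched literally when spliced into a sed pattern.
esc_key() {
    printf '%s' "$1" | sed 's|[][\\.^$*/]|\\&|g'
}

# Strip UTF-8 BOM, zero-width space and CR, then trim surrounding whitespace.
normalize_basic() {
    bom=$(printf '\357\273\277'); zwsp=$(printf '\342\200\213'); cr=$(printf '\r')
    printf '%s' "$1" |
        sed "s/$bom//g; s/$zwsp//g; s/$cr//g; s/^[[:space:]]*//; s/[[:space:]]*\$//"
}

# Read a quoted string or a bare number for key $1 from flat JSON file $2.
read_json() {
    k=$(esc_key "$1")
    v=$(sed -n -e "s/.*\"$k\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.*\"$k\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | head -n 1)
    normalize_basic "$v"
}

# Accept none/trunk or 2-4094. Empty input, non-digits, leading zeros and
# anything longer than four characters are rejected before the numeric test.
validate_vlan_id() {
    case "$1" in
        none|trunk) return 0 ;;
        ''|*[!0-9]*|0*|?????*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# Constructed sample settings (not a real MerVLAN file); the first key is a
# decoy that an unescaped "ssid.1" pattern would also match.
demo_json() {
    printf '%s\n' '{' '  "ssidX1": "decoy",' '  "ssid.1": " Home-IoT ",' '  "vlan.1": 155' '}'
}

tmp=$(mktemp) && demo_json > "$tmp"
for id in "$(read_json 'vlan.1' "$tmp")" 1 4095 trunk '155;x'; do
    if validate_vlan_id "$id"; then echo "accept: $id"; else echo "reject: $id"; fi
done
echo "ssid.1 -> $(read_json 'ssid.1' "$tmp")"
rm -f "$tmp"
```

Without `esc_key`, the `.` in `ssid.1` acts as a regex wildcard and the decoy key on the earlier line would be returned instead.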
 
I run backupmon as well so I went in and checked, everything was still in there for me in regards to the cru entry within services-start.
I actually originally created the cru entries by hand because I backup to three (3) different destinations (local NAS, remote NAS, and USB drive) -- overkill, maybe, but I did it because I can.
 
You've just described my home network, 40+ IoT devices, and a RaspberryPi that doesn't do anything except let me tinker for fun.
Sounds familiar!
 
You've just described my home network, 40+ IoT devices, and a RaspberryPi that doesn't do anything except let me tinker for fun.
Like me. I run a proxmox server with opnsense, Ubuntu server, backup, around 15-20 dockers, plex, wireguard and around 20-30 IoT and Zigbee. Right now on untagged and three VLANs
 
Well I'm definitely just a N00b compared to you guys but I do what I can.
Running only 15 or so IoT devices on my network since the vast majority of my toys are Zigbee.

Current set-up: RT-BE92 with 3 SSID's:
- Main (has my ethernet connected Home Assistant NUC - HAOS, not proxmox or containerised)
- IoT (all devices blocked from internet, second Home Assistant connection via Wifi which allows IoT and Main LAN to stay segregated while still being able to operate everything in HA)
- Robovacs (access to internet but with AP isolation. Currently no need to be propagated on the Nodes fortunately)

2 Mesh nodes (RT-AC5300 and RT-AX56 - both on 3004 FW so inherent limitations with 3006 based BE92) with ethernet backhaul originally running Merlin FW but now on stock based on some recommendations here but so much conflicting advice on this as is also apparent by this thread stating there shouldn't be an issue running Merlin on Mesh nodes :). Happy to revert my nodes to Merlin of course for the sake of this Beta.

My issue:
- 3006.102.4 was unstable on my BE92 but allowed my IoT devices to connect to my Mesh nodes correctly.
- Upgraded to 102.5 and did a clean install but now my IoT devices couldn't connect to the nodes anymore.
- Went back to 102.4, set everything up and dirty upgraded to 102.5 and everything was running smoothly for a couple of months. Then all of a sudden IoT devices stopped connecting to my nodes again and I haven't been able to get them back online. Was going to do a full reinstall starting from 102.4 again, but now this Beta sounds like it might be more promising.

Q1:
Is my understanding correct that this addon needs to be installed on both Mesh router as well as nodes? Saw the discussion about the nodes and am happy to put them back on Merlin but nobody is mentioning the Mesh router which I would assume is a given that the addon needs to be installed there?

Q2:
Given the FW interoperability limitations between 3006 and 3004 FW's, will there be an issue for MerVLAN? Or will I just have the same limitation of only the first guest network being 'propagatable' to the nodes (at least, that's my current understanding)? Would be great if MerVLAN could somehow overcome this limitation of course but will already be happy if this will allow me to reliably have my IoT clients connect to my IoT network regardless of whether they are on the main router or a node.

Q3:
Is my current setup with 2 Home Assistant (HA) connections acceptable or would it be better to only have HA connected to the main LAN with firewall/iptables set up to the IoT LAN once they are made available in MerVLAN?

Q4:
Currently don't have a great need for wired VLAN tagging, but will be adding some wired CCTV cams soon, both on the main router as well as nodes so my understanding is that MerVLAN will allow me to put those CCTV cams on my IoT network regardless of which nodes they are connected to, correct?


Really keen to give this a go but might have to wait till the weekend as the Mrs is WFH today and Friday and I don't want to mess anything up while she's in meetings :D
 
Q1:
Is my understanding correct that this addon needs to be installed on both Mesh router as well as nodes?
So here’s the thing … I was getting all excited about the project until I kept reading (see first post and subsequent ones by @r80xcore) that it applies only to Routers in AP mode not in Router mode (something to do with double NAT).

That being the case I’m not able to use it like I thought I might, unfortunately. Both my systems have a Router (in Router mode) and AiMesh nodes.
 
So here’s the thing … I was getting all excited about the project until I kept reading (see first post and subsequent ones by @r80xcore) that it applies only to Routers in AP mode not in Router mode (something to do with double NAT).

That being the case I’m not able to use it like I thought I might, unfortunately. Both my systems have a Router (in Router mode) and AiMesh nodes.
Well gee, stumbled at the first hurdle... guess I've completely misunderstood then! 😅
With all the talk about mesh nodes, I kinda automatically assumed this would apply to a system with a mesh router and nodes. Or are mesh-nodes considered as being set-up as AP's?

If not, not sure if I want to move to a setup with AP's instead of mesh nodes as roaming/device handoff and such is pretty crucial in my place.

Guess this is on me for starting to read at 1am :D
I'll take some time to re-read to properly understand, but if this is running on AP's only and not on the main router, could it nevertheless still fulfill the purpose I had in mind? I.e.: for the AP's (ideally mesh nodes) to properly handle clients for any SSID's and networks that are being rebroadcast by the nodes from the main router (and even physical VLAN)?
 
# MerVLAN

MerVLAN is an addon for Asuswrt‑Merlin focused on AP-mode deployments.

The vlan manager is specifically made for routers in AP mode as running vlan in router mode generally isn't recommended and can introduce double NAT (as you need another firewall/router routing the vlans).

These bits are what I saw... unless that has changed...
 
These bits are what I saw... unless that has changed...

And this is what gave me the idea it would be applicable to my situation:

Limitations
  • The maximum number of VLANs (up to 12) depends on the number of SSIDs your device supports.
    For example, if your router supports only 5 SSIDs, you cannot configure more than 5 VLANs.
  • Mesh functionality is limited by ASUS’s firmware design.
    For instance, some models support nine guest SSIDs but only three (one per band) are mesh-enabled.
    Non-mesh SSIDs can still be assigned VLANs but will only broadcast from the main node.
  • Devices connected to VLANs cannot be bound to specific nodes.
  • VLAN devices use standard band steering, which cannot currently be customized per VLAN.
  • Mesh users: VLAN tagging is only supported when nodes are connected via Ethernet backhaul. This limitation is due to the underlying hardware and wireless driver design: the WiFi backhaul does not support passing VLAN-tagged traffic. It's currently tested with Node -> Switch topology, daisy chaining is not tested and will most likely drop tagged traffic, but Daisy Chaining mode is planned for future release!

But maybe I'm completely misinterpreting.

It might only run on the Ap's/nodes, but as long as that way it is able to replicate what Asus itself is doing and improve on it that's what I need.
Problem is it most likely doesn't fix my clients not connecting to the nodes to begin with. Or the clients connecting to the AP/node but then not able to show up as a client on the guest network.
 
@Tekko @jksmurf

This will not run on stock firmware.

There are two ways of using the VLANs from an unsupported device to a supported one running MerVLAN.

Example
SSID 1: merlin-ap-IoT, VLAN: 155
LAN 1: connected unsupported router, VLAN: 155

This would put all traffic from the unsupported router in VLAN 155 together with ssid 1. Depending on your firewall settings this could make a mesh-ish system.

You could also put everything into a separate VLAN. For example if you want the connected AP to act as an IoT container.

I am working on a trunk mode script too. This would make it possible to use both a VLAN on the untagged traffic while passing through set VLANs from it. It would also enable daisy chaining. Not tested at all yet but it's soon to be tested. But this too would need a supported firmware if you want more than one VLAN on the connected device.

But this addon is mainly used for people using a managed switch in front of the main unit. I will update the original post to clarify this.
Hopefully it will be able to work with pro models that connect to a non-pro model that runs Merlin. Will need to be tested though.
 
This will not run on stock firmware.
I think we (at least me) need a slightly simpler explanation, sorry about that.

Per my sig I run Merlin on my Routers plus where Merlin is available, on my nodes, on both my independent systems.

They run as AiMesh Router, with AiMesh Nodes. They run GNP on both systems, with VLANs set up as Guest (VLAN 52) and IoT (VLAN 53). If by the term “AP” (which is a mode in itself, in the Asus setup) you also mean AiMesh nodes (running Merlin) then as long as I don’t have to change anything on the AiMesh router, I’m in a position to try stuff out.

However given the original quoted text, and the fact no APs are configured on my system, I am assuming MerVLAN is not applicable?
 