Need Help Setting Up 3 VLANs (Home, Guest, IoT) on ASUSWRT-Merlin (RT-AC86U)

[utte]

I'm trying to set up three isolated networks (VLANs) on an ASUS RT-AC86U running ASUSWRT-Merlin 386.10_0:

• br0 (Home) – default LAN
• br1 (Guest) – for guests, works fine
• br2 (IoT) – this one is problematic

My goal:

Each VLAN should have:

• A separate subnet and DHCP range
• Internet access
• Isolation (IoT → no access to br0/home or br1/guest)

What I’ve done:

Activated second guest network in GUI and called IoT then also done.

1. Created the bridge and interface:

brctl addbr br2
brctl addif br2 wl0.2
ifconfig br2 192.168.20.1 netmask 255.255.255.0 up

1. Configured dnsmasq for br2 (in /jffs/configs/dnsmasq.conf.add):

interface=br2
dhcp-range=192.168.20.100,192.168.20.200,255.255.255.0,12h
dhcp-option=br2,3,192.168.20.1
dhcp-option=br2,6,1.1.1.1,8.8.8.8

3. Enabled firewall rules (in /jffs/scripts/firewall-start):

#!/bin/sh
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 68 -j ACCEPT

Made the script executable.

Verified rules are inserted manually and persist when run.

Interface br2 shows up fine in iptables after manual run.

1. Verified bridge membership:

# brctl show
br2 has wl0.2 attached

1. Checked interface mode (problem):

wl -i wl0.2 status
Mode: Managed

Despite setting:

nvram set wl0.2_mode=ap
nvram commit

and running:

wl -i wl0.2 down
wl -i wl0.2 ap 1
wl -i wl0.2 up

…the mode stays as Managed.

Problem:

• wl0.2 refuses to stay in AP mode — it always returns to Managed.
• No DHCP traffic seen on wl0.2 (tcpdump -i wl0.2 port 67 or 68 shows nothing).
• Clients can't connect or get IPs on IoT SSID.

Questions:

1. What’s forcing wl0.2 to stay in Managed mode?
2. How can I persistently set it to AP mode for VLAN use?
3. Is there a better way to isolate wireless SSIDs into VLANs on ASUSWRT-Merlin?

I also have RT-AX86U PRO (That I could use if it has better support)

 

[bennor]

Welcome. Edit: After rereading your initial post. Are you using the RT-AC86U as an AiMesh or AP node to the RT-AX86U Pro?

If the RT-AC86U is a stand alone router, not AiMesh and not an AP node. Have you given any consideration to using the addon script YazFi to accomplish what you seek?

YazFi - YazFi v4.4.7 [2025-Jun-18] - Enhanced AsusWRT-Merlin Guest WiFi Networks

Release Notes for YazFi v4.4.6 production release now available [2025-May-29] The fork from @Jack Yaz's repository is now hosted on the AMTM-OSR GitHub repo: https://github.com/AMTM-OSR/YazFi 1) FIXED: Problem where setting the "Allow Internet Access" option to "NO" was causing problems with...

www.snbforums.com

Also note that Asus-Merlin 386.10 is is extremely out of date (10-Mar-2023). You should strongly consider updating that router to the last Asus-Merlin firmware for it, 386.14_2 (17-Nov-2024).
https://sourceforge.net/projects/asuswrt-merlin/files/RT-AC86U/Release/

Note that you really cannot do true VLAN easily (if at all) on the AC series of routers. There is some discussion and attempts here to do so in the following discussion:

Tutorial - How to use VLANs on your non-pro Asus router with 386 or 388 code (no scripting required)

With 386 and 388 code base, you can make use of two built in VLANs (plus the main LAN VLAN 1) to further segment your wired and wireless network, even on non-pro models. This definitely works in router mode on all models that support AIMESH and these code versions. From what I have seen (but...

www.snbforums.com

Edit to add: The RT-AX86U Pro can do VLAN and likely do what you seek easily and without all the scripting using it's Guest Network Pro Profile option when the 3006.102.x firmware is loaded on the router. However, as discussed in a number of other topics the Guest Network Pro/VLAN feature of the 3006 firmware doesn't typically flow down to non 3006 firmware Asus routers setup in AiMesh or AP mode.

Any particular reason why you are using the RT-AC86U and not the RT-AX86U to accomplish what you seek?

 

[utte]

I have just bought the RT-AX86U. But thought of practice first little on my RT-AC86U to be able to restore internet when family gets home. However maybe that was an bad idea if its easier to make it work on RT-AX86U.

I use it as an router to access internet. Thanks for remind me to update the firmware.

Thanks for the answer I will try some more and might come back with more questions. I get a lot of help from ChatGTP also, but feelt it was lacking this info.

 

[bennor]

@utte, Avoid ChatGTP or other AI programs when it comes to asking questions about complex router configurations or scripting in Asus-Merlin firmware. It is often wrong on the details. Use the forum search feature to find a wealth of information in this forum on Asus routers and how to configure them.

Note that the RT-AX86U is a different router than the RT-AX86U Pro. The RT-AX86U Pro supports the 3006 firmware and it's VLAN/Guest Network Pro feature. The RT-AX86U does not support 3006 firmware and it's associated features.

 

[Tech9]

I also have RT-AX86U PRO

You are wasting your time with RT-AC86U and ChatGPT. Just use RT-AX86U Pro, configure and test whatever you need in GUI.