Network upgrade to the new wifi 7 and VLAN

[sman]

Hi there,
I plan to upgrade to WIFI 7 and use the VLAN too. I am not an advanced user and need recommendations.
I have to mention from the start, that I'm not expressly interested in wireless speed as much as wired fluidity matters.

In the attached sketch you can see the existing topology:

Devices in Main router + 10 GB Switch: Ubuntu server with LAMP and more (this is most important device of network and req. max priority for low latency), Win11 Media server, 2 PC, Node 2i, 8 wireless devices.

Devices in Node2. A lot of IoT devices on wired ports: 3 TVs with Netflix, 3 IP cam, 2 PC's. Looks like I need a switch here.
Wireless there are 8 phones, laptops etc.

I have some questions:

1. Are the ports in the ROG-GT-BE98 or RT-BE-88U base router Layer 3? If so, what type? CPU based or Hardware acceleration? Apropos, which is more suitable for wired connections ROG-GT-BE98 or RT-BE-88U ?

2. Do AIMESH NODES necessarily need to be made up of routers that have the VLAN feature? e.g. RT-BE86U, RT-BE96U ? This is very important because I don't know if the MAIN Router is using resources from the VLAN function of the NODE(S) Router. If the VLAN feature of the NODE are not used by the MAIN Router I am thinking to buy a RT-BE92U - better wireless, no VLAN feature available and it's cheaper.

3. For traffic flow is it recommended to connect Node 1 and Node 2 with a wired connection? Of course I will enable Spanning-Tree Protocol - STP. Fortunately there is a CAT5 cable between these two nodes. I mention that in node 1 there is little traffic and I was thinking that maybe load balancing between the nodes and the main router.

4. Can the Main Router create VLANs for IoT devices placed in physical (not wireless) ports in Node2? I mean without direct connection in the main router ports.

Thanks for any hints and help

 

[sman]

Could someone please confirm/deny the questions marked with yellow in points 2. and 4.?
This information is not available anywhere and only an owner or advanced user would know. Thanks guys

 

[Tech9]

Not documented - not guaranteed to work. If you want full VLAN configuration freedom for LAN/WLAN you have to look elsewhere, skip Republic Of Gamers. If you want true 10Gbps processing capabilities gateway you have to look at x86 hardware devices. Nothing on the consumer market can do 10GbE without NAT acceleration hacks. The home routers you are looking at can do Gigabit with true traffic processing. RPi-like hardware inside with aggressive marketing and false advertising involved. Good luck!

 

[sman]

thanks for the reply mate. I understand, but it doesn't necessarily have to be true 10Gb, it can be 5Gb.
in my current network I have main router AX88U and the mesh node is a AC68U which is on the limit, so the new models should do the job (probably 2 x BE88U)

But the network set-up makes me nervous as I know nothing about VLAN on asus routers/NODES.

I saw an older discussion on reddit, from a user called TiggerLAS., him answering a question similar to mine:

Your primary router is where you'll need to create your VLANs, gateway IP addresses, DHCP servers, NAT, and firewall rules. This is where your VLANs will start.

Managed switches don't typically source VLANs, they simply distribute the various VLANs across their ports as instructed. No need for ACLs in most cases. Use port-based VLANs.

Not sure why you linked several articles about using non-vlan-aware routers if all of your devices are already flashed with Merlin, which supports VLANs.

Define your VLANs on your primary router, making sure that each one has a gateway IP address, DCHP server, and NAT / Firewall rules as needed.

Assign trunk ports on your primary router, and assign them to the appropriate VLANS.

Configure your other Asus devices as access points, and create VLAN entries on each one, and tie them to your SSIDs as needed.

Plug each one into the trunk ports you defined on your primary router.

If you have switches in between your primary router, and your Asus access points, then you'll have to set up the VLANs on them as well.

Don't over-complicate it.

He said to "Configure your other Asus devices as access points, and create VLAN entries on each one, and tie them to your SSIDs as needed."
question the AP mode is the same thing with AIMESH node?

 

[degrub]

No, it is not. Think of AiMesh as a wifi extender box.

 

[Tech9]

But the network set-up makes me nervous as I know nothing about VLAN on asus routers/NODES.

Let's put it this way - what we know so far is based on experiments. As per Asus marketing everything is AiMesh Compatible, but in reality only partially depending on hardware and firmware. Advantage - cheap, somewhat user friendly. Disadvantage - may not work the way you want. With your requirements look at SMB equipment. Lower cost options are from MikroTik, TP-Link (Omada), Ubiquiti (Unifi). Cisco also has some low cost options APs with built-in controller (CWB series) as well as HPE Aruba (Instant On). Disadvantage - you have to pay more (especially for real 10GbE capable hardware) and you may need to have above average networking knowledge. If you don't feel comfortable going this way - consumer market and it is what it is. Find a way to use whatever is available.

 

[Tech9]

For 10Gbps appliance with user friendly software you may look at Firewalla:

Firewalla Gold Pro: 10G Cyber Security Firewall & Router Protecting Your Family and Business

Powered by The Firewalla Security Stack Deep Insight helps you see the network at up to 10+ Gigabits per second with 2x 10Gbit Interfaces and 2x 2.5Gbit interfaces. Control your network with intrusion prevention (IPS) and network segmentation, adding virtual walls around your connected devices...

firewalla.com

...or similar Netgate, but this one runs pfSense and is more complex to setup:

Netgate 6100 BASE pfSense+ Security Gateway

The Netgate® 6100 is one of the most versatile security gateways in its class. It is ideal for home, remote workers, and small businesses who require flexible port configurations for high-speed WAN and LAN connectivity. The 6100 combines the power of an Intel C3558 Quad Core CPU with integrated...

shop.netgate.com

...or you can build your own with proper Mini PC hardware and use free pfSense/OPNsense.

pfSense® - World's Most Trusted Open Source Firewall

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more

www.pfsense.org

OPNsense® is an open source, feature rich firewall and routing platform, offering cutting-edge network protection. - OPNsense

We’ve made digital security accessible to everyone. With our free OPNsense® platform, you get all the features of expensive commercial firewalls and more. Enjoy open and verifiable sources in a product developed with and for a large user community.

opnsense.org

DIY option may come significantly cheaper, you may have some suitable x86 hardware already.

 

[sman]

I'll stick with the Asus platform, I'm familiar with it and don't want to get too complicated with new stuff for myself.
These days I bought a BE88U and I found at a good price a second hand GE-98, from an advanced member of this forum (hi Paul).

From what I noticed, the last Merlin update for the GE-98 (it's MESH node) is from January, so I went with the official update from Asus 2 weeks ago today. BTW, I hope I don't have problems because is not a Merlin firmware

So the MAIN router remains BE-88U, and regarding my question no. 4 in the first topic I can tell you that: YES, if the node has VLAN capabilities, then the main router uses them!

I haven't made any changes to the VLAN yet, it's the default, I'll do more research.

At the moment I've installed a few mods, I hope I haven't installed duplicates :

 

[Tech9]

At the moment I've installed a few mods

You’ve installed quite a few, one of them may break your GUI, another may impact user experience and generate useless traffic… make sure you know how to reset your router.

 

[sman]

@Tech9
ufff, could you please give me a short label for the installed mods, in this context with the recent 3006 firmware., something like:
-Addonn_x may break your GUI
-Addonn_y may impact user experience
-Addonn_z generate useless traffic



Diversion 5.4.4
Skynet 7.6.4
scribe 3.2.1
MerlinAU 1.4.2
connmon 3.0.2
vnStat 2.0.6
RTRMON 2.1.5
BACKUPMON 1.8.22
scMerlin 2.5.10

uiDivStats 4.0.9
uiScribe 1.4.5
YazDHCP 1.0.6
WAN IP Notification 4.11

Entware packages
email settings
Disk check script

Swap file 2.0G << is OK 2G ? I saw someone with 10G.
the idea is that I'll figure out how to reset the router and then install only the recommended addons

I checked the router status and it doesn't look too good.

 

[Tech9]

could you please give me a short label for the installed mods

No, I can't extract the essentials of SNB Forums for you. Custom scripts are optional tools, they all have own release and support threads with all the information you need to know. This is your router, do your own research and make own decisions what you want to do with it. I would never buy GT-BE98 router to begin with, not to mention used one.

 

[Ripshod]

@Tech9
ufff, could you please give me a short label for the installed mods, in this context with the recent 3006 firmware., something like:
-Addonn_x may break your GUI
-Addonn_y may impact user experience
-Addonn_z generate useless traffic



Diversion 5.4.4
Skynet 7.6.4
scribe 3.2.1
MerlinAU 1.4.2
connmon 3.0.2
vnStat 2.0.6
RTRMON 2.1.5
BACKUPMON 1.8.22
scMerlin 2.5.10

uiDivStats 4.0.9
uiScribe 1.4.5
YazDHCP 1.0.6
WAN IP Notification 4.11

Entware packages
email settings
Disk check script

Swap file 2.0G << is OK 2G ? I saw someone with 10G.
the idea is that I'll figure out how to reset the router and then install only the recommended addons

I checked the router status and it doesn't look too good.
View attachment 65251

Do your own reading:

Compatibility Findings with AddOns with GT-BE98 Pro

I am starting a thread to summarize my findings to date with my recently purchased GT-BE98 Pro (Merlin 3006.102.1_beta1 firmware) with the "traditional" add-ons. amtm v4.8: Works as designed, including swap file creation and entware installation. diversion v5.1.3: Works as designed, including...

www.snbforums.com

Pro or none Pro makes no nevermind. It's about 3006 firmware.

 

[sman]

@Tech9 GT-BE98 is the Mesh-Node, I think is not so relevant.
Nvm, Thanks for the answer!

@Ripshod thanks for the tip, i will try to disable addons one by one
i saw u have same router like me and some addons

 

[Tech9]

i saw u have same router like me and some addons

@Ripshod has the add-ons he needs, knows what they do and knows how to support whatever is installed himself. The last part is very important. Rule No.1 - don't copy someone else's setup just because the router model in their signature matches yours. Brand new router, brand new firmware, no experience - start with Zero add-ons. Explore one thing at a time.

 

[Ripshod]

At any one time I only have a few of those addons running, and just activate what I need when I need it. They will all run together but I've only tested that over a short period of time.

 

[sman]

@Ripshod
if it's not too much to ask, could you detail which adons you have active, which adons you activate when you need them and which adons you don't use at all. thanks .
In the meantime, I updated my addons to the latest versions (develop command) , as you have in your signature.

 

[Ripshod]

@Ripshod
if it's not too much to ask, could you detail which adons you have active, which adons you activate when you need them and which adons you don't use at all. thanks .
In the meantime, I updated my addons to the latest versions (develop command) , as you have in your signature.

YazDHCP, Skynet, ntpMerlin and BACKUPMON are my constants. MerlinAU is a leftover from testing. The others I only keep installed for when mates have an internet problem - I'll take my router round to their homes for testing, so they're just diagnostic tools. I still have my old RT-AX88U fully loaded for the same purpose - obviously that has Diversion and YazFi too.

 

[sman]

I really appreciate, concrete advice is welcome! Thanks

Now I'm curious about these CPU-intensive processes. As a result, I sat 20 minutes and watched the process consumption in real time and made a table with the consumption peaks:

PID    PPID    USER    STAT    VSZ        VSZ%    CPU        CPU%     COMMAND



1       0       admin    S        15892    0.7        0         22.5    /sbin/init

3593    1       admin    R        14156    0.6        3         21.9    watchdog

3514    1       admin    S        5504     0.7        3          7.3    /usr/sbin/dnsqd

25614   1       admin    S        12500    0.6        3          11.8    httpd -i br0

4524    1       admin    S        20644    1.0        0          12.1    conn_diag

3431    1       admin    S        12048    0.5        0          13.6    asd

Are these processes known from addons? is there a way to decrease the CPU load?

 

[Ripshod]

As a comparison to your graph earlier, this is what I get 10 minutes after reboot with all the addons in my signature running

 

[sman]

very nice, thanks for the feedback!