Noob with AsusWRT Merlin - Need to create vlan for each SSID

SoukoussMan

Hi,

I recently bought an RT-AC88U.
In my architecture, I have a firewall that is able to provide DHCP.

I want to know if it's possible to create this type of architecture:



The objective is for my firewall to provide DHCP to all devices connected to an SSID, with each SSID in a different VLAN.
My AC88U will have a trunk with all VLANs to my firewall, if possible via an LACP aggregate.

I've searched the forum and seen a few things, but I'm not sure what I need to do.

-----

I think I need to create each VLAN with "robocfg vlan <vlanid> ports <ports>" and create the VLAN interface with "vconfig add eth0 <vlanid>".
Is that right?

But for the firewall to provide DHCP to all devices connected to an SSID, I suppose I need to bridge my VLAN interface and my SSID interface? Is that right? If yes, how do I do this?
In that case, if I bridge, is there no need to have an IP address on each VLAN on my AC88U?

Do I need to be in router mode or AP mode?

Thanks for your help.
 
Hi,

I've worked on it.

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"


# Remove port LAN1 from VLAN1
robocfg vlan 1 ports "4 8t"
robocfg vlan 30 ports "0 1 2 3t 5 7"
robocfg vlan 31 ports "3t"
robocfg vlan 60 ports "3t"
robocfg vlan 61 ports "3t"


vconfig add eth0 30
vconfig add eth0 31
vconfig add eth0 60
vconfig add eth0 61

ifconfig vlan30 up
ifconfig vlan31 up
ifconfig vlan60 up
ifconfig vlan61 up

brctl addbr br1
brctl addbr br2
brctl addbr br3
brctl addbr br4

brctl delif br0 eth1
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl0.3
brctl delif br0 wl1.1
brctl delif br0 wl1.2
brctl delif br0 wl1.3

brctl addif br1 eth1
brctl addif br1 eth2
brctl addif br1 vlan30
brctl addif br2 wl0.1
brctl addif br2 wl1.1
brctl addif br2 vlan31
brctl addif br3 wl0.2
brctl addif br3 wl1.2
brctl addif br3 vlan60
brctl addif br4 wl0.3
brctl addif br4 wl1.3
brctl addif br4 vlan61


ifconfig br1 up
ifconfig br2 up
ifconfig br3 up
ifconfig br4 up

nvram set lan_ifnames="vlan1"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="eth1 eth2 vlan30"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan31 wl0.1 wl1.1"
nvram set lan2_ifname="br2"
nvram set lan3_ifnames="vlan60 wl0.2 wl1.2"
nvram set lan3_ifname="br3"
nvram set lan3_ifnames="vlan61 wl0.3 wl1.3"
nvram set lan3_ifname="br4"

nvram commit
killall eapd
eapd

But I have a problem. When I do this (manually for the moment), I can't retrieve a DHCP address on vlan30.
The WAN port is used for management access and LAN1 for my trunk.

When I look at my firewall, I receive the DHCP request from my client (iPhone or Mac) and my firewall sends a reply.
Between my AsusWRT and my firewall, I only have a manageable switch.

If you can help me understand why this doesn't work, it would be very much appreciated.
 
So, I don't understand what the problem is.
Now I can get DHCP on one VLAN, but only from one SSID. On each VLAN, I bind 2 SSIDs (1 on 2.4G and 1 on 5G).
But on vlan30, this works only on the 5G SSID, and for the other VLANs, nothing works.

My device: RT-AC88U

My physical connections:

  • 1 cable on the WAN port for management access
  • 1 cable on LAN1 connected to my switch on a trunk port with VLANs 30, 31, 60, 70

Tests already done:

  • Test: Connect my Mac, with VLAN interfaces configured, to the cable connected to LAN1
    • Result: All VLAN interfaces retrieve a DHCP address
    • Deduction: The misconfiguration is on the ASUS side :(

Here is an extract of my configuration:

Code:
admin@RT-AC88U-4030:/tmp/home/root# robocfg show
Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 30 jumbo: off mac: 00:00:00:00:00:00
Port 1:   DOWN enabled stp: none vlan: 30 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 30 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:1c:7f:84:cd:7f
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 20:47:47:bb:39:c5
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 7: 1000FD enabled stp: none vlan: 30 jumbo: off mac: d4:a3:3d:f1:58:40
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 10:7b:44:ae:40:30
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 4 8t
   2: vlan2: 8u
  30: vlan30: 0 1 2 3t 5t 7
  31: vlan31: 3t
  60: vlan60: 3t
  70: vlan70: 3t

Code:
admin@RT-AC88U-4030:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.107b44ae4030       no              vlan1
br1             8000.107b44ae4030       no              eth1
                                                        eth2
                                                        vlan30
br2             8000.107b44ae4030       no              wl0.1
                                                        wl1.1
                                                        vlan31
br3             8000.107b44ae4030       no              wl0.2
                                                        wl1.2
                                                        vlan60
br4             8000.107b44ae4030       no              wl0.3
                                                        wl1.3
                                                        vlan70

I think the problem is in the nvram definition, but I don't know where to look.

Thanks for any help you can give, even a small idea or a direction to look in :)
 
Hi,

OK. After adding the 8t interface to all VLANs, this works.
Except for one, which refuses my PSK. I'm sure it's the right one.
How can I debug this?

Thanks
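
The fix reported above (adding the tagged CPU port, 8t, to every VLAN) can be checked mechanically. This is an added example, not part of the original posts: it parses `robocfg show` and `brctl show` text and lists the VLANs that are bridged on the router but have no CPU-port member on the switch. The function names, the `CPU_PORT` variable and the trimmed sample outputs are constructed for illustration; treating port 8 as the CPU port is an assumption taken from the `8t` entries in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: switch port 8 is the CPU
# port that carries eth0, as the "8t" entries in the posted output suggest.
CPU_PORT="${CPU_PORT:-8}"
# Constructed samples: trimmed copies of the outputs posted in the thread.
sample_robocfg() { cat <<'EOF'
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 4 8t
   2: vlan2: 8u
  30: vlan30: 0 1 2 3t 5t 7
  31: vlan31: 3t
  60: vlan60: 3t
  70: vlan70: 3t
EOF
}
sample_brctl() { cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.107b44ae4030       no              vlan1
br1             8000.107b44ae4030       no              eth1
                                                        eth2
                                                        vlan30
br2             8000.107b44ae4030       no              wl0.1
                                                        wl1.1
                                                        vlan31
EOF
}
# stdin: `robocfg show` text. Prints the id of each VLAN whose member list
# does not contain the CPU port (tagged, untagged or default-marked).
vlans_missing_cpu_port() {
  awk -v cpu="$CPU_PORT" '$1 ~ /^[0-9]+:$/ && $2 ~ /^vlan[0-9]+:$/ {
    vid = $1; sub(/:$/, "", vid); found = 0
    for (i = 3; i <= NF; i++) { p = $i; sub(/[tu*]$/, "", p); if (p == cpu) found = 1 }
    if (!found) print vid
  }'
}
# stdin: `brctl show` text. Prints the VLAN id of every vlanN bridge member.
bridged_vlans() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^vlan[0-9]+$/) print substr($i, 5) }'
}
# $1: robocfg text, $2: brctl text. Prints bridged VLANs the CPU cannot see.
check() {
  missing=" $(printf '%s\n' "$1" | vlans_missing_cpu_port | tr '\n' ' ')"
  for v in $(printf '%s\n' "$2" | bridged_vlans); do
    case "$missing" in *" $v "*) echo "$v" ;; esac
  done
}
# Run against the constructed samples; prints 30 and 31.
check "$(sample_robocfg)" "$(sample_brctl)"
```

On the router itself, the same check would be run as `check "$(robocfg show)" "$(brctl show)"`; an empty result means every bridged VLAN reaches the CPU port.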
 
Hi,

Please, did you make it work?
I also tried to delete LAN 1 from VLAN 1. But because there's no way to configure VLANs on the Realtek switch, I could not use it:
Code:
robocfg vlan 1 ports "0 1 2 3 5 7 8t"
robocfg vlan 10 ports "3 8t"
Because if I do so, I lose functionality for LAN 5 - LAN 8; because there's no way to configure VLANs on the Realtek switch, I could not use it.
I do not know how to delete 3 (LAN 1) from VLAN 1 without changing LAN 5 - LAN 8.

Thank you in advance for any idea.
amplatfus
 
I've got an AX88U running 384.19 and I don't have a robocfg command. Anyone know what the equivalent command is on this model? I just need to split one port off into its own VLAN for switch management so I can do VLAN routing on my switch (it won't let me do it on VLAN 1 which is where all my everything, including the switch's management address lives.)
 
Never mind, figured it out myself.

It appears port 3 corresponds to eth2, and port 4 to eth1 on this device (no idea where 5-8 go as I see no change when I connect stuff to them) ... I stitched a few things I found online together and ended up doing -

Code:
brctl delif br0 eth2
ip link add link eth2 name eth2.11 type vlan id 11
ip link set eth2.11 up
ip addr add 10.30.20.2/24 dev eth2.11

and then changing my switch management config to 10.30.20.1 gw 10.30.20.2 management vlan 11 and away I go, it's up and running now, and I should be able to create a routed interface for my main subnet on the switch now to do some vlan routing!
 
