Packet errors on RT-AX86U LAN port / running Asuswrt-Merlin 388.1


jjones7791

Occasional Visitor
Greetings all! Been to this site many times in the past for solutions and usually have good luck, but running into an issue that is beyond my skillset and looking for some advice as I can't seem to find a resolution.

My current setup is below. My issue is that when I activate the first guest network (MAKnet) and use the GUI to set it to not allow intranet access, I'm getting bad packets flooding port one of my switch. I suspect this has something to do with the guest network using a different IP network (192.168.101.0 / 192.168.102.0) than my LAN, because when I use the GUI to set this guest network to access the intranet, it stops using the aforementioned IPs, and starts using 192.168.50.0, and the issue ceases. Likewise I don't have this issue with the other two guest networks, which, as you can see below, use the same IP addressing as my LAN, but cannot access the internal network. I believe it's broadcast or multicast traffic that is being pushed to this port because when I disable the VLAN on my managed switch, I receive the same count of bad packets on every switch port, and only port 1 when the VLAN is enabled.

In all transparency, I'm not sure this is causing any issues on my LAN, that I notice anyway, but I know this is not normal and is an unusually high error rate. Any help or suggestions anyone can offer are appreciated.

Edit: For clarity, I attempted this on both stock and Merlin firmware, and it's an issue that is native to the device, not the firmware from what I can tell.

Also for anyone else experiencing this and attempting more segmentation on their home network, I found what I believe is a solid workaround. I enabled GUI Intranet access to my guest wifi which uses the same IPs as the LAN, then used the commands below to set AP isolation on the guest APs, so they are still segmented but using the same IPs as the LAN, and the bad packet issue on my switch has ceased.

nvram set wl1.1_ap_isolate=1
nvram set wl1.0_ap_isolate=1
nvram commit
reboot


(image: Home Network)

vlan disabled (image)

vlan enabled (image)
I think this is caused by your switch not handling VLAN traffic properly. When guest network 1 is enabled, two new VLANs are enabled, VLAN 501 (2.4GHz) and VLAN 502 (5GHz). Also, AP isolation doesn't really isolate your guest network.

There are 2 methods of isolation:

VLAN, which is what Guest Network 1 is using.

ebtables, which is what other guest networks use.

In this case, I recommend you use a different guest network to avoid incompatibilities.
 
First off, thank you very much Yota for your help and advice with this!

I think this is caused by your switch not handling VLAN traffic properly. When guest network 1 is enabled, two new VLANs are enabled, VLAN 501 (2.4GHz) and VLAN 502 (5GHz). Also, AP isolation doesn't really isolate your guest network.
Agreed, but do you know if the VLANs for the guest network are tagged or untagged, and can this be manipulated? I suspect tagging is causing the issue as the VLANs on my switch are untagged.

Also can you expand on your comment about AP isolation doesn't really isolate your guest network? I'm asking as I've done several pings and port scans and nothing on the isolated AP can see anything on my LAN and vice versa.

In this case, I recommend you use a different guest network to avoid incompatibilities.
Certainly not a bad idea, but my challenge is I'm already using them for other purposes, but mainly because, the first guest network at least based on the GUI, is the only one that will allow devices connected to use the mesh point and the main AP. The others only connect to the main AP, which is ok for my purposes, but I want my first guest network to use the mesh points as it's what I have most of my home devices connected to.
 
but do you know if the VLANs for the guest network are tagged or untagged
VLAN 501/502 are tagged on all ethernet ports, and the AiMesh node untags them on its guest network 1.


and can this be manipulated?
This will be difficult, as Asuswrt doesn't have an easy-to-understand manual for VLAN setup; you have to test it yourself, which is usually time-consuming, but some people in the forums have provided some clues.


Also can you expand on your comment about AP isolation doesn't really isolate your guest network?
AP isolation is provided by the wireless driver and only works at the wireless level; we know very little about the wireless side because it is covered by Broadcom's confidentiality. I don't even think AP isolation will work on the node's guest network.

VLANs and ebtables are open technologies, and people know the security they can provide.



But if you want the nodes to provide an isolated guest network, you must rely on VLAN 501/502, and your switch must properly handle the VLAN traffic from the router.
 
Thanks again Yota, this was a huge help. I'm confident the tags on the router VLANs are the culprit behind the packet errors.

Also appreciate the info about the Broadcom wireless stuff, did not know that. But I do believe the AP isolation is providing another layer of security. Obviously I'm not testing every port for every protocol, but from what I can see at the moment, it's restricting traffic to all nodes connected to the guest wifi with AP isolation, but no router VLAN. And honestly this is my home network and I'm probably being a little overzealous with hardening my security, but you know how it is these days, doesn't hurt. I have my IoT cams that never get firmware updates isolated at least, which was my main goal, and I did that with the second and third guest networks.

Nevertheless, help is much appreciated and you have a great week!
 
Want to provide an update should anyone else try this. After more testing and TSing I found the AP isolation settings work on the primary router to restrict intranet access, however they do NOT work on the AiMesh node, just as @Yota stated above. You can SSH into the node and adjust the AP isolation settings, but you can still get to the intranet through the node on an isolated AP, or really it doesn't appear to be isolating them at all despite setting isolation on all logical APs available.

For me I'm just going to live with the dropped packets on my switch as it's not causing any problems with latency, just more of an annoyance when I look at the switch packet statistics.
 

Your switch supports VLANs obviously, so you could just enable 501 and 502 (and possibly 503 if your router uses that) tagged on switch port 1. The traffic will still get dropped if there is no other port in that VLAN, but I don't believe it will show up as an error or drop against that port anymore. Or you could go into the router and script the removal of 50x VLANs from that port so it won't get sent to the switch in the first place. As you say, it is not hurting anything, but if you ever did have real errors it would mask that and interfere with troubleshooting.

What is handling the routing between your various VLANs off the switch? Or do you have them intentionally all isolated with no internet access? I'm assuming the TP Link isn't an L3 switch.
 
Thanks @drinkingbird, love the suggestions, but being transparent this is getting beyond my skillset, so additional help you are willing to offer is appreciated, but completely understand we all have better things to do.

My current VLAN setup on my TL-SG108E is below, and I'm not sure how I would translate this to VLANs 501 and 502 ingressing to my switch (which I did confirm are the only ones). I tried changing the VLANs 2, 3 and 4 below to 501 and 502 tagged on port 1, which is my uplink, but still couldn't get it to work. I suspect this is due to 501, 502 using .101.x/.102.x subnets as opposed to .50.x.

What is handling the routing between your various VLANs off the switch? Or do you have them intentionally all isolated with no internet access? I'm assuming the TP Link isn't an L3 switch.
My RT-AX86U is handling all routing. I have all the switch VLANs isolated but with internet access from the router via port 1, and it's an L2-only switch.

Honestly I love your last suggestion about blocking all 50x VLAN traffic from the router, as nothing on those VLANs needs to be talking to my switch VLANs. If you can point me to a post about how to do that, it would be much appreciated. Otherwise I'll keep looking and I've seen the posts below referenced that I need to spend some time reviewing / learning as I'm sure there is a solution there somewhere, maybe even as simple as killing the eth4.501/502 ports or something like that. Like you said, this is really only an issue for me should some other error come up and I have too many errors to sort through.


Current working config

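Before scripting anything on the router, it helps to confirm which 802.1Q sub-interfaces it actually has on the LAN side and how much traffic each one is pushing; that tells you whether 501/502 really are the only VLANs leaving port eth4 toward the switch, and whether the counters move after a change. This is an added diagnostic, not code from the thread or from Asuswrt: it parses /proc/net/dev (standard Linux), the eth4.501/eth4.502 names follow the thread, and the counter block is constructed sample data rather than output captured from an RT-AX86U.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Asuswrt): list the 802.1Q
# sub-interfaces on the router's LAN side and their TX counters, read from
# /proc/net/dev. Names like eth4.501 follow the thread; the sample counter
# block below is constructed, not captured from an RT-AX86U.

# vlan_tx_report: read /proc/net/dev-format text on stdin and print
# "iface tx_packets tx_errs" for every sub-interface whose name contains a
# dot (eth4.501, eth4.502, ...). Parent interfaces and bridges are skipped.
vlan_tx_report() {
    awk -F: 'NR > 2 && $1 ~ /\./ {
        gsub(/^[ \t]+/, "", $1)                 # strip the leading padding
        split($2, f, " ")                       # 8 RX fields, then 8 TX fields
        printf "%s %s %s\n", $1, f[10], f[11]   # f[10]=tx_packets, f[11]=tx_errs
    }'
}

# vlan_ids: the distinct VLAN IDs behind those sub-interfaces, one per line.
vlan_ids() {
    vlan_tx_report | sed 's/^[^.]*\.\([0-9]*\) .*/\1/' | sort -u
}

# Constructed sample in /proc/net/dev layout: two header lines, then one
# counter line per interface (16 numeric fields after the colon).
SAMPLE_DEV=$(cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth4: 1200000    9000    0    0    0     0          0        40  5500000   42000    0    0    0     0       0          0
eth4.501:   3200      25    0    0    0     0          0         0   910000   13500    0    0    0     0       0          0
eth4.502:   1100       9    0    0    0     0          0         0   880000   13100    0    0    0     0       0          0
   br0: 9000000   65000    0    0    0     0          0       300  8000000   61000    0    0    0     0       0          0
EOF
)

# On the router itself, over SSH: vlan_tx_report < /proc/net/dev
printf '%s\n' "$SAMPLE_DEV" | vlan_tx_report
printf '%s\n' "$SAMPLE_DEV" | vlan_ids
```

Run it twice a minute apart on the router: a rising tx_packets count on eth4.501/eth4.502 with nothing but the switch behind eth4 is the tagged guest traffic the switch is counting as errors.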
 
In order to eliminate the errors (or attempt to) you first need to create VLAN 501 and 502 in the switch, then go and assign them as tagged on port 1, leaving VLAN 1 as untagged on that port. Leave the PVID on port 1 as 1/default.

The rest of your VLANs aren't doing much; they aren't truly isolating each other, if at all. All the traffic just merges together in the switch since it has no tagging. Have you tried pinging between various devices to confirm it is doing the isolation you think it is? The PVID may be filtering one direction of traffic (depending on how that switch works) but not both, and it wouldn't take much to use the router to be able to communicate between them by just changing a device's IP (plus broadcast, multicast, and UDP traffic will be able to communicate directly).
 
