Please help with VLAN tagging for WAP use

CaptOnH2O

New Around Here
Hi all,

Please help me understand some of the settings behind VLAN tagging and bridging...

I have an AC68U rev1 (running Merlin 386.5_2)
I'm trying to configure it as a WAP with:
- tagged VLAN50 for WLAN users
- tagged VLAN60 for WLAN guests
- LAN ports disabled
- Web GUI & SSH on the WAN port
- WAN port is connected to a Palo Alto firewall to sort out the tagged VLAN traffic and handle security
I've switched to Router mode because I wasn't getting anywhere in AP mode, but that doesn't seem to help; it just confused me more by adding interfaces eth0.501, eth0.502, eth1.501, eth1.502, eth2.501, eth2.502.

I assigned an IP address to each VLAN:
Code:
ifconfig vlan50 10.0.50.2 netmask 255.255.255.0
ifconfig vlan60 10.0.60.2 netmask 255.255.255.0
When I try to ping, only the lo and lo:0 interfaces get replies... not even when I ping from the respective VLAN or bridge they're on.

Here's some config output:
Code:
brctl show
bridge name        bridge id           STP enabled        interfaces
br0                800.3497f65e3900    yes              vlan1
br1                800.3497f65e3901    yes              vlan50
                                                        eth1
                                                        eth2
br2                800.3497f65e3905    yes              vlan60
                                                        eth0.501
                                                        eth0.502
                                                        wl0.1

Code:
robocfg show
Switch: enabled
Port 0:    1000FD enabled stp: none vlan: 1 jumbo: off mac: 5c:58:e6:3a:ee:31
Port 1:    1000FD enabled stp: none vlan: 1 jumbo: off mac: 98:e7:43:df:2f:5c
Port 2:      DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:    1000FD enabled stp: none vlan: 1 jumbo: off mac: 9c:eb:e8:39:8b:21
Port 4:      DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5:    1000FD enabled stp: none vlan: 1 jumbo: off mac: 34:97:f6:5e:39:00
Port 7:      DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:      DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 0 5
  50: vlan50: 0t 1t 2t 3t 4t 5t
  60: vlan60: 0t 1t 2t 3t 4t 5t
501: vlan501: 0t 1t 2t 3t 4t 5t
502: vlan502: 0t 1t 2t 3t 4t 5t

Port 5 is all traffic destined to the CPU, right? Are ports 7 & 8 useful for anything?
How do I set the WAN port (0) to be the trunk port and ensure traffic from VLANs 50 & 60 is properly tagged?
For debug purposes I tried setting Port 3 to VLAN50 and Port 4 to VLAN60 and then doing a packet capture on the PA FW, but while packets do come in from the WAN port, all traffic appears untagged. What am I missing, please?

My target IP Schema:
Code:
VLAN50 (also tried as eth0.50) - ip: 10.0.50.2/24    gateway: 10.0.50.1 (sub-interface on PA FW)
VLAN60 (also tried as eth0.60) - ip: 10.0.60.2/24    gateway: 10.0.60.1 (sub-interface on PA FW)
VLAN1                           - ip: 192.168.1.1/24    gateway: 192.168.100.129

I understand VLAN1 is for LAN, so eventually ports 1-4 will be removed, right?
VLAN2 is for internet access, so no planned changes there, yes?
So should Port 0 be removed from VLAN1?

Thanks in advance
 

drinkingbird

Senior Member
(Quoting CaptOnH2O's opening post above.)

What you're looking to do is somewhat complex but doable. VLAN 501 and 502 are new guest networks associated with Guest Wireless 1 (501 is for 2.4 GHz and 502 is for 5 GHz, and each gets a 192.168.x.x/24 subnet assigned). If you don't want those, use Guest Wireless 2 or 3 instead; they won't be created for those.

From what I understand you can leave VLAN1 on port 0 since port 0 is only looking for VLANs tagged with 2, at least in normal router mode. If you're trunking to a PA you may want to remove it but not sure if that will cause any other issues.

My setup is much simpler than yours but I'm making use of the 501 and 502 VLANs for wired and wireless guest, as well as trunking the wireless guest to my outdoor AP along with the normal wireless. Actually for now I'm just using 501 but I think I will put the wired guest into 502 at some point. So right now 502 is doing nothing.

I have to remove 501 and 502 from port 0 as FIOS has issues with that (this is a bug in Asus firmware, it should not be on that port in router mode). If you have your PA acting as your router and if it supports DHCP, you should be able to do something similar in AP mode and just forward everything to the PA.

Code:
robocfg vlan 502 ports ""          # remove from WAN port and all LAN ports, not using it
robocfg vlan 1 ports "1 2 3 5t"    # remove port 4 from main VLAN so I can use it as wired guest
robocfg vlan 501 ports "1t 4 5t"   # remove from WAN port and LAN 1-3, put wired guest port 4 in 501 and trunk wireless guest to my external AP on port 1
killall eapd                       # kill EAPD
eapd                               # restart EAPD, though it seems to work without doing this too

If you wanted to use your own VLAN IDs (which I may actually change to) you also need to do the below, say for example VLAN 999. This is assuming you do not need an IP or DHCP and are letting the PA do that for you (i.e. AP mode). I haven't done this in AP mode so the bridge ID may be different, not sure.
Code:
vconfig add eth0 999
ifconfig vlan999 up

brctl addif br1 vlan999

nvram set lan1_ifnames="wl0.1 eth0.501 eth1.501 eth2.501 vlan999"
nvram set lan2_ifnames="wl1.1 eth0.502 eth1.502 eth2.502 vlan999"

nvram commit
I'm not entirely sure what the lan1_ifnames/lan2_ifnames settings do; it seems to work without them, but they may be used for traffic monitoring or firewall etc.

I'd say start fresh, factory reset the Asus and put it in AP mode. Get your PA all configured with the subnets and DHCP you want, then start with one VLAN/purpose at a time, get that working, then move on to the next.

Most devices do not want VLAN 1 tagged in the trunk, but you may need to try that if the PA isn't seeing it.
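As an added example (not the OP's or drinkingbird's code), this parses the VLAN table from the `robocfg show` output posted above, audits it against the stated goal (VLAN 50 and 60 tagged towards the trunk on port 0 and absent from the LAN ports 1-4 that are meant to be disabled), and renders the matching `robocfg vlan ... ports` commands in the syntax drinkingbird used. The `audit`/`proposed_cmds` helpers are mine, and treating port 5 as the CPU port is an assumption taken from the OP's question.

```python
import re

# Constructed sample: the VLAN table exactly as it appears in the OP's `robocfg show` output.
ROBOCFG_VLANS = """\
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 0 5
  50: vlan50: 0t 1t 2t 3t 4t 5t
  60: vlan60: 0t 1t 2t 3t 4t 5t
501: vlan501: 0t 1t 2t 3t 4t 5t
502: vlan502: 0t 1t 2t 3t 4t 5t
"""

CPU_PORT = 5  # assumption, as the OP suspects: port 5 is the switch-to-CPU link

def parse_vlans(text):
    """Return {vid: {port: tagged}} from the VLAN section of `robocfg show`."""
    vlans = {}
    for m in re.finditer(r"^\s*(\d+):\s*vlan\d+:(.*)$", text, re.M):
        vid, members = int(m.group(1)), {}
        for tok in m.group(2).split():          # "0t" = tagged member, "0" = untagged
            members[int(tok.rstrip("t"))] = tok.endswith("t")
        vlans[vid] = members
    return vlans

def audit(vlans, trunk_port, wlan_vids, disabled_ports):
    """List memberships that contradict the goal: WLAN VLANs tagged on the trunk, off dead ports."""
    findings = []
    for vid in sorted(wlan_vids):
        members = vlans.get(vid, {})
        if members.get(trunk_port) is not True:
            findings.append(f"vlan {vid}: not tagged on trunk port {trunk_port}")
        for port in sorted(set(members) & set(disabled_ports)):
            findings.append(f"vlan {vid}: still a member of disabled port {port}")
    return findings

def robocfg_cmd(vid, tagged, untagged=()):
    """Render one `robocfg vlan <id> ports "..."` command (tagged ports carry a 't')."""
    toks = [f"{p}t" for p in tagged] + [str(p) for p in untagged]
    toks.sort(key=lambda t: int(t.rstrip("t")))
    return f'robocfg vlan {vid} ports "{" ".join(toks)}"'

def proposed_cmds(wlan_vids, trunk_port):
    """Commands that leave each WLAN VLAN only on the trunk and the CPU port, both tagged."""
    return [robocfg_cmd(vid, tagged={trunk_port, CPU_PORT}) for vid in sorted(wlan_vids)]

if __name__ == "__main__":
    for line in audit(parse_vlans(ROBOCFG_VLANS), 0, {50, 60}, {1, 2, 3, 4}) + proposed_cmds({50, 60}, 0):
        print(line)
```

Run against the posted table it reports that VLAN 50 and 60 are still members of ports 1-4, which is consistent with the OP seeing traffic on the LAN ports that should be dead.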
 

eibgrad

Part of the Furniture
No one but you obviously knows the full scope of your objectives. But given you prefer a bridged configuration (AP only), which means most of the built-in other features of the ASUS/Merlin firmware become inaccessible, seems to me it would be a whole lot easier to use something that natively supports user-defined VLANs, bridges, tagging, etc., namely FT (FreshTomato), rather than trying to force Merlin to do something it was never intended to support.

All that said, if the purpose is to preserve the unique benefits and functionality of Merlin, that's a different story. But that assumes a routed configuration (i.e., active WAN). As a WAP, there isn't all that much difference between Merlin and FT, or even DD-WRT. In fact, the latter options actually make some features available in AP mode that Merlin doesn't! (e.g., OpenVPN).
 

eibgrad

Part of the Furniture
P.S. FWIW, I happen to have a tutorial for managing VLANs, bridges, tagging, etc., on this forum, and specifically for the RT-AC68U (although I'm sure it could be easily adapted for other AC, and perhaps even AX, routers).


But as I state in the tutorial, I discourage any CLI-based solution (including my own) if it can be avoided. I only offer it as a last resort for those who insist on it.

Also, even though the script supports AP mode, this comes w/ other issues. For example, in AP mode, the firewall is disabled. And therefore trying to maintain isolation between your VLANs and/or bridges is problematic (something I point out in that thread). Again, that's why I don't recommend using user-defined VLANs and bridging on Merlin if it can be avoided.
 

CaptOnH2O

New Around Here
(Quoting eibgrad's post above.)
Thanks eibgrad. I tried DD-WRT but it was unstable... WebGUI would become unresponsive before I could even enable SSH. Think I'll try FT soon.
 

CaptOnH2O

New Around Here
(Quoting drinkingbird's reply above.)
Thanks drinkingbird. I'll switch back to AP mode and give these commands a shot. I have a script already written but it was using 'ip link', 'brctl', and 'nvram set' commands with no 'robocfg' commands. If I can't get a working trunk port I'll either try FT firmware or give up altogether and buy a Ubiquiti AP. I don't mind tinkering but burning 20 hours with little progress is not practical.
 

drinkingbird

Senior Member
(Quoting CaptOnH2O's post above.)

My outside AP is a Ubiquiti and it works well; their EdgeRouters are nice too and fairly cheap. But using the Asus as my main router with the UBNT trunked off it has worked well. I used to have a professional setup with Cisco, Juniper, etc., but downsized; I still wanted to maintain the separation of Guest though and have it extended to all areas.

If you want to maintain the guest network isolation in AP mode you should be OK as long as the PA is your routing device (and you can place policies for communication between VLANs). Or if you want more of the features of the Asus you can use it in router mode and just disable NAT, but most likely the PA will give you more robust control over what can talk between VLANs etc. To be most secure, I believe you'll want the guest networks on different bridges from your main network on the Asus; not sure if that is the default in AP mode or not. If they share a bridge, in theory the VLAN tags still keep them separated but there is some chance that someone could get around it (not sure how critical that small risk is; in a home environment probably not really). Haven't played with AP mode at all so not sure of the specifics.
 
