Thanks @eibgrad and @Jack Yaz for the explanation. I am planning on repurposing an AC86U as an AP (as opposed to purchasing a new AP) to use as the AP for my RasPi4 router. I've only been able to get hold of the AC86U for an hour at a time to see how things are set up in AP mode (the joys of having 5 people in the house). From what I have seen, the ebtables and iptables are blank in AP mode, with the guest interfaces lumped in with br0. So, I am looking at running the following script to group my LAN and Guests/IoT into various VLANs to work with the RasPi router. Note that credit for this script is largely not mine. I have the link to the original GitHub poster somewhere, but can't find it right now.
Code:
#!/bin/sh
# remove eth0 which will be reconfigured as a tagged port
brctl delif br0 eth0
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2
# add vlans
# interestingly, depending on the time passed since system boot,
# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
# so we use ip link instead of vconfig to specify a name explicitly.
ip link add link eth0 name eth0.500 type vlan id 500
ip link add link eth0 name eth0.501 type vlan id 501
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.500 up
ip link set eth0.501 up
ip link set eth0.502 up
# reconfigure br0, private LAN
brctl addif br0 eth0.500
# set up br1, guest LAN
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
brctl setfd br1 2
ip link set br1 up
# set up br2, another guest LAN for IoT devices
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl0.2
brctl setfd br2 2
ip link set br2 up
# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.500"
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="wl0.2 eth0.502"
nvram set lan2_ifname="br2"
# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.500"
nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"
nvram set br2_ifnames="wl0.2 eth0.502"
nvram set br2_ifname="br2"
# we do NOT issue `nvram commit` here since it won't survive reboot anyway
# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd
The only concern I have is what Asus is doing in the background with the Guest Network in AP mode. Ideally, picking up a UniFi AP would be the best solution, but I don't want to spend extra money where it does not need to be spent.
Out of curiosity @Jack Yaz, what product line are you moving to? My reasons for leaving Asus behind are varied (the RasPi project is a learning one to keep my aged mind busy, but also I feel that Merlin has hit the upper limits of what I want to do; also I need to get my primary access to an area of the house where it is truly useful, i.e. get the wireless AP upstairs while all the cables terminate downstairs).
The issue I have with Asus is just reliability. Maybe it is me, but it seems that each GPL release now seems to be buggy or adds new issues. It just seems that Asus is trying to do too much in a small amount of time. Then there is the issue of Merlin being a one-man show, and he could pull the plug at any time. In the end, if PFSense would run on a Pi, it would be sweet.
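A check for the layout the script above is meant to produce (an added example, not part of the original post or the script's GitHub source): it reads the kernel's own bridge membership from sysfs rather than trusting nvram, confirms each guest VLAN/SSID pair sits in its own bridge, and flags any guest interface that is still a port of br0, which is the leak that matters when ebtables is blank in AP mode. It assumes the bridge and interface names from the script; SYSFS_ROOT is an assumed knob so the same functions can be pointed at a copy of the tree.

```sh
#!/bin/sh
# Verify the br0/br1/br2 + eth0.500/501/502 layout from the script above.
# Assumption: Linux bridge ports are listed as entries under
# /sys/class/net/<bridge>/brif/. SYSFS_ROOT lets a test point at another tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# bridge_members BR -> prints BR's port names, one per line (fails if BR missing)
bridge_members() {
    [ -d "$SYSFS_ROOT/$1/brif" ] || return 1
    for p in "$SYSFS_ROOT/$1/brif"/*; do
        [ -e "$p" ] && basename "$p"
    done
}

# has_member BR IF -> returns 0 when IF is currently a port of BR
has_member() {
    bridge_members "$1" | grep -qxF "$2"
}

# check_layout -> one line per finding; return value is the number of problems
check_layout() {
    problems=0
    # Each VLAN sub-interface and guest SSID must be in its intended bridge.
    for spec in "br0 eth0.500" "br1 eth0.501" "br1 wl0.1" \
                "br2 eth0.502" "br2 wl0.2"; do
        set -- $spec
        if has_member "$1" "$2"; then
            echo "ok   $2 in $1"
        else
            echo "FAIL $2 not in $1"; problems=$((problems + 1))
        fi
    done
    # Nothing belonging to a guest network (or the untagged eth0) may remain
    # in the private LAN bridge, otherwise guests reach the LAN at layer 2.
    for leak in eth0 wl0.1 wl0.2 eth0.501 eth0.502; do
        if has_member br0 "$leak"; then
            echo "FAIL $leak still in br0"; problems=$((problems + 1))
        fi
    done
    return $problems
}
```

Run it on the AP after the script (`sh check_layout.sh; echo "problems: $?"`); a non-zero exit means the bridges do not match the intended split.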