RT-AC68U guest Wifi via VLAN in AP mode


mofog

New Around Here
Hi, in the last two weeks, I scanned this forum to find an answer, but now I can't fit all pieces together. Thus, I'd like to ask whether it is possible to achieve the following setup. If so, could someone be so kind as to point me in the right direction?

I've got three RT-AC68U (stock firmware) serving as Access Points in an AiMesh. All three routers are connected via LAN to a manageable Netgear switch (GS108Ev3), which is hooked up to another router (AVM Fritz!Box), which manages the DSL internet connection. This setup works well.

Now, I would like to provide a guest wifi, too (devices in the guest network should be able to access the internet only). The Fritz!Box provides a guest network via Wifi and also via a dedicated LAN port. I thought I could have my RT-AC68Us provide a 2.4 and a 5.0 GHz guest wifi, which is connected to the dedicated guest LAN port of the Fritz!Box via VLAN. However, I'm unsure about whether this can be done with the hardware in the first place, as I read various posts about the RT-AC68U not capable of handling "the right type of" VLAN. Moreover, I'm confused about which tools to use (e.g., robocfg, brctl, ip, nvram) and "how to get started."

Can this be done? If so, which posts/threads would be most relevant for me?

Thank you very much.
 

scatman75

New Around Here
I assume you have already installed the latest Merlinwrt build for your router. Second, you have activated SSH and the JFFS partition via the web interface.

Next you navigate to the path /jffs/scripts and create a new file named services-start. If you want to learn more about the different scripts and when they are executed by Merlinwrt, have a look at the excellent WIKI.

The following script is just an example of how to create VLANs and attach a guest WLAN to VLAN 3. I am running the script on an ASUS RT-AC88u, so you have to adapt it to your router.

For me the most irritating part was the difference in the assignment of ports (physical naming on the back side of the router vs. the output of robocfg show).

robocfg show

Switch: enabled
Port 0: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XX:XX:XX:XX:XX:XX
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: XX:XX:XX:XX:XX:XX
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 4 5 7 8t
2: vlan2: 8u


For the RT-AC88u, the following table is the result:

A - physical port
B - output robocfg

A - B
------
WAN - 4
LAN 1 - 3
LAN 2 - 2
LAN 3 - 1
LAN 4 - 0
LAN 5 - (Realtek chipset switch)
LAN 6 - (Realtek chipset switch)
LAN 7 - (Realtek chipset switch)
LAN 8 - (Realtek chipset switch)
WIFI 2.4GHz - 5
WIFI 5GHz - 7
CPU - 8


> vi /jffs/scripts/services-start

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# vlan1 and vlan2 exist in the router by default
# vlan1 configuration 0u 1u 2u 3u 4u 5u 7u 8t
# vlan2 configuration 8u

# VLAN 1: keep the LAN ports untagged, but set the WAN port (4) tagged so it can carry several VLANs (trunk)
robocfg vlan 1 ports "0u 1u 2u 3u 4t 5u 7u 8t"

# VLAN 2: set WAN-port (4) tagged, CPU (port 8) stays untagged (standard)
robocfg vlan 2 ports "4t 8u"

# VLAN 3: set WAN-Port (Port 4) tagged, set CPU (port 8) tagged
robocfg vlan 3 ports "4t 8t"

# Add VLAN 3
# Activation of VLAN 3
vconfig add eth0 3
ifconfig vlan3 up

# Create a new bridge 1 (br1)
# Delete 2.4 GHz guest WLAN 2 (wl0.2) from bridge 0 (br0)
# Add wl0.2 to br1
# Add br1 to vlan3
brctl addbr br1
brctl delif br0 wl0.2
brctl addif br1 wl0.2
brctl addif br1 vlan3

# Set a static IP-address for bridge 1
# Activate the bridge
ifconfig br1 192.168.50.2 netmask 255.255.255.0
ifconfig br1 up

# Set NVRAM variables
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan3 wl0.2"
nvram set lan1_ifname="br1"

# Kill and restart the service eapd
killall eapd
eapd

Save and exit the editor.


Make script executable:
chmod a+rx services-start

Reboot the router

Good luck with your router.
 

mofog

New Around Here
Thank you very much for the detailed response! I figured out the port mapping for the RT-AC68U:

Code:
WAN   -> robocfg Port 0
LAN 1 -> robocfg Port 1
LAN 2 -> robocfg Port 2
LAN 3 -> robocfg Port 3
LAN 4 -> robocfg Port 4
CPU   -> robocfg Port 5

Apparently, the mapping is quite straightforward on Merlin 386.2_4. The default VLAN configuration looks like this:

Code:
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t

I set up a 2.4 GHz and a 5.0 GHz guest wifi network via the UI (both with index 2) and adjusted your script accordingly:
  • Change robocfg ports
  • Added STP (spanning tree protocol) to br0 and br1
  • Added 5 GHz Wifi to the script (wl1.2)
  • Adjusted IP address of br1 to match my router's guest subnet

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# vlan1 and vlan2 exist in the router by default:
# vlan1 configuration 0 1 2 3 4 5t
# vlan2 configuration 5t

# vlan1: Set WAN (port 0) to tagged mode
robocfg vlan 1 ports "0t 1u 2u 3u 4u 5t"

# vlan2: Add WAN to VLAN 2 and set WAN (port 0) to tagged mode
robocfg vlan 2 ports "0t 5t"

# vlan3: set WAN (port 0) and CPU (port 5) to tagged mode
robocfg vlan 3 ports "0t 5t"

# Add VLAN 3
vconfig add eth0 3
ifconfig vlan3 up

# Create a new bridge 1 (br1)
# Delete 2.4 GHz guest WLAN 2 (wl0.2) from bridge 0 (br0)
# Add wl0.2 to br1
# Delete 5.0 GHz guest WLAN 1 (wl1.2) from bridge 0 (br0)
# Add wl1.2 to br1
# Add br1 to vlan3
brctl stp br0 on

brctl addbr br1
brctl stp br1 on
brctl delif br0 wl0.2
brctl addif br1 wl0.2
brctl delif br0 wl1.2
brctl addif br1 wl1.2
brctl addif br1 vlan3

# Set a static IP-address for bridge 1
# Activate the bridge
#ifconfig br1 192.168.179.2 netmask 255.255.255.0
ifconfig br1 up

# Set NVRAM variables
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan3 wl0.2 wl1.2"
nvram set lan1_ifname="br1"

# Kill and restart the service eapd
killall eapd
eapd

Clients connect to the main wifi as they used to, and AiMesh is working as well. But there seems to be a loop issue in the guest wifi:
Clients are able to connect and will be assigned a correct guest IP address. However, after a few seconds, e.g., when pinging 8.8.8.8, packets get lost and the LEDs on the switch go crazy. Thus, I activated STP on the bridges and in the managed switch.
This helps to prevent the entire network (also the main wifi) from breaking down while there is little to no traffic on the guest wifi. I attached screenshots of the managed switch's configuration – sorry, I updated to the most recent German firmware.

Can you help me out?

[Attached screenshots of the managed switch configuration: Bildschirmfoto 2021-05-17 um 20.31.01.png, Bildschirmfoto 2021-05-17 um 20.31.10.png, Bildschirmfoto 2021-05-17 um 20.31.18.png, Bildschirmfoto 2021-05-17 um 20.31.24.png]
 

scatman75

New Around Here
At first glance, I have no explanation for this behavior. Second, I want to let you know that I had severe 2.4GHz WiFi issues with my router, which are the same as the symptoms you described, after updating from Merlin 386.1.2 to 386.2.4. I lost a packet and the dynamic naming system stopped working properly after a very short time. There are some users on the forum who complain about WiFi after updating to firmware versions 386.2.x, but the cases seem to be rare.

According to the principle of divide and rule, I would try to simplify the search. From what you wrote, I assume that your guest vlan is powered by an AVM Fritzbox which operates as DHCP server for your guest wifi. Port 2 is connected to port 4 of the Fritzbox (guest lan), port 3 (tagged) is connected to the WAN port of the Asus router, and port 7 is used for some wired device which should get access to the guest vlan.

If my assumptions match your setup, then I would try to verify that a wired client on port 7 is getting an address from the Fritzbox and is working stably with regard to packet loss and DNS service.

If this is the case, then I would start the second test, this time on the ASUS router:
- Declare a physical port, e.g. Port 1 as a guest VLAN port.
- Check if the problem persists when using a wired connection.
- If so, I recommend testing firmware version 386.1.2 and lower.

To be very clear, this is just a guess with no guarantee of success.

Good luck.
 

mofog

New Around Here
I followed your approach and tested each system individually: Port 7 was indeed configured as a local/wired testing port. The VLAN configuration of the managed switch and the Fritzbox seem to work, as clients connected to this port will be assigned a guest IP and can perform multiple downloads without problems. Then I defined the physical port #2 on the ASUS router as part of VLAN 3. I adjusted the script as follows:

Code:
# vlan1: Set WAN (port 0) to tagged mode
robocfg vlan 1 ports "0t 1u 3u 4u 5t"

# vlan3: set WAN (port 0) and CPU (port 5) to tagged mode
robocfg vlan 3 ports "0t 2u 5t"

Clients connected via cable to this port on the ASUS router also work as expected: they will be assigned a guest IP and they can access the internet! Yet, the guest wifi still runs into the issues described above. Thus, I think you are right – thank you very much, you saved me from wasting time!

For testing purposes, I downgraded to Merlin version 386.1_2, but the problems persist. Do you have an idea what to do about this?
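The VLAN membership tables in the services-start scripts above (scatman75's RT-AC88u original and mofog's RT-AC68U version, including the later test with port 2 moved into VLAN 3) are easy to get wrong in a way that silently joins the guest segment to the private LAN, for example by adding a port to the guest VLAN without removing it from VLAN 1. The following POSIX shell script is an added example and is not code from either poster or from Asuswrt-Merlin: it parses the VLAN section of `robocfg show` output and checks that the guest VLAN has the trunk and CPU ports tagged and that no port is untagged in two VLANs. The sample table is constructed to match the RT-AC68U mapping from this thread (port 0 = WAN, used as trunk to the managed switch, port 5 = CPU) after mofog's modified script has run; the function names are my own, and the reading of a bare port number or `u` suffix as untagged and `t` as tagged follows the outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the VLAN table printed by
# `robocfg show` on an Asuswrt-Merlin router used as an AP with a guest VLAN.
# Assumptions: a bare port number or a "u" suffix means untagged, "t" means
# tagged (as in the outputs quoted in the thread); RT-AC68U mapping with
# port 0 = WAN (trunk to the managed switch) and port 5 = CPU.

# Constructed sample: VLAN section of `robocfg show` after mofog's script ran,
# with port 2 moved from VLAN 1 to VLAN 3 as a wired guest port.
ROBOCFG_SAMPLE='VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0t 1 3 4 5t
   2: vlan2: 0t 5t
   3: vlan3: 0t 2 5t'

# Member list of one VLAN id, e.g. "0t 2 5t"; empty if the VLAN is absent.
vlan_members() {
    printf '%s\n' "$ROBOCFG_SAMPLE" | awk -v vid="$1" '
        $1 == (vid ":") { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# Port numbers that are untagged members of a VLAN (space separated).
untagged_ports() {
    out=""
    for m in $(vlan_members "$1"); do
        case "$m" in *t) ;; *) out="$out ${m%u}" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Port numbers that are tagged members of a VLAN (space separated).
tagged_ports() {
    out=""
    for m in $(vlan_members "$1"); do
        case "$m" in *t) out="$out ${m%t}" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Ports that are untagged in more than one VLAN. Such a port would receive
# frames from two segments, e.g. a LAN port left in VLAN 1 while also added
# to the guest VLAN, which joins the guest network to the private LAN.
overlapping_untagged() {
    printf '%s\n' "$ROBOCFG_SAMPLE" | awk '
        /^ *[0-9]+: vlan[0-9]+:/ {
            for (i = 3; i <= NF; i++)
                if ($i !~ /t$/) { p = $i; sub(/u$/, "", p); n[p]++ }
        }
        END {
            s = ""
            for (p = 0; p <= 15; p++)   # BCM53xx switch ports are numbered 0..8
                if (n[p] > 1) s = s p " "
            sub(/ $/, "", s); print s
        }'
}

# True if the space-separated list $1 contains the word $2.
contains() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# Guest VLAN check: the trunk port and the CPU port must be tagged members
# (the CPU port must be tagged so the vlan3 interface on eth0 receives the
# tagged guest frames), and no port may be untagged in two VLANs at once.
# Arguments: guest VLAN id, trunk port, CPU port. Returns 0 when sane.
check_guest_vlan() {
    t=$(tagged_ports "$1")
    contains "$t" "$2" || { echo "trunk port $2 is not tagged in VLAN $1"; return 1; }
    contains "$t" "$3" || { echo "CPU port $3 is not tagged in VLAN $1"; return 1; }
    ov=$(overlapping_untagged)
    [ -z "$ov" ] || { echo "ports untagged in more than one VLAN: $ov"; return 1; }
    return 0
}

# Usage: guest VLAN 3, trunk port 0, CPU port 5 (RT-AC68U mapping from the thread).
if check_guest_vlan 3 0 5; then
    echo "VLAN 3 ok; wired guest ports: $(untagged_ports 3)"
fi
```

To run it against a live router, replace the constructed `ROBOCFG_SAMPLE` with `$(robocfg show)`; the parser only looks at the numbered `vlanN:` lines, so the port status lines above them are ignored. A non-zero exit with the printed reason is the case to investigate before attaching a guest SSID to the VLAN.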
 

scatman75

New Around Here
Honestly, I do not have a clue. If I were you, I would try the latest version of the 384.x.x series, because the problem is most likely somewhere in the wifi code.

But before you undertake further action please have a look at the following thread:
 

mofog

New Around Here
Alright, I'll keep an eye on this issue and the thread you mentioned. I'll post updates here as soon as I discover something new. Thank you once more for the script and your time.
 
