RT-AC87U guest networking using separate subnets and vlans to trunk to another device

[airwoflsnb]

Hi,

I have a frustrating problem I am trying to solve with a couple of Asus RT-AC87U's. Rather than explain my desired network setup, please find the diagram below - a picture equals a thousand words They are running Asuswrt-Merlin 3.80.59

  Internet
     |
+----------+
| ISP MOCA |
|  router  |
| no wifi  |
+----------+
     | 192.168.254.254
     |
     |
     | 192.168.254.1          /-----  SSID: public (on 192.168.1.254/24) using both 2.4Ghz and 5Ghz
+-------------+              /
|    AC87U    |-------------/
|             |---------------------  SSID: private (on 192.168.0.254/24) using both 2.4Ghz and 5Ghz
| router mode |
+-------------+ br0: 192.168.0.254 (for LAN and private wifi)
  |  |  |  |    br1: 192.168.1.254 (for public wifi)
  |  |  |  |
  |  |  |  \---------------------\
  |  |  |                        |
  |  |  \------------------\     |
  |  |                     |     |
  |  \----------\          |     |
  |             |          |     |                    /-----  SSID: public (on 192.168.1.253/24) using both 2.4Ghz and 5Ghz
+--------+  +--------+  +-----+  |  +---------+      /
| switch |  | switch |  | nas |  |  |  AC87U  |-----/
+--------+  +--------+  +-----+  |  |         |-------------  SSID: private (on 192.168.0.253/24) using both 2.4Ghz and 5Ghz
| | | |     | | | |              |  | AP mode |
                                 |  +---------+
devices     devices              |    | | | |
                                 \----/ | | |
                                        | | |

                                       devices

The trunk (or cable) between the router and AP will carry both LAN (untagged) and private wifi traffic (tagged).

First of all, I am trying to get the guest network on the router (the AC-87U and will refer to this as the router forthwith) to run on a separate subnet so I can then create a VLAN to carry the tagged public wifi traffic to/from the AP whilst keeping it isolated from the LAN / private wifi. I basically want roaming capability for both the private and public SSID across the house.

And here is where the fun begins... I haven't even got as far as setting up the AP! ASUS implement guest networks by using bridge separation courtesy of ebtables on the guest wifi interface (wl0.1). So I thought it would be as simple as setting up a new bridge (br1), a VLAN to carry the public traffic on an ethernet port and map the guest wifi interface and vlan to the new bridge. Plus running a separate instance of dnsmasq to serve addresses for br1.

However, when I connect to the guest network with the password for it, I get served a 192.168.0.* address and the MAC address for the router is the one from br0 and not br1.

Any assistance to help me implement the desired state would be much appreciated. I did debate simply using the ASUS guest network implementation but am not sure how VLAN tagging to pass traffic between the AP and router would work to allow roaming on the guest (public) network? This might have to be the solution if someone can point in the right direction on getting the VLANs setup correctly between the two devices.

Also, how would I tag the 5Ghz radio to be part of the VLAN too given it is not a real interface on the RT-AC87U devices (appreciate that
Quantenna!)? Interesting side bar - I tried this in DD-WRT too by using a separate VLAN and bridge, and had the same results as experienced with Merlin. Thinking about this a bit more, is this really a Quantenna issue?

Thanks in advance!!

P.

Here are the config details:

Create /jffs/configs/dnsmasq-guests.conf:

pid-file=/var/run/dnsmasq-guests.pid
user=nobody
bind-dynamic
interface=br1
interface=ppp1*
no-dhcp-interface=ppp1*
no-hosts
resolv-file=/jffs/configs/resolv-guests.conf
servers-file=/jffs/configs/resolv-guests.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=guests.lan
expand-hosts
bogus-priv
local=/guests.lan/
dhcp-range=br1,192.168.1.1,192.168.1.240,255.255.255.0,86400s
dhcp-option=br1,3,192.168.1.254
dhcp-option=br1,15,guests.lan
dhcp-option=br1,252,"\n"
dhcp-authoritative
addn-hosts=/jffs/configs/hosts-guests.dnsmasq

Create /jffs/configs/hosts-guests.conf:

192.168.1.254  router.guests.lan  router

Create /jffs/configs/resolv-guests.conf:

nameserver   8.8.8.8
nameserver   4.4.4.4

# This file is empty:

touch /jffs/configs/resolv-guests.dnsmasq

# Create the VLAN (vlan3) to carry the guest network traffic from other APs
vconfig add wl0.1 3
# Bring up the VLAN (vlan3) interface for the guest network traffic
ifconfig vlan3 up
# Tag vlan3 to have traffic coming in from ethernet port 4 (known as 5 on AC-87U)
robocfg vlan 3 ports "5t 7t"
# Create a new bridge for the guest networks
brctl addbr br1
# Remove guest wifi interface from br0:
brctl delif br0 wl0.1
# Add the guest wireless and LAN trunked guest wireless to br1
brctl addif br1 wl0.1 vlan3
# Enable STP on br1
brctl stp br1 on
# Configure and bring up br1
ifconfig br1 192.168.1.254 netmask 255.255.255.0
ifconfig br1 up
# Setup ebtables forwarding rules
ebtables -F FORWARD
ebtables -I FORWARD -o wl0.1 -j DROP
ebtables -I FORWARD -i wl0.1 -j DROP
ebtables -I FORWARD -o vlan3 -j DROP
ebtables -I FORWARD -i vlan3 -j DROP
# Have no idea what vlan4000 is for, but it is bound to the main bridge (br0) and local network MAC
# and this was in the ebtables config by default
ebtables -I FORWARD -o vlan4000 -j DROP
ebtables -I FORWARD -i vlan4000 -j DROP

# Run your separate DHCP daemon on br1 to serve the guest network
dnsmasq -C /jffs/configs/dnsmasq-guests.conf --log-async
# Run the link layer topology daemon on br1 to help guest network clients
lld2d br1

 

[airwoflsnb]

Here are the outputs from the command line:

$ robocfg show
Switch: enabled
Port 0:  DOWN enabled stp: none vlan: 2 jumbo: on mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 04:18:29:36:23:4a
Port 2:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 3:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 4:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
  1: vlan1: 1 2 3 5 7t
  2: vlan2: 0 7
  3: vlan3: 5t 7t
1045: vlan1045: 1 5 7t 8u
1046: vlan1046: 4t 7t
1047: vlan1047: 2 3 5t 8t
1099: vlan1099: 3 4t 5
1100: vlan1100: 0 1 3 4t 5t 7 8u
1101: vlan1101: 0t 1 2 7 8t
1102: vlan1102: 0t 1t 2 3 4
1103: vlan1103: 1t 2t 4t 5t 7 8u
4000: vlan4000: 5t 7t

$ brctl show
bridge name  bridge id  STP enabled  interfaces
br0  8000.1cb72cc2e868  yes  vlan1
  vlan4000
  eth1
br1  8000.1cb72cc2e869  yes  wl0.1
  vlan3

$ ifconfig
br0  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:68
  inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
  UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  RX packets:31800 errors:0 dropped:0 overruns:0 frame:0
  TX packets:32858 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:3115306 (2.9 MiB)  TX bytes:14769085 (14.0 MiB)

br0:0  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:68
  inet addr:169.254.39.129  Bcast:169.254.39.255  Mask:255.255.255.0
  UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

br1  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:69
  inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 B)  TX bytes:3371 (3.2 KiB)

eth0  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:68
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:31832 errors:0 dropped:0 overruns:0 frame:0
  TX packets:37563 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:3818214 (3.6 MiB)  TX bytes:15739746 (15.0 MiB)
  Interrupt:180 Base address:0x5000

eth1  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:68
  UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:22295
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
  Interrupt:163

lo  Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
  RX packets:157 errors:0 dropped:0 overruns:0 frame:0
  TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:59454 (58.0 KiB)  TX bytes:59454 (58.0 KiB)

vlan1  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:68
  UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  RX packets:31832 errors:0 dropped:0 overruns:0 frame:0
  TX packets:35054 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:3245238 (3.0 MiB)  TX bytes:15023539 (14.3 MiB)

vlan3  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:69
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 B)  TX bytes:2576 (2.5 KiB)

vlan4000  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:68
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2062 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 B)  TX bytes:563333 (550.1 KiB)

wl0.1  Link encap:Ethernet  HWaddr 1C:B7:2C:C2:E8:69
  UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:22295
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

$ ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 6, policy: ACCEPT
-i vlan4000 -j DROP
-o vlan4000 -j DROP
-i vlan3 -j DROP
-o vlan3 -j DROP
-i wl0.1 -j DROP
-o wl0.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

 

[stiffbeta]

Holy cow, if I may ask, how did you get your vlan 3 created? Ive been working on this for 3 days now and all I'm doing is semi bricking mine. I've tried ddwrt which bricks everytime and 380.9. Truth be told I don't have a good understanding of what I'm doing but could you tell me how and what commands you use to get this far? What I'm looking to do is add 2 vlans 4 and 5 tagged to one port and if I can get dhcp set up and tied to one or both with different scopes even better.

 

[stiffbeta]

D'oh then I actually read what was in front of my face. Thank you for posting. I'm trying these right now so here goes. I only got the 1 router and a procurve with different things going on in it so hopefully this does what I need.

 

[airwoflsnb]

Have been reading that using vlan numbers <=5 might cause problems as they could be reserved for different things. Am going to try this again but using vlan10.

Alternatively, there is another post I have found that talks about a need to update some nvram settings and restart eapd when you make these kind of changes. If the above doesn't work, will give this a go. Might be helpful for you?

http://www.snbforums.com/threads/tag-guest-ssid-traffic-with-vlan.25712/

 

[airwoflsnb]

About had enough of this frustrating exercise. Couldn't get this working in Router mode so am going to try doing this in AP only mode and hard coding the default gateway. And another thing, after I make the manual VLAN changes, I can't save or perform any action in the UI - it simply redirects me to the login page upon those type of attempts.

Otherwise, I am going to return the second RT-AC87U which is thankfully still boxed, bite the (waste of) money on one of them and buy a couple of TPLink AC2600s as they support OpenWRT, have official linux interfaces for each radio rather than this bodged middle ground between the Broadcom and Quantenna chipsets and allow for guest networks roaming via vlans.

 

[sfx2000]

Be careful with the 87U, as one of the LAN ports is actually not controlled directly by the Broadcom SDK, but by Quantenna (LAN1 if I recall) as well as the 5GHz side of the house on that device - makes things a bit more complicated as a result.

Wondering if this is better handled by including a managed switch after the first Router/AP - even a lower end SmartSwitch should be able to handle this one would think - Netgear GS-108T's are less than $100USD, and quite powerful with regards to building out what is needed with this config.

And consider simplifying the IP tables - the more changes here, the better the opportunity it will be the break at some point.

Just my thoughts here...

 

[airwoflsnb]

See your point on the managed switch, and it is a good one. But part of the problem is that I can't get the separate bridges (or subnets) for guest vs private working, let alone testing the vlans.

 

[sfx2000]

See your point on the managed switch, and it is a good one. But part of the problem is that I can't get the separate bridges (or subnets) for guest vs private working, let alone testing the vlans.

Just keep in mind that the RT-AC87U is a complicated beast in and of itself - a lot of things happen under the hood that aren't that transparent to make the QTN radio work, along with the LAN1 port.

It's good enough for simple layouts, but might not be the right choice for something like what you're proposing...

BTW - someone mentioned earlier in the thread about VLAN_ID's - do try to stay about ID5 - as this can directly conflict with things internal, and also carrier services for multiple play (broadband/tv/telephone) - unfortunately, there's no standardization there - so sometimes it might need Wireshark and some investigation to see what might in use to stay away from.

FWIW - I enable Guest WLAN SSID's from time to time - friends/family visit, but there, it's not whole house, but the primary AP has good coverage in the common areas - e.g. family room, kitchen for 5GHz, and worst case, I can always disable Guest for 5GHz, and 2.4GHz covers the whole home and most of the yard.. but that's my environment, and may not match others. That GuestSSID will at least have connectivity, might not be fast, but it will connect for the most part.

 

[stiffbeta]

Thanks for the updates. I've given up on trying with this router. I'm going to eat the cost and try to sell it as its not going to work for what I want to do. I'm going to get a sg300 switch or a mikrotik switch. Anyone know how I can sell it as its about 2 weeks old and cant return it to the store.

 

[airwoflsnb]

@sfx2000 - yes, had come to that conclusion that some closed source sorcery is going on wrt Quantenna.

For my setup, the primary doesn't cover the outside patio / deck or the den so when we have guests over they can't get wifi unless they are on the private SSID.

I did move the VLAN assignments to 10+ but still didn't work.

@stiffbeta - second hand sale on Amazon, eBay it or sell on some local buy, sell page on FB? Am going to do that with mine. Take a look at the TP-Link AC2600 as that takes OpenWRT, has separate physical interfaces per radio in Linux and can do what we need it to do. This is what I am buying.

Check the bottom out on this page:
https://forum.openwrt.org/viewtopic.php?id=56231