rt-ac87u trunk connection to OPNsense router

Asmodaeus

New Around Here
Hi guys,

I spent most of today getting my rt87u (AP mode) to connect to my OPNsense router with two vlans on a single cable. I got it to work so I'm leaving the info here in case it helps anyone.

The idea is to use the rt87u guest network as an IOT wifi, and the regular wifi as the home network. Everything gets filtered on OPNsense. I only have one cable between the two, so I need a trunk connection.

The main takeaway is that using native vlan (untagged) together with a tagged vlan (which are most of the examples I could find) won't work. I had to tag both networks on both ends.
(also, vlan 9 is used somewhere inside rt87u and isn't free to use...couple of hours there...)

My /jffs/services-start:

#!/bin/sh
touch /tmp/000brstarted
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
robocfg vlan 101 ports "0t 1t 2t 3t 5t 8t"
#tag vlan 1 on the wan port (0t) I used to connect to opensense
robocfg vlan 1 ports "0t 1 2 3 5 8t"
vconfig add eth0 101
ifconfig vlan101 up
brctl addbr br1
brctl addif br1 vlan101
brctl delif br0 wl0.1
brctl addif br1 wl0.1
ifconfig br1 192.168.1.1 netmask 255.255.255.0 up
nvram set lan_ifnames="vlan1 eth1"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan101 wl0.1"
nvram set lan1_ifname="br1"
nvram set lan1_ipaddr=192.168.1.1

nvram commit
killall eapd
#redirect annoying messages
eapd > /dev/null 2>&1


On the OPNsense side there wasn't a lot to do. I just needed to create a vlan interface for each vlan on the ethernet interface that I used to connect to rt87u (each went into its own bridge and stuff but that's irrelevant here...)

Cheers,
-Miguel
 

Asmodaeus

New Around Here
Apparently my joy was premature ... Somehow these settings kill the GUI wifi configuration page, and 5G stopped working :(
bummer :(
 

grifo

Regular Contributor
The loss of the 5 GHz wifi and its configuration page is a limitation of the 87U that happens if you modify its vlan 1's default configuration with robocfg. The fix is to remove the "robocfg vlan 1 ..." line from your script, reboot the AP and untag vlan 1 at the other end.

Though, you mentioned that using an untagged and a tagged vlan wasn't working for you. It works fine on my 87U running in router mode. Maybe it's the NAT acceleration (CTF) issue in AP mode that is causing the problem, you can try entering the below command in the shell then rebooting the AP. Other than that it should work.

Code:
nvram set ctf_disable_force=1
nvram commit

BTW you don't need to configure an IP address for br1 in AP mode, you only need one IP (br0's, configured on the gui) for managing the AP.
 

grifo

Regular Contributor
@Asmodaeus have you got it working? I'd like to know as I'm also planning to migrate to an opnsense or pfsense router at some point and use my 87U as an AP.
 

Asmodaeus

New Around Here
@grifo
Unfortunately I couldn't get it to work. The tagging on the uplink did work correctly, but 5G wifi didn't:
Guest 5g never became available and regular 5g wouldn't get IP address from DHCP (or get any kind of communications with fixed IP) after authentication.

Since the wifi0 and wl1.x devices don't show up (I think ASUS changed something upstream...) I couldn't figure out what the problem was, or assign the devices to the proper bridges. After a couple of days of wife complaining about no wifi I bit the bullet, went back to stock firmware and just used another AP for IOT

In my opinion, rt-ac87u is a sick mess ...

In any case, here is my last services-start. It _almost_ works...

Code:
#!/bin/sh

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg show > /tmp/000before_services-start
cat /proc/net/vlan/config >> /tmp/000before_services-start

vconfig add eth0 1007
vconfig add eth0 1011

ifconfig vlan1007 up
ifconfig vlan1011 up

brctl addif br0 vlan1011
brctl delif br0 wl0.1

brctl addbr br1
brctl addif br1 vlan1007
brctl addif br1 wl0.1
ifconfig br1 192.168.7.1 netmask 255.255.255.0 up

#don't touch vlan 1...
#robocfg vlan 1 ports "0 1 2 3 5 8t"
robocfg vlan 1007 ports "0t 1t 2t 3t 5t 8t"
robocfg vlan 1011 ports "0t 1t 2t 3t 5t 8t"

#this tells eapd where to listen
nvram set lan_ifnames="vlan1 vlan1011 wifi0 eth1"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan101 wl0.1"
nvram set lan1_ifname="br1"

#tried this once but no joy...
#nvram set br0_ifnames="vlan1 wifi0 vlan1011 eth1"
#nvram set br0_ifname="br0"
#nvram set br1_ifnames="vlan1007 wl0.1"
#nvram set br1_ifname="br1"
#nvram set wl0.1_bridge=1


sleep 5
killall eapd
sleep 5
eapd > /dev/null 2>&1


Cheers,
-Miguel
 

grifo

Regular Contributor
The 87U works fine for me, it's running in router mode but it shouldn't make much of a difference for vlans in AP mode.

Your script won't work the way it is. If you want to give the 87U another try replace your script with the below and at the opnsense end use an untagged vlan 1 for your main LAN and a tagged vlan 1007 for the IOT network connecting to the first 2.4 GHz guest SSID.
Code:
#!/bin/sh

robocfg vlan 1007 ports "0t 1t 2t 3t 5t 8t"
vconfig add eth0 1007
ifconfig vlan1007 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 vlan1007
brctl addif br1 wl0.1
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan1007 wl0.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

Edit: I've checked opnsense on virtualbox and it looks like you can't untag a specific vlan, if you create one it has to be tagged. So on your opnsense box you have to configure your LAN network on the main LAN interface. The result is the same.
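
A check that can be run on the AP after a services-start script like the ones in this thread, as an added example that is not from any poster: it parses `brctl show` output and confirms that the guest SSID interface (wl0.1) sits in the same bridge as the IoT VLAN interface and is no longer a member of the main LAN bridge. The function names and both sample outputs are constructed for illustration; on the AP, pass "$(brctl show)" instead of the samples.

```sh
#!/bin/sh
# Constructed samples of `brctl show` output (bridge ids are made up).
SAMPLE_OK='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan1
                                                        eth1
br1             8000.000000000002       no              vlan1007
                                                        wl0.1'
# Same layout, but wl0.1 was never moved out of the main LAN bridge.
SAMPLE_BAD='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan1
                                                        eth1
                                                        wl0.1
br1             8000.000000000002       no              vlan1007'

# Print the bridge that holds interface $1, reading `brctl show` text on stdin.
bridge_of() {
    awk -v want="$1" '
        { ifc = "" }
        NR == 1 { next }                  # header row
        NF >= 3 { br = $1; ifc = $4 }     # row that starts a new bridge
        NF == 1 { ifc = $1 }              # continuation row: one more port
        ifc == want { print br; exit }
    '
}

# Return 0 only if the guest SSID and the IoT VLAN share a bridge that is
# not the main LAN bridge.
# Arguments: brctl text, guest interface, VLAN interface, main LAN bridge.
check_segmentation() {
    guest_br=$(printf '%s\n' "$1" | bridge_of "$2")
    vlan_br=$(printf '%s\n' "$1" | bridge_of "$3")
    if [ -z "$guest_br" ] || [ -z "$vlan_br" ]; then
        echo "FAIL: $2 or $3 is not in any bridge"; return 1
    fi
    if [ "$guest_br" = "$4" ]; then
        echo "FAIL: $2 is still bridged into $4"; return 1
    fi
    if [ "$guest_br" != "$vlan_br" ]; then
        echo "FAIL: $2 is in $guest_br but $3 is in $vlan_br"; return 1
    fi
    echo "OK: $2 and $3 are both in $guest_br, separate from $4"
}

check_segmentation "$SAMPLE_OK" wl0.1 vlan1007 br0
check_segmentation "$SAMPLE_BAD" wl0.1 vlan1007 br0 || true
```

Running it again some time after boot shows whether the firmware has moved wl0.1 back into br0 behind the script's back.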
 