RT-AX88U in AP mode - Is it possible to tag ports or SSIDs for VLAN?

laucien

New Around Here
I'm using two RT-AX routers as a mesh and they're both in AP mode with an OPNSense install being my main router/firewall. Is there any way for me to tag the ports and SSIDs on the APs to assign them to specific VLANs?

I know there's a lot of threads about implementing VLANs and that there will be no support for it on the UI. I've read all the threads I could find but they're all about how to set up VLANs and multiple networks on the router itself and couldn't find much about just tagging the ports so they report the VLAN ID to a router further down the line.

I know the units can correctly handle passing through the VLAN tags because I'm running Proxmox on one of my servers connected to the RT-AX88U and if I assign VLANs to the VMs on Proxmox they show up correctly in OPNSense. Would love to be able to assign tags to the actual ports and the wireless on the APs but couldn't find out how to do it through the command line or if that's possible.

Thanks!
 

SomeWhereOverTheRainBow

Part of the Furniture
check out here


also here



I am sure there may still be some grains of truth in these forums for you to read.
 

SomeWhereOverTheRainBow

Part of the Furniture
Also, check out here:
 

laucien

New Around Here
Hey, thanks but I guess I should have specified what I looked up with the "I read a lot of threads" part.

That last link you shared is an amazing writeup and got me to understand how the network interfaces are listed but it's exactly what I mentioned in my first post. A great rundown on how to isolate things in the same router but says nothing about actually tagging a port, right? Unless I missed something it goes into details on separating the networks, creating new DHCP services and IP segments... which in my case I'm not even doing with the router.

I'm probably not explaining myself correctly since I'm still learning some of this. From the first 2 threads the steps include setting up iptables/firewall rules to block communication from one VLAN to the other, setting up DHCP to assign IP segments and dnsmasq for DNS resolvers. I'm handling all that through OPNsense downstream and only using the routers as switches and wireless APs. What I'm trying to figure out (and wondering if it's even doable) is to tag a port or an SSID so OPNSense sees it and goes "yes, this belongs to vlan 10".
I know the routers are at least VLAN aware enough that tags coming from other places are passed along and not discarded but that's as far as I got.

Makes sense?
 

SomeWhereOverTheRainBow

Part of the Furniture
Hey, have you checked Google search? That is where I found those other methods. Maybe it might reveal more information than narrowly using forum search does.
 

SomeWhereOverTheRainBow

Part of the Furniture
From what I can tell, you can create the tag using vlanctl2. How it is done, I have no clue.

The forum post here is in Chinese, but the terminal/script commands are not. Maybe you could piecemeal something from here.
 

drinkingbird

Senior Member
Note that with the 386 code base, Guest Wireless 1 does get its own VLANs, subnets, and DHCP (one VLAN for 2.4GHz and one for 5GHz). So that is a good starting point and you could probably use scripting to do anything extra you need. If you want more than two SSIDs, then you'll have to start creating more VLANs, DHCP ranges, etc. via CLI and that gets more complex.

If you don't want to go down that road, look at the products from Ubiquiti. Their EdgeRouters are very capable and support VLANs natively, and brand new aren't that expensive, and used are even cheaper. Using with their APs would be easiest (since they also support VLANs and mapping VLANs to SSIDs natively) but you could probably still utilize your Asus as an AP and just do some minor changes to trunk the VLANs to the EdgeRouter.
 

laucien

New Around Here
Okay, the vlanctl examples actually give me something to start looking into! I was reading the help on that command on the router but was having a lot of issues trying to understand how it worked.
 

laucien

New Around Here
I was looking at the Ubiquiti stuff and yeah, it's not that expensive... was actually planning on another thread somewhere else asking for suggestions in case I end up replacing these for something a bit more 'pro'sumer.

The main limitation I have is that I need something that works as a mesh _and_ can use wireless backhaul. My apartment isn't that big (~70m2) but has a lot of walls so just 1 unit won't cut it and at the same time I can't wire anything because I'm renting. Tried powerline and it sucked. Using wireless for the backhaul even when my routers don't have a dedicated 5GHz band for it worked a LOT better.
 

SomeWhereOverTheRainBow

Part of the Furniture
Laucien, have you tried MoCA adapters using already installed coaxial (cable wires) wiring?
 

laucien

New Around Here
I've had 2 of those in my Amazon shopping cart for like a month already and haven't decided yet haha. Mainly I'm not sure how it works because I don't know where the coax runs in my apartment split from the main cable going down to the building basement and how the communication between adapters would work.
 

SomeWhereOverTheRainBow

Part of the Furniture
Yea I use them in my location for three access points. It actually works great. But you need to really understand the logistics of your cable network including using the right type of splitters when necessary. From there it is pretty much plug and play. Speeds are about the same. One of the great things about it is you don't suffer the same speed degradation you do with power-line adapters.
 

drinkingbird

Senior Member
The UBNT Unifi APs all support wireless backhaul, at least all the ones I've used.

Not positive if you can send multiple SSIDs/VLANs over the backhaul, my guess would be probably multiple SSIDs but the VLAN is sorted out at the "base" AP, but probably need to read up on their documentation on that.
 
