RT-AX88U Vlan bridge/port questions

OK, this is weird. I had other things to do for a few hours but left things on. When I came back, the computer plugged into eth4 had an IP address and can connect to the internet. I cannot ping a computer on br0 from br3 and vice versa. I wonder what happened and why it took so long?

I was looking at the logs and can see services-start ran on boot. Looking at a listing of all iptables shows that firewall-start did its thing correctly. I'm not sure how to verify when dnsmasq.conf.add got added, but I assume it must have at some point since the client eventually got an IP address in the correct subnet.

But as near as I can tell, nat-start never ran. Nothing in the log, and the iptables line it is supposed to add:

iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -d 192.168.150.0/24 \
-o br3 -j MASQUERADE

does not appear in the nat rules list (iptables -t nat -L).

Any ideas why nat-start didn't run? Does that need to be in a separate script? Any reason it could not be added to the end of firewall-start?
 
Using the terminal window, when I try to enter
iptables -t nat -A POSTROUTING -s 192.168.150.0/24 -d 192.168.150.0/24 \ -o br3 -j MASQUERADE
I get the error message "Bad argument ' -o' " . Which probably explains why nat-start failed. So I tried iptables -h and learned:

[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)

Just to be sure I understand this error message correctly, the "Bad argument" is actually "br3", right? It being the argument for the -o option? Should the argument be "eth4" instead?
 
You have a syntax error. The "\" is the continuation character for when a command is split across multiple lines. If you're entering the command as a single line you should remove the \ character as it would become an escape character.

 
Doh!

I copied it directly from the previously linked article. I guess his editor split the line. I am way outside my wheelhouse and floundering around in the dark here. Thanks for the help.

It works now. From the terminal anyway. The command was accepted without error message and appears in the nat table now. I'll make the change in the nat-start script, reboot and see what happens.
 
I corrected the line in nat-start, and now that completes successfully, inserting the line into the nat table on reboot.

I wasn't sure if the DHCP service is handing out addresses on that subnet or not though. The client computer on br3 took some time before it could connect (but not nearly as long as yesterday -- minutes vs hours). There is no DHCP lease listed for that computer in the router's DHCP log (but there are new leases listed for all computers on the br0 network). Running ipconfig /all in a DOS window on the client shows the lease started yesterday, so it appears that machine just picked up where it left off rather than seeking a new lease.

ipconfig /renew on the client did restart the 24 hour lease on both client and in the DHCP lease log, so I think everything is working.
 
All, I wanted to ask this as this thread seems to be the most relevant to what I am trying to do. I am running an AX86U device on 3006.102.4 - under this I am able to create a Guest Pro network for IoTs and the VLAN appears in the LAN tab. This is in Wireless router operation mode and not access point. What I am trying to achieve is to isolate the IoTs (doorbell, vacuum robot, wall outlet plug etc.) into this IoT LAN (192.168.52.1/255.255.255.0) and prevent them from being able to talk to the main network (192.168.50.1/255.255.255.0). But the Home Assistant server which runs in the main network 192.168.50.x should be able to talk to/access a few of these devices in the IoT network. Set AP Isolated is turned ON in the Guest Pro setup for the IoT WiFi network. If I turn this OFF, will the traffic be bi-directional between 192.168.50.x and 192.168.52.x? I only want one way traffic from 50 to 52.

Do I need a 2nd hardware device like a smart switch to be able to accomplish this? Or can I achieve this with only the AX86U device alone? Thus far I have been unable to get such a setup to work. I see a few threads about manual install of modified YazFi Guest WiFi scripts. Thanks for any pointers and education you are able to provide!
 
I am running AX86U device on 3006.102.4
What specific router do you have? The RT-AX86U does not support the 3006.x firmware. The RT-AX86U Pro does support 3006.102.4.

If you do have a RT-AX86U Pro running 3006.102.4 firmware then a couple of questions.
Did you perform a hard factory reset of the router when you initially flashed the Asus-Merlin 3006.102.4 firmware to the router?
How have you configured your Guest Network Pro profile(s)? Post readable screenshots, redacting any sensitive information.
When setting up the Guest Network Pro profile did you enable or disable Use same subnet as main network?

Guest Network Pro has its quirks and it has a learning curve to understand how it works. At times it feels like a beta that we users are testing out for Asus. I'm currently running a RT-AX86U Pro with 3006.102.4 firmware with two Guest Network Pro IoT profiles configured and working normally. When setting up the two IoT profiles I did disable the Use same subnet as main network option so each IoT profile would use its own DHCP IP subnet and be isolated from the main LAN/main WiFi.

For Home Assistant that is another issue. Use the forum search feature to find the other discussions, there are several, on trying to get Home Assistant to work with the 3006's Guest Network Pro feature. Some have resorted to using a firewall-start script with IPTables scripting to allow traffic between Guest Network Pro clients and the Home Assistant device. Others tried other workarounds like setting up a second network adapter on the Home Assistant device and connected that second network adapter to the Guest Network Pro VLAN. Some have resorted to just keeping certain IoT devices on the main LAN/main WiFi rather than the Guest Network Pro profile. Here are a few threads for more on Home Assistant and Asus-Merlin 3006 firmware.

In particular see my post here for some Guest Network Pro profile firewall-start and IPTables scripting with 3006 firmware: https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345
 
Thanks for the guidance Bennor!! I did not even know there were two models in the AX86U lineup. Yes my device is indeed the Pro version and thus I was able to flash/upgrade to the 3006 firmware.

I used the Administration page of the router and restored it to factory default following the 3006 firmware update. Then manually set up the device as "wireless" router. Not sure if this counts as a "hard" reset - should I use the physical buttons on the router?

Presently I have one IoT guest WiFi network set up. It's active only on 2.4GHz, Bandwidth limiter is OFF, Access intranet is OFF for 'Main' network. Under Advanced settings, 'DHCP server' is enabled with LAN IP 192.168.52.1/255.255.255.0, VLAN ID 52. Set 'AP isolated' is ON. For this network under LAN > VLAN > Profile, I see the 52 ID active with the 'port Isolation' feature OFF. I have not changed anything under LAN > VLAN > VLAN as I am only using WiFi for my IoTs and nothing on the wired network side.

With the above I am able to assign devices to this network and they get an IP and the ability to connect to the internet. However with Set AP Isolated, they are not reachable via (ping) from computers in the 192.168.50.1 LAN. Generally, I am fine with this behavior as the purpose of this IoT segregation is to keep these devices separated. However I am trying to see if one or a handful of devices from the 192.168.50.1 LAN can access these.

Let me look at the pointers you have provided above - your thread says to activate "Access Intranet" to ON. Let me try this and come back for further clarifications, but looks like this might be bi-directional! Appreciate the inputs!!
 
The Guest Network Pro option Set AP Isolated will prevent the Guest Network Pro clients from talking to each other.

The Guest Network Pro option Access Intranet is supposed to allow Guest Network Pro clients to access the main LAN clients (or other Guest Network Pro profiles) when that option is enabled and one selects Main Network. However some are finding the Access Intranet option doesn't work as expected (or doesn't work at all). Click on each option in the GUI for a tooltip that explains what the option does.

Read the previously provided links, there is much information and the various suggestions there for those who need specific main LAN client access to Guest Network Pro clients. A number of us have found that certain Guest Network Pro options simply do not work as expected, or do not work at all, leaving people to use a firewall-start script with IPTables commands to replicate certain actions.
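As an added illustration of the firewall-start approach mentioned above (this is constructed example code, not the thread author's script and not from the Asus-Merlin project), here is a /jffs/scripts/firewall-start that lets one main-LAN host reach the IoT VLAN while the IoT VLAN cannot open connections back. The bridge name br52, the Home Assistant address 192.168.50.10 and the chain name HA_IOT are assumptions; check the real bridge name with brctl show or ip link on your router.

```shell
#!/bin/sh
# Constructed example for /jffs/scripts/firewall-start on Asus-Merlin
# (JFFS custom scripts must be enabled). Not the thread author's script.
# Assumed placeholders: main LAN bridge br0, IoT VLAN bridge br52,
# Home Assistant host 192.168.50.10. Adjust to your own network.

MAIN_IF="${MAIN_IF:-br0}"
IOT_IF="${IOT_IF:-br52}"
HA_IP="${HA_IP:-192.168.50.10}"
CHAIN="HA_IOT"
# Set IPT="echo iptables" to preview the rules instead of applying them.
IPT="${IPT:-iptables}"

# Emit the rules in order, one iptables argument list per line.
iot_rules() {
    # Replies to connections the main LAN opened may return (stateful one-way access).
    printf '%s\n' "-A $CHAIN -i $IOT_IF -o $MAIN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the Home Assistant host may open connections into the IoT VLAN.
    printf '%s\n' "-A $CHAIN -i $MAIN_IF -o $IOT_IF -s $HA_IP -j ACCEPT"
    # Every other packet between the two bridges is dropped, in both directions.
    printf '%s\n' "-A $CHAIN -i $IOT_IF -o $MAIN_IF -j DROP"
    printf '%s\n' "-A $CHAIN -i $MAIN_IF -o $IOT_IF -j DROP"
    # Traffic not between these two bridges (e.g. to the WAN) falls through to the stock rules.
    printf '%s\n' "-A $CHAIN -j RETURN"
}

apply_iot_rules() {
    # Rebuild the chain on every firewall restart so rules are never duplicated.
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"
    iot_rules | while IFS= read -r rule; do
        # Word splitting of $rule into separate arguments is intended here.
        $IPT $rule
    done
    # Jump into the chain ahead of the firmware's own FORWARD rules, once.
    $IPT -C FORWARD -j "$CHAIN" 2>/dev/null || $IPT -I FORWARD 1 -j "$CHAIN"
}

# Apply only when run as the firewall-start hook, not when sourced for inspection.
case "${0##*/}" in
    firewall-start) apply_iot_rules ;;
esac
```

Verify afterwards with iptables -L HA_IOT -v -n and confirm the chain's DROP counters grow when an IoT device tries to reach the main LAN.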
 
