RT-AX88U : VLAN Tagged setup (ethctl news ?)

[Quentin Dumay]

Hello,

I'm struggling with the setup of my new router RT-AX88U :
I need to setup a VLAN 100 tagged for my IPTV box to work (free, french ISP).

I've been looking for information about the possibilities and found a few facts :
- No GUI support of tagged VLANs (AsusWRT nor Merlin)
- Different switch on AX88 (as for AC86) => No robocfg
- The solution is probably related to ethctl/vlanctl tools
- Most of the posts are a bit dated (2017-2018)
- Except this one related to AC86 https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/

So,
- Does anybody has some news about the way to easily set up VLANs with ethctl ? Master @RMerlin ?
- Is there any other way ?
- If not available now do you think it will be soon...
- ... Or do I need to return this router and buy another one (with robocfg enabled or maybe a nighthawk) ?

Thank you very much

 

[Soul_]

I am just as interested in this item. Any news on vlanctl/ethctl?

 

[Jeffrey Young]

Have you seen this thread;

https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/

 

[amplatfus]

Hi,

I have found this info and I think maybe it wil be helpfull:

No robocfg?
The first problem is that robocfg is no more provided on AX88U (Broadcom’s HND platform). An alternative to robocfg on HND platform seems to be vlanctl2. However, after several hours of searching, trying and error, I believe vlanctl can only create tagged VLAN, which unfortunately can’t satisfy my need.

Source:
LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16
Approach with Separate Bridge

LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16

Although there is no more robocfg command on HND platform and Asuswrt-Merlin lacks GUI support on creating VLAN, port-based VLANs (or static VLAN) can still be achieved by separating ethernet interfaces into isolated bridges and applying firewall (ebtables or iptables) rules.

wu.renjie.im

Good luck!

 

[Jeffrey Young]

@amplatfus thank you for the great article.

Slow but sure, we will get the 86u and 88u figured out with the vlans.

 

[Quentin Dumay]

Hi,

I have found this info and ai think maybe it wil be helpfull:

No robocfg?
The first problem is that robocfg is no more provided on AX88U (Broadcom’s HND platform). An alternative to robocfg on HND platform seems to be vlanctl2. However, after several hours of searching, trying and error, I believe vlanctl can only create tagged VLAN, which unfortunately can’t satisfy my need.

Source:
LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16
Approach with Separate Bridge

LAN port isolation (port-based VLAN) on ASUS RT-AX88U with Asuswrt-Merlin 384.16

Although there is no more robocfg command on HND platform and Asuswrt-Merlin lacks GUI support on creating VLAN, port-based VLANs (or static VLAN) can still be achieved by separating ethernet interfaces into isolated bridges and applying firewall (ebtables or iptables) rules.

wu.renjie.im

Good luck!

Thanks a lot for this article
Very helpful indeed !

Some breaktroughts have also been made on the other thread https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/
But I didn't manage to make it work so far.

I'm not good enough in networks to find the good configuration for my situation but hopefully we will get there

 

[Quentin Dumay]

@amplatfus thank you for the great article.

Slow but sure, we will get the 86u and 88u figured out with the vlans.

Hopefully

 

[amplatfus]

Hi,

I tried to implement on a AX88U. All are fine, but it seems that part of sites are not loading.
Using the scripts from LAN port isolation (port-based VLAN) from the link I posted above. I am on 384.19 with pppoe connection.
With Android as secondary WAN is working fine, same scripts. Only on pppoe is happening, only some sites affected. One of them is page from 104.17.78.107. Please find below tests, syslog of dhcp and 2 screenshots, one with page loading on br0 and another one with br1.

Spoiler: traceroute 104.17.78.107

br0
root@linux:~# traceroute 104.17.78.107
traceroute to 104.17.78.107 (104.17.78.107), 30 hops max, 60 byte packets
1 RT-AX88U-0EB0 (192.168.50.1) 0.809 ms 0.796 ms 0.792 ms
2 10.0.0.1 (10.0.0.1) 2.559 ms 2.552 ms 2.533 ms
3 10.30.1.81 (10.30.1.81) 2.592 ms 2.576 ms 2.574 ms
4 10.220.142.125 (10.220.142.125) 18.898 ms 10.220.142.129 (10.220.142.129) 18.874 ms 10.220.142.127 (10.220.142.127) 18.875 ms
5 86-120-70-185.rdsnet.ro (86.120.70.185) 4.190 ms 4.174 ms 4.654 ms
6 104.17.78.107 (104.17.78.107) 3.533 ms 2.644 ms 2.592 ms

br1
root@linux:~# traceroute 104.17.78.107
traceroute to 104.17.78.107 (104.17.78.107), 30 hops max, 60 byte packets
1 192.168.150.1 (192.168.150.1) 0.757 ms 0.727 ms 0.712 ms
2 10.0.0.1 (10.0.0.1) 2.153 ms 2.134 ms 2.116 ms
3 10.30.1.81 (10.30.1.81) 2.971 ms 2.927 ms 2.909 ms
4 10.220.149.25 (10.220.149.25) 2.866 ms 2.849 ms 10.220.142.125 (10.220.142.125) 3.424 ms
5 86-120-70-185.rdsnet.ro (86.120.70.185) 3.417 ms 4.169 ms 4.128 ms
6 104.17.78.107 (104.17.78.107) 3.291 ms 2.977 ms 2.954 ms

disable iptables
ASUSWRT-Merlin RT-AX88U 384.19_0 Fri Aug 14 19:20:07 UTC 2020
admin@RT-AX88U-0EB0:/tmp/home/root# # Flush all rules
admin@RT-AX88U-0EB0:/tmp/home/root# iptables -F
admin@RT-AX88U-0EB0:/tmp/home/root# # Set all chains' policy to ACCEPT
admin@RT-AX88U-0EB0:/tmp/home/root# iptables -P INPUT ACCEPT
admin@RT-AX88U-0EB0:/tmp/home/root# iptables -P FORWARD ACCEPT
admin@RT-AX88U-0EB0:/tmp/home/root# iptables -P OUTPUT ACCEPT
admin@RT-AX88U-0EB0:/tmp/home/root# exit
admin@RT-AX88U-0EB0:/tmp/home/root# exit
ASUSWRT-Merlin RT-AX88U 384.19_0 Fri Aug 14 19:20:07 UTC 2020
admin@RT-AX88U-0EB0:/tmp/home/root# service restart_dnsmasq
Done.
admin@RT-AX88U-0EB0:/tmp/home/root# service restart_firewall
Done.
Connection to 192.168.50.1 closed.
root@linux:~# traceroute 104.17.78.107
traceroute to 104.17.78.107 (104.17.78.107), 30 hops max, 60 byte packets
1 RT-AX88U-0EB0 (192.168.50.1) 0.680 ms 0.639 ms 0.615 ms
2 10.0.0.1 (10.0.0.1) 2.542 ms 2.514 ms 2.485 ms
3 10.30.1.81 (10.30.1.81) 2.464 ms 2.450 ms 2.415 ms
4 10.220.149.25 (10.220.149.25) 3.153 ms 3.124 ms 3.106 ms
5 86-120-70-185.rdsnet.ro (86.120.70.185) 3.710 ms 3.695 ms 3.662 ms
6 104.17.78.107 (104.17.78.107) 2.978 ms 3.187 ms 3.151 ms
root@linux:~# traceroute 104.17.78.107
traceroute to 104.17.78.107 (104.17.78.107), 30 hops max, 60 byte packets
1 192.168.150.1 (192.168.150.1) 0.756 ms 0.724 ms 0.688 ms
2 10.0.0.1 (10.0.0.1) 2.243 ms 2.228 ms 2.213 ms
3 172.19.213.33 (172.19.213.33) 2.800 ms 14.441 ms 14.403 ms
4 10.220.142.133 (10.220.142.133) 3.309 ms 10.220.142.135 (10.220.142.135) 3.282 ms 3.241 ms
5 86-120-70-185.rdsnet.ro (86.120.70.185) 4.467 ms 4.420 ms 4.382 ms
6 104.17.78.107 (104.17.78.107) 3.072 ms 2.758 ms 2.724 ms

Spoiler: syslog

Sep 24 11:23:31 ntpd: Initial clock set
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 available DHCP range: 192.168.150.2 -- 192.168.150.254
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 client provides name: porteus
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 DHCPDISCOVER(br1) 172.16.0.247 5c:26:0a:5a:3b:b4
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 tags: br1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 DHCPOFFER(br1) 192.168.150.199 5c:26:0a:5a:3b:b4
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 15:domain-name, 6:dns-server, 12:hostname,
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 121:classless-static-route, 249, 33:static-route,
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 252, 42:ntp-server, 17:root-path
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 next server: 192.168.150.1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 1 option: 53 message-type 2
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 54 server-identifier 192.168.150.1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 51 lease-time 1d
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 58 T1 12h
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 59 T2 21h
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 1 netmask 255.255.255.0
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 28 broadcast 192.168.150.255
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 8 option: 6 dns-server 8.8.8.8, 8.8.4.4
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 3 router 192.168.150.1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 available DHCP range: 192.168.150.2 -- 192.168.150.254
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 client provides name: porteus
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 DHCPREQUEST(br1) 192.168.150.199 5c:26:0a:5a:3b:b4
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 tags: br1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 DHCPACK(br1) 192.168.150.199 5c:26:0a:5a:3b:b4 porteus
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 15:domain-name, 6:dns-server, 12:hostname,
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 121:classless-static-route, 249, 33:static-route,
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 requested options: 252, 42:ntp-server, 17:root-path
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 next server: 192.168.150.1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 1 option: 53 message-type 5
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 54 server-identifier 192.168.150.1
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 51 lease-time 1d
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 58 T1 12h
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 59 T2 21h
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 1 netmask 255.255.255.0
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 28 broadcast 192.168.150.255
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 7 option: 12 hostname porteus
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 8 option: 6 dns-server 8.8.8.8, 8.8.4.4
Sep 24 13:04:02 dnsmasq-dhcp[8902]: 3628969524 sent size: 4 option: 3 router 192.168.150.1

I kindly ask for support in this matter. I will also search in the meantime and I will post updates or the working sollution in my case.

Thank you,
amplatfus

 

[Kanji-San]

This blog might be helpful.

 

[amplatfus]

Thanks very much for reply.
From that source I started (I found very good too, and I was very happy). Very good source, but it seems that because I am using pppoe, and is not fully working. It seems that I have to change more than the interface name.
As I mention, on secondary WAN (Android, tethering USB), is working very well.
I do not know if it matters or not, but on PPPoE I have public IP and I am behind a Gpon in bridge mode, on the other hand, Android it without direct public IP.

So, the ride to find the cause and eventually the fix continues. Any further help would be greatly appreciate. If I will find, I will share here too.
Thank you,
amplatfus

 

[amplatfus]

Hi,

As I said,....now I have some news from the author of that post:

Renjie Wu reply:
"The log seems fine, traceroute looks normal, which mean there is no routing issue. Also the round trip time (RTT) in traceroute result shows ICMP works well, which means there is no connection issue with the remote server.
However from the screenshot, it seems that the remote server resets the HTTP connection (note this is different from simply timeout). I'm not sure what's wrong with this."

Thank you, Renjie Wu
Source: LAN port isolation (port-based VLAN) on ASUS RT-AX88U by Renjie Wu and comments

Stiill searching....
Thanks,
amplatfus

 

[amplatfus]

Hi again,

I have something new in the meantime.
With some big extra help from another passionate guy, I discovered using Wireshark this is the pattern for not loading sites:

client hello = ok
server respond with ack
server hello = NOTHING AT ALL,no response

So the problem is not related to DHCP, DNS or NAT. Maybe to a a forward rule or...? Or a port to be configured?
Only some sites are not working as I sad. Still investigating. I am thankful to all the help received into solving this.

Thank you!

 

[amplatfus]

Hi again,

As I promised, I post because I have some feedback regarding PPPoE configuration for br1 in order to have all sites working.
To conclude: is working in my case too with WAN on eth0, also, on usb (Android PIE) and without any change, on PPPoE not all sites. (only ppoe changed thanks as per articol suggestion).
And, now, after apply bellow, is working too with PPPoE, but I have'n identify what have to be done to fix it, without deleting all.

So if you have any idea, please share it.

Thank you very much!
Gabriel

Below is the firewall-start tested, nothing else changed, and PPPoE started to work for all sites:

#(1)#####1ST WORKING after below Source: https://linuxlasse.net/linux/howtos/Iptables_with_PPPoE

## FLUSHING / CLEANING UP EARLIER RULES
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F
iptables --delete-chain
iptables -F

## RULES
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

## ENABLE MASQUERADE AND FORWARDING
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## ENABLE THE TCP MSS, BECAUSE OF ADSL ICKY-NESS
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

## ALLOW TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#(1)#####1ST WORKING after run this

 

[amplatfus]

Hi again,

As I promiced, I post now to share with you that I have found the sollution. #happy
The problem was that some sites were not loading. Mainly the problem was on communication on TLS 443 with NAT Ports >50k.
But what was strange, some sites were working on the same context, only on PPPoE (ppp0) interface. Other interfces were working without any change, using only the scripts posted on LAN port isolation (port-based VLAN) on ASUS RT-AX88U by Renjie Wu .
For not working sites, on ppp0 interface the journey was something like:

client = hellow
server respond with ack
server hellow = missing

Mainly I had to add this 3 lines to initial code shared in the best article on this topic shared in few post earlier in this thread.

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -D POSTROUTING -s default_router_ip -o internet_interface -j SNAT --to 0.0.0.0
iptables -t nat -I POSTROUTING -s default_router_ip  -o internet_interface -j SNAT --to 0.0.0.0

I am grateful for all help and ideas received regarding this topic, to developers and this community.
More detailes abtout this on initial article and in the comments section:
Renjie Wu blog

Maybe it will help others too in the same situation.
Thank you.

All the best,
amplatfus