SSID to VLAN only works with open authentication


RadioactiveToy

Occasional Visitor
Hi,

I am trying to tag VLAN traffic for the guest networks. I have found several threads and I think my config is correct, but it's only working if the WiFi guest network is open; once I set it to WPA2, clients cannot authenticate.

The config is:
robocfg vlan 1 ports "2 3 4 5t"
robocfg vlan 11 ports "1t 5t"
vconfig add eth0 11
ifconfig vlan11 up

brctl delif br0 wl0.1
brctl delif br0 wl1.1

brctl addbr br1
brctl addif br0 vlan11
brctl addif br0 wl0.1
brctl addif br0 wl1.1

ifconfig br1 192.168.11.2 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan11 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit

killall eapd
eapd

So I have the following:
admin@RT-AC68U-EC58:/tmp/home/root# robocfg show
Switch: enabled
Port 0: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:e0:67:12:10:32
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:e0:67:12:10:31
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:9e:c8:95:a4:d8
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4 5t
2: vlan2: 5t
11: vlan11: 1t 5t
56: vlan56: 3 4t 8t
57: vlan57: 0t 1t 3 7
58: vlan58: 0 1 3 5t 8u
59: vlan59: 3t 5t 7 8t
60: vlan60: 0 8t
61: vlan61: 4t 5t
62: vlan62: 0t 3t 4 8u

admin@RT-AC68U-EC58:/tmp/home/root# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.ac9e177eec58 no vlan1
eth1
eth2
br1 8000.ac9e177eec58 no wl0.1
vlan11
wl1.1

Can anyone help me see why wireless authentication is not working with this config?
Thanks!
 
Have you had a look at YazFi yet?
 
Yes, I took a look at the code and it seemed it's not exactly what I needed; it looks like it is not doing VLAN tagging, am I wrong?

Thanks!
Post this exact question in @Jack Yaz's forum thread for YazFi; he is very good!!
 
Yes, I took a look at the code and it seemed it's not exactly what I needed; it looks like it is not doing VLAN tagging, am I wrong?

Thanks!
Correct, I don't use vlans due to them being messy across the various asus models.

What is your end objective with the guests?
 
I am trying to tag VLAN traffic for the guest networks. I have found several threads and I think my config is correct, but it's only working if the WiFi guest network is open; once I set it to WPA2, clients cannot authenticate.
Can anyone help me see why wireless authentication is not working with this config?

Shouldn't the following use 'br1' rather than 'br0'?
Code:
brctl addif br0 vlan11
brctl addif br0 wl0.1
brctl addif br0 wl1.1

P.S. My script creates Guest VLAN bridges

Code:
VER="v1.09"
#============================================================================== © 2016-2019 Martineau, v01.09
#
# Configure a WiFi interface to use a VPN Client connection (called from 'vpnclientX-route-up)
#
#          WiFiVPN     [ {'help'} | {'-h'} | status | diag]
#                      { wifi_interface | ssid [ vpn_number | 'del' | 'status'] }  ['nodns'] ['autodnsmasq'] ['nobridge']
#                      ['openlan'] ['novpn'] ['vlan'{X} [notag]] ['debug'] ['brctlopt'] ['join']
#                      ['lanip='lan_ip[,...]] ['pinhole='lan_ip[:port[:'tcp'|'udp'[:'src'|'dst']][,...]] [log]
# e.g.
#          WiFiVPN
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     wl0.2 1
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS
#          WiFiVPN     wl0.2 del
#                      Guest 2.4Ghz #2 (wl0.2) is reset to use the WAN rather than the VPN
#          WiFiVPN     wl0.2 nodns
#                      Guest 2.4Ghz #2 (wl0.2) is forced to use VPN Client 1 using bridge 1 (br1) and uses router DNS.
#          WifiVPN     wl1.3 status
#                      Guest 5Ghz #3 (wl1.3) config is listed in detail.
#          WiFiVPN     br2g24 5
#                      Guest SSID 'br2g24' (could be 2.4GHz Wifi Guest #2!?) is forced to use VPN Client 5 using bridge 5 (br5) and forces VPN 5 DNS
#          WiFiVPN     eth1 1 log
#                      2.4Ghz WiFi network (eth1) is forced to use VPN Client 1 using bridge 1 (br1) and forces VPN 1 DNS,
#                      but ACCEPT/DROP replaced by logaccept/logaccept for diagnostic tracking in Syslog.
#          WiFiVPN     eth2 2
#                      5Ghz WiFi network (eth2) is forced to use VPN Client 2 using bridge 2 (br2) and forces VPN 2 DNS
#          WiFiVPN     wl1.2 2 lanip=10.88.8.131,10.88.8.99:161 pinhole=10.88.8.111:3030:udp:src
#                      Guest 5Ghz #2 (wl1.2) is forced to use VPN Client 2, and bridge 2 (br2) has full access to LAN device 10.88.8.131,
#                      and Port 161 on LAN device 10.88.8.99. Also LAN device 10.88.8.111 with source Port 3030 can access the VPN bridge.
#          WiFiVPN     status
#                      List ALL WiFi interfaces and associated VPN bridges.
#          WiFiVPN     diag
#                      List ALL WiFi interfaces and associated VPN bridges. Prompts to delete/show config.
#          WiFiVPN     wl1.2 novpn
#                      Guest 5Ghz #2 (wl1.2) will be created on next available bridge, and will explicitly use the WAN
#          WiFiVPN     wl1.2 novpn vlan4
#                      Guest 5Ghz #2 (wl1.2) will be created on next available bridge, and will explicitly use the WAN, also
#                      Switch tagged (trunk) Port 4 (br40) will be attached to the WiFi bridge.
#          WiFiVPN     wl1.3 novpn vlan4 notag
#                      Guest 5Ghz #3 (wl1.3) will be created on next available bridge, and will explicitly use the WAN, also
#                      Switch un-tagged Port 4 (br40) will be attached to the WiFi bridge.


If you want to give it a try I will PM you the link

 
Shouldn't the following use 'br1' rather than 'br0'?
Code:
brctl addif br0 vlan11
brctl addif br0 wl0.1
brctl addif br0 wl1.1

Yes, that's wrong, but I have it configured on br1.


I am sending you a PM. I somehow made it work but I cannot reproduce it.

Thanks!
 
It's really strange. I rebooted the AP and configured the first guest network on vlan11:

Code:
robocfg vlan 1 ports "2 3 4 5t"
robocfg vlan 11 ports "1t 5t"
vconfig add eth0 11
ifconfig vlan11 up

brctl delif br0 wl0.1
brctl delif br0 wl1.1

brctl addbr br1
brctl addif br1 vlan11
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 192.168.11.2 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan11 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd


This works OK: I can connect to the first guest network and the traffic is tagged correctly.
Then I configure a second guest network on vlan12. I don't want an IP address on the bridge; it should not be needed...

Code:
robocfg vlan 12 ports "1t 5t"
vconfig add eth0 12
ifconfig vlan12 up

brctl delif br0 wl0.2

brctl addbr br2
brctl addif br2 vlan12
brctl addif br2 wl0.2

nvram set lan1_ifnames="vlan12 wl0.2"
nvram set lan1_ifname="br2"

nvram commit
killall eapd
eapd

And on this SSID, authentication is not working unless it's open! Does anyone know why this could be happening?

Thanks
 
OK, it works. Silly mistake: I forgot to bring up the br2 interface. An IP address on the br interface is not needed. For reference, in case anyone needs a similar setup: switch port 1 has tagged VLANs 11 and 12 for insecure devices and guest (2.4 GHz only) WiFi. Ports 2, 3 and 4 are untagged VLAN 1 for the LAN devices and WiFi.

Code:
# Free switch port 1 and remove guest wifi from br0
robocfg vlan 1 ports "2 3 4 5t"
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

# Insecure devices wifi
# vlan 11 setup
robocfg vlan 11 ports "1t 5t"
vconfig add eth0 11
ifconfig vlan11 up

# br1 setup
brctl addbr br1
brctl addif br1 vlan11
brctl addif br1 wl0.1
brctl addif br1 wl1.1

#ifconfig br1 192.168.11.2 netmask 255.255.255.0
ifconfig br1 up

#  nvram config
nvram set lan1_ifnames="vlan11 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram commit

killall eapd
eapd

# Guest Wifi setup
# Setup vlan 12
robocfg vlan 12 ports "1t 5t"
vconfig add eth0 12
ifconfig vlan12 up

# Setup br2
brctl addbr br2
brctl addif br2 vlan12
brctl addif br2 wl0.2
ifconfig br2 up

#  nvram config
nvram set lan2_ifnames="vlan12 wl0.2"
nvram set lan2_ifname="br2"
nvram commit

killall eapd
eapd

Thanks to @Martineau , his script helped me a lot to solve this.
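The fault in this thread (a guest bridge that was never brought up, and in the intermediate attempt the lan1_* nvram entries being reused for the second bridge) is easy to miss by eye. The following is an added example, not code from the thread, from YazFi or from Martineau's script: a small shell checker that parses `brctl show` output, a list of UP interfaces and an nvram dump, and reports guest radios left in br0, guest bridges that are down, and bridges whose nvram lanN_ifnames does not match their real membership (eapd builds its WPA state from those nvram values). The interface naming (guest radios wl[01].[1-9], bridges described by lanN_ifname/lanN_ifnames) is taken from the working configuration above; the sample inputs are constructed to mirror the working and the broken states from the posts.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity check for guest-VLAN
# bridges on an Asuswrt-style router. Inputs are plain text so the check can
# run against constructed samples here and against real command output on
# the router. Assumption: guest radios are named wl[01].[1-9] and every
# guest bridge brN is described by nvram lanN_ifname / lanN_ifnames.

# Turn `brctl show` output into "bridge member" pairs, one per line.
# brctl prints the second and later members of a bridge on their own lines.
parse_brctl() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # column header
        NF >= 4 { br = $1; print br, $4; next }   # bridge line with first member
        NF == 3 { br = $1; next }                 # bridge with no members
        NF == 1 { print br, $1 }                  # continuation member
    '
}

# check_guest_bridges BRCTL_OUTPUT UP_IFACES NVRAM_LINES
# Prints one line per problem and returns 0 when clean, 1 otherwise.
check_guest_bridges() {
    pairs=$(parse_brctl "$1"); up=$2; nv=$3; rc=0

    # A guest radio still in br0 is on the main LAN, whatever the VLAN setup says.
    for m in $(printf '%s\n' "$pairs" | awk '$1 == "br0" && $2 ~ /^wl[01]\.[1-9]$/ { print $2 }'); do
        echo "guest radio $m is still a member of br0"; rc=1
    done

    for br in $(printf '%s\n' "$pairs" | awk '$2 ~ /^wl[01]\.[1-9]$/ { print $1 }' | LC_ALL=C sort -u); do
        [ "$br" = br0 ] && continue
        # The mistake fixed in the last post: bridge created but never brought up.
        printf '%s\n' "$up" | grep -qx "$br" || { echo "$br is not UP (ifconfig $br up)"; rc=1; }

        # eapd reads lanN_ifname / lanN_ifnames, so they must describe this bridge.
        want=$(printf '%s\n' "$pairs" | awk -v b="$br" '$1 == b { print $2 }' | LC_ALL=C sort | tr '\n' ' ')
        idx=$(printf '%s\n' "$nv" | sed -n "s/^lan\([0-9][0-9]*\)_ifname=$br\$/\1/p")
        if [ -z "$idx" ]; then
            echo "no lanN_ifname=$br in nvram, eapd will not serve this bridge"; rc=1; continue
        fi
        have=$(printf '%s\n' "$nv" | sed -n "s/^lan${idx}_ifnames=//p" | tr ' ' '\n' | LC_ALL=C sort | tr '\n' ' ')
        [ "$want" = "$have" ] || { echo "lan${idx}_ifnames='$have' does not match $br members '$want'"; rc=1; }
    done
    return $rc
}

# Constructed sample: the working state from the last post.
BRCTL_OK='bridge name bridge id STP enabled interfaces
br0 8000.ac9e177eec58 no vlan1
 eth1
 eth2
br1 8000.ac9e177eec58 no vlan11
 wl0.1
 wl1.1
br2 8000.ac9e177eec58 no vlan12
 wl0.2'
UP_OK='lo
eth0
eth1
eth2
vlan1
vlan11
vlan12
br0
br1
br2
wl0.1
wl0.2
wl1.1'
NVRAM_OK='lan_ifname=br0
lan_ifnames=vlan1 eth1 eth2
lan1_ifname=br1
lan1_ifnames=vlan11 wl0.1 wl1.1
lan2_ifname=br2
lan2_ifnames=vlan12 wl0.2'

# Constructed sample: the broken intermediate state from the earlier post.
# br2 was never brought up, and lan1_* was reused for br2, so br1 lost its entry.
BRCTL_BAD=$BRCTL_OK
UP_BAD=$(printf '%s\n' "$UP_OK" | grep -vx br2)
NVRAM_BAD='lan_ifname=br0
lan_ifnames=vlan1 eth1 eth2
lan1_ifname=br2
lan1_ifnames=vlan12 wl0.2'

# Stand-alone run: the good sample prints "clean", the bad one lists two faults.
echo "== working configuration =="
check_guest_bridges "$BRCTL_OK" "$UP_OK" "$NVRAM_OK" && echo clean
echo "== broken intermediate configuration =="
check_guest_bridges "$BRCTL_BAD" "$UP_BAD" "$NVRAM_BAD" || echo "rc=$?"
```

On the router itself the same function can be fed live data, assuming the stock busybox tools: `check_guest_bridges "$(brctl show)" "$(ifconfig | awk '/^[a-z]/ { print $1 }')" "$(nvram show 2>/dev/null | grep '^lan')"` (`ifconfig` without `-a` lists only UP interfaces). Running it after the `nvram commit` and before restarting eapd catches exactly the two mistakes made in this thread.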
 