SSID to VLAN

Discussion in 'Asuswrt-Merlin' started by User774, Jun 1, 2015.

  1. User774

    User774 New Around Here

    Joined:
    Jun 1, 2015
    Messages:
    5
    Hello!

    Model: Asus RT-AC56U
    Firmware: 378.53 (AsusWRT-Merlin)

    Some default configs:
    Code:
    lanports=0 1 2 3
    wanports=4
    landevs=vlan1 wl0 wl1
    vlan1hwname=et0
    vlan1ports=0 1 2 3 5*
    vlan2hwname=et0
    vlan2ports=4 5u
    I'm trying to build a professional home network =D (to learn)
    I'm new to AsusWRT, Merlin, DD-WRT, etc...
    I spent some days reading a lot and learning all that I can.

    I liked the AsusWRT-Merlin (from lostrealm.ca), because I can use some features like Trend Virtual Patch/AD block, and some new options/features provided by Merlin custom firmware.

    But I'm confused whether management via the shell is allowed.

    Basically, I wish:
    • Ports 0 and 1 (LAN 1 and 2) as VLAN1 (as the default configuration) - I will not use these ports
    • Port 2 (LAN3) as VLAN9
    • Create a Wireless for guest, VLAN 8
    • Port 3 (LAN4) in trunk (receive tagged packets from VLAN1, 9 and 8), I'll connect a UTM/FW to act as the FW, gateway, DHCP server, etc.. (the WAN will be connected to this UTM/FW)

    But before the hard work, I tried to create a small/simplest test environment to check if this firmware will allow me to do what I need.
    Small test:
    • Create a Guest network and bridge to a VLAN with one switch's port
    • This VLAN isn't allowed to access the other VLANs
    • The RT-AC56U will be connected with port 3 (LAN4) to a notebook
    • After testing the wired part, I'll disconnect the ethernet cable and use the wireless of this notebook to test the Guest network
    • The UTM/FW isn't present at the test environment (just the RT-AC56U and a notebook).

    What I did:
    1. Upgraded to the latest version of AsusWRT, then reset the configuration to defaults
    2. Upgraded to the latest version of AsusWRT-Merlin (378.53), then reset the configuration to defaults
    3. Disabled the "JFFS"
    4. Using the web interface, created a "Guest Network" (wireless) - wl0.1
    5. Then via SSH:
      Code:
      # Remove port 3 from VLAN1
      robocfg vlan 1 ports "0 1 2 5t"
      # Create VLAN9, and add port 3
      robocfg vlan 9 ports "3 5t"
      # Remove wl0.1 (the guest network) from br0
      brctl delif br0 wl0.1
      # up interface vlan9
      ifconfig vlan9 up
      # create br9
      brctl addbr br9
      # enable stp
      brctl stp br9 on
      # add vlan9 to br9
      brctl addif br9 vlan9
      # add wl0.1 to br9
      brctl addif br9 wl0.1
      # up interface
      ifconfig br9 up
      # Cleanup (removed the wl0.1 from "lan_ifnames")
      nvram set lan_ifnames="vlan1 eth1 eth2"
      # Created lan9_ifnames
      nvram set lan9_ifnames="vlan9 wl0.1"
      nvram set lan9_ifname="br9"
      # Mapped vlan9ports
      nvram set vlan9ports="3 5t"
      nvram set vlan9hwname=et0
      # Commit
      nvram commit
      # Configured an IP address to the bridge
      ifconfig br9 10.0.0.1 netmask 255.255.255.0 up
    6. At this point, I can see:
      - 2 bridges, br0 and br9 (brctl show)
      - Port 3 (LAN4) is on VLAN 9 (robocfg show)
      - Interfaces vlan9, br9 and wl0.1 are up (ifconfig)

    7. If I try to connect to the Guest wireless, I get a "Time out" error (sometimes "Wrong password", but wl0.1_wpa_psk reports the correct password..)

    8. I tried to manually configure the IP address 10.0.0.9/24 on my notebook (because DHCP isn't configured..), but the problem persists.

    9. For the wired part, I configured an IP on my notebook and pinged 10.0.0.1, but got no response

    10. I ran "iptables -F" to check if iptables was blocking something, but it didn't work

    11. If I reboot the router, all changes are lost.

    Just to check, am I doing something wrong?
     
  2. coldwizard

    coldwizard Regular Contributor

    Joined:
    Apr 17, 2014
    Messages:
    179
    I suspect at your point 7 connecting to the SSID will work only when using no security.

    I suggest you change this ....
    # Created lan9_ifnames
    nvram set lan9_ifnames="vlan9 wl0.1"
    nvram set lan9_ifname="br9"

    to the lower number 1 since eapd may not look as high as 9 (or may not like skipping numbers).
    # Created lan1_ifnames
    nvram set lan1_ifnames="vlan9 wl0.1"
    nvram set lan1_ifname="br9"

    Then you need to stop/restart the eapd process so it reads the new nvram names and gets security to work on the WiFi.

    # restart eapd
    killall eapd
    eapd

    See thread
    http://www.snbforums.com/threads/ac56u-how-to-add-bridges-with-dhcp-servers.20326/
     
  3. ASAT

    ASAT Senior Member

    Joined:
    Jun 5, 2015
    Messages:
    223
    why eapd?
     
  4. Gorsha

    Gorsha New Around Here

    Joined:
    Jul 4, 2015
    Messages:
    2
    Hello everybody.

    I'm also looking for a solution to have an additional Wi-fi network on RT-AC68U for an IPTV connection (VLAN 3999). Because of multicast, the solution is to completely separate this network from the LAN (VLAN 5). I'm running Asuswrt-merlin 378.54_2.

    I'm experiencing the same problem as others - if I enable the guest network (wl0.1) and add it to another bridge (br1), then with WPA2 security the Wi-fi connection doesn't work - my PC can't connect to either Wi-fi network.

    I've tried this command, according to a few posts here on this forum, but with no success:
    Code:
    nvram set lan_ifnames="vlan5 eth1 eth2"
    nvram set lan_ifname="br0"
    
    nvram set lan1_ifnames="vlan3999 wl0.1"
    nvram set lan1_ifname="br1"
    nvram commit
    
    killall eapd
    eapd
    I have encountered the same problems using Tomato Shibby firmware.

    Looking at the source code for eapd, each interface should be configured at eapd startup (autoconfig) if set in the ifnames variable, but it's hard to know whether this configuration is done correctly or not.

    I've been trying to recompile eapd from source code (Asuswrt -> eapd-arm-10) with debugging enabled, so I could have some insight into what is happening, but so far I haven't had success compiling the firmware.

    If anyone has some ideas about this, I would be very grateful.
     
  5. starfall

    starfall Occasional Visitor

    Joined:
    Nov 4, 2014
    Messages:
    19
    It works! WPA2 is working on the guest VLAN setup. I'm over the moon. Here is my services-start script in case somebody wants to use it -

    Code:
    #!/bin/sh
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    
    robocfg vlan 9 ports "4t 5t"
    vconfig add eth0 9
    ifconfig vlan9 up
    
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    brctl delif br0 wl1.1
    brctl addif br1 wl1.1
    brctl addif br1 vlan9
    #ifconfig br1 192.168.9.254 netmask 255.255.255.0
    ifconfig br1 up
    
    nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
    nvram set lan_ifname="br0"
    
    nvram set lan1_ifnames="vlan9 wl0.1 wl1.1"
    nvram set lan1_ifname="br1"
    
    nvram commit
    killall eapd
    eapd
    
    My AC68U (running 378.54_2) is in AP mode as I'm using a pfSense HA cluster as the router. However, I suggest using a local IP on the AP first to test the client (i.e. uncomment the ifconfig line). Also, remember to set up DHCP on the guest VLAN, or else test it with a static IP on the client.

    EDIT: Just to clarify, I have a switch connected to the AC68U, and it is on port 4. I've left the normal LAN VLAN untagged, and only tagged the new guest VLAN as VLAN 9, hence, " 4t 5t". Port 5 is of course the internal interface of the ASUS.
     
    Last edited: Jul 8, 2015
  6. Gorsha

    Gorsha New Around Here

    Joined:
    Jul 4, 2015
    Messages:
    2
    I can confirm that this also works for me on AC68U (378.54_2). It seems I missed something in my previous attempts. Now I can unleash full power of the router, thanks to Merlin's firmware.
    Thanks!
     
  7. net101

    net101 Occasional Visitor

    Joined:
    Sep 10, 2013
    Messages:
    15
    Here's my script. It still doesn't work for me. What am I doing wrong? How can I get more information to diagnose the issue?

    Code:
    #!/bin/ash
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    rm /tmp/000services-start
    
    robocfg vlan 1 ports "0t 1 5t"
    robocfg vlan 26 ports "0t 2 3 4 5t"
    robocfg vlan 27 ports "0t 5t"
    
    vconfig add eth0 26
    ifconfig vlan26 up
    
    vconfig add eth0 27
    ifconfig vlan27 up
    
    ifconfig br1 down
    brctl delbr br1
    brctl addbr br1
    
    ifconfig br2 down
    brctl delbr br2
    brctl addbr br2
    
    brctl delif br0 wl0.1
    brctl delif br0 wl1.1
    
    brctl delif br0 wl0.2
    brctl delif br0 wl1.2
    
    brctl addif br1 wl0.1
    brctl addif br1 wl1.1
    brctl addif br1 vlan26
    
    brctl addif br2 wl0.2
    brctl addif br2 wl1.2
    brctl addif br2 vlan27
    
    ifconfig br1 192.168.26.3 netmask 255.255.255.0
    ifconfig br1 up
    
    ifconfig br2 192.168.27.3 netmask 255.255.255.0
    ifconfig br2 up
    
    nvram set lan26_ifnames="vlan26 wl0.1 wl1.1"
    nvram set lan26_ifname="br1"
    
    nvram set lan27_ifnames="vlan27 wl0.2 wl1.2"
    nvram set lan27_ifname="br2"
    
    nvram commit
    
    killall eapd
    eapd
    
    touch /tmp/000services-start
     
  8. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,164
    Location:
    UK
    Line 1 contains a typo? ;)
     
  9. net101

    net101 Occasional Visitor

    Joined:
    Sep 10, 2013
    Messages:
    15
    Thanks (embarrassed!) but running the commands manually doesn't make it work either.

    I am using AP mode.

    Here is the output from the various commands:
    Code:
    [email protected]:/tmp/home/root# brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.10c37bXXXXXX       no              vlan1
                                                            eth1
                                                            eth2
    br1             8000.10c37bXXXXXX       no              wl0.1
                                                            wl1.1
                                                            vlan26
    br2             8000.10c37bXXXXXX       no              wl0.2
                                                            wl1.2
                                                            vlan27
    
    [email protected]:/tmp/home/root# robocfg show vlan
    Switch: enabled
    Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: f0:de:f1:f5:c0:d2
    Port 2:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
    Port 3:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
    Port 4:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
    Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    VLANs: BCM5301x enabled mac_check mac_hash
       1: vlan1: 0t 1 5t
       2: vlan2: 5t
      26: vlan26: 0t 2 3 4 5t
      27: vlan27: 0t 5t
      56: vlan56: 1t 2 4 5
      57: vlan57: 1t 2t 3t 4 7
      58: vlan58: 0t 8u
      59: vlan59: 0t 2t 4 8t
      60: vlan60: 0t 1t 2t 3
      61: vlan61: 1 2t 3t 4 7t 8u
      62: vlan62: 2t 7t
    
    [email protected]:/tmp/home/root# nvram show | grep ifnames
    size: 42544 bytes (22992 left)
    wl0_vifnames=wl0.1 wl0.2 wl0.3
    wl1_vifnames=wl1.1 wl1.2 wl1.3
    lan26_ifnames=vlan26 wl0.1 wl1.1
    dpsta_ifnames=
    lan_ifnames=vlan1 eth1 eth2 wl0.1 wl0.2 wl1.1 wl1.2
    lan27_ifnames=vlan27 wl0.2 wl1.2
    wan_ifnames=vlan2
    wl_ifnames=eth1 eth2
    wl_vifnames=wl0.1 wl0.2 wl0.3
    acs_ifnames=eth1 eth2
    
     
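    One way to get the diagnostic information asked for above: the added script below (mine, not code posted in this thread) parses saved "brctl show" and "robocfg show" output and checks that a guest interface sits in a bridge other than br0, that its vlanN interface is in that same bridge, and that the switch VLAN carries the CPU port tagged. The sample outputs are constructed from net101's post; the guest interface, VLAN id and CPU port number are arguments you supply for your model.

```shell
#!/bin/sh
# Added check (not code from this thread): parse 'brctl show' and 'robocfg
# show' output to confirm a guest SSID is isolated on its own VLAN/bridge.

# Constructed sample output, modelled on what net101 posted above.
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.10c37b000000       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.10c37b000000       no              wl0.1
                                                        wl1.1
                                                        vlan26'
ROBOCFG_SAMPLE='Switch: enabled
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0t 1 5t
   2: vlan2: 5t
  26: vlan26: 0t 2 3 4 5t'

# bridge_of IFACE BRCTL_OUTPUT -> name of the bridge holding IFACE, or nothing
bridge_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                  # header line
        NF >= 4 { br = $1; iface = $4 }   # first member of a bridge
        NF == 1 { iface = $1 }            # continuation line: another member
        iface == want { print br; exit }'
}

# vlan_ports VID ROBOCFG_OUTPUT -> port list of VLAN VID, e.g. "0t 2 3 4 5t"
vlan_ports() {
    printf '%s\n' "$2" | awk -v vid="$1" '
        $1 == (vid ":") { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# check_guest_vlan GUEST_IF VID CPU_PORT BRCTL_OUTPUT ROBOCFG_OUTPUT
# Passes (returns 0) only if GUEST_IF is in a bridge other than br0, the VLAN
# interface vlanVID is in that same bridge, and the switch VLAN VID carries
# the CPU port tagged (5t on the AC56U/AC68U, 8t on the N66U/AC66U).
check_guest_vlan() {
    guest=$1; vid=$2; cpu=$3
    br=$(bridge_of "$guest" "$4")
    [ -n "$br" ] || { echo "FAIL: $guest is not in any bridge"; return 1; }
    [ "$br" != br0 ] || { echo "FAIL: $guest is still in br0 (not isolated)"; return 1; }
    [ "$(bridge_of "vlan$vid" "$4")" = "$br" ] \
        || { echo "FAIL: vlan$vid is not a member of $br"; return 1; }
    ports=$(vlan_ports "$vid" "$5")
    [ -n "$ports" ] || { echo "FAIL: VLAN $vid is not defined in the switch"; return 1; }
    case " $ports " in
        *" ${cpu}t "*) ;;
        *) echo "FAIL: VLAN $vid does not carry CPU port $cpu tagged: $ports"; return 1 ;;
    esac
    echo "OK: $guest -> $br -> vlan$vid [$ports]"
}

# On a live router replace the samples with "$(brctl show)" and "$(robocfg show)".
check_guest_vlan wl0.1 26 5 "$BRCTL_SAMPLE" "$ROBOCFG_SAMPLE"
```

    Note that this only confirms the Linux side of the isolation; whether the guest VLAN is kept off the other VLANs still depends on the upstream firewall, as the thread discusses.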
  10. starfall

    starfall Occasional Visitor

    Joined:
    Nov 4, 2014
    Messages:
    19
    /bin/ash is a valid shell

    I think it's to do with the lanX_ifnames nvram settings. See this post for more info - WAP/Guest SSID/Port based VLAN
     
  11. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,164
    Location:
    UK
    Indeed, and I assume there is no functional difference between the shells 'sh' and 'ash' given they are both symlinks to Busybox, but many of my personal programming/scripting errors have been attributed to an incorrect assumption that such a trivial technical detail couldn't possibly be the reason why my programs fail to execute as desired! :p

    Stranger things have happened and as I was taught; "Computers only do what you tell them to do - rarely what you wanted/intended them to do!" ;)
     
  12. coldwizard

    coldwizard Regular Contributor

    Joined:
    Apr 17, 2014
    Messages:
    179
    For anyone that wants to modify the script above for another Asus model, this table of hardware ports may be useful

    #Robocfg port mapping
    #Model { WAN L1 L2 L3 L4 CPU }
    #RTN16: { 0, 4, 3, 2, 1, 8 }
    #RTAC56U: { 4, 0, 1, 2, 3, 5 }
    #RTN66U: { 0, 1, 2, 3, 4, 8 }
    #RTAC66U: { 0, 1, 2, 3, 4, 8 }
    #RTAC68U: { 0, 1, 2, 3, 4, 5 }
    #RTAC87U: { 0, 5, 3, 2, 1, 7 }
    #RTAC3200: { 0, 4, 3, 2, 1, 5 }

    Also the "nvram commit" line should not be required in the script.
     
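    To reuse the scripts in this thread on one of the other models listed, the added helper below (mine, not posted by anyone in the thread) maps the logical names WAN, L1..L4 and CPU, each with an optional t or u suffix, to the physical robocfg port numbers for a model taken from the table above. It assumes that table is accurate for the models it lists.

```shell
#!/bin/sh
# Added helper (not from the thread): translate the logical port names in the
# table above into the physical numbers robocfg wants for a given model, so a
# VLAN line written for one router can be re-generated for another.

# port_map MODEL -> "WAN L1 L2 L3 L4 CPU" physical port numbers (table above)
port_map() {
    case "$1" in
        RTN16)          echo "0 4 3 2 1 8" ;;
        RTAC56U)        echo "4 0 1 2 3 5" ;;
        RTN66U|RTAC66U) echo "0 1 2 3 4 8" ;;
        RTAC68U)        echo "0 1 2 3 4 5" ;;
        RTAC87U)        echo "0 5 3 2 1 7" ;;
        RTAC3200)       echo "0 4 3 2 1 5" ;;
        *)              echo "unknown model: $1" >&2; return 1 ;;
    esac
}

# robo_ports MODEL "SPEC" -> port string for 'robocfg vlan N ports "..."'.
# SPEC lists logical ports WAN, L1..L4, CPU, each with an optional t (tagged)
# or u (untagged) suffix, e.g. "L4t CPUt".
robo_ports() {
    model=$1; spec=$2
    map=$(port_map "$model") || return 1
    set -- $map          # $1=WAN $2=L1 $3=L2 $4=L3 $5=L4 $6=CPU
    out=""
    for tok in $spec; do
        name=${tok%[tu]}        # logical name without the tag flag
        flag=${tok#"$name"}     # "", "t" or "u"
        case "$name" in
            WAN) p=$1 ;; L1) p=$2 ;; L2) p=$3 ;;
            L3)  p=$4 ;; L4) p=$5 ;; CPU) p=$6 ;;
            *) echo "unknown port name: $tok" >&2; return 1 ;;
        esac
        out="$out${out:+ }$p$flag"
    done
    printf '%s\n' "$out"
}

# robocfg_vlan MODEL VID "SPEC" -> the complete robocfg command line
robocfg_vlan() {
    ports=$(robo_ports "$1" "$3") || return 1
    printf 'robocfg vlan %s ports "%s"\n' "$2" "$ports"
}

# starfall's "4t 5t" on the AC68U becomes "3t 5t" on the AC56U and "4t 8t" on the N66U
robocfg_vlan RTAC68U 9 "L4t CPUt"
robocfg_vlan RTAC56U 9 "L4t CPUt"
robocfg_vlan RTN66U 9 "L4t CPUt"
```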
  13. Pablo

    Pablo New Around Here

    Joined:
    Jun 22, 2017
    Messages:
    5
    Hi, I've been fighting with this for a couple of days.
    I have a pfSense router with a VLAN4 defined on the LAN interface tagged with id "4". That port is connected to port 1 on the router. My goal is to have a wlan on vlan4.

    This is how I have configured it:

    Code:
    robocfg vlan 4 ports "1t 8t"
    vconfig add eth0 4
    ifconfig vlan4 up
    
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl delif br0 wl1.1
    brctl addif br1 wl0.1
    brctl addif br1 wl1.1
    brctl addif br1 vlan4
    ifconfig br1 up
    
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    nvram set lan1_ifnames="vlan4 wl0.1 wl1.1"
    nvram set lan1_ifname="br1"
    
    nvram commit
    killall eapd
    eapd
    
    Port 1 is tagged because it is also used on VLAN3 (another VLAN defined in pfSense and on the physical LAN interface).


    This is the output of "robocfg show"

    Code:
    Switch: enabled
    Port 0:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
    Port 1:  100FD enabled stp: none vlan: 1 jumbo: off mac: 52:54:00:0a:74:e6
    Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: a0:f3:c1:f8:6f:b0
    Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: c4:04:15:23:8d:25
    VLANs: BCM5301x enabled mac_check mac_hash
       1: vlan1: 1 2 3 4 8t
       2: vlan2: 0 8t
       3: vlan3: 1t 4t 8t
       4: vlan4: 1t 8t
    1045: vlan1045: 0t 3 4t 8u
    1046: vlan1046: 0 1 2 3 4 5 7t
    1047: vlan1047: 0t 2t 4 5t 7
    1099: vlan1099: 0t 5 7
    1100: vlan1100: 2 3 7 8t
    1101: vlan1101: 3t
    1102: vlan1102: 0 1 2t 3t 4 7t 8t
    1103: vlan1103: 0 8u
    

    And this is the output from "brctl show"

    Code:
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.c40415238d25       yes             vlan1
                                                            eth1
                                                            eth2
    br1             8000.022215a50305       no              wl0.1
                                                            wl1.1
                                                            vlan4
    
    With this setup, when I try to connect from a wifi device to the guest SSID (defined on the XWRT gui), I get stuck at the point where it's trying to get the IP address. So, I can pass the authentication point successfully (tried both open and wpa2 with the same results) and it just keeps trying to get an IP address.

    I think that no connection is established with the pfSense box, because no packet seems to appear on the "Interface statistics" panel, so I think my VLAN is not well defined but... what is wrong?

    On the pfSense box I have VLAN3 working with a DHCP server for VLAN3, and also VLAN4 defined the same as VLAN3 (just with a different ID tag) with a DHCP server defined for VLAN4 with different IP address ranges (VLAN3 192.168.3.0 and VLAN4 192.168.4.0).

    Anyone willing to troubleshoot this to help me?

    Thanks,
    Pablo
     
  14. Pablo

    Pablo New Around Here

    Joined:
    Jun 22, 2017
    Messages:
    5
    I'll reply to myself so anyone with this problem can avoid losing days trying to solve this...

    The configuration is right, the only problem was that I forgot to specify in pfSense that the DNS resolver must serve addresses on all the VLANs and not just on the LAN..... :-(
     
  15. snb_rookie

    snb_rookie New Around Here

    Joined:
    Sep 12, 2017
    Messages:
    1
    I am trying to use this configuration, but scale it up to more SSID / VLAN combos and using a managed switch with pfSense. I'm having a terrible time and I'm not convinced the VLAN tagging on Merlin supports what I am trying to accomplish.

    RT-AC68R / Merlin 380.68.

    Attempted VLAN / SSID config:

    VLAN11 - Internet only access port from LGS308 (not related to ASUS.. works great).

    ssid:dev1 VLAN20 - Internet only
    ssid:dev2 VLAN21 - Internet only
    ssid:media VLAN22 - Internet only

    My HW config is as follows:

    WAN <--> pfSense <---> LGS308 <---> RT-AC68R
    LGS308 is connected to the pfSense LAN via a trunk port (1) which carries all VLANs.

    Per instructions in this thread, I'm adding 3 new guest VLANs (wl0.1, wl1.1, wl1.2)

    This is my config. I'm using ports 2-4 on the ASUS, which is configured in AP only mode.

    Code:
    #!/bin/sh
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    
    robocfg vlan 20 ports "2t 5t"
    vconfig add eth0 20
    ifconfig vlan20 up
    
    robocfg vlan 21 ports "3t 5t"
    vconfig add eth0 21
    ifconfig vlan21 up
    
    robocfg vlan 22 ports "4t 5t"
    vconfig add eth0 22
    ifconfig vlan22 up
    
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    brctl addif br1 vlan20
    ifconfig br1 up
    
    brctl addbr br2
    brctl delif br0 wl1.1
    brctl addif br2 wl1.1
    brctl addif br2 vlan21
    ifconfig br2 up
    
    brctl addbr br3
    brctl delif br0 wl1.2
    brctl addif br3 wl1.2
    brctl addif br3 vlan22
    ifconfig br3 up
    
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    
    nvram set lan1_ifnames="vlan20 wl0.1"
    nvram set lan1_ifname="br1"
    
    nvram set lan2_ifnames="vlan21 wl1.1"
    nvram set lan2_ifname="br2"
    
    nvram set lan3_ifnames="vlan22 wl1.2"
    nvram set lan3_ifname="br3"
    
    killall eapd
    eapd
    Really, I'm just trying to get the guest traffic tagged so pfsense can handle the rest...

    Symptoms are hard to describe. Oftentimes I get VLAN-appropriate DHCP from pfSense, but the sanity stops there. Internet on my non-guest SSIDs becomes intermittent.

    I've also tried trunking all 3 VLANs to one port (2t for instance) to save on switch ports. This doesn't seem to behave any better. I realize not much to go on...

    EDIT: Not an issue with ASUS Merlin at all... it was tagging just fine.

    As it turns out, the biggest issue with this setup was the "default VLAN" or Parent LAN interface in PfSense. I left this in here, because I didn't want to bother with VLAN config for non-guest wifi networks. Problem is, when you go this route configuring firewall rules becomes a real hassle, because you have VLAN traffic showing up both on the parent interface and on the VLAN interface itself, requiring a bunch of duplicate rules.

    I ended up adding a VLAN10 for "local" ops, and then adding it to the "br0" bridge which contains eth1 and eth2. After a bit of reconfig, everything is good.
     
    Last edited: Sep 13, 2017