
SSID to VLAN

Discussion in 'Asuswrt-Merlin' started by User774, Jun 1, 2015.

  1. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    3,348
    Location:
    UK
    Yes - wl0.x is Guest 2.4GHz, wl1.x is Guest 5GHz
    Yes - Tagged switch Port and CPU, but you have to ensure that the Port/CPU mapping matches your hardware!

    EDIT: I think on your RT-AC3200 the internal to physical port mapping is reversed so '1t 5t' means L4 port on the back? :confused:

    e.g. On the RT-AC68U the CPU port can be either 5 or 8 depending on the GUI options enabled, and I think Port 4 on the RT-AC87U is actually '5' internally?o_O
     
    Last edited: Dec 13, 2018
  2. JohnB4

    JohnB4 New Around Here

    Joined:
    Nov 24, 2018
    Messages:
    7
    1. I believe the guest SSIDs are 0.1, 0.2 and 0.3 for 2.4GHz and 1.1, 1.2 and 1.3 for 5GHz
    2. Not 100% sure, but I think this tells the router how to properly perform the WPA/AES handshake
    3. robocfg allows you to set, for each VLAN, whether the ports are:
    a) not available on the port (if you don't write the port number in the quotes)
    b) available and tagged with its VLAN number (write the port number with a t)
    c) available untagged; only one VLAN can be untagged on each port (write the port number without a t)
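A sanity check for the port layout described in the two posts above, added here as an example that is not from the thread or from Asuswrt-Merlin: it takes robocfg-style VLAN definitions (constructed sample values, not any real router's config) and reports any switch port that is untagged in more than one VLAN, and any VLAN missing the tagged CPU port, whose number differs per model.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a planned robocfg VLAN
# layout before putting it into a startup script. Each line is "VLANID:ports",
# using robocfg's own port syntax: "3t" = tagged member, "3" = untagged member,
# a port that is absent is not a member of that VLAN.

# Constructed sample layouts (not any real router's config).
# PLAN: LAN untagged on ports 1-4, guest VLAN 250 tagged everywhere, CPU port 8.
PLAN='1:1 2 3 4 8t
250:1t 2t 3t 4t 8t'
# BAD_PLAN: port 3 is untagged in both VLANs, which breaks the one-untagged rule.
BAD_PLAN='1:1 2 3 4 8t
250:1t 2t 3 4t 8t'

# Rule from the thread: a switch port may be untagged in at most one VLAN.
# Prints "ok" when the rule holds, otherwise one line per offending port.
check_untagged() {
    printf '%s\n' "$1" | awk -F: '
        { n = split($2, p, " ")
          for (i = 1; i <= n; i++)
              if (p[i] !~ /t$/) { cnt[p[i]]++; vlans[p[i]] = vlans[p[i]] " " $1 } }
        END { for (port in cnt)
                  if (cnt[port] > 1) { bad = 1; printf "port %s untagged in VLANs%s\n", port, vlans[port] }
              if (!bad) print "ok" }'
}

# Rule from the thread: the CPU port must be tagged in every VLAN the router
# itself should see, and its number depends on the model (5, 8, ...).
# Prints "ok" when every VLAN carries "<cpu>t", otherwise lists the VLANs that do not.
check_cpu_port() {
    printf '%s\n' "$1" | awk -F: -v cpu="$2" '
        { found = 0; n = split($2, p, " ")
          for (i = 1; i <= n; i++) if (p[i] == (cpu "t")) found = 1
          if (!found) { bad = 1; printf "VLAN %s is not tagged on CPU port %s\n", $1, cpu } }
        END { if (!bad) print "ok" }'
}

echo "untagged check, PLAN:     $(check_untagged "$PLAN")"
echo "untagged check, BAD_PLAN: $(check_untagged "$BAD_PLAN")"
echo "CPU port 8 check, PLAN:   $(check_cpu_port "$PLAN" 8)"
echo "CPU port 5 check, PLAN:   $(check_cpu_port "$PLAN" 5)"
```

Run it with the CPU port number for your own model; the RT-AC68U post above is the reminder that 5 and 8 are both plausible.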
     
  3. JohnB4

    JohnB4 New Around Here

    Joined:
    Nov 24, 2018
    Messages:
    7
    Ok so it appears I have managed to fix the issues on BOTH devices (ac66 and ac68) with the same fix:

    You need to turn off the HW NAT acceleration. No idea why it's even on since both devices were in AP mode.
    It's a bit of a pain to turn off, as the option to turn it off is only available in normal router mode. So turn it off and then switch back to AP mode; it will then remain off.

    No more martians since and all works as expected!!
     
  4. desol

    desol New Around Here

    Joined:
    Dec 13, 2018
    Messages:
    3
    Do you have any instructions for disabling HW NAT acceleration? I am also suffering the same issue?

    EDIT:
    From my cursory search it appears that
    Code:
    nvram set ctf_disable=1
    disables HW acceleration
     
    Last edited: Dec 14, 2018
  5. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,285
    Location:
    United States
    Use
    Code:
    nvram set ctf_disable_force=1
    
    Plain 'ctf_disable' is set when the firmware encounters a function being enabled which requires ctf to be disabled.
     
  6. JohnB4

    JohnB4 New Around Here

    Joined:
    Nov 24, 2018
    Messages:
    7
    If you wanted to do it via the GUI, you would first have to set the device back to router mode. Once you do that you can find a tab called "Switch Control" under the LAN options. This will have the HW NAT option.
    You can check that it's really turned off under "Tools", then "SysInfo".
     
  7. JohnB4

    JohnB4 New Around Here

    Joined:
    Nov 24, 2018
    Messages:
    7
    I guess technically that is what the firmware should have done once more than one bridge is used...

    It's interesting that no one has come across this issue earlier in the thread. Perhaps they already had a function running (QoS?) that disabled HW NAT

    I do wonder if the HW NAT also plays a role in accelerating LAN<->WLAN traffic. I did notice after disabling it that a 40MBps file transfer creates a near 100% load on my AC1750. I don't remember if this would also happen with HW NAT on. Mind you, this is the A1 version that has a single-core 600MHz processor, so it may be less of an issue on more powerful APs.
     
  8. yacob841

    yacob841 New Around Here

    Joined:
    Mar 13, 2019
    Messages:
    1
    Can anyone confirm what might be going wrong? I have created the script and attempted to use it. I have not been able to confirm if it works or not, because the main issue I am having is that whenever I connect to any of my guest networks, it ends up giving me a self-assigned IP and 0 access to anything. I am only using the AC88U as an AP and OPNsense as my router. The setup I want is this:

    iNet > Modem > OPNSense/Radius > Networking > AC88U-1 > Single SSID
    ------------------------------------------IOT------------AC88U-2
    ------------------------------------------Personal
    ------------------------------------------Guest

    One SSID where, depending on the login credentials to RADIUS, the client is assigned 1 of 4 VLANs. All of Networking will be through ports, but IOT, Personal, and Guest are through wifi.

    Code:
    #!/bin/sh
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    
    robocfg vlan 2 ports "1t 2t 5t"
    vconfig add eth0 2
    ifconfig vlan2 up
    
    brctl addbr br1
    brctl delif br0 wl0.3
    brctl addif br1 wl0.3
    brctl delif br0 wl1.3
    brctl addif br1 wl1.3
    brctl addif br1 vlan2
    ifconfig br1 up
    
    brctl addbr br2
    brctl delif br0 wl0.2
    brctl addif br2 wl0.2
    brctl delif br0 wl1.2
    brctl addif br2 wl1.2
    brctl addif br2 vlan3
    ifconfig br2 up
    
    brctl addbr br3
    brctl delif br0 wl0.1
    brctl addif br3 wl0.1
    brctl delif br0 wl1.1
    brctl addif br3 wl1.1
    brctl addif br3 vlan4
    ifconfig br3 up
    
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    
    nvram set lan1_ifnames="vlan2 wl0.3 wl1.3"
    nvram set lan1_ifname="br1"
    
    nvram set lan2_ifnames="vlan3 wl0.2 wl1.2"
    nvram set lan2_ifname="br2"
    
    nvram set lan3_ifnames="vlan4 wl0.1 wl1.1"
    nvram set lan3_ifname="br3"
    
    nvram commit
    killall eapd
    eapd
     
  9. bobpaul

    bobpaul New Around Here

    Joined:
    Sep 14, 2018
    Messages:
    6
    I don't think I understand this, but I've never used Radius. How does the radius server assign a user to a VLAN if all of your "guest" networks are using the same SSID? Can Radius force a client to use a specific BSSID?

    Did you get this working? I'm still trying to sort out my own script, but from reading the thread I think you might need to disable CTF and you should feel free to comment out the nvram commit because it's not needed and might not be desired (we don't need to save to nvram since we're configuring this via a startup script)

    Code:
    #!/bin/sh
    nvram set ctf_disable_force=1
    nvram set ctf_disable=1
    #nvram commit
    
    Also, what does
    Code:
    robocfg show vlan
    show? Are you positive 5t is the correct CPU port for your hardware?
     
  10. bobpaul

    bobpaul New Around Here

    Joined:
    Sep 14, 2018
    Messages:
    6
    OK. So I have an RT-N66W on Merlin 380.70. I have a single connection to an OPNsense router that's providing LAN (untagged) and Guest (vlan250). I've gotten this far:

    Code:
    nvram set ctf_disable_force=1
    nvram set ctf_disable=1
    
    #8 is internal.
    robocfg vlan 250 ports "1t 2t 3t 4t 8t"
    vconfig add eth0 250
    ifconfig vlan250 up
    ifconfig vlan250 192.168.250.3 netmask 255.255.255.0
    
    I'm 100% sure the above is working. With a wired computer plugged into a port on the Asus, I configure a tagged vlan250 and get the correct DHCP from the router. With a wired or wireless computer on the untagged vlan, I get a normal 192.168.1.x address. On a computer with a 1.x address, I can access the Asus device if and only if I configure firewall rules on the router to pass traffic between the two subnets. The vlan tagging is 100% working on the wired network.

    and the bridge works, too:

    Code:
    ifconfig vlan250 0.0.0.0
    brctl addbr br1
    brctl addif br1 vlan250
    ifconfig br1 192.168.250.3 netmask 255.255.255.0
    ifconfig br1 up
    
    In this case things still work. I can only ssh to the Asus's address on another device with VLAN250 tagged or if I configure the firewall to route between the two vlans.

    BUT

    When I reboot and then use the full script:
    Code:
    #!/bin/sh
    #https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187
    #https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-192836
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    
    nvram set ctf_disable_force=1
    nvram set ctf_disable=1
    
    #8 is internal.
    robocfg vlan 250 ports "1t 2t 3t 4t 8t"
    vconfig add eth0 250
    ifconfig vlan250 up
    
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    brctl addif br1 vlan250
    ifconfig br1 192.168.250.3 netmask 255.255.255.0
    ifconfig br1 up
    
    #eth1 and eth2 are 2.4 and 5ghz main wifi
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    
    #wl0.x is 2.4ghz guests
    #wl1.x is 5ghz guests
    nvram set lan1_ifnames="vlan250 wl0.1"
    nvram set lan1_ifname="br1"
    
    #nvram commit
    killall eapd
    eapd
    
    Initially (first 2-3 minutes?) things seem to work. I can get one or two wireless clients to get a 250.x address from the Guest wifi. But then after a short time, all of my devices on the primary WiFi lose their connections to the internet. Android connects, but reports no internet connection. If I switch back to Guest, DHCP fails.

    What else should I be looking at? The vlan is stable until I add the virtual access point device, and then all the wifi quickly goes unstable.

    Edit: I moved the killall eapd line further up, added some logging, and changed the bridge name to "guest" instead of "br1", and now it's working fine. I suspect moving the killall is all that mattered. Maybe changing the ifname nvram vars while eapd is running is bad? Or maybe I just needed some delay between the kill and the restarting?

    Code:
    #!/bin/sh
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    
    logger starting guest vlan
    nvram set ctf_disable_force=1
    nvram set ctf_disable=1
    
    #8 is internal.
    robocfg vlan 250 ports "1t 2t 3t 4t 8t"
    vconfig add eth0 250
    ip link set vlan250 up
    logger vlan up
    
    brctl addbr guest
    brctl addif guest vlan250
    brctl delif br0 wl0.1
    brctl addif guest wl0.1
    brctl delif br0 wl1.1
    brctl addif guest wl1.1
    #ip addr add 192.168.250.3/24 dev guest
    logger bridge up, killing eapd
    
    killall eapd
    
    logger setting nvram
    #eth1 and eth2 are 2.4 and 5ghz main wifi
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    
    #wl0.x is 2.4ghz guests (Virtual Access Point)
    #wl1.x is 5ghz guests
    nvram set lan1_ifnames="vlan250 wl0.1 wl1.1"
    nvram set lan1_ifname="guest"
    #Isolate guests from each other
    nvram set wl0.1_ap_isolate=1
    nvram set wl1.1_ap_isolate=1
    wl -i wl0.1 ap_isolate 1
    wl -i wl1.1 ap_isolate 1
    
    ip link set guest up
    
    eapd
    logger link up and eapd restarted
    
     
    Last edited: Feb 8, 2020