What's new

SSID to VLAN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

wl0.x are subinterfaces which correspond to the guest interfaces from the GUI
Yes - wl0.x is Guest 2.4GHz, wl1.x is Guest 5GHz
setting `robocfg vlan 4 ports "1t 5t"` means I want vlan4 to be tagged and connected to port 1 on the switch.
Yes - Tagged switch Port and CPU, but you have to ensure that the Port/CPU mapping matches your hardware!

EDIT: I think on your RT-AC3200 the internal to physical port mapping is reversed so '1t 5t' means L4 port on the back? :confused:

e.g. On the RT-AC68U the CPU port can be either 5 or 8 depending on the GUI options enabled, and I think Port 4 on the RT-AC87U is actually '5' internally?o_O
 
Last edited:
1. How do I find out which SSID's are linked to which interface e.g. wl0.1 wl1.2
2. What is the purpose of nvram setting the lan and lan1 ifname and ifnames and what does this correspond to on the system
3. How does the tagging work as opposed to just listing the port number with robocfg vlan 4 ports ...

1. I believe the guest SSIDs are 0.1 0.2 and 0.3 for 2.4Ghz and 1.1 1.2 and 1.3 for 5GHz
2. Not 100% sure but I think this tells the router how to properly perform the WPA/AES handshake
3. Robocfg allows you to set for each VLAN, whether they are:
a) not available on the port (if you dont write the port number in the quotes)
b) available and tagged with its vlan number (write port number with a t)
c) available untagged; can only have one vlan untagged on each port (write port number without t)
 
Ok so it appears I have managed to fix the issues on BOTH devices (ac66 and ac68) with the same fix:

You need to turn off the HW NAT acceleration. No idea why it's even on since both devices were in AP mode.
It's a bit of a pain to turn off, as the option to turn it off is only available in normal router mode. So turn it off and then switch back to AP mode; it will then remain off.

No more martians since and all works as expected!!
 
Ok so it appears I have managed to fix the issues on BOTH devices (ac66 and ac68) with the same fix:

You need to turn off the HW NAT acceleration. No idea why it's even on since both devices were in AP mode.
It's a bit of a pain to turn off, as the option to turn it off is only available in normal router mode. So turn it off and then switch back to AP mode; it will then remain off.

No more martians since and all works as expected!!

Do you have any instructions for disabling NW NAT acceleration? I am also suffering the same issue ?

EDIT:
From my cursory search it appears that
Code:
 nvram set ctf_disable=1
disables HW acceleration
 
Last edited:
Do you have any instructions for disabling NW NAT acceleration? I am also suffering the same issue ?
Use
Code:
nvram set ctf_disable_force=1

Plain 'ctf_disable' is set when the firmware encounters a function being enabled which requires ctf to be disabled.
 
Do you have any instructions for disabling NW NAT acceleration? I am also suffering the same issue ?
If you wanted to do it via the GUI, you would first have to set the device back to router mode. Once you do that you can find a tab called "switch control" under the LAN options. This will have the HW NAT option
You can check that it's really turned off under "Tools" then SysInfo
 
Plain 'ctf_disable' is set when the firmware encounters a function being enabled which requires ctf to be disabled.
I guess technically that is what the firmware should have done once more than one bridge is used...

It's interesting that no one has come across this issue earlier in the thread. Perhaps they already had a function running (QoS?) that disabled HW NAT

I do wonder if the HW NAT also plays a role in accelerating LAN<->WLAN traffic. I did notice after disabling it, that a 40MBps file transfer creates a near 100% load on my AC1750. I don't remember if this would also happen with HW NAT on. Mind you this is the A1 version that has a single core 600Mhz processor though, so may be less of an issue on more powerful APs
 
Can anyone confirm what might be going wrong? I have created the script and attempted to use it. I have not been able to confirm if it works or not because the main issue I am having is that whenever I connect to any of my guest networks, it ends up giving me a self assigned ip and 0 access to anything. I am only using the AC88U as an AP and OPNSense as my router. The setup I want is this:

iNet > Modem > OPNSense/Radius > Networking > AC88U-1 > Single SSID
------------------------------------------IOT------------AC88U-2
------------------------------------------Personal
------------------------------------------Guest

One SSID, where depending on the login credentials to Radius is assigned 1 of 4 VLANs. All of networking will be through ports, but IOT, Personal, and Guest are through wifi.

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 2 ports "1t 2t 5t"
vconfig add eth0 2
ifconfig vlan2 up

brctl addbr br1
brctl delif br0 wl0.3
brctl addif br1 wl0.3
brctl delif br0 wl1.3
brctl addif br1 wl1.3
brctl addif br1 vlan2
ifconfig br1 up

brctl addbr br2
brctl delif br0 wl0.2
brctl addif br2 wl0.2
brctl delif br0 wl1.2
brctl addif br2 wl1.2
brctl addif br2 vlan3
ifconfig br2 up

brctl addbr br3
brctl delif br0 wl0.1
brctl addif br3 wl0.1
brctl delif br0 wl1.1
brctl addif br3 wl1.1
brctl addif br3 vlan4
ifconfig br3 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan2 wl0.3 wl1.3"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan3 wl0.2 wl1.2"
nvram set lan2_ifname="br2"

nvram set lan3_ifnames="vlan4 wl0.1 wl1.1"
nvram set lan3_ifname="br3"

nvram commit
killall eapd
eapd
 
One SSID, where depending on the login credentials to Radius is assigned 1 of 4 VLANs. All of networking will be through ports, but IOT, Personal, and Guest are through wifi.

I don't think I understand this, but I've never used Radius. How does the radius server assign a user to a VLAN if all of your "guest" networks are using the same SSID? Can Radius force a client to use a specific BSSID?

Did you get this working? I'm still trying to sort out my own script, but from reading the thread I think you might need to disable CTF and you should feel free to comment out the nvram commit because it's not needed and might not be desired (we don't need to save to nvram since we're configuring this via a startup script)

Code:
#!/bin/sh
nvram set ctf_disable_force=1
nvram set ctf_disable=1
#nvram commit

Also, what does
Code:
robocfg show vlan
show? Are you positive 5t is the correct CPU port for your hardware?
 
OK. So I have an RT-N66W on Merlin 380.70. I have a single connection to an OPNsense router that's providing LAN (untagged) and Guest (vlan250). I've gotten this far:

Code:
nvram set ctf_disable_force=1
nvram set ctf_disable=1           
                                   
#8 is internal.                   
robocfg vlan 250 ports "1t 2t 3t 4t 8t"
vconfig add eth0 250               
ifconfig vlan250 up
ifconfig vlan250 192.168.250.3 netmask 255.255.255.0

I'm 100% sure the above is working. With a wired computer plugged into a port on the Asus, I configure a tagged vlan250 and get the correct DHCP from the router. With a wired or wireless computer on the untagged vlan, I get a normal 192.168.1.x address. On a computer with a 1.x address, I can access the Asus device if and only if I configure firewall rules on the router to pass traffic between the two subnets. The vlan tagging is 100% working on the wired network.

and the bridge works, too:

Code:
ifconfig vlan250 0.0.0.0
brctl addbr br1
brctl addif br1 vlan250
ifconfig br1 192.168.250.3 netmask 255.255.255.0
ifconfig br1 up

In this case things still work. I can only ssh to the Asus's address on another device with VLAN250 tagged or if I configure the firewall to route between the two vlans.

BUT

When I reboot and then use the full script:
Code:
#!/bin/sh
#https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187
#https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-192836
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

nvram set ctf_disable_force=1
nvram set ctf_disable=1

#8 is internal.
robocfg vlan 250 ports "1t 2t 3t 4t 8t"
vconfig add eth0 250
ifconfig vlan250 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan250
ifconfig br1 192.168.250.3 netmask 255.255.255.0
ifconfig br1 up

#eth1 and eth2 are 2.4 and 5ghz main wifi
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

#wl0.x is 2.4ghz guests
#wl1.x is 5ghz guests
nvram set lan1_ifnames="vlan250 wl0.1"
nvram set lan1_ifname="br1"

#nvram commit
killall eapd
eapd

Initially (first 2-3 minutes?) things seem to work. I can get one or two wireless clients to get a 250.x address from the Guest wifi. But then after a short time, all of my devices on the primary WiFi lose their connections to the internet. Android connects, but reports no internet connection. If I switch back to Guest, DHCP fails.

What else should I be looking at? The vlan is stable until I add the virtual access point device, and then all the wifi quickly goes unstable.

Edit: I moved the killall eapd line further up, added some logging, and changed the bridge name to "guest" instead of "br1" and now it's working fine. I suspect moving the killall is all that mattered. Maybe changing the ifname nvram vars while eapd is running is bad? Or maybe I just needed some delay between the kill and the restarting?.

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

logger starting guest vlan
nvram set ctf_disable_force=1
nvram set ctf_disable=1

#8 is internal.
robocfg vlan 250 ports "1t 2t 3t 4t 8t"
vconfig add eth0 250
ip link set vlan250 up
logger vlan up

brctl addbr guest
brctl addif guest vlan250
brctl delif br0 wl0.1
brctl addif guest wl0.1
brctl delif br0 wl1.1
brctl addif guest wl1.1
#ip addr add 192.168.250.3/24 dev guest
logger bridge up, killing eapd

killall eapd

logger setting nvram
#eth1 and eth2 are 2.4 and 5ghz main wifi
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

#wl0.x is 2.4ghz guests (Virtual Access Point)
#wl1.x is 5ghz guests
nvram set lan1_ifnames="vlan250 wl0.1 wl1.1"
nvram set lan1_ifname="guest"
#Issolate guests from each other
nvram set wl0.1_ap_isolate=1
nvram set wl1.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1
wl -i wl1.1 ap_isolate 1

ip link set guest up

eapd
logger link up and eapd restarted
 
Last edited:
It works! WPA2 is working on the guest VLAN setup. I'm over the moon. Here is my services-start script in case somebody wants to use it -

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 9 ports "4t 5t"
vconfig add eth0 9
ifconfig vlan9 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl1.1
brctl addif br1 vlan9
#ifconfig br1 192.168.9.254 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan9 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

My AC68U (running 378.54_2) is in AP mode as I'm using a pfSense HA cluster as router. However, I suggest using a local IP on the AP first to test the client (ie. remove the comment on the ifconfig line). Also, remember to setup dhcp on the guest VLAN, or else test it with a static IP on the client.

EDIT: Just to clarify, I have a switch connected to the AC68U, and it is on port 4. I've left the normal LAN VLAN untagged, and only tagged the new guest VLAN as VLAN 9, hence, " 4t 5t". Port 5 is of course the internal interface of the ASUS.

Thanks!

I used your script to build my own. Works great on RT-AC3200.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top