Switch capabilities of AIMesh Nodes?

Quite a few. I used to work in the security camera industry so I have a bunch of WiFi cameras that do 5GHz. As well, I've got random devices that support 5GHz like Amazon Echos, some dedicated hubs for IoT stuff, tablets, gaming devices, etc...
😂. I guess you have lots of cameras then.

Actually that is another good reason to get 3006 nodes (even non Ethernet VLAN capable ones), you can use multiple interfaces per band. I’m currently juggling whether to assign a node 5Ghz Wi-Fi for Guests or try to let my 5Ghz capable IoT devices (Amazon Echos) have it…
 

😂. I guess you have lots of cameras then.

Actually that is another good reason to get 3006 nodes (even non Ethernet VLAN capable ones), you can use multiple interfaces per band. I’m currently juggling whether to assign a node 5Ghz Wi-Fi for Guests or try to let my 5Ghz capable IoT devices (Amazon Echos) have it…
The word you're looking for is either "unhealthy" or "absurd".

And yes, I have two VLANs set up in GNP and they're both using 2.4GHz and 5GHz. I wasn't aware that some nodes+firmware only allow a single VLAN on a frequency band so I'm glad I avoided that because that also would have been an issue for my setup.
 
I have played a bit with 5 GHz for IoT devices (e.g., newer Ring doorbells), and my conclusion was that IoT devices in general performed better on 2.4 GHz only. Network tends to be much more stable, and devices recover much more quickly following network reboot. YMMV...
 
Has anyone tried any of the Asus ExpertWifi devices that support VLAN tagging?
Not me. Is there something specific you think it has? I looked at that list too btw, none with internal antennas. Oddly the Wi-Fi Go RT AX57U is VLAN capable and does have internal antennas but… only one Ethernet port.
 
I have played a bit with 5 GHz for IoT devices (e.g., newer Ring doorbells), and my conclusion was that IoT devices in general performed better on 2.4 GHz only. Network tends to be much more stable, and devices recover much more quickly following network reboot. YMMV...
This came up all the time with the lab guys at my former employer. Depending on placement, this is generally because 2.4GHz has better wall penetration due to the longer wavelength of 2.4GHz vs 5GHz so establishing/reestablishing communication with the device was usually faster, and the more walls in between the device and the AP the bigger the discrepancy can get. For stuff like doorbells the antenna(s) is/are internal and very weak so they are heavily dependent on placement. For example, I had a 2K battery doorbell that operated at 2.4GHz. When I replaced it with a 4K battery doorbell that operated at 5GHz it couldn't maintain a stable connection with the exact same AiMesh node the 2K doorbell had been connected to without issue. In that particular example we're talking about a single brick wall with some electrical wiring in it in between the doorbell and an AiMesh node with 4 external antennas that was only about 10 feet away.
 
Oddly the Wi-Fi Go RT AX57U is VLAN capable and does have internal antennas but… only one Ethernet port.
Not odd at all, that's a travel router so the single Ethernet port is by design. I actually don't think I've ever seen a travel router with more than one Ethernet port.
 
Not odd at all, that's a travel router so the single Ethernet port is by design. I actually don't think I've ever seen a travel router with more than one Ethernet port.
GL-iNet GL-MT3000 Beryl AX has two -- one 2.5 Gbps WAN port and one 1 Gbps LAN port. Other routers from this vendor have two (or more) ports as well.
 
GL-iNet GL-MT3000 Beryl AX has two -- one 2.5 Gbps WAN port and one 1 Gbps LAN port. Other routers from this vendor have two (or more) ports as well.
Interesting. I guess I'm not that surprised that some exist out there with more than one LAN port, but the ones I've seen/used just had a single port that was intended to be used, for example, to plug into hotel room LAN ports to allow you to avoid using the hotel WiFi for wireless devices.
 
Dang, lots of replies since my post on Friday. Just read them all. Thanks everyone for your input. I've tried everything suggested, no dice.
I'm pretty sure all of your AiMesh nodes need to be on some version of 3006 to have native Guest Network support. You could hack an ugly fix by binding all your IoT devices to a single node and then inserting the managed switch into the backhaul for that node and tagging all traffic passing through it as VLAN 52, but then ANYTHING that connects to that node is going to be forced onto VLAN 52.
I think you may be right.
I don't believe that you need a managed switch at all. Any unmanaged switch THAT CORRECTLY PASSES VLAN TAGS will work (TP-Link definitely work, but I have no experience with Netgear), or you can factory reset the TL-SG108E to use it as an unmanaged switch. The step that you may have missed is configuring which guest networks are passed to which AiMesh nodes (different from 3004.x firmware). Select Guest Network Pro (or Network), select the IoT networks to be forwarded, select AiMesh from right column, and select desired node(s).
Tried that. Still no go. All wireless devices that connect with one of the two nodes still get the wrong IP (192.168.2.XXX instead of 192.168.52.XXX). See screenshots below.
He's talking about wireless clients and he's running 3004 firmware on the nodes which I think we've established at this point from previous threads don't support Guest Network Pro. There's three separate cases we've seen so far across previous threads:

A) AiMesh nodes that don't support Guest Network Pro at all
B) AiMesh nodes that support Guest Network Pro but don't support VLAN tagging on the node Ethernet ports
C) AiMesh nodes that support both

The managed switch is going to come into play if you want to add VLAN tagging to wired clients at the node location in cases A and B. You can also use it to force all traffic going across a node Backhaul onto a specific VLAN. So whether you need the managed switch or not depends on what you're trying to accomplish. But in all cases we've seen so far I think it's pretty clear the node has no chance of supporting Guest Network Pro if it's not running 3006-revision firmware.
Based on what I'm reading, it's not just 3004, but 3.0.0.4.386 vs. 3.0.0.4.388. Both of my nodes are on 386 which could be the issue here.
VLAN tagging for AiMesh wireless devices works for either 3004 OR 3006 firmware AiMesh nodes when connected to a 3006 primary router with Guest Network Pro (GNP) configured. The primary router takes care of the VLAN configuration for the AiMesh nodes — this has been the case for 3004 firmware as well for guest network 1 (if you disable intranet access for guest network 1 created VLANs 102 and 103, but they were not configurable).

What you are trying to do with the managed switch does in fact work IF you:
  1. Connect the switch to one of the downstream LAN ports of the AiMesh node (i.e., output from the AiMesh Node).
  2. You properly configure the switch as described in the TP-Link community forum: Setting up VLAN tagging on ports.
This is how my TL-SG108E is configured to connect multiple VLAN 52 IoT devices. I added the switch as a proof of concept — I have successfully moved all of my IoT wired devices to the same IoT VLAN used by IoT guest network. Yes, I could have used an unmanaged switch by configuring one of the VLAN ports, but I needed to buy an extra switch anyway:



NOTE: I left port 1 configured as tagged for VLAN 1 as described at the bottom of the community forum post in order to maintain easy configuration access from the primary network.
I copied your settings identically on my TL-SG108E and still no go. Details below.
That's really the question: if he has not set up VLAN port tagging on his TL-SG108E it should be passing whatever tags are present in the traffic coming from the nodes without altering anything so I'd like to know what happens if that managed switch is used with no VLAN setup whatsoever (i.e. used as a normal switch). But can you confirm you've got/had nodes running 3004-firmware, a main router with 3006 running GNP, and the wireless clients connecting to the nodes can properly get tagged with a GNP VLAN ID other than 1?
I just tried that. Factory reset the TL-SG108E. No luck. Then I enabled VLAN support, but didn't set anything else. Same results.
If you have managed switches as workaround this means you also have Ethernet to nodes available. Not sure why you decided to pair your pfSense gateway with consumer AiMesh as AP and fix deficiencies with extra hardware. Sounds like self-inflicted complication to me. What was the idea behind this setup?
Seth has the managed switches as the workaround. I'm the one with the pfSense. To answer your question, the idea behind this setup is merely a result of network changes and improvements I've made over the years:
  • Dec 2014: Replaced TrendNet 802.11b router with Asus RT-AC68U.
  • May 2018: Added Asus RT-AC86U. The AC-68U demoted to 1st AiMesh node.
  • Apr 2020: Added PROTECTLI FW4B 4-port firewall for pfSense and changed Asus to "AP Mode*".
  • Mar 2024: Added Asus RT-AX86U Pro. RT-AC86U demoted to 2nd AiMesh node.
*This is something that really hasn't been mentioned. My RT-AX86U Pro is running in Access Point (AP) mode, not the default Wireless Router mode since I'm letting the pfSense handle DHCP, firewall, etc. On that note, I came across this post over the weekend where he states "From what I have seen (but haven't tried), it does NOT work in standalone AP mode". So maybe that has something to do with it.

ARE YOU GUYS RUNNING IN AP MODE OR WIRELESS ROUTER MODE? Maybe it matters???

Details on my setup:
  • Frontier FIOS ONT > Frontier MOCA/Ethernet converter > pfSense firewall > Asus RT-AX86U Pro.
  • 5 bdrm, 3400 sq. ft., 2 story house with the 3 Asus routers/nodes spread around.
  • Every Asus router/node is plugged into an Ethernet jack in the wall in their respective room. All Ethernet cables terminate inside an access panel outside next to my gas meter. I have the TP-Link switch inside the access panel.
TP-Link TL-SG108E managed switch:
  • Port 1: Connected to LAN port 1 on Asus RT-AX86U Pro router,
  • Port 2: Connected to WAN port on Asus RT-AC86U node in the workout room.
  • Port 3: Connected to WAN port on Asus RT-AC68U in guest bedroom.
Here you can see the workout room node is handing out the wrong IP address range. Should be 192.168.52.XXX.

[Screenshots: 1749514919600.png, 1749514614844.png]


My TP-Link settings:
[Screenshots: 1749514317268.png, 1749514357202.png]


If I change the PVID on Ports 2 and 3 to "52", the nodes will become disconnected because the backhaul packets (whatever VLAN those use) can't get through anymore.

Lastly, I am a retired network engineer so I have the distinct gut feeling that this entire setup simply isn't compatible so I may have to resort to putting everything on one SSID/network/subnet. I know, not best practice, but again, retired = very limited income so I can't just go out and drop a few hundred $$$ on newer, compatible devices.
 
Based on this thread, should I assume that my RT-AC86U and RT-AC68U (both on 3.0.0.4) simply are incompatible when it comes to having both a wired backhaul and VLAN support, and therefore I am simply out of luck?

Short answer - Yes.

I can't just go out and drop a few hundred $$$ on newer, compatible devices.

If you want to play and keep using pfSense appliance - break AiMesh, use all Asus routers in AP Mode. The newer RT-AX86U Pro is perhaps fine as it is to pick up pfSense VLANs. The older RT-AC86U and RT-AC68U can be scripted for VLAN to SSID, but the method for both is different. Do some research and decide if you want to explore this path. Easiest - remove the pfSense appliance, use the RT-AX86U Pro as main router, GN1 for 2.4GHz and 5GHz will propagate to older Asus routers. May be enough for your needs without extra complications.
 
Not odd at all, that's a travel router so the single Ethernet port is by design. I actually don't think I've ever seen a travel router with more than one Ethernet port.
My GLINET Beryl AX MT-3000 does. Quite a few of their travel lines do actually.
 
My GLINET Beryl AX MT-3000 does. Quite a few of their travel lines do actually.
Yes, even the little Mango has two. The Opal and Beryl have three. Marble is the same size as the Go and has three. For all of those one can be WAN or LAN.

In theory for an AIMesh node with wireless backhaul, the WAN port can be an additional LAN, but I never got that to work.
 
ARE YOU GUYS RUNNING IN AP MODE OR WIRELESS ROUTER MODE? Maybe it matters???
My nodes are in ASUS proprietary mesh mode; so strictly speaking neither AP mode nor router mode I guess.
 
@TD99 was asking for the main unit/node. They are running AiMesh in AP Mode. This is a valid configuration, but has limitations.
 
TP-Link TL-SG108E managed switch:
  • Port 1: Connected to LAN port 1 on Asus RT-AX86U Pro router,
  • Port 2: Connected to WAN port on Asus RT-AC86U node in the workout room.
  • Port 3: Connected to WAN port on Asus RT-AC68U in guest bedroom.

My TP-Link settings:
View attachment 66208

View attachment 66209

If I change the PVID on Ports 2 and 3 to "52", the nodes will become disconnected because the backhaul packets (whatever VLAN those use) can't get through anymore.

You've got a few things configured differently on the managed switch than how I have it (I have the same switch and with my setup it's working perfectly) that have me wondering if that's your problem. Since you're only using ports 2 and 3 for VLAN tagging do the following: On your 802.1Q VLAN settings for VLAN ID 52 set 1-3 as your member ports, 1 as your tagged port, and 2-3 as your untagged ports. Then on your 802.1Q PVID settings just set 2 and 3 to 52.
 
You've got a few things configured differently on the managed switch than how I have it (I have the same switch and with my setup it's working perfectly) that have me wondering if that's your problem. Since you're only using ports 2 and 3 for VLAN tagging do the following: On your 802.1Q VLAN settings for VLAN ID 52 set 1-3 as your member ports, 1 as your tagged port, and 2-3 as your untagged ports. Then on your 802.1Q PVID settings just set 2 and 3 to 52.
This is what is detailed in the TP-Link community forum reference.
 
I'll be curious to see if his slight deviation from the methodology in that forum post is the problem.
Not configuring PVID settings is most definitely one issue.
 
Not configuring PVID settings is most definitely one issue.
The image in his post shows ports 2 and 3 set to 1, but right below that he pointed out when he changes them to 52 traffic stops going through.
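
The two switch setups discussed in this thread (passing tags through versus untagged/PVID 52 on the node ports), as an added example that is not part of any post: a generic 802.1Q port model, not TL-SG108E firmware behaviour. It assumes a three-port layout, ingress filtering, VLAN 1 left with all ports untagged, and that a node's own management/backhaul frames are untagged.

```python
# Added example: generic 802.1Q port model (assumption), not vendor firmware logic.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vlan:
    tagged: frozenset      # member ports that egress with the 802.1Q tag
    untagged: frozenset    # member ports that egress with the tag stripped

    @property
    def members(self):
        return self.tagged | self.untagged

class Switch:
    def __init__(self, vlans, pvid):
        self.vlans, self.pvid = vlans, pvid   # {vid: Vlan}, {port: vid}

    def classify(self, in_port, tag=None):
        """Ingress: a tagged frame keeps its VID, an untagged one gets the port PVID."""
        return tag if tag is not None else self.pvid[in_port]

    def forward(self, in_port, tag=None):
        """Flood one frame; return {egress_port: tag or None}. Assumes ingress filtering."""
        vid = self.classify(in_port, tag)
        vlan = self.vlans.get(vid)
        if vlan is None or in_port not in vlan.members:
            return {}
        return {p: (vid if p in vlan.tagged else None)
                for p in sorted(vlan.members) if p != in_port}

def fs(*ports):
    return frozenset(ports)

# Port 1 = uplink to the router, ports 2-3 = nodes (layout from the thread).
# VLAN 1 with every port untagged is an assumption (typical factory default).
VLAN1 = Vlan(tagged=fs(), untagged=fs(1, 2, 3))
# "Pass the tags through": VLAN 52 tagged on every port, PVID 1 everywhere.
TRUNK = Switch({1: VLAN1, 52: Vlan(fs(1, 2, 3), fs())}, {1: 1, 2: 1, 3: 1})
# Settings suggested in the thread: 52 tagged on 1, untagged on 2-3, PVID 52 on 2-3.
ACCESS = Switch({1: VLAN1, 52: Vlan(fs(1), fs(2, 3))}, {1: 1, 2: 52, 3: 52})

def summary(sw):
    return {
        "node_untagged_vid": sw.classify(2),         # VLAN the node's own frames land in
        "node_untagged_out": sw.forward(2),          # where they go, and with what tag
        "router_vlan52_out": sw.forward(1, tag=52),  # VLAN 52 arriving from the router
        "router_untagged_out": sw.forward(1),        # primary-network frames from the router
    }

if __name__ == "__main__":
    for name, sw in (("trunk", TRUNK), ("access", ACCESS)):
        print(name, summary(sw))
```

In the trunk setup an untagged frame from a node stays on VLAN 1, so clients only reach VLAN 52 if the node itself tags them. In the access setup every untagged frame from the node is classified into VLAN 52 while untagged frames from the router still arrive on VLAN 1, which under the stated assumptions is a one-way mismatch for the node's own traffic.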
 
