Switch capabilities of AIMesh Nodes?

jksmurf

Very Senior Member
A recent thread (a very interesting one) started me off thinking about how under-utilized nodes appear to be, for 3006 FW based nodes in particular.
I am reasonably sure I know what the answer is, but bear with me while I muse and ramble and throw my toys out of the pram.

I’m starting to look at switches and the like for my setup(s), purely for wired Ethernet devices and I started thinking about Mesh Node capabilities as managed switches.

In a wired backhaul environment you use the WAN port of the Node for Mesh connectivity but often have 4, maybe even 8 LAN ports 'free'; so enticing.
When you plug an Ethernet device into these however, it always assigns an IP from the Primary VLAN (I checked this by ethernet-wiring a Mesh Node's WAN directly to the Mesh Router's LAN).

If you go to the Main Router's LAN, VLAN WebGUI page, it is very clear that you cannot define the AIMesh backhaul port in Trunk Mode (Tags from/to which I was thinking could then possibly be managed by the Mesh Nodes Switch) for Ethernet attached devices. Nor can you even configure that port in Access mode. I guess there's good reasons for this (way outside my area of comprehension) but it sort of seems really wasteful; the ports are there, the capability is there.

Code:
To simultaneously set VLAN port as an AiMesh ethernet backhaul port, please select "All(Default)".
VLAN ports in Access Mode and Trunk Mode do not support such setups.

If the 3006 FW gives you the ability to define physical Ethernet based ports with Access/Trunk definitions for specific VLANs, would it be theoretically possible for a 3006 FW mesh node to do the same? Out of interest, are there any other mesh systems (Orbi? Ubiquiti?) that can do this?

Would I be correct in saying that at the moment regardless of whether you have a wired (backhaul) node, all the cabling does is provide a backhaul path to the node, it does not provide the node with any sort of management capabilities (despite the 3006-node clearly having that capacity); it is all configured by the main router? And there's no CLI settings which will allow you to define this on the Node? Assign PVIDs?

Don't get me wrong, it's not the cost of a (or in my case 5#) managed switches, these are becoming much cheaper and that's doable (in fact I am thinking to get one cheap one just to try and learn); but the thought of sticking a switch in each of the Master, Kids, Guest bedrooms and the Living Room is that it's just plain fugly, more devices, more cabling and more lights. I've seen very few cheap 5-Port 1G or 2.5G managed or "easy smart pseudo-managed" switches where you can actually turn off the blinking (in both uses of the word) LEDs (another advantage of a Mesh Node's Ethernet Ports!). This is a big thing for me.

I currently have a single (could be used as a Trunk) cable from my Router to an 8-port unmanaged switch which is in the wall (so it is nice and hidden, LEDs and all) and from this switch there's a single Ethernet cable to each room (5 cables).

But my understanding is that even if I changed the unmanaged switch to a managed switch and configured (via the Switch Management GUI) each outgoing port (one for each room) in Trunk line mode to various Mesh nodes in the rooms, it does not help at all as any Ethernet devices attached to the Nodes Ethernet Ports STILL wouldn't know which VLAN they are associated with (so just default to Primary?), as the Switch in the Nodes just ignore VLAN Tags (is this correct or am I way off base here?).

k.
 

Attachment: VLAN Ports.jpg
If you haven't already seen the following Asus Support document, it may (or may not) have some information that is relevant to your questions or desires:
Thank you for that, no I hadn’t seen it TBH but I’ve now read it quite a few times, trying to get my head around it.

No problem if you’re not sure either, but I’d like to understand your (or anyone’s) interpretation of what it does vs my own interpretation.
  1. The first part of my note above was referring to using the capabilities of the Mesh node switch (without the extra managed switch), which the FAQ does not address, but OK.
  2. The FAQ does however address in part my query on replacing my unmanaged switch with a managed one, between router and the 5 nodes.
  3. My reading of Condition 4 “we target to setup port 1 as VLAN 52, port 2 as VLAN 53 on all AiMesh Router/Node and switch.” is that the Router AND Node AND Switch’s ports 1 and 2 will ALL be VLAN52 and 53 respectively?
  4. While it is clear that you can assign (configure) these on the Router and the Switch, I am not sure how this works with (how it is propagated to) the Node? I see in the example that it configures port 5: untag 1, tag 52, 53 and that the port 5 cable goes to the Node’s WAN Port (standard Mesh setup), but how does the Node then know it’s ports 1 and 2 are VLANs 52 and 53, just from that?
  5. Will this configuration work for multiple Nodes after the switch, e.g. my use case, with 5# cables being configured, similar to port 5? So say a 10 port Switch, 10,9,8,7,6 are all configured like Port 5 (to each Node’s WAN), Port 5 and 4 are configured equivalent to port 4 and 3 in the example, Ports 1 and 2 are VLAN52 and 53. Bit unclear how exactly this all works for multiple nodes, one managed switch.
Anyway, it’d be interesting to try. If I do get myself a managed switch I might try in my local setup before expanding to the larger remote one, with the 5 Node locations.
 
No problem if you’re not sure either, but I’d like to understand your (or anyone’s) interpretation of what it does vs my own interpretation.
While I do have an older managed switch (Netgear GS908E), I haven't experimented with its VLAN features or how its VLAN feature would work with a RT-AX86U Pro's Guest Network Pro/VLAN/SDN at all. Nor have I tried playing with AiMesh nodes and VLAN, only have a couple of RT-AC68U's currently sitting around unused that could be used as AiMesh nodes.
 
While I do have an older managed switch (Netgear GS908E), I haven't experimented with its VLAN features or how its VLAN feature would work with a RT-AX86U Pro's Guest Network Pro/VLAN/SDN at all. Nor have I tried playing with AiMesh nodes and VLAN, only have a couple of RT-AC68U's currently sitting around unused that could be used as AiMesh nodes.
No worries at all, not expecting you to test this for me! It’s my curiosity / needs driving this, so I’ll see how to run it to ground for one node unit at least. If I could ascertain it would extend to multiple Nodes with one multi-port managed switch that would indeed be awesome but I don’t have high expectations.

I only have one Node locally an it’s 3004 so I’m not even sure that will work (the FAQ refers to GNP but does not clarify if that’s for Router AND Nodes).
 

UniFi is not a mesh system by design, but it allows full VLAN control for LAN port on any device with some exceptions. Wired devices with LAN ports - individual port control available (switches, APs with LAN ports). Wireless devices with LAN ports - depends on what device and what it does on the network. If you have a wireless bridge as part of UniFi network for example - it has no VLAN control on the LAN port because it's a bridge... like a connection between two network segments - passes VLANs to the next device. Recently Ubiquiti implemented VLAN control for LAN ports on UX devices in wireless mesh configuration, something missing and users asking for. APs used in unconventional way as bridges - no VLAN control on the LAN port, this type of use is not even documented as a valid configuration, works though on main VLAN only. So basically if the application guidelines are followed - full VLAN control per LAN port and WLAN radio.
 
ASUSWRT is introducing me to VLANs, so not the best way to learn... but since I have a Pro AiMesh, I'll share what I tried recently that seems to work...

My configuration and network. My MoCA2.5 wired backhaul is direct, not through any switch.

I configured this SDN custom VLAN with DHCP:
VLAN 2.4/5.0 OE Guest
WPA2/WPA3-Personal
Access Intranet disabled
DHCP Server enabled (192.168.52.*)
AP Isolated disabled
all nodes

The intended users are guests/untrusted clients that only need Internet access... the goal is to keep as many such 'Internet only' clients off the main LAN/WLANs OE, away from our stuff/data to keep it more secure. I realized my wife only needs Internet access for her mobile phone so it connects to OE Guest... one less attack vector to worry about.

A second goal was to secure the LANx4 ports on the wired node in the garage... it's a bit more exposed out there away from the house.

So I configured the LAN\VLAN\node LANx4 ports:
Mode Access
VLAN Profile OE Guest
(Port Isolation No)

Best I can tell, the node LANx4 ports now only have access to other OE Guest clients (no AP/port isolation) and the Internet. If someone sneaks into the garage and connects to a node LAN port, they will not be able to access the main LAN/WLANs OE.

I have two HDHomeRun Dual TV tuner boxes, one wired to the main LAN OE for our use, and now one wired to the garage node LAN OE Guest for guest use. I now have to connect to the main LAN/WLANs OE or to VLAN OE Guest to access the respective HDHomeRun client.

But what about the garage node MoCA2.5 wired backhaul security... could someone connect to it at the garage node and access the main LAN/WLANs OE? So I wired a client to it and it never seemed to connect... since this backhaul is configured to connect the node, perhaps AiMesh restricts its use to only that, connecting the node(?)

An incidental feature... the HDHomeRun in the garage receives its TV signals directly from the TV antennas in the garage attic, while the HDHomeRun in the house is on the other side of the MoCA network, subject to the intervening coax network losses. So, I can use the HDHomeRun admin app, Config GUI, to roughly compare the TV signals at each HDHomeRun to better know the TV signal degradation across the coax network.

OE
 
I have my wired (in addition to wireless) IoT devices segregated to my IoT guest network VLAN throughout my network.
  1. A managed switch that allows 802.1Q VLAN configuration would allow one to configure access to the AiMesh nodes by room in your scenario. You can configure which VLAN(s) are allowed by VLAN tags.
  2. For AiMesh nodes running 3006 firmware, one can configure which VLAN each AiMesh node's ports belong to using the LAN >> VLAN page on the primary router running 3006 firmware.
 
I have my wired (in addition to wireless) IoT devices segregated to my IoT guest network VLAN throughout my network.
  1. A managed switch that allows 802.1Q VLAN configuration would allow one to configure access to the AiMesh nodes by room in your scenario. You can configure which VLAN(s) are allowed by VLAN tags.
Thanks for this, can I just clarify a couple of things please?

For the above item do you mean a managed switch at the unmanaged switch in the location in the attached OR at the end of each of the 3 cables just before the router in each room?

If the former are you able to confirm that the VLANs replicate identically to the same numbered port on all the Nodes?
  1. For AiMesh nodes running 3006 firmware, one can configure which VLAN each AiMesh node's ports belong to using the LAN >> VLAN page on the primary router running 3006 firmware.
Interesting! So are you saying that with 3006 on the Node (as well as the Router) you don’t need a switch? Really?
 

Attachment: IMG_2079.jpeg
Thanks for this, can I just clarify a couple of things please?

1. For the above item do you mean a managed switch at the unmanaged switch in the location in the attached OR at the end of each of the 3 cables just before the router in each room?

If the former are you able to confirm that the VLANs replicate identically to the same numbered port on all the Nodes?

2. Interesting! So are you saying that with 3006 on the Node (as well as the Router) you don’t need a switch? Really?
  1. I am suggesting a single managed switch to replace the unmanaged switch. On my TP-Link managed switch, VLAN IDs are replicated properly once configured. Even if AiMesh nodes run 3004 (or 386) firmware, the managed switch can restrict traffic to the entire AiMesh node (i.e., you wouldn't be able to configure VLANs separately for individual LAN ports on the AiMesh nodes).
  2. Only if both the primary router and AiMesh nodes run 3006 firmware. On the LAN >> VLAN page, there is an additional panel (just like the primary router's panel) for each 3006 AiMesh node. One final caveat: If you are using the unmanaged switch between primary router and AiMesh nodes, the switch must properly forward VLAN tags — I know (from experience) that TP-Link and QNAP unmanaged switches do, but (at least some) TRENDnet unmanaged switches do not.
Hopefully, this helps, but feel free to ask if there's any confusion.
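To make the port-mode behaviour in the FAQ and in the reply above concrete, here is an added example (not code from the thread, from ASUS or from any switch vendor): a toy 802.1Q forwarding model in Python. The VLAN IDs follow the quoted FAQ (1 = primary, 52 and 53 = custom VLANs); the node port layout, the assumption that a 3004 node's LAN ports stay in the primary VLAN, and the device names are my own constructions.

```python
# Added example (not ASUS or switch-vendor code): toy 802.1Q forwarding model.
# VLAN IDs follow the quoted FAQ; node port layout and 3004 behaviour are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    pvid: int                          # VLAN for untagged ingress; sent untagged on egress
    tagged: frozenset = frozenset()    # VLANs carried with an 802.1Q tag (trunk ports only)

@dataclass(frozen=True)
class Frame:
    src: str
    vid: Optional[int] = None          # None = untagged on the wire

def classify(port: Port, frame: Frame) -> Optional[int]:
    """VLAN a frame is assigned on ingress, or None if the port drops it."""
    if frame.vid is None:
        return port.pvid
    if port.mode == "trunk" and frame.vid in port.tagged:
        return frame.vid
    return None   # tagged frame on an access port, or a VLAN not allowed on the trunk

def forward(switch: dict, in_port: str, frame: Frame) -> dict:
    """Flood one frame from in_port to every other member port of its VLAN.
    Returns {port name: frame as it leaves that port}; non-member ports are absent."""
    vid = classify(switch[in_port], frame)
    out = {}
    if vid is None:
        return out
    for name, port in switch.items():
        if name == in_port:
            continue
        if vid == port.pvid:
            out[name] = Frame(frame.src, None)            # leaves untagged
        elif port.mode == "trunk" and vid in port.tagged:
            out[name] = Frame(frame.src, vid)             # leaves tagged
    return out

# Managed switch from the FAQ: port 1 in VLAN 52, port 2 in VLAN 53,
# port 5 "untag 1, tag 52, 53" cabled to a node's WAN port.
FAQ_SWITCH = {
    "port1": Port("port1", "access", 52),
    "port2": Port("port2", "access", 53),
    "port5": Port("port5", "trunk", 1, frozenset({52, 53})),
}

def node(lan_vlans: dict) -> dict:
    """AiMesh node (assumed layout): WAN is the backhaul, modelled as a trunk carrying
    every VLAN ("All (Default)"); each LAN port is an access port in the VLAN given."""
    ports = {"wan": Port("wan", "trunk", 1, frozenset({52, 53}))}
    for name, vid in lan_vlans.items():
        ports[name] = Port(name, "access", vid)
    return ports

NODE_3004 = node({"lan1": 1, "lan2": 1})     # assumption: LAN ports stay in the primary VLAN
NODE_3006 = node({"lan1": 52, "lan2": 53})   # per-port Access profile set from the router's LAN > VLAN page

def demo():
    # 1. A device on FAQ switch port 1 reaches the node WAN tagged 52.
    a = forward(FAQ_SWITCH, "port1", Frame("iot-cam"))["port5"]
    # 2. On a 3004 node no LAN port is a member of VLAN 52, so no port receives it.
    b = forward(NODE_3004, "wan", a)
    # 3. An untagged device on a 3004 node LAN port lands in the primary VLAN on the backhaul.
    c = forward(NODE_3004, "lan1", Frame("printer"))["wan"]
    # 4. The same device on a 3006 node whose lan1 is Access/VLAN 52 leaves the backhaul tagged 52.
    d = forward(NODE_3006, "lan1", Frame("printer"))["wan"]
    # 5. A VLAN 53 frame from the switch only reaches the 3006 node's lan2, untagged.
    e = forward(NODE_3006, "wan", Frame("tv-tuner", 53))
    return a, b, c, d, e
```

Step 2 is why a 3004 node's LAN ports cannot place a device in VLAN 52 or 53 no matter how the upstream switch is configured, and step 4 is what the per-node panel on 3006 adds.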
 
the managed switch can restrict traffic to the entire AiMesh node (i.e., you wouldn't be able to configure VLANs separately for individual LAN ports on the AiMesh nodes).
Thanks for clarifying this, much appreciated.

Yes, this statement regarding 'wouldn’t … individual … ports' is exactly what I needed clarifying.

So if I wanted an IoT device to be on VLAN53 e.g., I couldn’t just plug it into the (3004 FW) Node’s Ethernet port, I’d need a separate managed switch at the node to achieve that, correct?

On the LAN >> VLAN page, there is an additional panel (just like the primary router's panel) for each 3006 AiMesh node.
.. additional panel … Wow. I don’t see that here as I don’t have a 3006 node in my local system but this is exciting.

It would achieve (I think) what I was hoping to achieve (IoT devices in VLAN53 via each node’s configured Ethernet port) at my remote location, provided nodes are all on 3006. I have a TP-LINK unmanaged switch there.

It’s exciting because each Node’s ports could be properly utilized and obviates the need for an additional switch for just one IoT device, if you want to put that device on the IoT VLAN. Thanks again!

Bonus question; does that panel appear (and work) with just Wi-Fi backhaul?
 
Bonus question; does that panel appear (and work) with just Wi-Fi backhaul?

Sure, why not?... going left or going right around the block still gets you around the block.

The panel 'works' provided a managed switch VLAN setting in the wired backhaul path doesn't mess with AiMesh VLAN control.

Given that a wired node can failover to being a wireless node, I think I understand why AiMesh needs VLANs to be implemented by AiMesh to be effective regardless of wired or wireless backhaul, and not touched by a managed switch in the wired backhaul path, which cannot affect a wireless backhaul.

Excuse any awkward terminology! :-)

OE
 
Sure, why not?... going left or going right around the block still gets you around the block.

The panel 'works' provided a managed switch VLAN setting in the wired backhaul path doesn't mess with AiMesh VLAN control.

Given that a wired node can failover to being a wireless node, I think I understand why AiMesh needs VLANs to be implemented by AiMesh to be effective regardless of wired or wireless backhaul, and not touched by a managed switch in the wired backhaul path, which cannot affect a wireless backhaul.

Unless one enables Ethernet Backhaul Mode...

Excuse any awkward terminology! :-)

OE
 
Thank you both! This is great!

@visortgw if you have a screen cap of those multiple panels for the nodes it would be nice to see what that all looks like.
So if I wanted an IoT device to be on VLAN53 e.g., I couldn’t just plug it into the (3004 FW) Node’s Ethernet port, I’d need a separate managed switch at the node to achieve that, correct?

Not sure if you caught this question above?
 
Thank you both! This is great!

@visortgw if you have a screen cap of those multiple panels for the nodes it would be nice to see what that all looks like.


Not sure if you caught this question above?
Two screenshots to catch it all — MAC addresses have been redacted:
Screenshot 2025-05-03 at 21.09.00.png

Screenshot 2025-05-03 at 21.09.42.png


As far as your question above, in theory, a managed switch replacing your unmanaged switch might be able to limit traffic to one or more VLANs going to all of the LAN ports on the AiMesh node — I have not tried that. Replacing your node with a 3006-capable node may be easier to configure and manage as well as more cost effective.
 
Two screenshots to catch it all — MAC addresses have been redacted:
Oh that is so awesome 👏 thank you. I hadn’t expected that TBH. Definitely an advantage of 3006 based nodes, saves a bunch of switches if you have the Nodes anyway; just makes good sense.
As far as your question above, in theory, a managed switch replacing your unmanaged switch might be able to limit traffic to one or more VLANs going to all of the LAN ports on the AiMesh node — I have not tried that. Replacing your node with a 3006-capable node may be easier to configure and manage as well as more cost effective.
Absolutely agree on your last point and as in one of my posts above I might splash out on cheap managed switch to see what happens with 3004 based nodes, wired and wireless.

Cheers, k.
 
Unless one enables Ethernet Backhaul Mode...

True, but I've decided to keep wireless backhauls in play in the spirit of AiMesh self-healing, and to design my network accordingly. That said, my MoCA wired backhaul will never failover to wireless backhaul unless the wired backhaul failure disables the node-end Ethernet link... if Ethernet on the node-end stays healthy, the node fails to detect the loss of wired backhaul comms and will never failover to wireless backhaul. ASUS needs to improve how a node detects wired backhaul failure... simply relying on the presence of Ethernet at the node is not good enough!

I discovered this when a UPS holding up the router-end MoCA adapter died. The node lost wired backhaul comms but never noticed. Security cams stayed connected to the node WiFi but could not be accessed. I was traveling and couldn't use the cams. I would have preferred that the node had died because the cams would have reconnected weakly to the router WiFi and I would have retained their use while traveling instead of being left in the dark.

OE
 
True, but I've decided to keep wireless backhauls in play in the spirit of AiMesh self-healing, and to design my network accordingly. That said, my MoCA wired backhaul will never failover to wireless backhaul unless the wired backhaul failure disables the node-end Ethernet link... if Ethernet on the node-end stays healthy, the node fails to detect the loss of wired backhaul comms and will never failover to wireless backhaul. ASUS needs to improve how a node detects wired backhaul failure... simply relying on the presence of Ethernet at the node is not good enough!

I discovered this when a UPS holding up the router-end MoCA adapter died. The node lost wired backhaul comms but never noticed. Security cams stayed connected to the node WiFi but could not be accessed. I was traveling and couldn't use the cams. I would have preferred that the node had died because the cams would have reconnected weakly to the router WiFi and I would have retained their use while traveling instead of being left in the dark.

OE
The perfect storm!
 
MoCA wired backhaul

Does AiMesh recognize your MoCA connection at all?

1746366605286.png


Agree the backhaul has to be connection monitoring based.
 
Does AiMesh recognize your MoCA connection at all?

View attachment 65477

Agree the backhaul has to be connection monitoring based.

Good question... I don't think so but I'll review it when I get home in a few days. The AiMesh map just shows the green double lines and reports Great 2.5GbE.

Connection monitoring is the sort of thing that might eventually show up in a firmware update... or not.

OE
 