Switch capabilities of AIMesh Nodes?

[visortgw]

It appears from your signature that you're running Merlin on your AiMesh nodes. I wonder if installing it on one my nodes would yield a different result.

Not sure if it would. I recently switched back to Merlin on the nodes due to the IoT WPA2/WPA3 issues with recent Asus firmware — the GT-AX6000 and GT-AXE16000 had not been patched by Asus yet (and they still haven't).

And I was just thinking... I don't believe that Merlin firmware is available for the RT-BE58U...

 

[visortgw]

From the Asus website, I don't see any mention of VLAN support for the RT-BE58U.

 

[visortgw]

I found an Asus Support FAQ that lists VLAN supported models:

• GT-AX11000 Pro
• GT-AXE16000
• GT-BE19000
• RT-AX88U Pro
• RT-AX86U Pro
• RT-BE96U
• RT-AX57 Go
• RT-BE88U
• RT-BE86U
• GT-AX6000
• GT-BE98
• GT-BE98 Pro
• GT-BE96
• ExpertWiFi : EBG19P, EBM68, EBR63, EBG15, EBA63

 

[jksmurf]

I found an Asus Support FAQ that lists VLAN supported models:

• GT-AX11000 Pro
• GT-AXE16000
• GT-BE19000
• RT-AX88U Pro
• RT-AX86U Pro
• RT-BE96U
• RT-AX57 Go
• RT-BE88U
• RT-BE86U
• GT-AX6000
• GT-BE98
• GT-BE98 Pro
• GT-BE96
• ExpertWiFi : EBG19P, EBM68, EBR63, EBG15, EBA63

lol, you’ve done it again, nailed it, thank you.

That could well be (is the most likely) explanation. So it’s not so much about Nodes with the 3006 codebase, but rather Nodes that support VLANs (which incidentally are ones that are on the 3006 codebase) i.e. there may be some Nodes on 3006 that do not support VLANs.

[EDIT] Pretty short list of unobtrusive nodes though, only a few like the RT-AX57U Go and the EBG15 that don’t have external antennas. The RT-AX86U Pro [EDIT] is not too big, but still has external antennas.

 

[visortgw]

lol, you’ve done it again, nailed it, thank you.

That could well be (is the most likely) explanation. So it’s not so much about Nodes with the 3006 codebase, but rather Nodes that support VLANs (which incidentally are ones that are on the 3006 codebase) i.e. there may be some Nodes on 3006 that do not support VLANs.

[EDIT] Pretty short list of unobtrusive nodes though, only a few like the RT-AX57U Go and the EBG15 that don’t have external antennas. The RT-AX86U is not too big, but still has external antennas.

That's RT-AX86U PRO, not RT-AX86U.

 

[Seth Harman]

Luckily managed switches are really cheap these days so if you need that functionality and it's not available from your nodes it isn't that big of a deal.

 

[jksmurf]

Luckily managed switches are really cheap these days so if you need that functionality and it's not available from your nodes it isn't that big of a deal.

Yeah true but as per my note above it’s an extra item, cables, power source, lights. When you might need three to five of them it’s just a bit ugly to hide it all.

 

[Seth Harman]

Yeah true but as per my note above it’s an extra item, cables, power source, lights. When you might need three to five of them it’s just a bit ugly to hide it all.

Based on the list of Asus devices that support VLAN it appears to be significantly less expensive to buy a few managed switches to connect to your nodes rather than replace your nodes (the managed switches I use are $18 USD at Amazon). As far as size goes the 8-port switches are pretty small so they're fairly easy to make unobtrusive. As well, the TL-SG108E switches that I use have a function to turn off the LEDs if that's a concern, so I'm assuming the TL-SG105E (5-port version) also has that function.

 

[visortgw]

Based on the list of Asus devices that support VLAN it appears to be significantly less expensive to buy a few managed switches to connect to your nodes rather than replace your nodes (the managed switches I use are $18 USD at Amazon). As far as size goes the 8-port switches are pretty small so they're fairly easy to make unobtrusive. As well, the TL-SG108E switches that I use have a function to turn off the LEDs if that's a concern, so I'm assuming the TL-SG105E (5-port version) also has that function.

Great info. I wasn't aware of the managed versions switches from TP-Link — I have used literally dozens of the unmanaged versions of these switches (1, 2.5, and 10 Gbps), over the years. Currently, both the 8-port and 5-port versions are both $25 US on Amazon.

 

[Seth Harman]

Great info. I wasn't aware of the managed versions switches from TP-Link — I have used literally dozens of the unmanaged versions of these switches (1, 2.5, and 10 Gbps), over the years. Currently, both the 8-port and 5-port versions are both $25 US on Amazon.

Yeah, they're dirt cheap and I've had no issues with them so I think they're a great value for the price if you need to add on VLAN functionality. I didn't know anything about VLANs when I bought them so for the first day trying to get them configured properly really messed up my brain as I just couldn't wrap my head around the configuration, but then I found a post on one of the TP-Link forums by a guy that made it very easy to understand and walked through the process step-by-step so I was able to get them dialed in. As @jksmurf pointed out it's much cleaner if you can VLAN tag using your AiMesh nodes but I'm not going to spend hundreds of dollars per node to upgrade them all when I can drop $25 on switches like these and accomplish the same thing. As well, my house is wired with Ethernet so I've got wired devices in places where there aren't nodes, so the switches let me add those devices to the Guest Network VLANs without being directly connected to any of the Asus hardware.

 

[Seth Harman]

@jksmurf By the way, maybe I misunderstood your previous post but when you added the managed switch to the mix did you plug the AiMesh node into the managed switch and then run an uplink from the managed switch to the main router? If so, I'm curious why you did that instead of plugging the managed switch into one of the node's LAN ports and then just connect whatever devices you wanted tagged to the managed switch instead of the node.

 

[visortgw]

@jksmurf By the way, maybe I misunderstood your previous post but when you added the managed switch to the mix did you plug the AiMesh node into the managed switch and then run an uplink from the managed switch to the main router? If so, I'm curious why you did that instead of plugging the managed switch into one of the node's LAN ports and then just connect whatever devices you wanted tagged to the managed switch instead of the node.

I believe that @jksmurf wanted to prevent access to unrestricted ports on the AiMesh nodes.

 

[Seth Harman]

I believe that @jksmurf wanted to prevent access to unrestricted ports on the AiMesh nodes.

Assuming you haven't setup any firewall rules that allows a given VLAN to access the main LAN wouldn't tagging devices connected to the switch with anything other than VLAN ID 1 prevent that anyway?

 

[visortgw]

Assuming you haven't setup any firewall rules that allows a given VLAN to access the main LAN wouldn't tagging devices connected to the switch with anything other than VLAN ID 1 prevent that anyway?

That makes sense.

 

[Seth Harman]

That makes sense.

So assuming I'm correct, I'd argue having less hops for the backhaul is not only more efficient/clean but eliminates the possibility that any configuration issues on the managed switch will cause the node to disconnect like @jksmurf described. I know the pain, when I wasn't fully dialed in on how to configure the VLANs on the managed switch I ended up blocking myself from being able to access it several times due to erroneous configuration and had to factory reset each time so I could start over.

 

[jksmurf]

Based on the list of Asus devices that support VLAN it appears to be significantly less expensive to buy a few managed switches to connect to your nodes rather than replace your nodes (the managed switches I use are $18 USD at Amazon). As far as size goes the 8-port switches are pretty small so they're fairly easy to make unobtrusive. As well, the TL-SG108E switches that I use have a function to turn off the LEDs if that's a concern, so I'm assuming the TL-SG105E (5-port version) also has that function.

Good discussion!

• Yes if it’s simply down to cost then the switches attached to each node (as I concluded in one of my two options above) work out far cheaper, there’s no denying that.
• I have the TL-SG105E and yes it’s pretty small.
• Disabling the LEDs is a function I really wanted and was a strong reason for selecting that make and model. It’s surprising how many Switches do not have that capability. On the 8 port equivalent you can do the same but beware that on many other of the TP-Link Switches you cannot disable them, so if it’s important to you, check the manual.

…. I just couldn't wrap my head around the configuration, but then I found a post on one of the TP-Link forums by a guy that made it very easy to understand and walked through the process step-by-step so I was able to get them dialed in.

If you still have that link it’d be useful for future reference, thanks.

As @jksmurf pointed out it's much cleaner if you can VLAN tag using your AiMesh nodes but I'm not going to spend hundreds of dollars per node to upgrade them all when I can drop $25 on switches like these and accomplish the same thing.

True. If you’re upgrading anyway, it makes sense but TBH I thought there were a lot more VLAN capable units than @visortgw listed from ASUS source. I thought there’d be some of the ZenWifi internal antenna type of models that are “stuff it under the bed and antennas can’t be wrecked by a 3-year old” friendly.

As well, my house is wired with Ethernet so I've got wired devices in places where there aren't nodes, so the switches let me add those devices to the Guest Network VLANs without being directly connected to any of the Asus hardware.

That is almost identical to my remotely managed (my folks house) setup. Hence the 3 to 5 switches, currently there are 3 nodes but 5 Ethernet jacks.

@jksmurf By the way, maybe I misunderstood your previous post but when you added the managed switch to the mix did you plug the AiMesh node into the managed switch and then run an uplink from the managed switch to the main router? If so, I'm curious why you did that instead of plugging the managed switch into one of the node's LAN ports and then just connect whatever devices you wanted tagged to the managed switch instead of the node.

Excellent question. Yes I did put the switch between the router and the node, initially. Why? Two reasons and no blame here btw, I always wanted to get a managed switch to try this

• @bennor asked in this post further up the thread if I’d seen ASUS recommendations on putting a amanaged switch between Router and Node. So after I bought the little TL-SG105E as a trial, I did exactly that and this is what the spiel above was all about i.e. that it did not work for me, as the Node (apparently) can’t just be on 3006, it must be VLAN-capable (so it begs the question why do you even need the switch, but maybe there’s other reasons you might).
• @visortgw suggested in this post that I might be able to replace the (8 port) unmanaged switch (see picture in the post above it) with a managed switch I.e “I am suggesting a single managed switch to replace the unmanaged switch. On my TP-Link managed switch, VLAN IDs are replicated properly once configured. Even if AiMesh nodes run 3004 (or 386) firmware, the managed switch can restrict traffic to the entire AiMesh node (i.e., you wouldn't be able to configure VLANs for separately individual LAN ports on the AiMesh nodes)”.
• I only tried the ASUS configuration mentioned above (switch between router and node), as my primary focus was to see if i could get Node ports to assign a specific subnet to attached devices.
• I did not try any other configuration on the switch e.g. “to restrict traffic to the entire mesh node” as this was not my primary focus. It might be useful to do that at my folks place anyway, but on that system I wanted to attach ESP32s to the mesh node and have them on the IoT network.

I believe that @jksmurf wanted to prevent access to unrestricted ports on the AiMesh nodes.

As above and apologies for not being clear on this in the beginning, that was not my primary focus (but I might look at how to do that anyway, somewhere down the line). The nodes have all 3 VLANs for Wi-Fi devices.

So assuming I'm correct, I'd argue having less hops for the backhaul is not only more efficient/clean but eliminates the possibility that any configuration issues on the managed switch will cause the node to disconnect like @jksmurf described.

Agree. So in order of fewer hops preference for a system that would give you ports on a specific subnet (on Node or Switch), my take would be VLAN Router-VLAN Node, VLAN Router-Node-Switch, VLAN Router-Switch-VLAN Node.

I know the pain, when I wasn't fully dialed in on how to configure the VLANs on the managed switch I ended up blocking myself from being able to access it several times due to erroneous configuration and had to factory reset each time so I could start over.

I’m glad I wasn’t the only one struggling with this. I think the way e.g. ASUS FAQ says to configure which ports are tagged or untagged vs the way the Switch GUI configures these using VLAN IDs, then ports, is confusing.

 

[Seth Harman]

If you still have that link it’d be useful for future reference, thanks.

https://community.tp-link.com/en/business/forum/topic/105250 you'll want to look at Post #5.

I also found this which was useful information specific to TP-Link link managed switches as for some reason they say Tagged/Untagged instead of Trunk/Access in the management interface:

Feature	Tagged (Trunk) Ports	Untagged (Access) Ports
VLAN Handling	Carries traffic from multiple VLANs	Carries traffic from a single VLAN
Tagging	Adds or removes VLAN tags as needed	Only handles traffic for a single VLAN (untagged)
Use Cases	Inter-switch links, routers	End devices (computers, printers, etc.)
Configuration	Requires specifying which VLANs are allowed	Requires specifying the single VLAN ID

 

[Seth Harman]

Excellent question. Yes I did put the switch between the router and the node, initially. Why? Two reasons and no blame here btw, I always wanted to get a managed switch to try this

• @bennor asked in this post further up the thread if I’d seen ASUS recommendations on putting a amanaged switch between Router and Node. So after I bought the little TL-SG105E as a trial, I did exactly that and this is what the spiel above was all about i.e. that it did not work for me, as the Node (apparently) can’t just be on 3006, it must be VLAN-capable (so it begs the question why do you even need the switch, but maybe there’s other reasons you might).

The reason is if you plug the managed switch into one of the node's LAN ports you can take whatever wired devices you want on VLANs, plug them into the managed switch LAN ports, tag them with the VLANs you want to assign, and the node will pass those VLAN tags all the way to the router regardless if the node supports VLANs on its physical ports or not. I'm doing exactly this with both of my managed switches to get around the fact that my nodes don't directly support VLAN tagging on their LAN ports. For example, on one of those managed switches I have a security camera NVR plugged into it, I've tagged that LAN port on the switch as VLAN ID 53, and now it's part of my Guest Network Pro IoT VLAN and can see all the wireless cameras that are on that WiFi VLAN.

 

[jksmurf]

For example, on one of those managed switches I have a security camera NVR plugged into it, I've tagged that LAN port on the switch as VLAN ID 53, and now it's part of my Guest Network Pro IoT VLAN

Yup; that’s exactly where I’ve landed with the test switch. The test ESP32 works fine in that configuration, see Switch settings that made it work for me.

For my folks place I was hoping one (hidden in the wall) managed switch between router and 5 node points would work, but the solution (if I want to go that way) is 5 Switches, given current Node Hardware.

As regards putting the Switch between the Router and the Node, one caveat which I mentioned above, was that you cannot use the backhaul AIMesh Port as a simultaneous trunk line Router to Switch, so unfortunately, as far as I can tell, you cannot configure it as the Trunk Port referred to in post 5 of the excellent TP Link example you referred to.

Thanks @Seth Harman for the TP Link references, much appreciated . Step 3 was particularly useful i.e.“Step 3: Now assign port 1 as a tagged member of VLAN 10 and 80 and remove ports 2-4 as members of VLAN 1 (check "Not member"). Leave ports 1 and 5 untagged in VLAN 1 so you don't get disconnected on port 1 (or use another port)”. I.e. due to idiosyncrasies in the way the TP Link configures members/non-members for VLAN 1 initially, you have to add them all, then remove the ones you don’t want afterwards. Neat.

 

[jksmurf]

Regarding ESP32s I went from wireless to wired for reliability, the irony now being that wireless goes straight to a VLAN by virtue of the SSID whereas you have to jump through all these hoops for wired versions.

Most of the Node or Ethernet locations (with PoE incidentally) will only have the Node and/or the ESP32-S3-Eth-PoE in a nice small unobtrusive housing that I can stick to the wall at the jack or put under the bed.

So what I’d love to see is one of the current (or more advanced Px?) ESP32s to include a small single-board integrated Switch, now that would be perfect. I don’t really need a multi-port managed switch at all locations (certainly not just for this purpose). If such an animal were to exist I could dispense with multiport powered Switches or the notion of VLAN capable Nodes. Bring it on developers .