
Tag guest SSID traffic with VLAN

Discussion in 'Asuswrt-Merlin' started by galapogos01, Jul 9, 2015.

  1. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    Hi guys,

    I have found loads of threads relating to this topic but unfortunately none that solve my problem.

    I run my AC66U in AP mode. I have a Linux box as my NAT gateway, and have added a VLAN 2 to its LAN interface, which will keep Guest traffic separate from my default LAN.

    I would like to tag all traffic that comes via the Guest SSID on my AC66U with VLAN 2.

    Any advice appreciated.

    Jason
     
  3. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,272
    Location:
    texas
    I would think as long as you have your guest traffic tagged, it can run on a trunked port with all the other traffic. This still keeps the traffic separate. You don't really need to physically separate the traffic flow.

    PS
    I read your post again and it sounds more like you are having trouble assigning a tag to guest traffic, which I can't help you with as I don't own an ASUS router.
     
    Last edited: Jul 9, 2015
  4. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    Agreed. Maybe my question was not clear enough - I'm not looking for physical separation.

    How do I tag traffic coming in on the guest SSID with VLAN2?

    Jason
     
  5. starfall

    starfall Occasional Visitor

    Joined:
    Nov 4, 2014
    Messages:
    19
    Have you looked at this thread? - http://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187

    Using a services-start script, I tagged VLAN9 onto LAN port 4 (port 5 is the internal port used by the ASUS), created VLAN9 on the internal interface, then bridged it with Guest network 1 on both 2.4 GHz (wl0.1) and 5 GHz (wl1.1). Then you need to update nvram and restart eapd. Works 100%.

    If you want VLAN 9 on another port, just remap VLAN 1 (which is default LAN in AP mode), and VLAN 9. Change the top of my script in the following way -

    Code:
    robocfg vlan 1 ports "0 1 2 3 5t"
    robocfg vlan 9 ports "4 5t"
    vconfig add eth0 9
    ifconfig vlan9 up
    
    This will make LAN port 4 use VLAN9 untagged, and that port will be bridged to your Guest network 1.
     
  6. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    Yours was one of the few scripts I saw that came close. The other was http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/ but the people who were close moved to Tomato!

    If I understand it correctly, your setup has a dedicated port (Port 4) for the VLAN9 traffic to your AP. You are not using a trunk port for your uplink, where both tagged and untagged traffic can go on the one interface. Is my understanding of your setup correct?

    What I am looking for is this
    Code:
                               [-------------------]          [---------------------------]
                               |                   |          | Asus AC66U                |
                               | Internet     eth0 |          |               SSID1 (eth0)|
    [internet]--[cable modem]--| Gateway       |   |----------| Port 1                    |
                               | (Linux)    eth0.2 |          |             SSID2 (eth0.2)|
                               |                   |          |                           |
                               [-------------------]          [---------------------------]
    
    My internet gateway has two physical interfaces, one for WAN (eth1) and one for LAN (eth0). The LAN interface is trunked with a 2nd VLAN (eth0.2) which has a separate IP range and limited internet connectivity.

    I want to run one lead to the Asus, where the untagged traffic is bridged with SSID1 (full LAN access), and the trunked VLAN (2) is bridged with SSID2 (for limited guest internet).

    If your script does this, maybe I am missing it...?
     
  7. starfall

    starfall Occasional Visitor

    Joined:
    Nov 4, 2014
    Messages:
    19
    Yes, my original script does exactly what you want, but for VLAN9 -

    Code:
    robocfg vlan 9 ports "4t 5t"
    
    This means that VLAN 9 is tagged on port 4 (as well as port 5, the internal port).

    You shouldn't use VLAN2 as that conflicts with the internal VLAN numbering of the router. VLANs 1, 2 and 3 are used by the router depending on which mode (router, AP, media bridge, etc.) it is in and whether dual-WAN is on. So you should avoid those VLAN numbers.

    SSH into your router and do a robocfg show for more info. I think the AC87U uses port 8 as the internal port, for example.

    Also, be aware that my script is for the AC68U. The AC66U may have a different internal port, and also, I heard you might not need to make the NVRAM changes and restart eapd.
     
    Last edited: Jul 11, 2015
  8. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    Thanks heaps for your help & patience. I finally got an hour or two to play and, after making a rookie mistake (dropping the t on the vlan 9 port definition), I got the vlan working on the router. Without the t it would drop the untagged traffic. Now from the router I can ping my vlan interface on my gateway, and the same the other way.

    Where I've got to now is that even after restarting eapd, I can't connect to the guest SSID. It's secured with WPA2. I read about the same issue in http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/ but didn't see a fix.

    The only thing I haven't done from your suggested script is the nvram changes, partially because I don't understand them and partially because they are semi-permanent (whereas if I break things with robocfg/brctl/vconfig I can just reboot).

    My current script
    Code:
    # default
    robocfg vlan 1 ports "0 1 2 3 4 8t"
    
    # vlan-port setup
    robocfg vlan 9 ports "1t 8t"
    vconfig add eth0 9
    #for testing only ifconfig vlan9 192.168.2.50 up
    ifconfig vlan9 up
    
    # create a new bridge for the wifi and the vlan; add the ifs
    brctl addbr br1
    brctl addif br1 vlan9
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    
    # bring the bridge if up with an addy
    ifconfig br1 192.168.2.50 up
    
    Current switch and bridge config (even though port 1 shows vlan9, it's also passing untagged traffic to vlan1)
    Code:
    /tmp/home/root# robocfg show
    Switch: enabled gigabit
    Port 0:  DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 1: 1000FD enabled stp: none vlan: 9 jumbo: off mac: 74:d4:35:ea:c8:12
    Port 2:  DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 3:  10FD enabled stp: none vlan: 1 jumbo: off mac: d0:50:99:5f:45:7d
    Port 4:  DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: ac:22:0b:d0:77:88
    VLANs: BCM53115 enabled mac_check mac_hash
      1: vlan1: 0 1 2 3 4 8t
      2: vlan2: 8t
      9: vlan9: 1 8t
    
    /tmp/home/root# brctl show
    bridge name  bridge id  STP enabled  interfaces
    br0  8000.ac220bd07788  no  vlan1
      eth1
      eth2
    br1  8000.ac220bd07788  no  vlan9
      wl0.1
    
    Any tips appreciated.
     
  9. starfall

    starfall Occasional Visitor

    Joined:
    Nov 4, 2014
    Messages:
    19
    No worries. I had this exact problem on my first attempt, which led to the nvram changes and eapd restart. It seems that without the nvram changes, eapd does not authenticate on the new bridge.

    Basically the nvram setting tells eapd which interfaces it needs to listen on for authentication requests. To clarify, eth1 and eth2 are your current main wireless SSIDs. Also, wl0.2 and wl1.2 are my secondary SSIDs that I use to force clients onto 2.4 GHz or 5 GHz, so you can skip them.

    In light of your setup, I propose the following. It really shouldn't lock you out, and you can save your existing nvram settings first.

    Code:
    # default
    robocfg vlan 1 ports "0 1 2 3 4 8t"
    
    # vlan-port setup
    robocfg vlan 9 ports "1t 8t"
    vconfig add eth0 9
    #for testing only ifconfig vlan9 192.168.2.50 up
    ifconfig vlan9 up
    
    # create a new bridge for the wifi and the vlan; add the ifs
    brctl addbr br1
    brctl addif br1 vlan9
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    
    # bring the bridge if up with an addy
    ifconfig br1 192.168.2.50 up
    
    # make eapd listen on the new bridge
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    
    nvram set lan1_ifnames="vlan9 wl0.1"
    nvram set lan1_ifname="br1"
    
    # restart eapd to put changes in effect
    nvram commit
    killall eapd
    eapd
    
    
    I also suggest an iptables rule to prevent the AP routing between your guest network and main network, just in case IP forwarding hasn't been turned off in the kernel. I don't have an IP for the AP on the guest network, so it's not a problem for me.
     
    Last edited: Jul 12, 2015
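    The procedure from the two posts above (guest VLAN tagged on the trunk and CPU ports, a second bridge for the guest radios, lan1_ifnames so eapd listens on it, and the forwarding guard) written up as one reusable services-start helper with the checks a careful admin would want. This is an added example, not starfall's or the firmware's script; it assumes eth0 is the switch-facing interface, that the trunk and CPU port numbers are taken from "robocfg show" on your model, and that DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Guest-SSID VLAN helper for an Asuswrt-Merlin AP (added example, not the thread's script).
# Assumes: eth0 is the switch-facing interface; trunk/CPU port numbers come from
# "robocfg show" on your model; DRY_RUN=1 (default) prints commands instead of running them.

# VLAN IDs 1-3 are used by the firmware itself (router/AP/media-bridge/dual-WAN modes).
vlan_is_reserved() {
    case "$1" in
        1|2|3) return 0 ;;
        *)     return 1 ;;
    esac
}

# The guest VLAN must be tagged on both the uplink (trunk) port and the internal CPU port.
guest_vlan_ports() { printf '%st %st' "$1" "$2"; }

# Refuse a port spec with an untagged member: a bare port number strips the tag on egress.
ports_all_tagged() {
    for p in $1; do
        case "$p" in *t) ;; *) return 1 ;; esac
    done
    return 0
}

# True when the kernel would route between bridges (path is a parameter so it can be tested).
ip_forward_enabled() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }

run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# setup_guest_vlan VID TRUNK_PORT CPU_PORT "GUEST_WL_IFS"   e.g. 9 1 8 "wl0.1 wl1.1"
setup_guest_vlan() {
    vid=$1; trunk=$2; cpu=$3; guest_ifs=$4
    if vlan_is_reserved "$vid"; then echo "VLAN $vid is reserved by the firmware" >&2; return 1; fi
    spec=$(guest_vlan_ports "$trunk" "$cpu")
    ports_all_tagged "$spec" || return 1
    run robocfg vlan "$vid" ports "$spec"
    run vconfig add eth0 "$vid"
    run ifconfig "vlan$vid" up
    # Second bridge: guest radios leave br0 (main LAN) and join br1 with the tagged VLAN.
    run brctl addbr br1
    run brctl addif br1 "vlan$vid"
    for w in $guest_ifs; do run brctl delif br0 "$w"; run brctl addif br1 "$w"; done
    run ifconfig br1 up
    # Tell eapd about the new bridge, otherwise WPA2 clients cannot authenticate on it.
    run nvram set "lan1_ifnames=vlan$vid $guest_ifs"
    run nvram set "lan1_ifname=br1"
    run nvram commit
    run killall eapd
    run eapd
    # Even in AP mode, stop the box routing between guest and main if forwarding is on.
    if ip_forward_enabled "${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"; then
        run iptables -I FORWARD -i br1 -o br0 -j DROP
        run iptables -I FORWARD -i br0 -o br1 -j DROP
    fi
}
```

    Review the printed command list first, then re-run with DRY_RUN=0 from services-start once the port numbers match your model's robocfg show output.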
  10. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    It works! Thanks heaps for your help.

    ip_forward is turned off on the Asus. Now to tidy up the routing on my gateway.

    Jason
     
  11. Gill

    Gill Occasional Visitor

    Joined:
    Apr 22, 2015
    Messages:
    33
    Location:
    B.C Canada
    Hi guys, I also have been looking for a while to get this working. Basically I have 2 VLANs, 10 (Home) and 20 (Guest). My router is an Asus 87U. Can you guys check if the configuration is right for my device?
    I am looking for vlan10 to merge with bridge 0 and the public or guest vlan 30 to bridge to br1. I can't get my head around the LAN ifname variables. All the routing is to be done at a Cisco router. Any help would be greatly appreciated. Thanks.

    Code:
    #Model { WAN L1 L2 L3 L4 CPU }
    #RTAC87U: { 0, 5, 3, 2, 1, 7 }


    #!/bin/sh
    PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
    rm /tmp/000services-start

    robocfg vlan 1 ports "0t 7t"
    robocfg vlan 10 ports "0t 5 3 2 1 7t"
    robocfg vlan 30 ports "0t 7t"

    vconfig add eth0 10
    ifconfig vlan10 up

    vconfig add eth0 30
    ifconfig vlan30 up

    ifconfig br0 down
    brctl delbr br0
    brctl addbr br0

    ifconfig br1 down
    brctl delbr br1
    brctl addbr br1

    brctl delif br0 wl0.1

    brctl addif br0 wl0
    brctl addif br0 wl1
    brctl addif br0 vlan10

    brctl addif br1 wl0.1
    brctl addif br1 wl1.1
    brctl addif br1 vlan30

    ifconfig br0 up
    ifconfig br1 up

    nvram set lan_ifnames="vlan1 eth0 eth1"
    nvram set lan_ifname="br0"

    nvram set lan1_ifnames="vlan10 wl0 wl1"
    nvram set lan1_ifname="br0"

    nvram set lan2_ifnames="vlan30 wl0.1 wl1.1"
    nvram set lan2_ifname="br1"

    nvram commit

    killall eapd
    eapd


    Some output from my device:
    Code:
    RT-AC87U-B498:/tmp/home/root# robocfg show vlan
    Switch: enabled
    Port 0: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XX:XX:XX:XX:XX:XX
    Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    VLANs: BCM5301x enabled mac_check mac_hash
    1: vlan1: 0 1 2 3 5 7t
    2: vlan2: 7t
    1045: vlan1045: 1t 3t 4t
    1046: vlan1046: 0t 2
    1047: vlan1047: 0t 3t 4t 5 7 8t
    1099: vlan1099: 2 3 7t
    1100: vlan1100: 1 3 4t 8t
    1101: vlan1101: 0 2 4 7t
    1102: vlan1102: 0 1 2t 3t 5 7t
    1103: vlan1103: 1 2t 8u

    @RT-AC87U-B498:/tmp/home/root# nvram show | grep ifnames
    size: 39020 bytes (26516 left)
    wl0_vifnames=wl0.1 wl0.2 wl0.3
    wl1_vifnames=wl1.1 wl1.2 wl1.3
    dpsta_ifnames=
    lan_ifnames=vlan1 eth1 wifi0 wl0.1
    wan_ifnames=eth0
    wl_ifnames=eth1 wifi0
    wl_vifnames=wl1.1 wl1.2 wl1.3
    acs_ifnames=eth1

    RT-AC87U-B498:/tmp/home/root# brctl show
    bridge name bridge id STP enabled interfaces
    br0 8000.xxxxxxxxxxxx yes vlan1
    eth1
    wl0.1
     
  12. Gill

    Gill Occasional Visitor

    Joined:
    Apr 22, 2015
    Messages:
    33
    Location:
    B.C Canada
    I was able to get everything working, but somehow my 5 GHz antenna gets disabled and the GUI shows it's on, but nothing connects to it... no SSID... cannot create a guest SSID on it either. Working config below. Am I missing something?

    Code:
    robocfg vlan 1 ports ""
    robocfg vlan 10 ports "0t 5 3 2 1 7t"
    robocfg vlan 30 ports "0t 7t"
    vconfig rem vlan1
    vconfig add eth0 10
    ifconfig vlan10 up
    vconfig add eth0 30
    ifconfig vlan30 up
    brctl delif br0 wl0.1
    brctl delif br0 vlan1
    brctl addif br0 vlan10
    brctl addif br0
    brctl addbr br1
    brctl addif br1 wl0.1
    brctl addif br1 vlan30
    ifconfig br1 up
    nvram set lan_ifnames="vlan10 eth0 eth1"
    nvram set lan_ifname="br0"
    nvram set lan1_ifnames="vlan30 wl0.1"
    nvram set lan1_ifname="br1"
    nvram commit
    killall eapd
    eapd
     
  13. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    I am far from an expert, but IIRC if you use a separate SSID for 5 GHz you get either an additional eth interface or wl interface. Also, why do you drop vlan1?

    BTW, your original post says the guest network is VLAN 20, but in your script it's 30.
     
  14. Gill

    Gill Occasional Visitor

    Joined:
    Apr 22, 2015
    Messages:
    33
    Location:
    B.C Canada
    Oh yeah, sorry, a typo. Guest VLAN is 30. I thought it would be better to remove vlan 1 since I wasn't using it. I think you are right that the device is supposed to use a different physical interface, which is wl1, and its name in nvram is wl1 = wifi0, but when I add that interface to nvram set lan_ifnames it gives me an error saying it doesn't exist, and when I do ifconfig I don't see that interface, even though 5 GHz is running in AP mode. Maybe it's a thing with the AC87U?
     
  15. Gill

    Gill Occasional Visitor

    Joined:
    Apr 22, 2015
    Messages:
    33
    Location:
    B.C Canada
    Does anyone know what I am missing? Everything else works fine; it's just the 5 GHz band that doesn't work, and when I go to the settings for 5 GHz after running the script the router reboots. I tried this as well

    Code:
    nvram set lan_ifnames="vlan10 eth0 eth1 wifi0"

    but then the script doesn't run and nothing, no vlan, no bridge, gets created.
     
  16. galapogos01

    galapogos01 New Around Here

    Joined:
    Jul 9, 2015
    Messages:
    7
    Use the stock output above to work out which of the interfaces is the 5 GHz SSID. Your script does not seem to include all of the ifs in your stock output. That's all I have to suggest.
     
  17. clifton.stokes

    clifton.stokes New Around Here

    Joined:
    Dec 4, 2014
    Messages:
    6
    I have recently had to replace my whole router/network configuration to increase my speed. I am now using two routers, an RT-AC66 and an RT-N66. I have been a little disappointed with the guest network implementation in the ASUS firmware.
    From your post, I hope to get it configured like I wanted to.

    I have the RT-AC66 in AP mode, I want to put the guest on another subnet and using the VLAN should do that.

    The only question I have is how to set up the DHCP server on the N66 to look at different VLANs and set up different subnets.

    Has anyone done that recently, or have an example?

    This is what I previously had.

    Main network 10.0.0.X
    Guest 192.168.1.X
    AP has main wireless and guest wireless.
    Router has main wireless and guest wireless

    I want the router to hand out DHCP for both the main network and guest, but on different subnets.

    Also, are there extra iptables rules I need to put in place?

    I still don't understand why in AP mode so much functionality is disabled. It could be much more powerful or configurable via the GUI.

    I would like to see, on the main router, that when you enable guest you can give it a new subnet to be on.

    I hope to be able to get it working with Merlin and not need to go to Tomato or DD-WRT.

    Thanks for any help
     