What's new

Tag guest SSID traffic with VLAN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

galapogos01

Occasional Visitor
Hi guys,

I have found loads of threads relating to this topic but unfortunately none that solve my problem.

I run my AC66U in AP mode. I have a linux box as my NAT gateway, and have added a VLAN 2 to it's LAN interface, that will keep Guest traffic separate from my default LAN.

I would like to tag all traffic that comes via the Guest SSID on my AC66U with VLAN 2.

Any advice appreciated.

Jason
 
I would think as long as you have your guess traffic tagged it can run on a trunked port with all the other traffic. This is still keeping the traffic separate. You don't really need to physically separate the traffic flow.

PS
I read your post again and it sounds more like you are having trouble assigning a tag to guess traffic which I can't help you with as I don't own an ASUS router.
 
Last edited:
Agre. Maybe my question was not clear enough - I'm not looking for physical separation.

How do I tag traffic coming in on the guest SSID with VLAN2?

Jason
 
Agre. Maybe my question was not clear enough - I'm not looking for physical separation.

How do I tag traffic coming in on the guest SSID with VLAN2?

Jason

Have you looked at this thread? - http://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187

Using a services-start script, I tagged VLAN9 onto one of LAN port 4 (port 5 is the internal port used by the ASUS), created VLAN9 on the internal interface, then bridged it with Guest network 1 on both 2.4ghz (wl0.1) and 5ghz (wl1.1). Then you need to update nvram and restart eapd. Works 100%.

If you want VLAN 9 on another port, just remap VLAN 1 (which is default LAN in AP mode), and VLAN 9. Change the top of my script in the following way -

Code:
robocfg vlan 1 ports "0 1 2 3 5t"
robocfg vlan 9 ports "4 5t"
vconfig add eth0 9
ifconfig vlan9 up

This will make LAN port 4 use VLAN9 untagged and that port will be bridged to your Guest network 1
 
Yours was one of the few scripts I saw that came close. The other was http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/ but the people who were close moved to Tomato!

If I understand it correctly, your setup has a dedicated port (Port 4) for the VLAN9 traffic to your AP. You are not using a trunk port for your uplink, where both tagged and untagged traffic can go on the one interface. Is my understanding of your setup correct?

What I am looking for is this
Code:
                           [-------------------]          [---------------------------]
                           |                   |          | Asus AC66U                |
                           | Internet     eth0 |          |               SSID1 (eth0)|
[internet]--[cable modem]--| Gateway       |   |----------| Port 1                    |
                           | (Linux)    eth0.2 |          |             SSID2 (eth0.2)|
                           |                   |          |                           |
                           [-------------------]          [---------------------------]

My internet gateway has two physical interfaces, one for WAN (eth1) and one for LAN (eth0). The LAN interface is trunked with a 2nd VLAN (eth0.2) which will has a separate IP range and limited internet connectivity.

I want to run one lead to the Asus, where the untagged traffic is bridged with SSID1 (full LAN access), and the trunked VLAN (2) is bridged with SSID2 (for limited guest internet).

If your script does this, maybe I am missing it...?
 
Yours was one of the few scripts I saw that came close. The other was http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/ but the people who were close moved to Tomato!

If I understand it correctly, your setup has a dedicated port (Port 4) for the VLAN9 traffic to your AP. You are not using a trunk port for your uplink, where both tagged and untagged traffic can go on the one interface. Is my understanding of your setup correct?

What I am looking for is this
Code:
                           [-------------------]          [---------------------------]
                           |                   |          | Asus AC66U                |
                           | Internet     eth0 |          |               SSID1 (eth0)|
[internet]--[cable modem]--| Gateway       |   |----------| Port 1                    |
                           | (Linux)    eth0.2 |          |             SSID2 (eth0.2)|
                           |                   |          |                           |
                           [-------------------]          [---------------------------]

My internet gateway has two physical interfaces, one for WAN (eth1) and one for LAN (eth0). The LAN interface is trunked with a 2nd VLAN (eth0.2) which will has a separate IP range and limited internet connectivity.

I want to run one lead to the Asus, where the untagged traffic is bridged with SSID1 (full LAN access), and the trunked VLAN (2) is bridged with SSID2 (for limited guest internet).

If your script does this, maybe I am missing it...?

Yes, my original script does exactly what you want, but for VLAN9 -

Code:
robocfg vlan 9 ports "4t 5t"

This means that VLAN 9 is tagged on port 4 (as well as port 5, the internal port).

You shouldn't use VLAN2 as that conflicts with the internal VLAN numbering of the router. The VLAN 1, 2 and 3 are used by the router depending on which mode (router, AP, media bridge, etc.) and if dual-WAN is on. So you should avoid those VLAN numbers.

SSH into your router and do a robocfg show for more info. I think the AC87U, used port 8 as the internal port, for example.

Also, be aware that my script is for the AC68U. The AC66U may have a different internal port, and also, I heard you might not need to make the NVRAM changes and restart eapd.
 
Last edited:
Thanks heaps for your help & patience. I finally got a hour or two to play and after making a rookie mistake (dropping the t on the vlan 9 port definition) I got the vlan working on the router. Without the t it would drop the untagged traffic. Now from the router I can ping my vlan interface on my gateway and same the other way.

Where I got to now is that even after restarting the eapd, I can't connect to the guest SSID. It's secured with WPA2. I read about the same issue in http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/ but didn't see a fix.

The only thing I haven't done from your suggested script is the nvram changes, partially because I don't understand them and partially because they are semi-permanent (whereas if I break things with robocfg/brctl/vconfig I can just reboot).

My current script
Code:
# default
robocfg vlan 1 ports "0 1 2 3 4 8t"

# vlan-port setup
robocfg vlan 9 ports "1t 8t"
vconfig add eth0 9
#for testing only ifconfig vlan9 192.168.2.50 up
ifconfig vlan9 up

# create a new bridge for the wifi and the vlan; add the ifs
brctl addbr br1
brctl addif br1 vlan9
brctl delif br0 wl0.1
brctl addif br1 wl0.1

# bring the bridge if up with an addy
ifconfig br1 192.168.2.50 up

Current switch and bridge config (even though port 1 shows vlan9, it's also passing untagged traffic to vlan1)
Code:
admin@RT-AC66U:/tmp/home/root# robocfg show
Switch: enabled gigabit
Port 0:  DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 9 jumbo: off mac: 74:d4:35:ea:c8:12
Port 2:  DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:  10FD enabled stp: none vlan: 1 jumbo: off mac: d0:50:99:5f:45:7d
Port 4:  DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: ac:22:0b:d0:77:88
VLANs: BCM53115 enabled mac_check mac_hash
  1: vlan1: 0 1 2 3 4 8t
  2: vlan2: 8t
  9: vlan9: 1 8t

admin@RT-AC66U:/tmp/home/root# brctl show
bridge name  bridge id  STP enabled  interfaces
br0  8000.ac220bd07788  no  vlan1
  eth1
  eth2
br1  8000.ac220bd07788  no  vlan9
  wl0.1

Any tips appreciated.
 
Thanks heaps for your help & patience. I finally got a hour or two to play and after making a rookie mistake (dropping the t on the vlan 9 port definition) I got the vlan working on the router. Without the t it would drop the untagged traffic. Now from the router I can ping my vlan interface on my gateway and same the other way.

Where I got to now is that even after restarting the eapd, I can't connect to the guest SSID. It's secured with WPA2. I read about the same issue in http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/ but didn't see a fix.

The only thing I haven't done from your suggested script is the nvram changes, partially because I don't understand them and partially because they are semi-permanent (whereas if I break things with robocfg/brctl/vconfig I can just reboot).

No worries. I had this exact problem on my first attempt, which led to the nvram changes and eapd restart. It seems that without the nvram changes, eapd does not authenticate on the new bridge.

Basically the nvram setting tells eapd which interfaces it needs to listen on for authentication requests. To clarify, eth1 and eth2 is your current main wireless SSIDs. Also, wl0.2 and wl1.2 are my secondary SSIDs that I use to make clients force 2.4Ghz or 5Ghz, so you can skip them.

In light of your setup, I propose the following. It really shouldn't lock you out and you can save your existing nvram settings first.

Code:
# default
robocfg vlan 1 ports "0 1 2 3 4 8t"

# vlan-port setup
robocfg vlan 9 ports "1t 8t"
vconfig add eth0 9
#for testing only ifconfig vlan9 192.168.2.50 up
ifconfig vlan9 up

# create a new bridge for the wifi and the vlan; add the ifs
brctl addbr br1
brctl addif br1 vlan9
brctl delif br0 wl0.1
brctl addif br1 wl0.1

# bring the bridge if up with an addy
ifconfig br1 192.168.2.50 up

#  make eapd to listen on the new bridge
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br1"

# restart eapd to put changes in effect
nvram commit
killall eapd
eapd

I also suggest an iptables rule to prevent the AP routing from your guest network and main network just in case IP forwarding hasn't been turned off in the kernel. I don't have an IP for the AP on the guest network so it's not a problem for me.
 
Last edited:
It works! Thanks heaps for your help.

ip_forward is turned off on the Asus. Now to tidy up the routing on my gateway.

Jason
 
Hi Guys I also have been looking for a while to get this working. Basically I got 2 VLANs 10(Home) and 20(Guest). My Router is Asus87U. Can you guys check if the configuration is right for my device.
I am looking for vlan10 to merge with bridge 0 and public or guest vlan 30 to bridge to br1. I cant get my head around LAN ifname variables. And all the routing to be done at cisco router. Any help would be greatly appreciated. Thanks.

#Model { WAN L1 L2 L3 L4 CPU }
#RTAC87U: { 0, 5, 3, 2, 1, 7 }


#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
rm /tmp/000services-start

robocfg vlan 1 ports "0t 7t"
robocfg vlan 10 ports "0t 5 3 2 1 7t"
robocfg vlan 30 ports "0t 7t"

vconfig add eth0 10
ifconfig vlan10 up

vconfig add eth0 30
ifconfig vlan30 up

ifconfig br0 down
brctl delbr br0
brctl addbr br0

ifconfig br1 down
brctl delbr br1
brctl addbr br1

brctl delif br0 wl0.1

brctl addif br0 wl0
brctl addif br0 wl1
brctl addif br0 vlan10

brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan30

ifconfig br0 up
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth0 eth1"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan10 wl0 wl1"
nvram set lan1_ifname="br0"

nvram set lan2_ifnames="vlan30 wl0.1 wl1.1"
nvram set lan2_ifname="br1"

nvram commit

killall eapd
eapd


Some output from my device:
RT-AC87U-B498:/tmp/home/root# robocfg show vlan
Switch: enabled
Port 0: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XX:XX:XX:XX:XX:XX
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 5 7t
2: vlan2: 7t
1045: vlan1045: 1t 3t 4t
1046: vlan1046: 0t 2
1047: vlan1047: 0t 3t 4t 5 7 8t
1099: vlan1099: 2 3 7t
1100: vlan1100: 1 3 4t 8t
1101: vlan1101: 0 2 4 7t
1102: vlan1102: 0 1 2t 3t 5 7t
1103: vlan1103: 1 2t 8u

@RT-AC87U-B498:/tmp/home/root# nvram show | grep ifnames
size: 39020 bytes (26516 left)
wl0_vifnames=wl0.1 wl0.2 wl0.3
wl1_vifnames=wl1.1 wl1.2 wl1.3
dpsta_ifnames=
lan_ifnames=vlan1 eth1 wifi0 wl0.1
wan_ifnames=eth0
wl_ifnames=eth1 wifi0
wl_vifnames=wl1.1 wl1.2 wl1.3
acs_ifnames=eth1

RT-AC87U-B498:/tmp/home/root# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.xxxxxxxxxxxx yes vlan1
eth1
wl0.1
 
I was able to get everything working but somehow my 5GHZ antennae gets disabled and Gui shows its on but nothing connects to it..no ssid.. cannot create guest ssid on it either..working config..Am i missing something?

robocfg vlan 1 ports ""
robocfg vlan 10 ports "0t 5 3 2 1 7t"
robocfg vlan 30 ports "0t 7t"
vconfig rem vlan1
vconfig add eth0 10
ifconfig vlan10 up
vconfig add eth0 30
ifconfig vlan30 up
brctl delif br0 wl0.1
brctl delif br0 vlan1
brctl addif br0 vlan10
brctl addif br0
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 vlan30
ifconfig br1 up
nvram set lan_ifnames="vlan10 eth0 eth1"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan30 wl0.1"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd
 
I am far from an expert, but iirc if you use a separate ssid for 5ghz you get either an additional eth interface or wl interface. Also why do you drop vlan1?

btw your original post says the guest network is VLAN 20 but in your script it's 30.
 
Oh yeah sorry a typo.. Guest Vlan is 30. thought it would be better to remove vlan 1 since i wasn't using it. I think you are right the device is suppose to use a different physical interface which is wl1 and its name in nvram is wl1 = wifi0 but when I add that interface to nvram set lan_ifnames it gives me error saying it doesnt exist.. and when i do ifconfig i dont see that interface and even though when 5ghz is running in AP mode. Maybe its a thing with AC87u?
 
Does anyone know what I am missing? Everything else works fine its just 5GHz band that doesn't work and when i go to the settings for 5GHz after running the script router reboots..I tried this as well

nvram set lan_ifnames="vlan10 eth0 eth1 wifi0"

but then the script doesn't run and nothing no vlan no bridge gets created.
 
Use the stock output above to work out which of the interfaces is the 5ghz ssid. Your script does not seem to include all of the ifs in your stock output. That all I have to suggest.
 
I have recently had to replace my whole router/network configuration to increase my speed. I am now using two routers RT-AC66 and RT-N66. I have been a little disappointed with guest network implementation on the ASUS firmware.
From your post, I hope to get it configured like I wanted to.

I have the RT-AC66 in AP mode, I want to put the guest on another subnet and using the VLAN should do that.

The only questions that I have it how to set up the dhcp server on the n66 to look at different vlans and set up different subnets.

has anyone done that recently or have an example?

This is what I previously had.

Main network 10.0.0.X
Guest 192.168.1.X
AP has main wireless and guest wireless.
Router has main wireless and guest wireless

Want Router to hand out DHCP for both main network and guest but different subnets

Also are there extra iptable rules I need to put into place

I still don't understand why in AP mode so much functionality is disabled. Could be much more powerful or configurable via gui

Would like to see on main router when you enable guest you can give it a new subnet to be on.

I hope to be able to get it working with merlin and not needing to go to tomato or dd-wrt

Thanks for any help
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Top