Use LAN port 4 as private network

I tried disabling NAT acceleration under LAN / Switch Control - which changes the CPU port from 8t to 5t, but it still doesn't fix the MTU issue.
AC68U?

Most likely your problem is caused by the CTF acceleration.

I had a similar issue with both N66U (AP mode) and AC68U (router mode) when I configured a second bridge and a VLAN(4). On N66U, depending on whether I used VLAN1 first or VLAN4 first from the same device, the second connection could not work because the ethernet frames were tagged with the previous VID.

I took a look at the kernel source and saw a call to something called ctf_brc_lkup (and others prefixed with ctf) which I assume is the broadcom bridge routing accelerator. Apparently, their code was getting confused which tag to apply to a frame. As soon as I disabled CTF by enabling IP traffic monitoring on N66, the problem went away since bridge forwarding was relying on the Linux native code rather than the broadcom accelerator.

When I connected N66 to AC68, it started kind of working, but some pages could not get loaded, e.g. google, stopping half way. Occasionally, they did load. Again, if I connected first to the main vlan and then the guest one, the guest stopped working and vice versa. Disabling CTF on AC68 made it all work. I observed the same behavior with a hardware AP.

I also saw that with CTF disabled on AC68, the CPU port changed from 8t to 5t on AC68. It did stay 8t on the N66, perhaps because it is used in the AP mode.

I wonder if anyone managed to make this VLAN tagging stuff work with CTF enabled. Judging by the fact that in all examples with AC68U they used port 5t rather than 8t, the answer is probably 'no'.
 
I've been very grateful for this guide and have been using @sinshiva's work to isolate a credit card processing machine through my Asus RT-n66u since 2016.

That router is getting a little long in the tooth and I was hoping to upgrade to an RT-ac86u but from what I read on the forums here, that unit does not support robocfg.

Is there a recommended Asus upgrade that I can migrate this setup to?
 
Hi Guys,

Thanks Sinshiva for the script! I use RT-AC3200 and this kind of works for me and kind of doesn't. After reboot I have to manually do service restart_firewall every time to get the iptables correct, otherwise there is no internet at all. After the firewall restart I can see the iptables rules all settled and it starts working. Also I can't send the traffic from port 4 via vpn client. Any ideas?

Teymur
 
Basically you need to create a separate bridge for the mapping of the appropriate Guest WiFi SSID to the VPN, then, having created a VLAN for switch Port 4, simply bind it to the VPN bridge.

See posts in this thread:
2 VPN Client and 2 WiFi SSID: how to route traffic
2 VPN Client and 2 WiFi SSID: how to route traffic
Remember to bind switch Port VLAN to VPN bridge in nat-start

Thanks for your reply! This is indeed very useful and I'll make sure I save the links up until whenever I need to setup a bridge.

I think I figured out what my issue was. I do have a Guest Wifi which I use YazFi for. That works no problems. I also wanted to have a separate port on the router to act as a separate gateway via VPN. I don't want to bridge the guest wifi with this port for now. Turns out what I was missing was a line in the nat table:

iptables -t nat -I POSTROUTING -s 192.168.85.0/24 -o tun11 -m comment --comment vlan4-via-vpn -j MASQUERADE

After adding this it worked.
 
The only issue remaining though is when the router finished booting I need to manually reconnect port 4 because the router's native DHCP leases the address before my custom vlan script executes. Any ideas how I can push a dhcp renew on that vlan so it happens automatically?
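Putting the pieces from this post together as an added example (not code from the thread and not @sinshiva's script): a nat-start fragment that policy-routes the VLAN 4 subnet into the VPN client, adds the MASQUERADE line that fixed the reply traffic, and adds the FORWARD rules a practitioner isolating a card-processing machine would want, so the port can reach only the tunnel, never the main LAN, and cannot fall back to the bare WAN when the tunnel is down. The subnet and tun11 come from the post; the bridge names br1 (VLAN 4) and br0 (main LAN), the WAN interface eth0, and routing table 111 for VPN client 1 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: /jffs/scripts/nat-start fragment that
# sends the VLAN 4 subnet through OpenVPN client 1 and keeps it isolated.
# ASSUMPTIONS (not stated in the thread): VLAN 4 bridge is br1, main LAN is
# br0, WAN is eth0, VPN client 1 uses routing table 111. The subnet and the
# tun11 interface are the ones from the post above.
VLAN_NET="192.168.85.0/24"
VLAN_BR="br1"
LAN_BR="br0"
WAN_IF="eth0"
VPN_IF="tun11"
VPN_TABLE="111"

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

vlan4_vpn_rules() {
    # Policy routing: VLAN 4 sources use the VPN client's table (assumed 111),
    # so their default route is the tunnel and not the WAN.
    run ip rule del from "$VLAN_NET" table "$VPN_TABLE" 2>/dev/null || true
    run ip rule add from "$VLAN_NET" table "$VPN_TABLE" prio 1000
    run ip route flush cache

    # NAT on the tunnel: the line the post above was missing.
    run iptables -t nat -I POSTROUTING -s "$VLAN_NET" -o "$VPN_IF" \
        -m comment --comment vlan4-via-vpn -j MASQUERADE

    # Isolation. Each -I goes to the top of FORWARD, so insert in reverse
    # order: the final chain reads ACCEPT(vpn) first, DROP(lan), REJECT(wan).
    run iptables -I FORWARD -i "$VLAN_BR" -o "$WAN_IF" \
        -j REJECT --reject-with icmp-admin-prohibited   # kill switch: no WAN leak
    run iptables -I FORWARD -i "$VLAN_BR" -o "$LAN_BR" -j DROP
    run iptables -I FORWARD -i "$LAN_BR" -o "$VLAN_BR" -j DROP
    run iptables -I FORWARD -i "$VLAN_BR" -o "$VPN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$VPN_IF" -o "$VLAN_BR" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when installed as nat-start; sourcing or previewing does nothing.
if [ "$(basename "$0")" = "nat-start" ]; then
    vlan4_vpn_rules
fi
```

Preview what would be applied with `DRY_RUN=1 sh -c '. ./nat-start; vlan4_vpn_rules'`. After a reboot, `iptables -L FORWARD -v -n` should show the br1 packet counter climbing on the tun11 ACCEPT rule and staying at zero on the eth0 REJECT rule; if the REJECT counter moves, the policy route is not in place and the port is trying to leave through the WAN.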
 
Is there a way to disable (I mean hardware wise) a LAN port on ASUS routers and enable it again? Like on a Cisco Switch doing port shutdown and no shutdown?
 
Is there a way to disable (I mean hardware wise) a LAN port on ASUS routers and enable it again?

Utility robocfg
Code:
robocfg   showports

Switch: enabled
Port 0:  100FD enabled stp: none vlan: 2 jumbo: off mac: 28:xx.xx.xx.xx.xx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 20:xx.xx.xx.xx.xx
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 0c:xx.xx.xx.xx.xx
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: ac:xx.xx.xx.xx.xx
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
or perhaps et
Code:
et   port_status   all

Port    Link    Speed(Mbps)    Duplex
----    ----    -----------    ------
   0      Up            100      Full
   1      Up           1000      Full
   2    Down
   3    Down
   4      Up           1000      Full
can be used, but (using robocfg) I have altered the characteristics of a switch port, i.e. changed speed, so the robocfg 'disable/enable' commands should answer your query.
 
Thanks for that!

Actually I tried the robocfg - but it doesn't do what I need. It does disable the port - in the software if you like, there are no comms but the cable is still connected. Like there is a hardware connected. What I need is to see "Network Cable Disconnected" on the other side.

The et tool seems to be useful but I can't understand how to use it.

xxxx@router:/tmp/home/root# et -i eth3 down
etcdown: Operation not supported
xxxx@router:/tmp/home/root# et -i eth0 down
etcdown: Bad address
xxxx@router:/tmp/home/root# et -i vlan4 down
etcdown: Operation not supported
xxxx@router:/tmp/home/root#
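Before trusting the isolation that this thread sets up, it is worth checking the switch state rather than the iptables rules alone: `robocfg showports` prints one line per port in the format shown above, and its `vlan:` field is the port's default VID (PVID), which is what decides which VLAN an untagged frame from the card-processing machine lands in. The following is an added example, not from the thread, that parses that output and fails if port 4 is not on VLAN 4; the two sample outputs are constructed in the page's format (one before and one after moving port 4), with MAC addresses replaced by placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify `robocfg showports` state after a
# VLAN change. The 'vlan:' field is the port's PVID. Samples are constructed
# in the format the thread shows; on the router pipe the live output instead.

# ports_with_pvid VID: read showports output on stdin, print port numbers
# whose PVID equals VID, one per line.
ports_with_pvid() {
    awk -v want="$1" '
        /^Port [0-9]+:/ {
            port = substr($2, 1, length($2) - 1)      # "4:" -> "4"
            for (i = 1; i <= NF; i++)
                if ($i == "vlan:" && $(i + 1) == want) print port
        }'
}

# port_isolated PORT VID: exit 0 only if PORT is enabled and its PVID is VID.
port_isolated() {
    awk -v p="$1" -v want="$2" '
        $1 == "Port" && $2 == (p ":") {
            found = 1
            ok = ($4 == "enabled")                    # $3 is link (100FD/DOWN)
            for (i = 1; i <= NF; i++)
                if ($i == "vlan:") ok = ok && ($(i + 1) == want)
        }
        END { if (found && ok) exit 0; exit 1 }'
}

# Constructed sample: the state the thread shows, port 4 still on VLAN 1.
SAMPLE_BEFORE='Switch: enabled
Port 0:  100FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00'

# Constructed sample: after the guide's change, port 4 carries PVID 4.
SAMPLE_AFTER='Switch: enabled
Port 0:  100FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 4 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00'

# Stand-alone demo on the constructed sample. On the router:
#   robocfg showports | port_isolated 4 4 || echo "port 4 is NOT on VLAN 4"
printf '%s\n' "$SAMPLE_AFTER" | port_isolated 4 4 && echo "sample: port 4 is on VLAN 4"
```

Run this from services-start or after the VLAN script as a sanity check; a failure means an untagged frame from port 4 is still being placed on VLAN 1 regardless of what the bridge and iptables rules say. Note that this checks PVID only; `robocfg show` lists the full tagged/untagged membership of each VLAN (including the 5t/8t CPU port discussed earlier in the thread) and should be read alongside it.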
 
