Using AC86U and N66U as router and managed switch for VLAN tagging/trunking

zinge

Occasional Visitor
Hello! I wanted to check if this idea made sense/was possible before I break apart my working network and start flashing and reconfiguring things. I currently have an AC86U that I'm using as a router/switch/AP, and an old N66U that isn't currently in use. I have a single ethernet run between my upstairs and downstairs gear, but want to be able to have a wired "guest network"/isolated VLAN upstairs and downstairs in addition to the regular traffic. I was thinking I can put asuswrt-merlin on both devices (current on the AC86U and John's fork on the N66U), and use the single ethernet cable as a trunk between the two devices. I would assign one port on each for that trunk to carry all the tagged VLAN traffic, and then assign one or two ports on each device to an isolated VLAN so that I could have a place upstairs and downstairs to plug in wired devices that I want to be isolated from my main network traffic.

I know there isn't a GUI for VLAN configuration; I haven't done much with network config specifically, but am comfortable with bash scripting and command line access. I also still want to be able to use the regular and guest network wifi settings on the AC86U, and would also like DHCP from the AC86U to be available on each of the VLANs.

Would this work?
 

eibgrad

Part of the Furniture
Given there is no native support for user-defined VLANs and bridges on Merlin or John, it seems to me you're making this unnecessarily complicated.

I recommend you install FT (FreshTomato) on the N66U and configure it as a bridge (disable its WAN, disable its DHCP server, connect it LAN to LAN w/ the primary router (AC86U), etc.). Then create VAPs (virtual APs) on the FT router that deny access to the private network while still allowing internet access. Thus, no need for VLANs or tagging, at all.

That's not to say using VLANs, tagging, trunking, et al., wouldn't typically be a way to solve this kind of problem. But again, when you're dealing w/ devices that don't support it natively, I'd rather just avoid it and use what's available directly in the GUI.

P.S. With FT, it is possible (since it natively supports user-defined VLANs and bridges) to add one or more LAN ports to your guest networks.
 

zinge

Occasional Visitor
I'll take a look at FreshTomato, I haven't seen that before. I think I'm missing a step though? How would I get one or more LAN ports on the AC86U on the guest network at that point? I was under the impression that Asus native doesn't have any support for that at all and I'd have to flash something on there as well. Or are you suggesting FT on both?
 

zinge

Occasional Visitor
I plan on using the N66U just as a managed switch, no wireless or routing, with whatever firmware is easiest to do that, I guess. I just need to figure out how to add the equivalent capabilities to the AC86U as well.
 

drinkingbird

Senior Member
To do "wired guest" and VLANs/trunking on Merlin, the only way is using a script. It is not terribly complex to do and there are several examples and tutorials here. In fact, the 386 code base actually implements a couple "extra" VLANs for AIMESH backhaul related to Guest Network #1 which you could pretty easily just reassign to the ports you want. They already have a DHCP range associated with them etc. I haven't tried using those but from what I can see there is no issue using them as long as you aren't using AIMESH. Or to be safe you can create your own VLAN ID(s) and put them in the same bridge and they'll use those unique DHCP ranges and be isolated into the same segment as Guest Network 1.

If you want GUI based you'll need to look at other 3rd party firmwares which do give GUI implementations of the VLAN configuration and associated DHCP etc.

Though you're approaching the point where using some Ubiquiti gear might start making more sense. It is not expensive and supports all this stuff natively.
 

zinge

Occasional Visitor
Ooh, using one of the existing vlans or existing bridge sounds like a great idea. I was mostly worried about the DHCP config or breaking existing guest wifi IP options. I was looking at maybe upgrading to something like Ubiquiti, but at the moment it looks like most of their gear is sold out, so I figured I'd see what I could manage with what I had on hand already. I'm also pretty cloud-averse; do you happen to know if Ubiquiti can run with no cloud/internet access at all? Last time I checked a few years ago they were going all-in on cloud.
 

drinkingbird

Senior Member
Yes I use their stuff and you can administer it from a local PC. Actually the cloud option is newer, previously it was all done via local server/pc. You don't even have to leave the management server running unless you want to collect traffic/log stats or run the Captive Portal (where you have to login or pay to use wifi). The devices will restore the last config from local NVRAM if rebooted. They have FAQ and documentation on their site as to what each device (AP, router, firewall, etc) needs to have the management server always running, but it is mostly for the stuff I listed above. I just run the server "on demand" when I need to change something. I used to run it 24x7 but that was when I had a server that was always online anyway. Now it isn't worth wasting the power. If you have certain brands of NAS, I think some people have even gotten it to run on there, since it is online always anyway and consumes less power than a PC and is just a linux box.

The cloud key service is actually something you have to pay an annual fee for and is more for people running large deployments at multiple sites, typically.

For the Asus solution, this will only work on 386 code base as that implemented these new vlans, subnets, and DHCP ranges. Actually in your case you'd only need 386 on the main router. On the remote switch you could use older firmware (not sure if the N series supports 386?) and create VLAN 501 or 502 yourself, as no DHCP or L3 interfaces are needed if just using as a switch and/or AP. Actually if only using it as a dumb switch with no wifi, you won't have guest network and thus have to create the VLANs yourself anyway which is simple.

If you wanted to use VLAN 501 (2.4 GHz under BR1) or 502 (5 GHz under BR2) then just enable guest wireless 1, reboot, then create a script to use robocfg to add it tagged on the port to your other AP. Then you can pick another port, remove VLAN 1 from it, and add VLAN 501 or 502 to that untagged which will put it in the guest wireless network.

Same on the other side.

Something like this:

Code:
# remove non-guest VLAN from port 4
robocfg vlan 1 ports "1 2 3 5t"
# add tagged on port 1 to other AP and untagged on port 4 for wired guest
# (or in my case fixing someone's computer that may have viruses etc)
robocfg vlan 501 ports "1t 4 5t"

This will send VLAN 1 untagged to the other AP and VLAN 501 tagged. In my case, my Ubiquiti AP likes it this way. Some like to see VLAN 1 tagged when doing a trunk port but this is not common. Not sure how Asus is, you might have to use "1T" on vlan 1. Technically VLAN 1 is the native vlan on a 802.1Q trunk and is not supposed to be tagged, but again, have seen it required sometimes. The reason Asus is tagging it on the VLAN port (5) is a different reason I won't get into, the tag gets stripped off once it hits the CPU.

All VLANs always have to be tagged on the CPU port (5 in my case). The ports above are for an RT-AC1900, yours may differ.

Doesn't really matter if you use 501 or 502, you could even use both if you wanted to have two wired guest networks. One is mapped to 2.4 GHz wireless and one to 5 GHz but that doesn't really matter for wired connections. Each gets its own /24 192.168 subnet. Note these guest networks have 24 hour lease times and no IP address reservations, at least not via the GUI, but you could change both via script I believe.

Since I wasn't 100% sure if there would be any other implications of using these two AIMESH VLANs (on quick look, didn't seem to be) I created a new vlan 999 and added it to the same bridge as 501. Then did the robocfg above but with 999 instead of 501. The script is a little longer but not much. The guest firewall filters are applied between the main interfaces and not the VLAN so you can put as many VLAN IDs into the BR1 or BR2 and they will get the filters applied so they can't communicate to LAN (again, this is on my router, each model can exhibit differences, so always test after and make sure there is no access).

Technically proper networking practices say that VLAN 1 never carries traffic when used in an 802.1Q trunk. It is just the "native" vlan which carries control traffic related to the trunk. However since Asus is using this VLAN for various purposes, it may be somewhat involved to change and use something like 10 for your regular LAN. Haven't looked into it; in the home environment, it's fine to use VLAN 1. But in my day job, it's a big "no no".
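The procedure drinkingbird describes above (take the guest port out of VLAN 1, carry the guest VLAN tagged on the trunk and untagged on the guest port, bridge the new VLAN interface into br1 so it inherits that bridge's subnet, DHCP and filters, register it in nvram and restart eapd), gathered into one script with a check step, as an added example. This is not drinkingbird's code and not Asus or Merlin firmware code. It assumes the RT-AC1900-style port map (LAN 1-4 are switch ports 1-4, CPU is port 5, WAN is port 0; other models differ, as the post says), that the switch's parent interface is eth0 so the new interface is named vlan999, an nvram interface list in the style of the one drinkingbird posts later in the thread, and `robocfg show` sample lines that are constructed rather than captured from a router. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not drinkingbird's script or Asus/Merlin firmware code.
# Wired guest port plus 802.1Q trunk on a robocfg-based ASUS router, following
# the steps described in the thread (new VLAN 999 bridged into br1, which is
# Guest Network #1, so it picks up that bridge's subnet, DHCP and filters).
# Assumptions (not from the page): LAN 1-4 are switch ports 1-4, the CPU is
# port 5 and WAN is port 0 (an RT-AC1900-style map; other models differ), and
# the switch's parent interface is eth0, so the VLAN interface is vlan999.
# DRY_RUN=1 prints each command instead of executing it.

GUEST_VID=999   # VLAN created by us; 501/502 are the firmware's own guest VLANs
LAN_VID=1
TRUNK_PORT=1    # LAN 1: the single cable to the other switch/AP
GUEST_PORT=4    # LAN 4: untagged wired guest port
CPU_PORT=5      # every VLAN is tagged here

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Port list for the main LAN VLAN: every LAN port except the guest port,
# plus the CPU port tagged. Prints e.g. "1 2 3 5t".
lan_ports() {
  ports=""
  for p in 1 2 3 4; do
    [ "$p" = "$GUEST_PORT" ] || ports="$ports $p"
  done
  echo "${ports# } ${CPU_PORT}t"
}

# Guest VLAN: trunk tagged, guest port untagged, CPU tagged, e.g. "1t 4 5t".
guest_ports() {
  echo "${TRUNK_PORT}t ${GUEST_PORT} ${CPU_PORT}t"
}

apply() {
  run robocfg vlan "$LAN_VID" ports "$(lan_ports)"
  run robocfg vlan "$GUEST_VID" ports "$(guest_ports)"
  run vconfig add eth0 "$GUEST_VID"          # creates vlan999 on the switch trunk
  run ifconfig "vlan$GUEST_VID" up
  run brctl addif br1 "vlan$GUEST_VID"       # inherits br1's subnet/DHCP/filters
  # interface list in the style of the thread's nvram example, plus our VLAN
  run nvram set lan1_ifnames="wl0.1 eth0.501 eth1.501 eth2.501 vlan$GUEST_VID"
  run nvram commit
  run killall eapd                           # thread: restart eapd so it takes effect
  run eapd
}

# Read `robocfg show` output on stdin and confirm the guest port has left the
# LAN VLAN and the guest VLAN carries the trunk tagged and the guest port
# untagged. Exit status 0 = isolated as intended, 1 = something is off.
check_isolation() {
  awk -v lanvid="$LAN_VID" -v guestvid="$GUEST_VID" \
      -v guest="$GUEST_PORT" -v trunk="$TRUNK_PORT" '
    # membership lines look like "   1: vlan1: 1 2 3 5t"; other lines are ignored
    /^ *[0-9]+: vlan[0-9]+:/ {
      vid = $1; sub(":", "", vid)
      for (i = 3; i <= NF; i++) member[vid, $i] = 1
    }
    END {
      bad = 0
      if ((lanvid, guest) in member || (lanvid, guest "t") in member) {
        print "guest port " guest " is still in VLAN " lanvid; bad = 1
      }
      if (!((guestvid, trunk "t") in member)) {
        print "trunk port " trunk " is not tagged in VLAN " guestvid; bad = 1
      }
      if (!((guestvid, guest) in member)) {
        print "guest port " guest " is not untagged in VLAN " guestvid; bad = 1
      }
      exit bad
    }'
}

# Constructed samples in the `robocfg show` VLAN-table style, not captured
# from a real router.
SAMPLE_OK='Switch: enabled
Port 4: 1000FD enabled stp: none vlan: 999 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 5t
   2: vlan2: 0 5
 999: vlan999: 1t 4 5t'
SAMPLE_BAD='   1: vlan1: 1 2 3 4 5t
 999: vlan999: 1t 5t'

case "${1:-}" in
  apply) apply ;;
  check) robocfg show | check_isolation ;;
esac
```

Run it as `sh guest-vlan.sh apply` on the router and then `sh guest-vlan.sh check`; the check only confirms switch port membership, so, as the post says, still plug a client into the guest port afterwards and make sure it cannot reach the main LAN.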
 

zinge

Occasional Visitor
Updated the AC86U to Merlin 386.5_2, ssh'd in and tried to run `robocfg show` and then realized I hadn't done enough homework. It looks like robocfg is not available on the AC86U and I'll need to use vlanctl or vconfig instead.

This seems to be the page with the best info I can find so far: https://www.snbforums.com/threads/a...-by-u128393-i-found-on-a-chinese-forum.63113/

I'll have to look through that and see if I can come up with the equivalent commands.
 

drinkingbird

Senior Member
Ah yeah, the chipsets without robocfg are more complex, looks like it is doable though. The N66 should have robocfg I think so you should be able to get both ends working, just different commands.
 

zinge

Occasional Visitor
I loaded FreshTomato onto the N66U and set up a trunk port (VID 1, 501, and 502 tagged), and 3 individual untagged ports. I'm now trying to figure out how to set up the AC86U to pass data properly through the trunk port, but I'm having a lot of trouble figuring out what I should be doing with either vlanctl or vconfig. I'm trying to take advantage of the existing wifi guest networks, so I basically want to add the untagged ports to VLAN 501 and 502 so I can get a DHCP address from the guest wifi bridge.

eth4 (LAN 1) is the port I'm going to use for the trunk.

Code:
# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.0c9d92463908    yes        eth1
                            eth2
                            eth3
                            eth5
                            eth5.0
                            eth6
                            eth6.0
br1        8000.0c9d92463909    yes        eth1.501
                            eth2.501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            wl0.1
br2        8000.0c9d9246390d    yes        eth1.502
                            eth2.502
                            eth3.502
                            eth4.502
                            eth5.502
                            eth6.502
                            wl1.1

So I know I need to use `brctl delif br0 eth4` to remove eth4 from br0 because the trunk port shouldn't be in a bridge. But I can't figure out the next step. On the FreshTomato side (or robocfg), I would now set that port to use VLAN 501 and 502 tagged. But vconfig doesn't seem to have anything to do with tags, and vlanctl seems to be logic based on what to do if a packet comes in with a certain number of tags.

I think I want something like:

Code:
vlanctl --if eth4 --rx --tags 1 --filter-vid 501 0 --pop-tag --set-rxif eth4.501 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.501 --push-tag --set-vid 501 0 --rule-append

vlanctl --if eth4 --rx --tags 1 --filter-vid 502 0 --pop-tag --set-rxif eth4.502 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.502 --push-tag --set-vid 502 0 --rule-append

Which I believe says:
1. If a packet comes in on eth4 and has 1 tag, and the tag is VID 501, drop the tag and route it to eth4.501
2. If a packet is sent through eth4 and using eth4.501 and doesn't have a tag, add a VID 501 tag to it
and the same for 502.

However, when I try to run `vlanctl --if eth4 --rx --tags 1 --filter-vid 501 0 --pop-tag --set-rxif eth4.501 --rule-append`, I get an error:
`[ERROR vlanctl] vlanCtl_insertTagRule, 386: Invalid argument`
 

zinge

Occasional Visitor
Progress:

I thought the interface eth4.501 that already existed from the guest Wifi setup was a VLAN, but it wasn't. I had to start with `vlanctl --if-create eth4 501` and then change `eth4.501` in my other lines to `eth4.v501` and now I can run the tag commands without an error. Continuing on in testing...
 

zinge

Occasional Visitor
Current setup:

Code:
# Remove LAN 1 from br0 bridge
brctl delif br0 eth4

# Add vlanctl table rules for 501 and 502 to eth4
vlanctl --if-create eth4 501
vlanctl --if eth4 --rx --tags 1 --filter-vid 501 0 --pop-tag --set-rxif eth4.v501 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.v501 --push-tag --set-vid 501 0 --rule-append
ifconfig eth4.v501 up

vlanctl --if-create eth4 502
vlanctl --if eth4 --rx --tags 1 --filter-vid 502 0 --pop-tag --set-rxif eth4.v502 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.v502 --push-tag --set-vid 502 0 --rule-append
ifconfig eth4.v502 up

# Add VLANs to bridges
brctl addif br1 eth4.v501
brctl addif br2 eth4.v502

I don't get any error, and it says "Created new Tag Rule", but when I run `vlanctl --if eth4 --rx --tags 1 --show-table`, there's nothing listed in the table, and I'm not getting a DHCP address with a device plugged in the untagged port on the N66U. I also added the new VLAN interfaces to the appropriate bridges, which I'm not sure is necessary. Anyone know what I might be missing?
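Because the thread keeps coming back to testing the result rather than trusting the commands, here is an added check for the AC86U side; it is not zinge's setup script and not firmware code. It parses `brctl show`, whose continuation lines belong to the bridge above them, and verifies that eth4 is in no bridge while eth4.v501 and eth4.v502 are members of br1 and br2. The bridge assignment (501 to br1, 502 to br2) follows the brctl output posted earlier; the sample outputs are constructed, with placeholder bridge ids.

```shell
#!/bin/sh
# Added example, not zinge's setup script or Asus/Merlin firmware code.
# Checks that the bridge layout on an RT-AC86U-style router matches the
# wired-guest design discussed in the thread: the trunk parent interface
# (eth4 = LAN 1) is in no bridge, and the vlanctl sub-interfaces eth4.v501 and
# eth4.v502 sit in the guest bridges br1 and br2. It parses `brctl show`,
# whose continuation lines carry the extra interfaces of the preceding bridge.
# Assumption (from the posted brctl output): VLAN 501 belongs in br1, 502 in br2.

TRUNK_IF=eth4
EXPECTED='br1 eth4.v501
br2 eth4.v502'

# Turn `brctl show` output (stdin) into one "bridge interface" line per member.
bridge_members() {
  awk 'NR == 1 { next }                                # column header
       NF >= 4 { bridge = $1; print bridge, $4; next }   # bridge row, first member
       NF == 3 { bridge = $1; next }                     # bridge with no members
       NF == 1 { print bridge, $1 }'                     # continuation rows
}

# Exit 0 when the trunk parent is unbridged and every expected pair exists;
# otherwise print what is wrong and exit 1.
check_bridges() {
  members=$(bridge_members)
  bad=0
  if printf '%s\n' "$members" | grep -q " ${TRUNK_IF}\$"; then
    echo "trunk parent still bridged: $(printf '%s\n' "$members" | grep " ${TRUNK_IF}\$")"
    bad=1
  fi
  for pair in $(printf '%s\n' "$EXPECTED" | tr ' ' '='); do
    br=${pair%=*}; ifc=${pair#*=}
    if ! printf '%s\n' "$members" | grep -qx "$br $ifc"; then
      echo "missing: $ifc is not a member of $br (brctl addif $br $ifc)"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed samples in `brctl show` layout (placeholder bridge ids), not
# captured from a real router: before and after the thread's configuration.
SAMPLE_BEFORE='bridge name bridge id STP enabled interfaces
br0 8000.000000000001 yes eth1
    eth4
br1 8000.000000000002 yes eth1.501
    wl0.1
br2 8000.000000000003 yes wl1.1'
SAMPLE_AFTER='bridge name bridge id STP enabled interfaces
br0 8000.000000000001 yes eth1
    eth2
br1 8000.000000000002 yes eth1.501
    eth4.v501
    wl0.1
br2 8000.000000000003 yes eth4.v502
    wl1.1'

case "${1:-}" in
  check) brctl show | check_bridges ;;
esac
```

`sh check-bridges.sh check` on the router prints nothing and exits 0 when the bridge layout matches. It says nothing about the vlanctl tag rules themselves (`vlanctl --if eth4 --rx --tags 1 --show-table` remains the place to look for those), only about bridge membership.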
 

drinkingbird

Senior Member
With robocfg sometimes you have to kill and restart the eapd process to get it to take effect, not sure if there is something similar on yours.

On the ones with robocfg, 501 and 502 are definitely tagged VLANs, not sure why it would be different on yours even if the code doesn't match. There wouldn't be much point in them creating those two interfaces if they couldn't be trunked over the backhaul. Maybe there is something you aren't seeing?

There could be other nuances to those VLANs, maybe reboot and start fresh with like VLAN 999. I know on mine, the 192.168.10.x and 192.168.20.x subnets and DHCP are assigned to the br1 and br2 interfaces and not the vlans, so you can use whatever vlan you want and as long as you add it to the bridge, it will be in that subnet and use the associated DHCP. In my case the firewall rules that filter and prevent the subnets from talking to each other are also related to the bridge and not the vlans. But not sure in your case if all that is the same.

I wonder if you got aimesh working between the two if that would extend 501 and 502 to your N router then you could just assign it to a port with robocfg. But then you'd have wireless running on the N router which I know you aren't looking to do.

There are also lines of code to define the interfaces you've created as LAN1 (2.4 GHz guest in my case) or LAN2 (5 GHz guest in my case) - however I'm not sure what that does, it seemed to work fine for me without it, but I added it just to be safe in case it was referenced somewhere.

Code:
nvram set lan1_ifnames="wl0.1 eth0.501 eth1.501 eth2.501 vlan999"
nvram set lan2_ifnames="wl1.1 eth0.502 eth1.502 eth2.502 vlan999"
nvram commit

Here is another post that may help - https://www.snbforums.com/threads/rt-86u-vlanctl-ethctl-usage-puzzle.54375/
And also https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/vlanctl/unitTest/vlantest

It looks like you have to disable hardware switching to get it to work, and modify various other parameters. However they also say that once you disable the hardware switching, you can use standard linux commands for configuring VLANs and trunking so that may make it easier for you.

You can also google vlanctl and some other stuff comes up.

Since Asus is already creating the code for 501 and 502 for you (reboot the router after enabling guest wifi as some of the config, at least on mine, doesn't seem to generate until you do), I'd say start over and look through nvram, ifconfig, vlanctl, etc and try to find all the code related to those vlans/interfaces and see what they're doing, reverse engineer it. They must be vlans, they may be done in a different way than what the Chinese site was doing though.
 

zinge

Occasional Visitor
Yup, was looking through all those posts. I feel like I'm close but also not sure I want to spend the time trying to figure out what exactly is going on. I'm going to order 2 cheap managed switches online and give myself until they show up to figure it out. If I don't get it by then, I'll just use the two switches for now. Pretty much, I want all the existing features I'm using in Asus/Merlin, but need two cables running from upstairs to downstairs instead of one and don't want to cut through the walls. Two VLAN ports and a trunk port on two managed switches should handle that, and I'll re-flash the N66U with native Asus and put it back to being in front of the AC86U and pull a cable from each to go into the managed switch.
 

zinge

Occasional Visitor
For anyone following along, I spent another couple hours trying different things, including following another page on trying to create isolated LAN ports on just the AC86U using ebtables or iptables, and nothing seemed to have any effect.

I ended up buying two cheap TP Link managed switches (TL-SG108E, $30 each), put one upstairs and one downstairs, and did the VLAN config for tagged and untagged ports in about 30 minutes. Then I set up the N66U and AC86U cascaded so that the AC86U is my trusted network, wifi, and guest wifi, and the N66U is the untrusted network, and used the two managed switches to assign a couple wire ports to each of those vlans (trusted/untrusted) and the one cable I have from upstairs to downstairs as a trunk/tagged with all VLANs.
 

drinkingbird

Senior Member
Only limitation there is personally I would want the guest WIFI in the untrusted network but can't do that in this case. But with LAN access filtered I guess you have it as a "semi trust" network of sorts.
 

zinge

Occasional Visitor
Yeah, I could theoretically turn the wifi on for the N66U and use that as the guest network, but I like having the guest network use my internal DNS server without having to forward a port from untrusted back into trusted.
 

drinkingbird

Senior Member
Nah you'd have the same issue, no way to prevent clients on the N66U from hitting your LAN off the 86U. Even if you used it as a router and isolated the guest network, the 86U would be considered "WAN" at that point and be reachable. You could use IPTABLES to filter that out but now it's becoming an even messier solution. Guess you've got what works best for you with the 86U and its limitations/differences. Though others seem to have gotten VLANs working on the 86U, just a matter of finding that magical combination.

I've got mine set up where the guest network on the Asus is in the same VLAN as one of the physical ports, and is also trunked (along with the non-guest VLAN) to my outside AP. So my whole guest network and untrusted physical port are in one subnet, totally isolated, and trusted ports and main wifi in another. In that setup, guests can actually resolve LAN hostnames but not access them (honestly I'd rather they not be able to resolve the hostnames at all but not a big deal).

Of course if you were ok with having two 100M connections to the downstairs, you could just use the existing cable without switches. 100M only uses 2 pairs so you can have two 100M connections on a single UTP.
 

zinge

Occasional Visitor
So a fun thing I just found in researching (and testing) those TP Link switches is that you can't define a management VLAN and the management IP is available from every port on the switch, no matter what settings you change. So my "untrusted" VLAN can still access the management IP if you set a static IP in the correct range, and can still see traffic to/from the management IP. Going to replace them with two D-Link DGS-1100-08V2 that should do the same thing for $10 more each but allow setting a separate management VLAN that's not accessible from all ports.

@drinkingbird Just for reference, right now I have cable modem going into N66U WAN, and untrusted VLAN + hardware I don't own + the AC86U going into LAN. The N66U LAN port goes to WAN on the AC86U. That way I don't have the "hardware I don't own" (work gear) inside the AC86U firewall. I guess the next thing I should do is use robocfg to actually isolate the LAN ports on the N66U anyway, just so they can't theoretically sniff traffic coming out of the AC86U and can't get to the management page on the N66U. I'll have to switch to an old Merlin or John firmware for that, I had flashed the N66U back to stock Asus because it was newer than Merlin.
 

drinkingbird

Senior Member
That's actually quite odd. Since there is no routing functionality in the switches they must be replicating the management IP to every VLAN or the management virtual interface is stripping off VLAN tags. Typically when you can't change the management VLAN, it is locked into VLAN 1 and you just use custom vlans for everything else and leave VLAN 1 for management only. You sure the traffic isn't somehow looping through one of your routers or something?

Though the risk is pretty low, since it is a wired switch nobody can sniff your management traffic at least not without ARP spoofing. Are there a lot of hackers in your house :)

The N66U is pretty low processing power, not sure what your internet speed is but it could get to the point where it is limiting your throughput since everything is going through it.

If you're spending $80 on managed switches maybe a Ubiquiti or Meraki router would be a better investment at this point. UBNT stuff is coming back in stock various places (and you can get older edgerouters cheap on ebay) and then you can use your 86 as an AP and 66 as a switch.
 
