Using Asus routers as VLAN-capable APs

[agbommarito]

The file must be in the /jffs/scripts directory. Many add-ons, such as those found in AMTM, use the services-start file. If you don't have the file in your /jffs/scripts directory, create it with a text editor.

As an example, here's the one on my AP:

#!/bin/sh

/bin/sh /jffs/addons/amtm/sc_update.mod -set        # Added by amtm

/bin/sh /jffs/scripts/VLAN-GuestNetwork-AP.sh        # manually added

The file was created by AMTM when I first setup my device. I added the last line for the VLAN script. After creation, make sure that the file is executable by issuing the command chmod 0755 VLAN-GuestNetwork-AP.sh

 

[cptnoblivious]

The file must be in the /jffs/scripts directory. Many add-ons, such as those found in AMTM, use the services-start file. If you don't have the file in your /jffs/scripts directory, create it with a text editor.

As an example, here's the one on my AP:

#!/bin/sh

/bin/sh /jffs/addons/amtm/sc_update.mod -set        # Added by amtm

/bin/sh /jffs/scripts/VLAN-GuestNetwork-AP.sh        # manually added

The file was created by AMTM when I first setup my device. I added the last line for the VLAN script. After creation, make sure that the file is executable by issuing the command chmod 0755 VLAN-GuestNetwork-AP.sh

Thanks I'll do that.

However, when I run the script manually I get:

"
wl: wl driver adapter not found
"
Then it tries to run through but obviously I missed something else.


Setup:
AX68 running Merlin 388.9
In AP mode
Enable JFFS custom scripts and configs - set to Yes

 

[agbommarito]

Can you run the script manually from an SSH terminal and post the entire result.

 

[cptnoblivious]

Can you run the script manually from an SSH terminal and post the entire result.

RT-AX68U-B018:/jffs/scripts# ./Unifi-AP-VLAN.sh
wl: wl driver adapter not found
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
cevent_bitvec [0 1 2 3 4 5 6 7 8 9 10 11 12 16 17 23 25 40 46 54 136 180]
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
eapd_brcm_open: Sock buffer size  SO_RCVBUF=1048576  SO_SNDBUF=1048576
wl: wl driver adapter not found

Here's the log from the router:

Apr 17 19:29:56 Unifi-AP-VLAN: Setting up guest network VLANs
Apr 17 19:29:57 kernel: device wl0.1 left promiscuous mode
Apr 17 19:29:57 kernel: br0: port 8(wl0.1) entered disabled state
Apr 17 19:29:57 kernel: device wl0.2 left promiscuous mode
Apr 17 19:29:57 kernel: br0: port 9(wl0.2) entered disabled state
Apr 17 19:29:57 kernel: device wl1.2 left promiscuous mode
Apr 17 19:29:57 kernel: br0: port 10(wl1.2) entered disabled state
Apr 17 19:29:57 kernel: device vlan100 entered promiscuous mode
Apr 17 19:29:57 kernel: device wl0.1 entered promiscuous mode
Apr 17 19:29:57 kernel: device vlan200 entered promiscuous mode
Apr 17 19:29:57 kernel: device wl0.2 entered promiscuous mode
Apr 17 19:29:57 kernel: device wl1.2 entered promiscuous mode
Apr 17 19:29:57 kernel: br1: port 2(wl0.1) entered forwarding state
Apr 17 19:29:57 kernel: br1: port 2(wl0.1) entered forwarding state
Apr 17 19:29:57 kernel: br1: port 1(vlan100) entered forwarding state
Apr 17 19:29:57 kernel: br1: port 1(vlan100) entered forwarding state
Apr 17 19:29:57 kernel: br2: port 3(wl1.2) entered forwarding state
Apr 17 19:29:57 kernel: br2: port 3(wl1.2) entered forwarding state
Apr 17 19:29:57 kernel: br2: port 2(wl0.2) entered forwarding state
Apr 17 19:29:57 kernel: br2: port 2(wl0.2) entered forwarding state
Apr 17 19:29:57 kernel: br2: port 1(vlan200) entered forwarding state
Apr 17 19:29:57 kernel: br2: port 1(vlan200) entered forwarding state
Apr 17 19:30:02 kernel: CSIMON:  CSIMON[1.1.0] Initialization
Apr 17 19:30:02 kernel: CSIMON: M2M usr already registered ...
Apr 17 19:30:12 kernel: br1: port 2(wl0.1) entered forwarding state
Apr 17 19:30:12 kernel: br1: port 1(vlan100) entered forwarding state
Apr 17 19:30:12 kernel: br2: port 3(wl1.2) entered forwarding state
Apr 17 19:30:12 kernel: br2: port 2(wl0.2) entered forwarding state
Apr 17 19:30:12 kernel: br2: port 1(vlan200) entered forwarding state

 

[agbommarito]

It seems there should be more output, in particular the first few lines that display what ports have been determined for WAN, 2.4G and 5G. The error message you're getting is from trying to turn the radios off and on. Are you using the latest version of the script, which is a file attached to this post: https://www.snbforums.com/threads/using-asus-routers-as-vlan-capable-aps.93795/post-945308

 

[lfmidrange]

I'm afraid this script isn't going to work with an AC68U without quite a bit of change. I did find an older thread that discussed adding VLANs to an AC68U. Here's the link:

https://www.snbforums.com/threads/help-setting-up-vlan-on-asus-rt-ac68u.49312/

Maybe the script discussed in this thread will work for you.

Good luck.

Thanks for the help! Much appreciated. Your very readable scripting with instructions is very well done and newb friendly.

 

[cptnoblivious]

It seems there should be more output, in particular the first few lines that display what ports have been determined for WAN, 2.4G and 5G. The error message you're getting is from trying to turn the radios off and on. Are you using the latest version of the script, which is a file attached to this post: https://www.snbforums.com/threads/using-asus-routers-as-vlan-capable-aps.93795/post-945308

thanks, I must have had a previous version. It runs now but need to sort out some errors:

RT-AX68U-B018:/jffs/scripts# ./Unifi-AP-VLAN.sh
Setting up guest network VLANs
Guest Network #1 VLAN ID = 100, 2.4G = enabled, 5G = disabled
Guest Network #2 VLAN ID = 200, 2.4G = enabled, 5G = enabled
WAN port interface = eth?
2.4G radio interface = eth5
5G radio interface = eth6
ERROR -- invalid WAN port interface eth?
ERROR -- br1 already configured for ports wl0.1 vlan100
ERROR -- br2 already configured for ports wl0.2 wl1.2 vlan200
EXITING -- 3 errors found

 

[Tech9]

@agbommarito, looking at your signature... you just need one more U6 Pro/Mesh.

 

[agbommarito]

thanks, I must have had a previous version. It runs now but need to sort out some errors:

RT-AX68U-B018:/jffs/scripts# ./Unifi-AP-VLAN.sh
Setting up guest network VLANs
Guest Network #1 VLAN ID = 100, 2.4G = enabled, 5G = disabled
Guest Network #2 VLAN ID = 200, 2.4G = enabled, 5G = enabled
WAN port interface = eth?
2.4G radio interface = eth5
5G radio interface = eth6
ERROR -- invalid WAN port interface eth?
ERROR -- br1 already configured for ports wl0.1 vlan100
ERROR -- br2 already configured for ports wl0.2 wl1.2 vlan200
EXITING -- 3 errors found

The script isn't automatically determining what the WAN port is. That has always been tricky. You can use the ip a method described in the same post from which you got the latest file version (https://www.snbforums.com/threads/using-asus-routers-as-vlan-capable-aps.93795/post-945308). Once you determine the correct port, modify one line near the start of the script WANport="eth?" # WAN interface port, replacing eth? with the correct WAN port. That should take care of the first error. The second and third errors are from running the script more than once. It only works immediately after a reboot. If you need to make any changes, you have to reboot before rerunning it.

 

[agbommarito]

@agbommarito, looking at your signature... you just need one more U6 Pro/Mesh.

I know I originally said I didn't want to spend more money on Ubiquiti APs, but I guess I couldn't resist the siren song. The Unifi stuff sure does work well.

 

[cptnoblivious]

The script isn't automatically determining what the WAN port is. That has always been tricky. You can use the ip a method described in the same post from which you got the latest file version (https://www.snbforums.com/threads/using-asus-routers-as-vlan-capable-aps.93795/post-945308). Once you determine the correct port, modify one line near the start of the script WANport="eth?" # WAN interface port, replacing eth? with the correct WAN port. That should take care of the first error. The second and third errors are from running the script more than once. It only works immediately after a reboot. If you need to make any changes, you have to reboot before rerunning it.

Thanks again. It's working

Now I just have to figure out how to turn off the 'hotspot check' on the CGU so clients can connect without going through the portal first
Edit: In typical Ubiquiti fashion, a bit hidden, but easy enough to turn off on the CGU!

 

[agbommarito]

Thanks again. It's working

Now I just have to figure out how to turn off the 'hotspot check' on the CGU so clients can connect without going through the portal first
Edit: In typical Ubiquiti fashion, a bit hidden, but easy enough to turn off on the CGU!

I had a similar issue. At first, I was trying to use the "guest network" setting on the CGU, but the hotspot portal thing bit me too. After a phone chat with Ubiquiti support, I was advised to use the network isolation setting instead. I think the current CGU app might have a bug in that the Hotspot Manager icon is missing. By the way, what Asus model are you using for the AP?

 

[cptnoblivious]

I had a similar issue. At first, I was trying to use the "guest network" setting on the CGU, but the hotspot portal thing bit me too. After a phone chat with Ubiquiti support, I was advised to use the network isolation setting instead. I think the current CGU app might have a bug in that the Hotspot Manager icon is missing. By the way, what Asus model are you using for the AP?

I've got both an AX68 and an AX58. The AX68 is working. The AX58 seems to have a bunch of leftover settings that are messing up the ability to connect to the guest networks (in the logs I'm finding entries to services that should have been erased by the factory reset, but weren't, like VPNDirector / YazFi Guest etc, which are no longer instaled). So I probably need to do another hard factory reset to make things work for the 58.

On the CGU side, the setting to disable the portal was under "Insights | Hotspot" then under settings. So I didn't need to contact support or anything.
For reference: https://help.ui.com/hc/en-us/articles/115000166827-UniFi-Hotspots-and-Captive-Portals
In case someone runs into the same thing trying to setup a CGU with an Asus AP.

 

[Tech9]

As far as I remember this captive portal was optional, not default. I don't have one.

 

[cptnoblivious]

As far as I remember this captive portal was optional, not default. I don't have one.

I don't think I turned it on. Maybe it changed recently?

My steps were:
Setup New Virtual Network and chose "Hotspot" for the zone
Then Manual to set the VLAN ID and the DHCP server options so the isolated networks don't try to point to my Internal DNS servers.

Otherwise, no changes from default for setting up the VLANs, with the exception of routing one of them out via VPN.

 

[Tech9]

Setup New Virtual Network and chose "Hotspot" for the zone

Ah, okay... you started with the new Network Application above version 9.x and the new Zone-Based Firewall. This was an upgrade for my UniFi networks and the previous settings were preserved. The new Hotspot zone perhaps sets captive portal automatically and it makes sense for a Hotspot. Does this work with non-UniFi APs like the Asus routers above?

 

[cptnoblivious]

Ah, okay... you started with the new Network Application above version 9.x and the new Zone-Based Firewall. This was an upgrade for my UniFi networks and the previous settings were preserved. The new Hotspot zone perhaps sets captive portal automatically and it makes sense for a Hotspot. Does this work with non-UniFi APs like the Asus routers above?

Yeah, except that of course the CGU was 'untrusted' by the browser. But after that I was able to simply click the checkbox and get out. Didn't affect the setup on the AX68.

Better to turn it off IMO. Hence my link to the Ubiquiti article on the config above.

 

[Tech9]

Got it, thanks for sharing. Hope you're happy with UCG-Ultra.

 

[cptnoblivious]

Got it, thanks for sharing. Hope you're happy with UCG-Ultra.

Yeah, I've been very happy. Feels like a different 'level' of device compared to the Asus routers and I've yet to find something that I _really_ want to 'fiddle with'. Mind you, I run my own Adguardhome servers, so I have flexibility compared to the build in DNS filtering.

One more tip for folks implementing this setup on a CGU:
-Make sure to enable "protection" for the new VLANs, and also turn on Honeypots on them, if desired. That didn't happen by default and I had to add each VLAN.

 

[agbommarito]

Yeah, I've been very happy. Feels like a different 'level' of device compared to the Asus routers and I've yet to find something that I _really_ want to 'fiddle with'. Mind you, I run my own Adguardhome servers, so I have flexibility compared to the build in DNS filtering.

One more tip for folks implementing this setup on a CGU:
-Make sure to enable "protection" for the new VLANs, and also turn on Honeypots on them, if desired. That didn't happen by default and I had to add each VLAN.

In some ways, the CGU is somewhat boring; just set things to auto and leave it.