Hi, this is a long/detailed question with the hope to minimize follow-up questions.
I’m about to get crazy with this issue and I would really appreciate help.
My setup is:
ISP -> router running OpenWRT (OpenWrt 21.02.5) -> Trunk (vlan 1, 3t, 4t) -> RT-AC68U (Merlin FW 386.9, AP mode) -> WiFi Clients
The OpenWRT router has been configured with VLAN 1 for LAN devices, 3 for guest devices and 4 for IoT (no WAN access, via a firewall rule).
VLANs are configured with the DSA framework. I followed these videos to get started:
LAN is on 192.168.1.x
IoT is on 10.10.40.xxx, DHCP server enabled, VLAN4
When I test the configuration of OpenWRT router for VLAN 4 (by using one LAN port setup on the VLAN) I get the expected behaviour:
Client device gets an IP in 10.10.40.xx and no internet access.
LAN devices can access IoT zone as expected.
RT-AC1900P (same as AC68U) has a 5-port switch. Port 0 goes to the WAN connector, port 5 to the CPU (host).
It is configured in AP mode (not router)
My switch configuration is as follows:
robocfg vlan 1 ports "0 1 2 5t"
robocfg vlan 3 ports "0t 3 5t"
robocfg vlan 4 ports "0t 4 5t"
I have validated that connecting a device to LAN port 4 gives me a dynamic IP in the 10.10.40.xx range as expected. This client cannot access the internet, as expected.
So from a VLAN/ethernet switch/firewall point of view, everything seems to be working as expected.
Now, with the following script, I set up all WiFi guest networks to be part of vlan3 or vlan4.
Code:
script="/jffs/scripts/services-start"
tee "${script}" > /dev/null << EOF
#!/bin/sh
# multi SSID with VLAN script, for ASUS AC68U/AC1900P with merlin
#
# setup before hand:
# set "router" to "AP Mode"
# this will put all ports and wireless in br0
# create 2+ guest network
# enable Administration => System => Enable JFFS custom scripts and configs
# put this script in /jffs/scripts/, name should be "services-start"
# remember `chmod 775 services-start`
# reboot
# Original AP mode:
# eth0 sw port 0 => UPLink/WAN
# eth0 sw Port 5 => CPU/HOST port (vlan 1 and 2 tag)
# eth0 sw port 1-4 => LAN port 1-4
# eth1 => WiFi 2.4G
# eth2 => WiFi 5G
# wl0.n => WiFi 2.4G guest
# wl1.n => WiFi 5G guest
# This setup:
# UPLink/WAN port (eth0 sw port 0) as a tagged port
# LAN ports (eth0 sw 1-2) and primary WiFi (eth1,2) will be on VLAN 1
# eth0 sw port 1-2 => LAN port 1-2
# eth0 sw port 3 => LAN port 3, (vlan3)
# eth0 sw port 4 => LAN port 4, (vlan4)
# br0 => LAN (vlan1)
# br1 => Guest LAN (vlan3)
# br2 => IoT LAN (vlan4)
# wl0.1 => WiFi 2.4G guest (vlan3)
# wl1.1 => WiFi 5G guest (vlan3)
# wl0.2 => WiFi 2.4G IoT (vlan4)
# wl1.2 => WiFi 5G IoT (vlan4)
#
(
echo "============== START: $(date) =================="
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.1
brctl delif br0 wl1.2
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set br0_ifnames="vlan1 eth1 eth2"
# Remove SW port4 from vlan1
robocfg vlan 1 ports "0 1 2 5t"
robocfg vlan 3 ports "0t 3 5t"
robocfg vlan 4 ports "0t 4 5t"
# Add VLANs
#ip link add link eth0 name vlan3 type vlan id 3
#ip link add link eth0 name vlan4 type vlan id 4
vconfig add eth0 3
vconfig add eth0 4
#ip link set vlan3 up
#ip link set vlan4 up
ifconfig vlan3 up
ifconfig vlan4 up
brctl addbr br1
brctl addif br1 vlan3
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up
nvram set lan1_ifnames="vlan3 wl0.1 wl1.1 "
nvram set br1_ifnames="vlan3 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1
brctl addbr br2
brctl addif br2 vlan4
brctl addif br2 wl0.2
brctl addif br2 wl1.2
ip link set br2 up
nvram set lan2_ifnames="vlan4 wl0.2 wl1.2 "
nvram set br2_ifnames="vlan4 wl0.2 wl1.2"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
killall eapd && eapd
robocfg show
brctl show
ip a
ip r
) 2>&1 | tee -a /jffs/scripts/logfile.log
EOF
chmod 775 "${script}"
I have tried both “ip link add link eth0 name vlan4 type vlan id 4” and “vconfig add eth0 4”, since some users mentioned the ip command may not work on all routers.
And this is the log file:
Code:
admin@RT-AC1900P-7980:/jffs/scripts# ll
-rw-rw-rw- 1 admin root 3764 May 5 2018 logfile.log
-rwxrwxr-x 1 admin root 2777 Feb 10 01:55 services-start*
admin@RT-AC1900P-7980:/jffs/scripts# cat logfile.log
============== START: Fri Feb 10 01:55:46 GMT 2023 ==================
interface wl1.2 does not exist!
interface wl1.2 does not exist!
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:89:e8
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:9d:1d
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 3 jumbo: off mac: xx:xx:xx:xx:23:75
Port 4: DOWN enabled stp: none vlan: 4 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:79:80
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 5t
2: vlan2: 5t
3: vlan3: 0t 3 5t
4: vlan4: 0t 4 5t
bridge name bridge id STP enabled interfaces
br0 8000.xxxxxxxx7980 no vlan1
eth1
eth2
br1 8000.xxxxxxxx7980 no vlan3
wl0.1
wl1.1
br2 8000.xxxxxxxx7980 no vlan4
wl0.2
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet 127.0.1.1/8 brd 127.255.255.255 scope host secondary lo:0
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
link/ether xx:xx:xx:xx:c5:cc brd ff:ff:ff:ff:ff:ff
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
link/ether xx:xx:xx:xx:4d:f3 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
5: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether xx:xx:xx:xx:79:84 brd ff:ff:ff:ff:ff:ff
8: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
9: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
11: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether xx:xx:xx:xx:79:81 brd ff:ff:ff:ff:ff:ff
12: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether xx:xx:xx:xx:79:82 brd ff:ff:ff:ff:ff:ff
13: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether xx:xx:xx:xx:79:85 brd ff:ff:ff:ff:ff:ff
14: vlan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
15: vlan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
16: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
17: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
Finally, I confirmed that the AP I am connecting to has the proper wl** link:
admin@RT-AC1900P-7980:/jffs/scripts# nvram show |grep -i iot
wl0.2_ssid=IoT2
A WiFi client connecting to the IoT network will receive an IP address in the 10.10.40.xx range, but it will be able to access the internet, and this is my problem. I have reviewed my script many times and the results of robocfg, brctl, etc. I tried different tweaks, but I cannot get the expected result.
Client connected to wl0.2 (IoT zone) should not be able to access outside my home network.
My script is set up to use wl1.2 (2nd 5GHz Guest Network), but it's not configured yet. I tried removing it from the script but that didn't solve the problem, so I put it back in the script (the reason for the error msg in the log file).
Do you have any hints on how to troubleshoot?
Thanks in advance.
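One way to confirm, from the text that `robocfg show` and `brctl show` print, that the IoT SSID interface really is bridged into the VLAN that is tagged on the uplink port. This is an added example, not the poster's script; it works on constructed samples laid out like the log above.

```shell
#!/bin/sh
# Added example, not the poster's script: sanity-check an AP-mode Merlin box
# where an SSID interface must sit in a bridge whose VLAN is tagged on the uplink.
# It parses text in the shape that `robocfg show` and `brctl show` print.

# Constructed sample output, same layout as the log in the post.
ROBOCFG_SAMPLE='VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 5t
2: vlan2: 5t
3: vlan3: 0t 3 5t
4: vlan4: 0t 4 5t'

BRCTL_SAMPLE='bridge name bridge id STP enabled interfaces
br0 8000.xxxxxxxx7980 no vlan1
eth1
eth2
br1 8000.xxxxxxxx7980 no vlan3
wl0.1
wl1.1
br2 8000.xxxxxxxx7980 no vlan4
wl0.2'

# bridge_of IFACE BRCTL_OUTPUT: print the bridge holding IFACE (brctl names the
# bridge only on its first member line; later members are one per line).
bridge_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                  # skip the header line
        NF >= 4 { br = $1; member = $4 }  # "brN  bridge-id  STP  first-member"
        NF == 1 { member = $1 }           # continuation line with one member
        member == want { print br; exit }'
}

# vlan_has_port VLAN_ID PORT ROBOCFG_OUTPUT: exit 0 if PORT (e.g. "0t") is
# listed for that VLAN id in the "N: vlanN: ports..." lines.
vlan_has_port() {
    printf '%s\n' "$3" | awk -v key="$1:" -v port="$2" '
        $1 == key { for (i = 3; i <= NF; i++) if ($i == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ssid_vlan WLIF BRIDGE VLAN_ID UPLINK_PORT: 0 when the SSID interface is in
# BRIDGE and VLAN_ID is tagged on UPLINK_PORT; 1 = wrong bridge (clients would
# land in another VLAN); 2 = VLAN untagged/missing on the uplink (no trunk path).
check_ssid_vlan() {
    [ "$(bridge_of "$1" "$BRCTL_SAMPLE")" = "$2" ] || return 1
    vlan_has_port "$3" "${4}t" "$ROBOCFG_SAMPLE" || return 2
}

check_ssid_vlan wl0.2 br2 4 0 && echo "wl0.2 -> br2 -> vlan4 tagged on port 0: OK"
```

On the router itself the two samples can be replaced with `$(robocfg show)` and `$(brctl show)`. A pass only confirms the layer-2 mapping on the AP; it says nothing about the firewall at the far end of the trunk.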