VLAN for Ubiquiti WiFi guest network on RT-N66U

[jamestx10]

I am wanting to setup VLAN tagging to use a UniFi AP with both Isolated guest access and regular LAN access using my RT-N66U currently running Merlin 380.64_2. I have seen several threads showing examples for isolating one of the switch ports but not one for just tagging. So I am turning to the forum gurus to help me figure this out.

My settings:
WAN connection is DHCP via FIOS
LAN is 192.169.1.0 255.255.255.0 with the router providing DHCP
I have both regular LAN and guest WiFi setup on the router and would like to keep those. There is no need for the router guest networks to be connected to the UniFi AP guest network but they can be if that is a simpler setup.
I would like to have the guest VLAN provide DHCP in another subnet for example 10.0.1.0 255.255.255.0

 

[jamestx10]

Can the N66U even do this or do I need to look into a managed switch to handle this?

 

[jamestx10]

Is there not enough information there?

 

[bgsmith]

Does this help? http://www.mattiasholm.com/security...rt-ac66u-with-asuswrt-merlin-firmware-380-59/

 

[Nullity]

If you search, there's a good thread regarding VLANs somewhere on here. It's not a simple task but it's possible though I'm a bit unclear about what you are trying to do.

 

[jamestx10]

That link takes port 4 on the router and makes it part of the guest network.

What I am trying to do is have a Guest SSID and a normal LAN SSID on my AP using VLAN Tagging and then have a single Ethernet connection from the router to the AP that sees the VLAN tagging and handles the traffic accordingly.

For example if by default the router:
VLAN 1 is LAN
VLAN2 is guest
I would then setup a Guest SSID on my AP and tag it with VLAN2 and setup a normal LAN SSID and tag it as VLAN1

 

[roberto]

I found this searching for vlan support on Asus / Merlin firmware. Fundamentally, does the Asus hardware support vlans? I too, would love to be able to create vlans on The Asus router.

@jamestx10 are you plugging in a Unifi AP into the Asus router? I have what you're trying to do working with a Unifi Security Gateway.

 

[Nullity]

Maybe this will help? https://www.snbforums.com/threads/vlan-configuration.8801/

Look at @Blargh's posts.

 

[jamestx10]

@jamestx10 are you plugging in a Unifi AP into the Asus router? I have what you're trying to do working with a Unifi Security Gateway.

I am. I would prefer to stick with the Asus if I could rather then going the security gateway route.

 

[jamestx10]

Maybe this will help? https://www.snbforums.com/threads/vlan-configuration.8801/

Look at @Blargh's posts.

That still looks like a port is configured for a single VLAN. I need the ability for a single port to have 2 VLANs.

 

[Nullity]

That still looks like a port is configured for a single VLAN. I need the ability for a single port to have 2 VLANs.

Oh, you could probably do that by using custom user scripts and iptables, ebtables, and vconfig.

 

[roberto]

I have searched around and creating vlans per port is definitely possible. I will have to collect all my findings into something shareable, but for sure is doable. Not sure about doing it in the UI, though; it would require ssh'ing into the console and setting up custom scripts as @Nullity points out. Simply by running `ifconfig` on a fresh system there look to be two vlans already:

vlan1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:230051 errors:0 dropped:0 overruns:0 frame:0
TX packets:844894 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:48323060 (46.0 MiB) TX bytes:105575610 (100.6 MiB)

vlan2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.176 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16124151 errors:0 dropped:0 overruns:0 frame:0
TX packets:7863435 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19477385251 (18.1 GiB) TX bytes:1445299063 (1.3 GiB)

 

[Fitz Mutch]

I don't own an RT-AC66U. However, on the RT-AC68U, the VLAN tagging for wired Ethernet ports works fine, but the Asus Wi-Fi driver does not support the frame classifiers that would allow a person to do VLAN tagging on an SSID. Example:

/usr/sbin/wl -i eth1 tclas_list

wl: Unsupported

/usr/sbin/wl --help

...

tclas_add
    add tclas frame classifier type entry
    Usage: wl tclas_add <user priority> <type> <mask> <...>
    type 0 eth2:     <src mac> <dst mac> <ether type>
    type 1/4 ipv4:   <ver> <src> <dst> <s_port> <d_port> <dscp> <prot>
    type 2 802.1Q:   <vlan tag>
    type 3 filter:   <offset> <value> <mask>
    type 4 ipv6:     <ver> <src> <dst> <s_port> <d_port> <dscp> <nxt_hdr> <flw_lbl>
    type 5 802.1D/Q: <802.1Q PCP> <802.1Q CFI> <802.1Q VID>

tclas_del
    delete tclas frame classifier type entry
    Usage: wl tclas_del [<idx> [<len>]]

tclas_list
    list the added tclas frame classifier type entry
    Usage: wl tclas_list

...

 

[Nullity]

I don't own an RT-AC66U. However, on the RT-AC68U, the VLAN tagging for wired Ethernet ports works fine, but the Asus Wi-Fi driver does not support the frame classifiers that would allow a person to do VLAN tagging on an SSID.

but I think he wants to simply recognize tagged VLAN traffic rather than tag it on the AsusWRT device. The Unifi AP will be doing the tagging.

 

[mstombs]

Just to point out there are two uses of the term "vlan" in Broadcom routers. It is used internally to describe how the external ports on the internal 5-port Ethernet Switch are physically split into LAN/WAN, which is done via nvram params read by the Broadcom Ethernet device driver

vlan1ports=1 2 3 4 8*
vlan2ports=0 8u

The port used for the WAN can be changed, or multiple ports assigned to the WAN by correct mangling of the above.

The second use is for "VLAN tagging" (IEEE 802.1Q) of Ethernet frames passing through the router, often used for ISP delivered IPTV, for example, for traffic entering via the WAN port, tagged packets can directed to specific port vlans.

I am not up to speed on the latter, but wonder if the OPs requirement can be met by creating an additional port vlan to connect the access port by Ethernet to. The nvram element would be once-off config, but I am sure custom commands would be needed on every boot/wan change to add script rules to control routing/isolation. Normally the Ethernet and wireless lans are bridged to form lan bridges, guest wifi gets its own bridge.

Some versions of dd-wrt and Tomato have web guis for both types.

 

[Fitz Mutch]

How to see all VLANs in action, on the router. This only captures the VLAN traffic. Then use Wireshark to view the packet capture.

tcpdump -i eth0 -en -Uw /path/to/public/share/vlans-eth0.cap vlan

 

[jamestx10]

but I think he wants to simply recognize tagged VLAN traffic rather than tag it on the AsusWRT device. The Unifi AP will be doing the tagging.

That is exactly what I want to do.

 

[jamestx10]

Some versions of dd-wrt and Tomato have web guis for both types.

I am wondering if I need to move to one of those to pull this off.

I only use normal router functions, DDNS and OpenVPN Server

 

[Fitz Mutch]

That is exactly what I want to do.

I use a 24-port managed Ethernet switch to tag packets with either vlan1 or vlan14, depending on which port block (ports 2-12 or ports 13-24) that the Ethernet cable is plugged into. My RT-AC68U router then treats vlan1 as full access and vlan14 as Internet-only Guest access, for example.

LAN port 4 on the RT-AC68U router is a trunk to handle both vlan1 and vlan14 traffic coming and going to the switch.

/jffs/scripts/firewall-start

#!/bin/sh
/usr/sbin/robocfg show | /bin/grep -qF "vlan14:"
if [ $? -ne 0 ]; then
  /usr/sbin/robocfg vlan 1 ports "1 2 3 4t 5t"
  /usr/sbin/robocfg vlan 14 ports "4t 5t"
  /sbin/vconfig add eth0 14
  /sbin/ifconfig vlan14 up
  /usr/sbin/brctl addif br0 vlan14
fi

So this example just sets up the new vlan14. The next step is to do something with that traffic. For instance, you could route the vlan14 traffic through OpenVPN or a Tor network.

 

[jamestx10]

My RT-AC68U router then treats vlan1 as full access and vlan14 as Internet-only Guest access, for example.
So this example just sets up the new vlan14. The next step is to do something with that traffic. For instance, you could route the vlan14 traffic through OpenVPN or a Tor network.

This is getting much closer to what I am wanting to do. Can the N66U support this same behavior?

Could your provide the rest of your configuration that is treating vlan14 as internet-only as that is my goal with this configuration.