VLAN issue with multiple SSID and RT-AC3200


mathhov

New Around Here
What is wrong with that router? It's like all the SSIDs are hardware bridged together even if ROBOCFG / IFCONFIG / BRCTL say otherwise. I'm about to lose control here. I got multiple VLANs and SSIDs working with an RT-AC66 but this RT-AC3200 keeps doing crap whatever I do.

As you can see in this screen capture, MAC 00:B1:28:2C:CC:E1 is getting tagged on 2 VLANs even though it is connected to the SSID related to VLAN20. I'm not having this behavior on my RT-AC66. The device only gets tagged on the correct VLAN.
2020-05-04 10_00_49-NETGEAR FS752TP.png

Here is my "services-start" script
Code:
#!/bin/sh
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 vlan1

# add vlans
robocfg vlan 1 ports ""
robocfg vlan 2 ports ""
robocfg vlan 1045 ports ""
robocfg vlan 1046 ports ""
robocfg vlan 1047 ports ""
robocfg vlan 1099 ports ""
robocfg vlan 1100 ports ""
robocfg vlan 1101 ports ""
robocfg vlan 1102 ports ""
robocfg vlan 1103 ports ""
robocfg vlan 10 ports "0t 1u 2u 3u 4u 5t"
robocfg vlan 20 ports "0t 5t"
vconfig add eth0 10
vconfig add eth0 20
ifconfig vlan10 up
ifconfig vlan20 up
ifconfig vlan1 down
vconfig rem vlan1

# reconfigure br0, private LAN
brctl addif br0 vlan10

# set up br1, guest SSID
brctl addbr br1
brctl addif br1 vlan20
brctl addif br1 wl0.1
ip link set br1 up

# setting nvram for eapd
nvram set lan_ifnames="vlan10 eth1 eth2 eth3"

nvram set lan1_ifnames="vlan20 wl0.1"
nvram set lan1_ifname="br1"

# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 vlan10"
nvram set br1_ifnames="wl0.1 vlan20"
nvram set br1_ifname="br1"

killall eapd
eapd
 

mathhov

New Around Here
Am I the only one having an RT-AC3200 that messes with VLANs on the SSID side? Can someone help me?
 

john9527

Part of the Furniture
I seem to remember that VLAN ids <=100 MAY be used internally by the firmware depending on the router. Try using a different id above 100.
 

mathhov

New Around Here
Thanks John,
Unfortunately it didn't work. I replaced tagged VLAN10 with untagged VLAN1 and VLAN20 with VLAN240. Same shirt is happening.
2020-05-08 00_06_34-Window.png
 

mathhov

New Around Here
I did some additional testing and whatever interfaces (ETH1, ETH2, ETH3, WL0.1, ... , WL2.3) I remove from br0 and add to a new br1, all clients on all SSIDs get automatically tagged on both VLANs. :(
What a piece of ... No wonder why Asus stopped firmware support on this one.
 

grifo

Senior Member
I don't have an RT-AC3200 but an RT-AC87U and they're different, but possibly the issue is that you are taking off all ports from the VLANs that the router uses for its internal traffic, e.g. VLANs 1045 and above and possibly 1 and 2.

I'd start taking off all the robocfg vlan x ports "" lines and the removing of VLAN 1 (tag ports 1-4 on it as you need them untagged on VLAN 10) and see if it works, if it does you could try walking that back for VLANs 1 and 2 if you really want to get rid of those and see again if it works, though VLANs 1045 and above most likely need to be left default.

One more thought, if you are moving your LAN off VLAN 1 to VLAN 10 because you have other devices that must use VLAN 10 (or a VLAN other than 1) then okay but if you're doing it purely as a best practice like you may do on a professional router then I wouldn't do it, I keep my LAN on VLAN 1 and only assign the guest SSIDs to different VLANs and it's all hunky-dory.

These are consumer routers and they aren't designed to work like professional ones, VLANs aren't even officially supported and changing the default behaviour too much breaks things, especially on routers like the RT-AC3200 and the RT-AC87U which have a special architecture.
 

mathhov

New Around Here
Thanks all for your answers.
I didn't mention it, but I removed these robocfg vlan x ports "" lines in additional testing. Since these VLANs are down it doesn't matter whether I delete them or not. The behavior is the same. I know my robocfg lines are correct because wired clients don't get tagged with an SSID VLAN, while SSID clients are tagged with both. Concerning replacing vlan1 with vlan10: as I have written in my latest post, I'm now leaving it at the default, untagged on vlan1, and the mapping to vlan10 is done by my Netgear managed switch. ...Unfortunately the behavior is the same. I'm sure my bug is either that all SSIDs are hardware bridged or that my nvram lines are not working with this specific model.
 

grifo

Senior Member
Yeah we'd really need someone doing this on an RT-AC3200, meantime could you post your current services-start with VLAN 1 untouched (so all the wired ports are assigned to it) and the guest wifi interface assigned to a different VLAN, then robocfg show and brctl show.
 

mathhov

New Around Here
Sure,
Here is what I've got so far. I'm using the WAN as trunk for untagged vlan1 (that is tagged by my managed switch to vlan10) and tagged vlan240

services-start:
Code:
#!/bin/sh

# remove interfaces we're gonna move to other bridges
brctl delif br0 eth3

# modify vlan1
robocfg vlan 1 ports "0 1 2 3 5t"

# set up vlan240
robocfg vlan 240 ports "0t 4 5t"
vconfig add eth0 240
ifconfig vlan240 up

# set up br1, guest SSID
brctl addbr br1
brctl addif br1 vlan240
brctl addif br1 eth3
ip link set br1 up

# setting nvram for eapd
nvram set lan_ifnames="vlan1 eth1 eth2"

nvram set lan1_ifnames="vlan240 eth3"
nvram set lan1_ifname="br1"

nvram set br0_ifnames="eth1 eth2 vlan1"
nvram set br1_ifnames="eth3 vlan240"
nvram set br1_ifname="br1"

killall eapd
eapd

Ifconfig:
Code:
br0       Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D0
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:124013 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9251 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26280869 (25.0 MiB)  TX bytes:1958398 (1.8 MiB)

br1       Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:798986 errors:0 dropped:0 overruns:0 frame:0
          TX packets:657402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:489391211 (466.7 MiB)  TX bytes:210951506 (201.1 MiB)
          Interrupt:179 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D4
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83233 errors:0 dropped:89 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:22004775 (20.9 MiB)

eth2      Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:17837 errors:0 dropped:0 overruns:0 frame:0
          TX packets:691940 errors:0 dropped:164 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5131436 (4.8 MiB)  TX bytes:380999740 (363.3 MiB)

eth3      Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D8
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:14614 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173603 errors:0 dropped:203 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3716228 (3.5 MiB)  TX bytes:100494874 (95.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:94690 errors:0 dropped:0 overruns:0 frame:0
          TX packets:94690 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20861094 (19.8 MiB)  TX bytes:20861094 (19.8 MiB)

lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

vlan1     Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:798980 errors:0 dropped:0 overruns:0 frame:0
          TX packets:657402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:463219865 (441.7 MiB)  TX bytes:208483378 (198.8 MiB)

vlan240   Link encap:Ethernet  HWaddr AC:9E:17:A9:FA:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1286 (1.2 KiB)  TX bytes:0 (0.0 B)

robocfg show:
Code:
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 6c:f0:49:ed:38:82
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 240 jumbo: off mac: b4:ae:2b:13:0d:88
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 54:60:09:f3:91:1a
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 5t
   2: vlan2: 5t
 240: vlan240: 0t 4 5t
1045: vlan1045: 1t 3 7
1046: vlan1046: 1t 4 7t 8u
1047: vlan1047: 2 5t 7 8u
1099: vlan1099: 0 2t 7t 8t
1100: vlan1100: 0t 2t 4 8u
1101: vlan1101: 0 2t 3 5t
1102: vlan1102: 0t 3 4 5t 7
1103: vlan1103: 0 1 2t 7t 8u

brctl show:
Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.ac9e17a9fad0       no              vlan1
                                                        eth2
                                                        eth1
br1             8000.ac9e17a9fad0       no              vlan240
                                                        eth3

Results of this:
(Keep in mind port 1-4 are reversed on RT-AC3200)
All wireless clients get untagged on VLAN1 (then tagged on VLAN10) and tagged on VLAN240 including the clients not on ETH3
All wired clients on ports 2, 3 and 4 are untagged on VLAN1 (then tagged on VLAN10)
Wired client on port 1 is only tagged on VLAN240
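
An added example, not part of the original post or of any firmware: a shell check that the `brctl show` output posted above matches the intended bridge membership (the same lists written to `lan_ifnames` / `lan1_ifnames`). The function names are hypothetical, the sample input is copied from the post, and the on-router usage with `nvram get` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare intended segment membership
# with what `brctl show` reports.

# Sample input copied from the brctl show output in the post above.
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.ac9e17a9fad0       no              vlan1
                                                        eth2
                                                        eth1
br1             8000.ac9e17a9fad0       no              vlan240
                                                        eth3'

# stdin: brctl show text; stdout: one "bridge iface" pair per line.
bridge_members() {
    awk 'NR == 1 { next }                      # header row
         NF >= 3 { br = $1; if (NF >= 4) print br, $4; next }
         NF == 1 && br != "" { print br, $1 }' # continuation row
}

# $1 = iface, stdin = brctl show text; prints the bridge(s) holding it.
bridges_of() {
    bridge_members | awk -v i="$1" '$2 == i { printf "%s%s", sep, $1; sep = " " }'
}

# $1 = bridge, $2 = intended members, $3 = brctl show text.
# Returns 0 only if the bridge holds exactly the intended interfaces.
check_segment() {
    rc=0
    for ifc in $2; do
        got=$(printf '%s\n' "$3" | bridges_of "$ifc")
        [ "$got" = "$1" ] || { echo "MISMATCH: $ifc not in $1 (found in: ${got:-none})"; rc=1; }
    done
    for m in $(printf '%s\n' "$3" | bridge_members | awk -v b="$1" '$1 == b { print $2 }'); do
        case " $2 " in
            *" $m "*) ;;
            *) echo "EXTRA: $m is in $1 but not intended there"; rc=1 ;;
        esac
    done
    return $rc
}

# On the router (assumed usage, needs the firmware's nvram and brctl):
#   check_segment br1 "$(nvram get lan1_ifnames)" "$(brctl show)"
check_segment br0 "vlan1 eth1 eth2" "$BRCTL_SAMPLE" && echo "br0 matches intent"
check_segment br1 "vlan240 eth3" "$BRCTL_SAMPLE" && echo "br1 matches intent"
```

A pass only shows that the Linux bridge table matches the intended segments; it says nothing about how the switch or the wireless driver forwards frames underneath it.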
 

grifo

Senior Member
The RT-AC3200 is running in AP mode, right?

Looking at the config, unless this is different on the RT-AC3200 you should add the WLAN guest interfaces (wl0.1 etc.) to the new bridge, like you did on your first post, not the physical ones (eth3 etc.). To see those interfaces on ifconfig you have to enable the individual guest WLANs first.

Below is a working config of my RT-AC68U running in AP mode, the WAN port is a trunk to my RT-AC87U and port 4 to a Netgear managed switch. Check it against yours and adapt it, it should work unless there are specific RT-AC3200 quirks, hopefully someone with that model will post his config.

services-start
Code:
#!/bin/sh
robocfg vlan 201 ports "0t 4t 5t"
robocfg vlan 202 ports "0t 4t 5t"
vconfig add eth0 201
vconfig add eth0 202
ifconfig vlan201 up
ifconfig vlan202 up

brctl addbr br1
brctl addbr br2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl addif br1 vlan201
brctl addif br2 vlan202
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br2 wl0.2
brctl addif br2 wl1.2
ifconfig br1 up
ifconfig br2 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan201 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan202 wl0.2 wl1.2"
nvram set lan2_ifname="br2"

nvram commit
killall eapd
eapd

brctl show
Code:
bridge name    bridge id        STP enabled    interfaces
br0        8000.xxxxxxxxxxxx    no        vlan1
                                          eth1
                                          eth2
br1        8000.xxxxxxxxxxxx    no        vlan201
                                          wl1.1
                                          wl0.1
br2        8000.xxxxxxxxxxxx    no        vlan202
                                          wl1.2
                                          wl0.2
 

mathhov

New Around Here
Yep, it is in AP mode. As I've said in my first post, I got this working on an RT-AC66. I'm not new to this. If you don't need the guest interface, as I do on my second 5GHz interface, you can directly bridge the physical interface without issue (...and it prevents having a useless dummy SSID up and crowding your wireless networks list).
I want to know if there is someone out there aware of limitations that prevent the RT-AC3200 from correctly bridging SSIDs, whether it's a virtual SSID or a regular SSID, or someone who knows a workaround to get this working. ...Otherwise, I'm going to spend some money and buy a Ubiquiti AP that supports VLAN and dynamic VLAN with RADIUS.
 

grifo

Senior Member
Yeah hopefully someone doing this with that model will chime in, though it's not a very common model.

Either way you may be better off getting a dedicated AP and selling the 3200 while it's still worth something (Asus is still supporting it but probably not for long), no point having that big a router just for an AP with no VLAN support out of the box and you already have a managed switch for ports.
 

mathhov

New Around Here
Well, it looks like DD-WRT does it right where Merlin doesn't :( I would have preferred working with Merlin because I think it's more stable and less prone to crashing than DD-WRT ...and VLAN 16 to 21 aren't reserved. ...and WAN LED is messed up. So far there is no other way to go unless this messed up bridged SSID bug is fixed by RMerlin.
 

grifo

Senior Member
I've just recalled a problem affecting multiple SSIDs in AP mode due to CTF being enabled, which causes traffic to be assigned to the wrong VLAN. It's worth a try, see this post and the ones following.
 
