VLAN tagging of Guest Network

Nuru

I bought an Asus RT-AX86U to replace my Apple Time Capsule (TC). I have a home office and enough extra requirements that I have a separate router and network switch, so I was using the TC in bridge mode. One of the things I liked about the Apple device is that the guest network was tagged with VLAN ID 1003, so I was able to set up network isolation and special rules for the guest network by filtering traffic based on the VLAN ID.

I would like to do the same thing with the Asus, using the official Asus firmware (in part because I want official support for Time Machine on an external drive), but it does not have GUI access to set up a VLAN ID on the guest networks. I want to set that up, and I am OK with doing it via scripts or command line, but I have not found quite all the information I need. I read these threads:
They suggest that what I want to do can be done, but are missing some of the required details, in part because they are covering different use cases.

What I Want

I have the Asus set up in Access Point (AP) mode using the official Asus (USA) firmware. All the Wireless traffic goes out the WAN port to my Router. What I want is the traffic from guest networks to be tagged with a VLAN ID indicating which guest network the traffic came from. I want traffic from the non-guest networks to remain untagged, or, failing that, be tagged with a different VLAN ID.

What I Think I am Missing

  • I do not know how to map Guest Network SIDs to interfaces on the Asus OS.
  • I do not understand the role of Bridges in the Asus OS.
  • I do not know the interaction between VLAN IDs and bridging and routing on the Asus.

Ideally, the guest network would map to an eth<n> interface, and I could just add a setting that says "add VLAN ID tag xxx to any traffic received on this interface." If that would cause the packets to get forwarded out the WAN port to my network router's IP address with the VLAN ID included, that would solve my problem.

I do not want to use open source firmware.

Please answer or provide links to answers for any or all of my questions. Thank you.
 
I have no experience with VLANs but I will mention that ASUS recently adjusted guest1 2.4/5.0 WLANs to be able to sync to AiMesh nodes... and it has been said here that 2.4/5.0 clients receive IPs *.101/102.xxx, and 2.4/5.0 WLANs have VLAN tags 501/502. Maybe this is relevant.

OE
 
With the current Asus firmware what you want is not going to happen. Especially in AP mode. Router mode with Merlin firmware...maybe. If you are planning to use the AX86U for Time Capsule with an external drive...good luck with that. While the router was designed to use USB drives for Samba shares, Time Capsule, etc., it does not do it well. You are better off getting a NAS or attaching the external drive directly to the Mac.

At a distant point in time you may have been able to work out the vlan tagging but with recent Asus improved security measures...not.
 
I have no experience with VLANs but I will mention that ASUS recently adjusted guest1 2.4/5.0 WLANs to be able to sync to AiMesh nodes... and it has been said here that 2.4/5.0 clients receive IPs *.101/102.xxx, and 2.4/5.0 WLANs have VLAN tags 501/502. Maybe this is relevant.

OE
AHA!!!
This was interesting
I have been running an AX86U as main router for a while and used two of my old n66u in AP mode.
Recently I swapped the n66u's for a pair of XD6 and I could not get guest network to work when connected to nodes. Clients could not get IP addresses.
I tried to set Access Intranet=Enabled and then it worked.
I was on my way returning the XD6's...but started to think about if it could be VLAN tagging involved, so I bypassed my switch and then Guest network 1 worked on nodes with Access Intranet=Disabled and my test devices got 192.168.102.x IPs!

According to info I have seen on some Asus web page, it should use through switches as well...
I sent an email to ASUS asking them about VLAN tagging and they replied ASUS does not support VLAN tagging...

So, if I re-config some ports in my switch and tag 501 and 502 with my VID for intranet untagged it might work!?
Then I can put one XD6 in my TV-bench where I have another manageable switch for IPTV! I really hope it's that simple!
Need to try it out some day!
 
So, if I re-config some ports in my switch and tag 501 and 502 with my VID for intranet untagged it might work!?
Then I can put one XD6 in my TV-bench where I have another manageable switch for IPTV! I really hope it's that simple!

Judging from another post around here, I think you can get it to work.

From my notes: 2.4/5.0 Guest1 WLAN IPs (non-reservable) will be 101.x/102.x (VLAN 501/502).

OE
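
An added example, not part of any post above and not ASUS code: a small 802.1Q parser that sorts captured Ethernet frames by VLAN ID, to check whether the guest tags reported in this thread (501/502) survive a switch hop. The VLAN-to-band mapping is taken from the posts above and is an assumption, the function names are hypothetical, and the sample frames are constructed.

```python
import struct

# VLAN IDs reported in this thread for ASUS Guest Network 1 (not vendor-documented).
GUEST_VLANS = {501: "guest1 2.4 GHz", 502: "guest1 5 GHz"}
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan(frame: bytes):
    """Return (vid, pcp, inner_ethertype); vid and pcp are None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3 bits priority, 1 bit DEI, 12 bits VLAN ID
    return tci & 0x0FFF, tci >> 13, inner

def classify(frame: bytes) -> str:
    vid, _pcp, _inner = parse_vlan(frame)
    if vid is None:
        return "untagged (main LAN)"
    return GUEST_VLANS.get(vid, f"unexpected VLAN {vid}")

def summarize(frames):
    """Count frames per class, e.g. to compare both sides of a switch."""
    counts = {}
    for f in frames:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts

def build_frame(vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame with placeholder MAC addresses."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample: one untagged, three guest-tagged, one foreign tag.
SAMPLE = [build_frame(), build_frame(501), build_frame(502),
          build_frame(502), build_frame(1003)]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).items():
        print(f"{n:3d}  {label}")
```

If frames captured on the router side of a switch show 501/502 but the same traffic on the far side shows none, the switch port is dropping or stripping the guest tags.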
 
