
Vlan Wifi?

mister

Regular Contributor
Dear all,
I just want to ask a question. Is it possible to configure different WiFi SSIDs and give them a VLAN signature?


My setup:
I am using the RT68U in access point mode. The RT86u is my master router with vpn client connection.

I have two WiFis: one for the guest using VPN (ssid1) and one for my family (ssid2) with the router of my ISP.

Currently I need a separate AP for each SSID.
It would be very cool if the Asus access point would be able to send both SSIDs and flag them with a VLAN signature.

In the guest network setup of the Asus, you can't assign VLAN flags, can you?

Thanks a lot for your support.
 
Thank you.
I took a short look at it, but if I understand that correctly, you only separate the WiFis, but you don't assign the VLAN mark, is that correct?


Because I never used scripts before I will be very careful, not to damage my router...

There is no other solution except scripts?
 
Without using scripts a very workable option is to connect your AC68 to the Internet and then double NAT your AC86 behind the AC68. You will be able to run VPN clients on the AC86 just as you are doing now as well as use most all of the advanced features that the AC86 offers.

Any devices connected to the AC86 will be isolated from all devices on the AC68. Devices on the AC86 will however be able to see devices connected to the AC68.

You can set up both guest and regular WiFi networks on the AC68.

A double NAT setup will not increase your latency or reduce speeds unless you have a gig connection, then the AC68 might be a bottleneck.
 
@CaptainSTX - This sounds like a great way to maintain network isolation without messing with iptables or script writing! Couple questions though; In the double-NAT topology mentioned above, if you wanted to run an OpenVPN server for remote access, which router should run the server?

How would you go about running a VPN server on the AC86 (non-WAN facing router)? It seems like the nested router would have trouble with the DDNS redirection...

Thx in advance!
 
I have two WiFis: one for the guest using VPN (ssid1) and one for my family (ssid2) with the router of my ISP. Currently I need a separate AP for each SSID.

As mentioned above, YazFi script allows you to configure Guest SSID1 through VPN and Guest SSID2 through WAN on a single router. You can also have enforced DNS of your choice for each network, have them isolated from Intranet, from each other, etc. Check it out and see, it's not difficult to configure. The fact that the script works with Guest SSIDs doesn't necessarily mean only guests can connect, right?
 
Thanks a lot for your ideas, but I fear, it is not the right solution to me:

The RT68u (AP) is only connected with one LAN cable to the router 86U. So the solution using double NAT won't work because in that case I need two cables (which is not possible in my flat)? I am not an expert, so apologies if I write something wrong.

The reason why I have two SSIDs is that Amazon Prime or Netflix are not working if used via VPN connection. I already read here that there are solutions by filtering the specific traffic via WAN instead of via VPN, but it seems to me that they have some problems and the configuration seems to be very complex. Especially for Amazon Prime I didn't find a working solution.

But of course it would be the nicest way, because you stay in the same network. So ideas or a tutorial for amazon prime are welcome.

My manual solution is switching the WiFi on the tablet if you want to use Netflix or Prime and switching back if not. Not an elegant solution but it works.

If it would be possible in Merlin to add VLAN tags to the SSIDs, it would easily solve my solution. I would create a SSID with VPN and one without and separate them via VLAN tag.

The VPN SSID traffic is completely routed through the RT86U, which sends all the traffic through the VPN client; the "normal" WiFi is routed through the router of my ISP and so Amazon and Netflix can be used without any problem.
 

Attachment: current Setup.JPG
I would create a SSID with VPN and one without and separate

You are already in Double NAT with your router behind ISP router. You can do exactly what you want using one router only. Just read how Policy Rules work in OpenVPN Client configuration and what YazFi script does. It's not very complex.
 
Hi Val,
Thank you for your comments - I will take a deeper look into the script. I didn't see a VLAN functionality in the first post, but the script seems to have that. Maybe I can integrate it. I will take a look.
Just two questions:

1. Is YazFi compatible with the new mesh functionality introduced in Merlin 13?
2. Do I have to use the YazFi script on both devices - the router (86U) and the AP (68U) - or just on the AP?

Sorry I am a complete newbie...

Thanks a lot for your support.
 
Sorry I am a complete newbie...

Forget about those VLANs for a moment and describe in simple words what exactly you want to achieve. Selected devices using different path to Internet WAN/VPN? Or easy switching between the two WAN/VPN? Because it looks like you already have 2 separate SSIDs, one going through WAN and one going through VPN. The way it is right now is the easiest.
 
Ok, I try to explain.

I want to secure my network a little bit more by using the VPN client for all my connections to the internet.
Unfortunately, parts of my devices do not work when I use the Asus RT86U router - it may be due to the VPN; it may be due to a setting in the router itself. (I didn't get information by the supplier, why the components are not working properly or which protocol they need, so I can't solve this.)

I also want to use VOD services like Amazon Prime Video or Netflix on some wifi devices. These don't work for me because of the provider restriction if the internet traffic is routed via VPN. (I'd have to try out the policies there...)

The solution is simple, I have a WiFi from the ISP router (without VPN) and one from the Asus router RT86U (with VPN). The devices that don't work properly over VPN are connected to the ISP router, the others are connected to the Asus router. This also works and I change the WiFi if I want to watch Amazon Prime with a device and then switch back. (More elegant it would be, if I would install rules so I don't have to switch the SSID - I have to inform myself.)

Unfortunately, the WiFi connection is not sufficient in all parts of the apartment, so I need an AP, but only one LAN line is available. There is a switch in between, which enables VLAN tagging. I borrowed an AP that can span two WiFi networks via VLAN tagging, connected it to the switch and it works in principle. However, the quality of the connection is much worse compared to my previously used Asus AP Router (RT68U). So the WiFi roaming with this AP doesn't work at all and the end device remains "stuck" to the AP instead of switching to the main router RT86U, although the WiFi signal is much stronger.
This was not the case when using the RT68U as AP. I also hope that the new mesh system in 384.13 will completely solve this problem.

I would also like to use the RT68U for this purpose so that I don't have to buy such a router with VLAN tagging myself. But currently I am only able to use the AP for one SSID (either with VPN or without VPN). Therefore the Asus AP would have to emit two SSIDs, which I then divide up again on the switch between the two LANs, so that the devices for the dedicated LANs are able to communicate with each other. (If I simply set up a guest network in the Asus AP, it is not managed via DHCP by the router ISP and the devices cannot communicate with each other, or do I not understand that correctly?)

Maybe a routing via policies would also be possible: so send all requests to Amazon Prime to the router ISP. But I still have to read this. As far as I know, I would have to find out which IP addresses Amazon Prime Video uses to make a targeted routing, or do I see this wrong?

The picture I uploaded before describes the desired setup very well, whereby the AP would be the RT68U if possible as a mesh node .....

A lot of written text, hopefully you could understand what I mean.

Thanks a lot for your support.
 
First off, why do you need 2 routers in an apartment? How far is the AP from the Router? Because I have a 3-bedroom good size apartment and a single RT-AC86U covers every single room, including the furthest bathroom through 3 walls 15 meters away in a straight line. It's not necessary to see full 5-bars signal strength in every single corner and it's not necessary to shoot your WiFi to all the neighbors around you. Too many radio devices close to each other only increase interference and do more harm than good. Also, if you have a Router or AP close to your bedrooms, better remove it or move it away.

This is what I would do in your case with one router only:
- put the ISP router in Bridge Mode, use it as a modem only
- make RT-AC86U my Main Router, move it to a central location, preferably
- run OpenVPN Client on it as network-wide VPN (local server and fast public DNS for maximum speed)
- assign static IP to all my devices in LAN -> DHCP Server
- select which device will use WAN and which VPN in OpenVPN Client -> Policy Rules
- SSID1 2.4GHz for all older devices, fixed channel, 20MHz wide
- SSID2 5GHz for all newer devices, fixed channel, 80MHz wide
- Guest SSID1 2.4GHz (for compatibility, for actual guests), no access to LAN, no access to each other
- route this Guest SSID1 through WAN and set Adult Content / Malware Filtering DNS (YazFi script)
- Guest SSID2 2.4GHz or 5GHz (depending on what I want to connect there), access to LAN and between each other
- route this Guest SSID2 through WAN, default DNS or anything else I may want (YazFi script)

This way I get:
- less channel pollution and interference, possibly better sleep due to lower radiation levels
- all devices not in DHCP list go through VPN by default, if connected to SSID1 and SSID2
- all devices with Static IP addresses go through WAN or VPN according to my preference
- all guests use Guest SSID1 through WAN and with Parental Control, guests' kids may connect too
- if I want to go temporarily through WAN on a device selected to go through VPN -> connect to Guest SSID2

What is needed:
- RT-AC86U router
- Asuswrt-Merlin firmware
- YazFi script
- AcrylicWiFi software (free, or similar) to find the right channels for my WiFi
- read RMerlin instructions for Policy Rules and Jack Yaz instructions for YazFi script

Setup time -> about 1h
Extra expenses -> none
Issues with wife -> none
Level of happiness of family members -> high

What else do you need? :)
Do you want to sleep on the couch for a very VERY long time with all your VLANs, APs, Cables and Switches? Keep it simple and enjoy the life. I understand RT-AC68U is your old router and you really REALLY want to put that thing to work, but it may not be needed.
 
Has the OP managed to solve the problem following the above advice?

I have a similar situation. Currently I connect a managed switch with a wired Mikrotik router and then connect two TP-Link PoE EAPs with the switch. There are a few VLANs on the router, switch, and two EAPs. I just added RT-AC68U as the third AP to my network. Is there a way to tag one existing VLAN to one SSID from AC68U? I wish Merlin fw would provide UI support for vlan configuration instead of scripts in the future.

Thanks.
 
From a year and a half ago? I truly hope so. :)
 
I wish Merlin fw would provide UI support for vlan configuration instead of scripts in the future.

Highly unlikely, imo. It's things like this that differentiate one third-party firmware from another. They all have different design goals. The intent of Merlin's software is to closely emulate the ASUS OEM firmware, but w/ some significant enhancements. And VLANs and their complexity are just not in the cards. For those purposes, you're better off using a third-party firmware for whom VLANs are *native*, like FreshTomato (and most other older tomato variants).

As great as Merlin's software is, when you choose to use it, you're buying into a specific set of design goals, even if you don't immediately realize it. And when ppl find out its shortcomings, then come all the various workarounds (i.e., scripts) from other third-parties, when the better option *might* be to choose another firmware whose design goals more closely align w/ your expectations. Of course, everything comes at a price. Now you lose access to other features of Merlin you still like.

In short, NO third-party firmware is either perfect or is the answer to all problems. It takes some experience w/ them all to know the advantages and disadvantages of each and decide which best meets your needs w/ the fewest compromises. And they *all* come with compromises!
 
@eibgrad, that is a good assessment of the current situation. And the focus of RMerlin firmware is exactly what I expect from a router, today (best mix in consumer hardware).

I also believe that this (VLANs) and more features are coming, in due time. Either for RMerlin supported routers first, or, directly from Asus.

There is no other way to go, but up. ;)
 
I've considered making a script to do VLANs, but the problem for Asus routers is that each model has a different port layout (code speaking) which makes it a little painful for supporting VLANs on lots of models without relying on users to test things/report how the LAN ports are mapped internally.
 
@Jack Yaz, I don't think you would have a shortage of beta testers for such a script. But no pressure! ;)
 
Any VLAN support will have to come from Asus. First, they're the ones with access to Broadcom's confidential documentation. And second, they're the ones who can implement it by ensuring it doesn't conflict with the VLAN support they already have in place for ISPs and IPTV that require it.
 