VLAN with L2 switches and Asus Aimesh

ali.

Occasional Visitor
Hello all,

I am planning to create VLANs on my PfSense appliance; however, there are a couple of issues I want to overcome. From what I understand I will need layer 2 switches which are VLAN aware to accomplish what I am trying to do. The added complexity is that I want one VLAN to be broadcast on my Asus Aimesh setup. How to wire this setup is something I am struggling with, specifically where to situate my head node, which is a GTX 11000.

Kindly let me know if the attached diagram is possible, especially putting the GTX 11000 where I am putting it so that it can AiMesh with the other nodes.

Also which L2 switch you would recommend for this homelab setup; I am looking for something inexpensive and functional.

Thanks in advance
Attachments

  • Current Setup.png (143.8 KB)
Send the mix-and-match home routers to eBay and get proper VLAN-capable Access Points. There is no Ai and no Mesh in AiMesh anyway.

Popular choices around are lower-priced models from Ubiquiti UniFi, TP-Link Omada, Cisco Business series, Zyxel, etc. Similar to home routers, APs have different specs and price points. If you want a good system at an affordable price, look at the TP-Link Omada offers. They have a large variety of APs in ceiling, wall plate and outdoor form. If you want better roaming or wireless AP options you need the Omada SDN Controller. Business APs are PoE powered.

Affordable price good for home application models:
TP-Link Omada EAP620HD/EAP650
Ubiquiti UniFi U6 Lite/ U6 Long Range
Cisco Business CBW150AX
Zyxel NWA50AX/NWA210AX

Of course, you may find something better for your specific application. You know better what you need and what your budget is.
 

I use the TP-Link TL-SG108E, which has 8 ports and usually runs between $25 and $30. Netgear's GS308E and GS108E equivalents (basically the same thing; the 308 is newer and cheaper) are nearly the same, with a few fewer features (no LAG and fewer QoS options) but also usually a bit cheaper. They each have larger ones too, but obviously more expensive. TrendNET has a similar one too; any should work fine. Those are fairly basic smart switches with VLAN and some basic QoS (and in some cases LAG). If you want full features you need to look at fully managed switches.

AiMesh on the Asus without guest wireless 1 (or with guest 1 but intranet access enabled) will work with any switch, even dumb ones; it just uses VLAN 1 untagged. If you want GW1 with intranet disabled, you will need a VLAN-aware switch (or at the very least one that will pass VLAN tags; many newer switches with jumbo frame support will, but it is hit or miss) like the ones above, and all the links that go to the Asus devices will need VLAN 1 untagged, VLAN 501 and 502 tagged, and if any are a tri-band model VLAN 503 tagged too.

You can then set any port on the switch into VLAN 501/502 (and 503 if you have it) to put wired devices into the corresponding guest network. You can also tag those VLANs to your pfSense over a trunk port.

If you want more than to just make use of the Asus built-in VLANs (and their corresponding subnets and DHCP pools) you either have to get into scripting or ditch the Asus and go with VLAN-aware APs. The scripting for just customizing the built-in VLANs and/or IPs/DHCP pools is somewhat straightforward; if you want to assign your own VLAN IDs etc. it is a lot more complex.

If you plan to run them all in AP mode then it should still create the VLANs, but there will be no subnets or DHCP pools associated; you would configure those on the pfSense. In router mode it tags the 50x VLANs out all LAN ports by default; I believe in AP mode it also tags them out the WAN port.

This is of course a bit of a hack; it is not true VLAN support where you can customize everything and have a lot of flexibility, so it is fit for some purposes, not others. You can of course create other VLANs on the pfSense and switches, it just won't be on the Asus unless you first route it (literally L3 routing) through the pfSense onto one of the Asus VLANs.

On the flip side, if all you want is for your Asus APs to be in one VLAN off the pfSense, that is easy: just plug them into any port on the switch and set it as an access port for that VLAN. As far as the Asus is concerned it is VLAN 1 (as long as you put them all on the same VLAN on your switch). You won't have guest wireless or LAN isolation functionality in that setup (unless you put different APs into different VLANs and used the pfSense to control communication between them, and AiMesh most likely won't function if you do that unless you can identify all the traffic needed for AiMesh and forward it between the VLANs).
 
Thanks all. I was able to implement the solution after reading countless blogs and watching YouTube videos. Exact network segmentation as I wanted. Will load the diagram here soon.
 
Hey there man!

I've got a setup that's pretty similar to yours (OPNsense on a Proxmox node with 4 VLANs going to a GT-AX11000 and an RT-AX86U, both in AP mode with the 2.5GbE ports as an Ethernet backhaul through a Layer 2 unmanaged switch).

Is there any chance you still have the scripts around? I'd love to attempt to segment my network with what I already have, so any help would be appreciated.
 
That sounds like a problem just waiting to happen to me.
 
Hello there, I did not need to write or run any scripts; all my VLAN segmentation was done in the pfSense GUI front end. And my ASUS routers are on a single VLAN dedicated to WiFi; I have not found any good solution to pass multiple VLANs through over different SSIDs on the ASUS router models I have.
 
In that regard, I might have some good news.

I'm still banging my head on the desk trying to give the Ethernet ports individual tags, but at least on the wireless front all of the guest networks come up correctly now using the following script:

Bash:
#### Info #########################################################
#                             GT-AX11000
#
# eth0      Physical port WAN
# eth1      Physical port 1
# eth2      Physical port 2
# eth3      Physical port 3
# eth4      Physical port 4
# eth5      Physical port 2.5GbE
#
# eth6      WiFi 2.4GHz
# eth7      WiFi 5.0GHz
#
# wl0.1     WiFi 2.4GHz guest1
# wl1.1     WiFi 5.0GHz-1 guest1
# wl2.1     WiFi 5.0GHz-2 guest1
#
# wl0.2     WiFi 2.4GHz guest2
# wl1.2     WiFi 5.0GHz-1 guest2
# wl2.2     WiFi 5.0GHz-2 guest2
#
# wl0.3     WiFi 2.4GHz guest3
# wl1.3     WiFi 5.0GHz-1 guest3
# wl2.3     WiFi 5.0GHz-2 guest3
###################################################################
script="/jffs/scripts/services-start"
ip="192.168.3.2" # Default network static IP
taggedPort="eth5" # Tagged "WAN" port (trunk towards the firewall)
otherPorts="eth1 eth2 eth3 eth4" # Untagged LAN ports that stay in the default bridge (ports 1-4 from the table above)
guest1_1="wl0.1" # Guest network 1 interface 2.4GHz
guest1_2="wl1.1" # Guest network 1 interface 5GHz-1
guest1_3="wl2.1" # Guest network 1 interface 5GHz-2

guest2_1="wl0.2" # Guest network 2 interface 2.4GHz
guest2_2="wl1.2" # Guest network 2 interface 5GHz-1
guest2_3="wl2.2" # Guest network 2 interface 5GHz-2

guest3_1="wl0.3" # Guest network 3 interface 2.4GHz
guest3_2="wl1.3" # Guest network 3 interface 5GHz-1
guest3_3="wl2.3" # Guest network 3 interface 5GHz-2
vlanId0=10 # Default network VLAN ID
vlanId1=40 # Guest network 1 VLAN ID (Guests)
vlanId2=20 # Guest network 2 VLAN ID (IoT)
vlanId3=30 # Guest network 3 VLAN ID (Security)

# The heredoc is unquoted on purpose: every ${...} below is expanded now, so the
# generated services-start script contains plain interface names and VLAN IDs.
tee "${script}" > /dev/null << EOF
#!/bin/sh

# Remove separate networks from default bridge
brctl delif br0 ${taggedPort}
brctl delif br0 ${guest1_1}
brctl delif br0 ${guest1_2}
brctl delif br0 ${guest1_3}
brctl delif br0 ${guest2_1}
brctl delif br0 ${guest2_2}
brctl delif br0 ${guest2_3}
brctl delif br0 ${guest3_1}
brctl delif br0 ${guest3_2}
brctl delif br0 ${guest3_3}

# Add VLANs (one 802.1Q sub-interface per network on the trunk port)
ip link add link ${taggedPort} name ${taggedPort}.${vlanId0} type vlan id ${vlanId0}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId1} type vlan id ${vlanId1}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId2} type vlan id ${vlanId2}
ip link add link ${taggedPort} name ${taggedPort}.${vlanId3} type vlan id ${vlanId3}
ip link set ${taggedPort}.${vlanId0} up
ip link set ${taggedPort}.${vlanId1} up
ip link set ${taggedPort}.${vlanId2} up
ip link set ${taggedPort}.${vlanId3} up

# Default network
ifconfig br0 "${ip}" netmask 255.255.255.0
brctl addif br0 ${taggedPort}.${vlanId0}
nvram set lan_ifnames="${otherPorts} ${taggedPort}.${vlanId0}"
nvram set br0_ifnames="${otherPorts} ${taggedPort}.${vlanId0}"
brctl stp br0 on

# Guest network 1
brctl addbr br1
brctl addif br1 ${taggedPort}.${vlanId1}
brctl addif br1 ${guest1_1}
brctl addif br1 ${guest1_2}
brctl addif br1 ${guest1_3}
brctl stp br1 on
ip link set br1 up
nvram set lan1_ifnames="${guest1_1} ${guest1_2} ${guest1_3} ${taggedPort}.${vlanId1}"
nvram set br1_ifnames="${guest1_1} ${guest1_2} ${guest1_3} ${taggedPort}.${vlanId1}"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set ${guest1_1}_ap_isolate=0
wl -i ${guest1_1} ap_isolate 0
nvram set ${guest1_2}_ap_isolate=0
wl -i ${guest1_2} ap_isolate 0
nvram set ${guest1_3}_ap_isolate=0
wl -i ${guest1_3} ap_isolate 0

# Guest network 2
brctl addbr br2
brctl addif br2 ${taggedPort}.${vlanId2}
brctl addif br2 ${guest2_1}
brctl addif br2 ${guest2_2}
brctl addif br2 ${guest2_3}
brctl stp br2 on
ip link set br2 up
nvram set lan2_ifnames="${guest2_1} ${guest2_2} ${guest2_3} ${taggedPort}.${vlanId2}"
nvram set br2_ifnames="${guest2_1} ${guest2_2} ${guest2_3} ${taggedPort}.${vlanId2}"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"
nvram set ${guest2_1}_ap_isolate=0
wl -i ${guest2_1} ap_isolate 0
nvram set ${guest2_2}_ap_isolate=0
wl -i ${guest2_2} ap_isolate 0
nvram set ${guest2_3}_ap_isolate=0
wl -i ${guest2_3} ap_isolate 0

# Guest network 3 (uses its own lan3/br3 nvram keys and its own wl*.3 radios;
# do not reuse the guest 2 names here or guest 2's mapping gets overwritten)
brctl addbr br3
brctl addif br3 ${taggedPort}.${vlanId3}
brctl addif br3 ${guest3_1}
brctl addif br3 ${guest3_2}
brctl addif br3 ${guest3_3}
brctl stp br3 on
ip link set br3 up
nvram set lan3_ifnames="${guest3_1} ${guest3_2} ${guest3_3} ${taggedPort}.${vlanId3}"
nvram set br3_ifnames="${guest3_1} ${guest3_2} ${guest3_3} ${taggedPort}.${vlanId3}"
nvram set lan3_ifname="br3"
nvram set br3_ifname="br3"
nvram set ${guest3_1}_ap_isolate=0
wl -i ${guest3_1} ap_isolate 0
nvram set ${guest3_2}_ap_isolate=0
wl -i ${guest3_2} ap_isolate 0
nvram set ${guest3_3}_ap_isolate=0
wl -i ${guest3_3} ap_isolate 0

# Restart eapd so it picks up the new bridges
killall eapd
eapd
# Force traffic through the software bridges instead of the Broadcom hardware switch
ethswctl -c hw-switching -o disable
EOF

chmod a+x "${script}"
reboot

As long as you can adapt the mappings to the appropriate ports, you might be able to segment your WiFi network by SSID.
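Once a script like this has run, the only thing that shows the SSIDs are really separated is the bridge membership the kernel ends up with, and copy-paste slips in a block this repetitive are easy to miss. The audit script below is an added example written for this thread, not code from the poster or from ASUS: it reads `brctl show` output from the router and reports any guest interface or VLAN sub-interface that is missing or sits in the wrong bridge, plus any untagged trunk port that is still bridged. The bridge, VLAN and interface names in `EXPECTED` mirror the variables of the script above (br0/VLAN 10 default, br1/40, br2/20, br3/30, trunk on eth5); the two `brctl show` dumps are constructed samples, one clean and one with two deliberate faults. It only checks live bridge membership, so the nvram `*_ifnames` values still want a separate look with `nvram show | grep ifnames`.

```shell
#!/bin/sh
# Added example (not from the thread): audit the bridge membership that the
# services-start script above is meant to leave behind on the GT-AX11000.
# Pipe in the output of `brctl show` from the router; the constructed samples
# at the bottom stand in for it here. Names follow the posted script's
# variables; change TAGGED_PORT and EXPECTED to match your own unit.

TAGGED_PORT="eth5"

# <bridge> <vlan id> <wireless interfaces that belong in it>
EXPECTED="br0 10
br1 40 wl0.1 wl1.1 wl2.1
br2 20 wl0.2 wl1.2 wl2.2
br3 30 wl0.3 wl1.3 wl2.3"

# Flatten `brctl show` (stdin) into "<bridge> <interface>" pairs. brctl prints
# the first member on the bridge's own line and the rest on continuation
# lines that hold only an interface name.
flatten_brctl() {
    awk 'NR == 1 { next }
         NF >= 4 { br = $1; print br, $NF; next }
         NF == 3 { br = $1; next }
         NF == 1 { print br, $1 }'
}

# Read `brctl show` output on stdin, print one finding per problem, and
# return 0 only when every interface sits in its expected bridge and the
# raw trunk port is not bridged anywhere.
check_bridges() {
    pairs=$(flatten_brctl)
    rc=0

    # An untagged trunk port inside a bridge joins every VLAN on that trunk
    # to that bridge's network.
    untagged=$(printf '%s\n' "$pairs" | awk -v p="$TAGGED_PORT" '$2 == p { print $1 }')
    if [ -n "$untagged" ]; then
        echo "LEAK: untagged $TAGGED_PORT is still a member of $untagged"
        rc=1
    fi

    # Each VLAN sub-interface and guest SSID interface must be in exactly the
    # bridge EXPECTED names for it; anywhere else means two networks are joined.
    while read -r br vlan ifaces; do
        for ifc in "${TAGGED_PORT}.${vlan}" $ifaces; do
            where=$(printf '%s\n' "$pairs" | awk -v i="$ifc" '$2 == i { print $1 }' | tr '\n' ' ')
            where=${where% }
            if [ -z "$where" ]; then
                echo "MISSING: $ifc is in no bridge (expected $br)"
                rc=1
            elif [ "$where" != "$br" ]; then
                echo "LEAK: $ifc in $where, expected $br"
                rc=1
            fi
        done
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed `brctl show` dump for a router where the script did its job.
sample_good() {
    cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       yes             eth1
                                                        eth5.10
br1             8000.000000000002       yes             eth5.40
                                                        wl0.1
                                                        wl1.1
                                                        wl2.1
br2             8000.000000000003       yes             eth5.20
                                                        wl0.2
                                                        wl1.2
                                                        wl2.2
br3             8000.000000000004       yes             eth5.30
                                                        wl0.3
                                                        wl1.3
                                                        wl2.3
EOF
}

# Constructed dump with two faults: untagged eth5 was never removed from br0,
# and wl2.3 (guest 3 on the second 5GHz radio) still sits in br0, so those
# guests land on the default network.
sample_bad() {
    cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       yes             eth1
                                                        eth5
                                                        eth5.10
                                                        wl2.3
br1             8000.000000000002       yes             eth5.40
                                                        wl0.1
                                                        wl1.1
                                                        wl2.1
br2             8000.000000000003       yes             eth5.20
                                                        wl0.2
                                                        wl1.2
                                                        wl2.2
br3             8000.000000000004       yes             eth5.30
                                                        wl0.3
                                                        wl1.3
EOF
}

echo "== good sample =="
sample_good | check_bridges && echo "OK: bridge membership matches the plan"
echo "== bad sample =="
sample_bad | check_bridges || echo "FAIL: fix bridge membership before trusting the segmentation"
```

On the router itself, `brctl show | sh audit.sh`-style piping needs the functions split from the demo lines at the bottom; the quickest route is to copy the output to a workstation and run `check_bridges < brctl.txt` there. A clean run prints nothing and exits 0, which makes it easy to drop into a cron or ssh health check.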
 
