VLANs on AIMesh nodes, is this feasible today?

fulvion75

New Around Here
Hello everybody, just signed up but I've been following this forum for a long time now.
I'm opening this thread to see if I can get some help finalizing my new home network setup.
I introduced a pfSense firewall, relieving the RT-AC86U of routing and firewalling tasks and letting pfSense take care of them.

So I switched my AC86U from router mode to AP mode.
Thanks to the many threads in this forum, I've been able to obtain the following result:
[image attachment: TNet.jpg]

Disclaimer: I know wireless backhauls are not a good choice, but I don't have any other way atm.

Now, if we ignore the 3 AIMesh nodes, everything works perfectly. All clients are correctly VLAN tagged based on the SSID they're connecting to (or the physical ports) and they receive an IP address from the correct DHCP pool configured on pfSense.

Problems arise when AIMesh nodes kick in.
My guests networks are configured this way:
2.4GHz Guest1 is the IoT VLAN and it is set to be propagated to all AIMesh nodes.
2.4GHz Guest2 is the Guests VLAN and it's only available on the AC86U

When devices connect to the IoT SSID exposed by any of the AIMesh nodes, pfSense sees them as if they're coming from LAN VLAN30 instead of IOT VLAN50. This causes them to obtain an IP address from the wrong DHCP pool in pfSense.

From now on, everything I say is just speculation since I'm not an expert by any means.

I guess the problem lies in the WDS interfaces being created with no VLANs by the AC86U and, since they belong to the br0 bridge, they get VLAN 30 (LAN) when exiting the AC86U toward pfSense.
brctl shows:
Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.244bfebcd150       yes             eth0.30
                                                        eth4
                                                        eth5
                                                        eth6
                                                        wds0.0.12
                                                        wds0.0.9
                                                        wds1.0.2
                                                        wds1.0.3
br1             8000.244bfebcd150       yes             eth0.40
                                                        wl0.2
br2             8000.244bfebcd150       yes             eth0.50
                                                        eth1
                                                        eth2
                                                        eth3
                                                        wl0.1

The four WDS interfaces (4 instead of 6 because one AIMesh node is actually down) on closer look show:
Code:
wds0.0.9    wl reports SSID: HomeLan
wds0.0.12   wl reports SSID: HomeLan
wds1.0.2    wl reports SSID: HomeLan_5G
wds1.0.3    wl reports SSID: HomeLan_5G

So I suspect the IOT SSID is propagated via the same wireless bridges as the ones for the HomeLan SSID. And this makes things even worse.
Also I suspect that this happens because the AC86U is now in AP mode, as I recall the WDS being VLAN tagged when the AC86U was in router mode with the same guest networks (no intranet access, an option not available in AP mode).

I guess I need to have different WDS (tagged) interfaces for each SSID I want to propagate so I can assign them to the correct bridges with brctl.

So here are my questions:
1) Am I spotting the correct problem? :)
2) Is there a solution with my current hardware for this use case? I can switch back to router mode if it might help solve the problem.
3) Since the WDS interfaces have random IDs and change often as a node may go up and down, is there an event (like wireless_restart) I can catch whenever a WDS interface is created so I can update my bridge configuration on the fly?

And here are my speculative questions:
1) Can I use 'wl' to create a new tagged WDS for the IOT SSID (in AP mode)?
2) Will the AIMesh nodes "accept" the new WDS even if it is not tagged 501 nor 502?
3) Supposing this is feasible by switching back to router mode, shouldn't it also be possible in AP mode by manually configuring interfaces, VLANs, WDS and bridges?

I searched a lot in this forum but haven't found something close to my actual problem.
I saw posts stating that the AC86U should propagate the first guest network along with the VLAN configuration, but I think this is only true in router mode as I can't see such behaviour in AP mode. Also I think I'll have no control over WDS VLAN IDs in router mode.

Any hint, advice or idea would be really appreciated :)
Thanks in advance to anyone spending time reading this.
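As an added illustration (not the poster's code, and not anything from Asuswrt), here is a small POSIX sh helper that parses the brctl output quoted above, embedded as a constructed sample, and reports which VLAN each wds interface will egress with toward the pfSense uplink. It assumes the ethN.VID member of a bridge is that bridge's tagged uplink, as in the post's setup.

```shell
#!/bin/sh
# Constructed sample: the "brctl show" output quoted in the post, embedded so this runs offline.
BRCTL_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.244bfebcd150       yes             eth0.30
                                                        eth4
                                                        eth5
                                                        eth6
                                                        wds0.0.12
                                                        wds0.0.9
                                                        wds1.0.2
                                                        wds1.0.3
br1             8000.244bfebcd150       yes             eth0.40
                                                        wl0.2
br2             8000.244bfebcd150       yes             eth0.50
                                                        eth1
                                                        eth2
                                                        eth3
                                                        wl0.1'

# Flatten brctl output into "bridge iface" pairs; continuation lines carry the bridge name forward.
flatten_brctl() {
    printf '%s\n' "$1" | awk 'NR>1 { if (NF==4) { br=$1; ifc=$4 } else { ifc=$1 } print br, ifc }'
}

# Print the bridge that contains an interface (empty if none).
bridge_of() {
    flatten_brctl "$1" | awk -v want="$2" '$2==want { print $1 }'
}

# Print the VLAN ID of the bridge's tagged uplink (its ethN.VID member), or "untagged".
uplink_vlan() {
    flatten_brctl "$1" | awk -v br="$2" \
        '$1==br && $2 ~ /^eth[0-9]+\.[0-9]+$/ { split($2,a,"."); print a[2]; found=1 }
         END { if (!found) print "untagged" }'
}

# Compare a wds interface's egress VLAN with the VLAN its SSID is meant for.
# Usage: check_wds_vlan "$brctl_output" <expected_vid> <wds_iface>
check_wds_vlan() {
    actual=$(uplink_vlan "$1" "$(bridge_of "$1" "$3")")
    if [ "$actual" = "$2" ]; then echo ok; else echo "mismatch: $3 egresses VLAN $actual, expected $2"; fi
}

# One line per wds interface: which bridge it sits in and which VLAN it leaves with.
wds_report() {
    flatten_brctl "$1" | awk '$2 ~ /^wds/ { print $2, $1 }' | while read -r ifc br; do
        printf '%s in %s -> VLAN %s\n' "$ifc" "$br" "$(uplink_vlan "$1" "$br")"
    done
}
```

On a live unit, replace the sample with `"$(brctl show)"`; every wds interface in the sample reports VLAN 30, which is exactly why IoT clients behind the nodes land in the LAN pool.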
AFAIC, once you decide to take the VLANs approach, you go ALL IN, NOT some hybrid approach where you're hacking consumer-grade equipment that is NOT natively VLAN capable. For example, Ubiquiti, head to toe. Or at worst, a mix of vendors but AT LEAST fully VLAN capable and standards compliant. I just think to do as you're doing isn't worth the hassle and maintenance headaches. Not unless you're using these consumer-grade APs as simple, dumb APs (but even then, being able to tag APs directly would be much preferred, as would be the case w/ Ubiquiti APs).

Hate to be a Debbie Downer here, but imo these Rube Goldberg solutions should be avoided once you take the plunge outside traditional consumer products like pfSense.

JMTC

P.S. And this is coming from someone who long ago provided info on how to hack VLANs w/ the RT-AC68U, and still warned against it at that time.

I agree with your point indeed. I'm slowly upgrading my network devices and especially disbanding the RP ones.
I just wanted to try this, as I like playing with these things for my own culture. And I'm sooooo close!

But I do agree, totally, with your point :)
Thanks for your feedback.
So there's no other choice than keeping on "hacking" this device 😂
Seriously speaking, I understand my best option is (I think it is) to just move the main LAN wifi and IoT VLAN to a new set of APs and leave Asus and AIMesh for guests or other fancy things.
I was thinking about a Ubiquiti main AP and something like the MIKROTIK MT RBGrooveGA-52HPacn to better cover my garden.
Not sure which Ubiquiti model is a good choice for my use case.