Vlans on Merlin (mini howto)

Ronald1368

New Around Here
Hello,

What I want to do with my RT-AC68U is the following:

I have switches that are connected to each other with an uplink; on a switch I have an untagged port in VLAN 100.
I want the Asus to receive the tagged VLAN on port 1 of the switch (this is the uplink), and I put port 3 untagged in VLAN 100 and ports 1 and 8 tagged.
But when I connect a DHCP server to the switch, my laptop on port 3 of the Asus does not get an IP address.
I am new to scripting.

What I did was:

make a VLAN 100, connect it to br0 and put ports in it: 8t 3 1t.
I am not sure if I must put something in iptables or ebtables, because I don't have to route anything; it is on the internal switch.
I use the latest Merlin 380.63.

How can I achieve this goal?

Kind regards,
Ronald.
 

mhofman

New Around Here
I started to go down the road of setting up my network to isolate some devices from each others (e.g. guests from authenticated, risky IoT & media devices from regular devices), while allowing some supervised communications between the groups (e.g. regular devices can control and present on media devices, but risky IoT devices cannot start probing my network).

I also have the requirement that most devices are wired if possible, but I also have 4 APs to properly cover wireless devices (thanks plaster on wire mesh for creating faraday cages).
While I haven't yet decided on the solution to isolate the devices from each other (bridge with filters or selective routing+broadcast relay), both would require setting up VLANs, sharing those over tagged ethernet, and bridging the VLANs with their respective virtual wireless interfaces.

In a nutshell, the required steps are
- configure the switch to offer the tagged VLANs on the physical port and CPU port.
- create a virtual interface for VLAN ID
- bring the interface up
- create a bridge if none already exists for that network (e.g. bridge guest wireless with guest vlan, but isolate through routing instead of bridge filters)
- add interface to the bridge
- configure network and services on the interface/bridge, e.g. IPv4, IPv6 from prefix delegation and sla-id, Dnsmasq
- setup firewall rules and/or bridge filters

There seem to be a lot of variations in suggestions on how to perform these steps.
Most of them are user-script based, optionally leveraging builtin features through nvram configs.

Ultimately, I'd like to have a solution where each step is performed at the right time (init, service start, lan up/down etc.), with scripts containing as little configuration as possible, leveraging nvram for settings, in a way that doesn't conflict too much with GUI operations and hopefully leverages builtin features.

When digging through the firmware source, I realized some code exists for a lot of the vlan operations above, but it seems to be mostly behind the RTCONFIG_PORT_BASED_VLAN config flag, which seems to have been introduced in the code base when merging GPL code 380_2345 (https://github.com/RMerl/asuswrt-merlin/commit/c19e98a5072455965867004b3f07fb78d7b3bffe).
From what I understand, when the config is enabled, 3 new pages are available (Advanced_VLAN_Content.asp, Advanced_VLAN_DHCP_Content.asp and Advanced_VLAN_Group_Content.asp), and a bunch of nvram settings control the VLAN operations:
- vlan_rulelist to list the different vlans, their state, which ports and wireless interfaces are included.
- lan%d_* to control the parameters of each lan, derived from vlan_ruleset it seems.
- vlan_index to indicate the last lan index in use.
- Some other related to filters, etc.

It would seem that the vlans created are automatically numbered starting at vlan4, which is a bit of a bummer. I'm not sure if ports carry the vlans tagged or not.

Has anyone tried to build a version of the firmware with this feature enabled to see how it works in real life?
It would seem some limitations could be vlan ids and ipv6 prefix delegation subnets.

At the very least, it should be a good source of inspiration for how to setup VLANs, especially everything in the following file: https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/vlan.c
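The step list in the post above, carried out as one shell function per step. This is an added example, not code from the thread or from Asuswrt-Merlin; it assumes a robocfg-driven BCM53xx switch with the CPU on port 5 (RT-AC68U layout), vlan interfaces created on eth0 and a guest SSID on wl0.1, and DRYRUN=1 makes it print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): one shell function per step of
# the list above, plus a membership check. Assumes a robocfg-driven BCM53xx switch with
# the CPU on port 5 (RT-AC68U layout), vlan<N> created by vconfig on eth0, and a guest
# SSID on wl0.1. DRYRUN=1 prints the commands instead of running them (used by the self-test).
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}
# Reject ids the stock firmware already uses (vlan1 = LAN, vlan2 = WAN) and the
# 802.1Q reserved values 0 and 4095.
vid_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 3 ] && [ "$1" -le 4094 ]
}

# Steps 1-3: switch membership, virtual interface, interface up.
# $1 = VID, $2 = ports in robocfg syntax ("0t 5t"). The CPU port must be a tagged
# member, otherwise vlan<N> on eth0 never receives a frame.
vlan_create() {
    vid="$1"; ports="$2"
    vid_ok "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    case " $ports " in
        *" ${CPU_PORT:-5}t "*) ;;
        *) echo "CPU port ${CPU_PORT:-5} must be tagged in '$ports'" >&2; return 1 ;;
    esac
    run robocfg vlan "$vid" ports "$ports"
    run vconfig add eth0 "$vid"
    run ifconfig "vlan$vid" up
}

# Steps 4-5: a bridge of their own for the VLAN and its wireless interface. Removing
# the wireless interface from br0 is what actually separates that SSID from the LAN.
# $1 = VID, $2 = bridge name, $3 = wireless interface
vlan_bridge() {
    vid="$1"; br="$2"; wif="$3"
    run brctl addbr "$br"
    run brctl delif br0 "$wif"
    run brctl addif "$br" "$wif"
    run brctl addif "$br" "vlan$vid"
    run ifconfig "$br" up
}

# Check: is interface $2 a member of bridge $1 in the `brctl show` output passed as $3?
# brctl prints the bridge name only with its first member; later members are indented.
in_bridge() {
    printf '%s\n' "$3" | awk -v br="$1" -v ifc="$2" '
        NF >= 3 { cur = $1; cand = $NF }
        NF == 1 { cand = $1 }
        cur == br && cand == ifc { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `brctl show` output for the self-test (not from a real router).
SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.000000000002       no              vlan6
                                                        wl0.1'
```

After running the real thing, `in_bridge br0 wl0.1 "$(brctl show)"` should fail and `in_bridge br1 wl0.1 "$(brctl show)"` succeed; if the guest interface is still in br0, the VLAN exists but the isolation does not.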
 

Denna

Senior Member
@RMerlin

Any chance of the above mentioned VLAN WebGUI tabs being enabled in a future version of the firmware?
 

RMerlin

Asuswrt-Merlin dev
No.
 

lilCodie

New Around Here
If I recall the Merlin build, and official build are the only ones with HWAccel NAT/Switching and other ASUS/board specific features available - and ideally I want to use them as APs with dual ethernet running back to my main switch(s) and other ports for the TV, game console, or whatever is near - with each AP SSID on its own vlan and a dual gigabit LAGG/bonding/LACP(if possible) for the backhaul - with DHCPd, routing, NAT, DNS, and other stuff handled by PfSense - or with 1 of the AC66U's(or other Asus home gateway) as a router/DHCP/nat/AP/Switch and the other as Switch&AP - so having something, even if just to add VLANs to WAN [for customers needing it wanting to replace FiOs gear], and SSIDs w/ VLANs for guest isolation and on the switch maybe LAGGs/bonding/LACP(if available) to switch ports so port/wifi saturation doesn't max out the backhaul - and not anything overly complicated(dropping LACP if needed) would be nice - as running more prosumer gear(possibly with noisy fans) in the open with LAG/LACP/bonding, VLANs, and AP usually doesn't meet WAF or budget criteria just for the media center and main floor - unless you have ideas for other gear that might -- thinking maybe a MikroTik switch with dual SFP+, 8+ gigabit ports, and a standalone AP like AeroHive AP250 - but an ASUS RT-AC66U is much cheaper and my preferred route if someone has an easy way to do config - maybe with the APs pulling a readable/IOS/Broadcom like config down on boot, parsing it and running needed commands, or reading a local file? -- I know the official response is no GUI support ever, just wondering if we might get better CLI support or if people have any ideas for another device or way to do the config easier -- I'm just more used to Cisco IOS or Broadcoms fastpath OS(s) or a WebGUI - Not so much DD-WRT CLI/related CLI's. Thanks! 
PS sorry if the config method has changed some since I looked into it last and is much of what I stated - just point me at the links (i was also wondering if maybe parts of VyOS/Vyatta might be able to be used for a config file and parsing and such, although not sure how they do it either) Ideas anyone?
 

burntoc

Occasional Visitor
That is an excellent referral. Using that information I have succeeded in isolating all of the ethernet ports from each other.
Once I have fully tested my script I plan to post it to that thread.
Thanks

Hi @mystical, did you ever get this working and post it? I'm trying to figure this all out and it would really help. Thanks!
 

Wisiwyg

Senior Member
Hi @mystical, did you ever get this working and post it? I'm trying to figure this all out and it would really help. Thanks!
Same here... I just want to setup an AP with one 2.4 Guest Wifi, tag it with a vlan, and then send that vlan out one of the 4 LAN ports. Still researching how to get it done.
 

SystemF

Regular Contributor
Hi! I don't want to open a new topic, so I will write here. I recently switched to Merlin; I am an average user, not an expert, so please guys bear with me. On the RT-AC88U I want to do this for IPTV: my internet is on VLAN 2839, IPTV on 546 untagged; the web interface can't set it up manually, so I decided to use a script.
robocfg shows this:
Code:
Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:  100FD enabled stp: none vlan: 1 jumbo: off mac: f0:de:f1:9d:50:77
Port 4: 1000FD enabled stp: none vlan: 2 jumbo: off mac: a4:7b:2c:05:5f:ac
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 84:c7:ea:3b:63:0b
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 34:97:f6:23:66:50
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 5 7 8t
   2: vlan2: 4 8u

From what I read, I managed to set up this, not tested yet:
Code:
#!/bin/sh

# Force LAN Port4 to use IPTV (VLAN 546, untagged on the port)

#VID=546U
# Port numbers are the switch ports shown by "robocfg show"; robocfg takes "ports" and a quoted list
robocfg vlan 1 ports "0 1 2 5 7 8t"
# The CPU port (8) must carry VLAN 546 tagged, otherwise vlan546 on eth0 never sees any traffic
robocfg vlan 546 ports "4u 8t"
vconfig add eth0 546
ifconfig vlan546 up
brctl addif br0 vlan546

Am I on the right way? Imho everything in the script I wrote is wrong but...
 

amplatfus

Senior Member
Hi! I don't want to open a new topic, so I will write here. I recently switched to Merlin; I am an average user, not an expert, so please guys bear with me. On the RT-AC88U I want to do this for IPTV: my internet is on VLAN 2839, IPTV on 546 untagged; the web interface can't set it up manually, so I decided to use a script.
robocfg shows this:
Code:
Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:  100FD enabled stp: none vlan: 1 jumbo: off mac: f0:de:f1:9d:50:77
Port 4: 1000FD enabled stp: none vlan: 2 jumbo: off mac: a4:7b:2c:05:5f:ac
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 84:c7:ea:3b:63:0b
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 34:97:f6:23:66:50
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 5 7 8t
   2: vlan2: 4 8u

From what I read, I managed to set up this, not tested yet:
Code:
#!/bin/sh

# Force LAN Port4 to use IPTV (VLAN 546, untagged on the port)

#VID=546U
# Port numbers are the switch ports shown by "robocfg show"; robocfg takes "ports" and a quoted list
robocfg vlan 1 ports "0 1 2 5 7 8t"
# The CPU port (8) must carry VLAN 546 tagged, otherwise vlan546 on eth0 never sees any traffic
robocfg vlan 546 ports "4u 8t"
vconfig add eth0 546
ifconfig vlan546 up
brctl addif br0 vlan546

Am I on the right way? Imho everything in the script I wrote is wrong but...
Hi,

Please, in the meantime, did you solve it?

Thank you,
amplatfus
 

Quadari

New Around Here
Hi Everyone-- Thank you for this thread as it helped me (with a lot of tinkering) solve my issue. I want to document my solution here, for future reference in case it helps anyone!

My setup:
  • Wireless router is an ASUS TM-AC1900, which has been flashed first to ASUS RT-AC68U firmware and now to Asuswrt-Merlin. Currently on version 384.5. (Since I can't upgrade higher than that.) Router is currently acting only as a wireless access point. It's in "Access Point" mode.
  • The actual router on my network is a Netgear router that has been flashed to OpenWRT.
  • TM-AC1900 is connected to the Netgear router via an ethernet cable. From the WAN port of the TM-AC1900 to LAN1 port on the Netgear.

My goal:
  • I have three wireless networks running on the TM-AC1900. Two "real" networks (2.4GHZ and 5GHZ) and one guest network. I want the "real" networks to pass their data via VLAN1 to the Netgear router. I want the "guest" network clients to be passed via VLAN6 to the Netgear router.
  • I then use OpenWRT firewall rules on the Netgear router to limit what the "guest" network clients can do.

The setup that appears to be working:
On the Netgear (OpenWRT) router:
  • In the "Network > Switch" page on LuCI, VLAN 1 is untagged on LAN 1. VLAN6 is tagged on LAN1.
  • From "Network > Interfaces", I created a GUEST_WIFI interface that is connected to eth0.6 and has the static IP address 192.168.6.1. It provides DHCP services in that 192.168.6.X range, and is assigned to the appropriate firewall zone.
  • In Firewalls I created a "Guest" firewall zone and set up rules around that.....(beyond the scope of this post....covered elsewhere. E.g., the "configure firewall" section here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface )

On the ASUS TM-AC1900 router:

Here's the script I used:
Bash:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# I discovered that I have to tag port 0 on both vlan 1 and vlan 6 to get it to work
robocfg vlan 1 ports "0t 1 2 3 4 5t"
robocfg vlan 6 ports "0t 5t"
vconfig add eth0 6
ifconfig vlan6 up

killall eapd

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan6
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan6 wl0.1"
nvram set lan1_ifname="br1"

nvram commit

eapd

Notes: On this router, the non-guest wireless interfaces are interface eth2. Any guest wireless access shows up under the wl0 interface. So, e.g., the first guest wireless network you create is wl0.1, the second one is wl0.2, etc. Hence why I'm putting wl0.1 in its own bridge & vlan.

On the ASUS router, I placed this script in /jffs/scripts/services-startup. Then I made sure it was executable (chmod a+rx /jffs/scripts/*). Then I had to go into the web GUI of the ASUS router and enable JFFS scripts: Administration > System > "Enable JFFS custom scripts and configs".



Hope this is helpful to at least someone else out there.

If any of the more knowledgeable people on the forum here have suggestions/improvements, please chime in! I'm new to VLANs, so was basically doing a lot of guessing and checking until I got something that worked.
 

octopus

Part of the Furniture
Hi Everyone-- Thank you for this thread as it helped me (with a lot of tinkering) solve my issue. I want to document my solution here, for future reference in case it helps anyone!

My setup:
  • Wireless router is an ASUS TM-AC1900, which has been flashed first to ASUS RT-AC68U firmware and now to Asuswrt-Merlin. Currently on version 384.5. (Since I can't upgrade higher than that.) Router is currently acting only as a wireless access point. It's in "Access Point" mode.
  • The actual router on my network is a Netgear router that has been flashed to OpenWRT.
  • TM-AC1900 is connected to the Netgear router via an ethernet cable. From the WAN port of the TM-AC1900 to LAN1 port on the Netgear.

My goal:
  • I have three wireless networks running on the TM-AC1900. Two "real" networks (2.4GHZ and 5GHZ) and one guest network. I want the "real" networks to pass their data via VLAN1 to the Netgear router. I want the "guest" network clients to be passed via VLAN6 to the Netgear router.
  • I then use OpenWRT firewall rules on the Netgear router to limit what the "guest" network clients can do.

The setup that appears to be working:
On the Netgear (OpenWRT) router:
  • In the "Network > Switch" page on LuCI, VLAN 1 is untagged on LAN 1. VLAN6 is tagged on LAN1.
  • From "Network > Interfaces", I created a GUEST_WIFI interface that is connected to eth0.6 and has the static IP address 192.168.6.1. It provides DHCP services in that 192.168.6.X range, and is assigned to the appropriate firewall zone.
  • In Firewalls I created a "Guest" firewall zone and set up rules around that.....(beyond the scope of this post....covered elsewhere. E.g., the "configure firewall" section here: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface )

On the ASUS TM-AC1900 router:

Here's the script I used:
Bash:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# I discovered that I have to tag port 0 on both vlan 1 and vlan 6 to get it to work
robocfg vlan 1 ports "0t 1 2 3 4 5t"
robocfg vlan 6 ports "0t 5t"
vconfig add eth0 6
ifconfig vlan6 up

killall eapd

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan6
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan6 wl0.1"
nvram set lan1_ifname="br1"

nvram commit

eapd

On the ASUS router, I placed this script in /jffs/scripts/services-startup. Then I made sure it was executable (chmod a+rx /jffs/scripts/*). Then I had to go into the web GUI of the ASUS router and enable JFFS scripts: Administration > System > "Enable JFFS custom scripts and configs".



Hope this is helpful to at least someone else out there.

If any of the more knowledgeable people on the forum here have suggestions/improvements, please chime in! I'm new to VLANs, so was basically doing a lot of guessing and checking until I got something that worked.
https://www.snbforums.com/threads/the-tm-ac1900-is-not-supported.48056/

https://www.snbforums.com/threads/a...d-forks-on-non-asus-devices-is-illegal.44636/
 

Mmishael

New Around Here
I started to go down the road of setting up my network to isolate some devices from each others (e.g. guests from authenticated, risky IoT & media devices from regular devices), while allowing some supervised communications between the groups (e.g. regular devices can control and present on media devices, but risky IoT devices cannot start probing my network).

I also have the requirement that most devices are wired if possible, but I also have 4 APs to properly cover wireless devices (thanks plaster on wire mesh for creating faraday cages).
While I haven't yet decided on the solution to isolate the devices from each other (bridge with filters or selective routing+broadcast relay), both would require setting up VLANs, sharing those over tagged ethernet, and bridging the VLANs with their respective virtual wireless interfaces.

In a nutshell, the required steps are
- configure the switch to offer the tagged VLANs on the physical port and CPU port.
- create a virtual interface for VLAN ID
- bring the interface up
- create a bridge if none already exists for that network (e.g. bridge guest wireless with guest vlan, but isolate through routing instead of bridge filters)
- add interface to the bridge
- configure network and services on the interface/bridge, e.g. IPv4, IPv6 from prefix delegation and sla-id, Dnsmasq
- setup firewall rules and/or bridge filters

There seem to be a lot of variations in suggestions on how to perform these steps.
Most of them are user-script based, optionally leveraging builtin features through nvram configs.

Ultimately, I'd like to have a solution where each step is performed at the right time (init, service start, lan up/down etc.), with scripts containing as little configuration as possible, leveraging nvram for settings, in a way that doesn't conflict too much with GUI operations and hopefully leverages builtin features.

When digging through the firmware source, I realized some code exists for a lot of the vlan operations above, but it seems to be mostly behind the RTCONFIG_PORT_BASED_VLAN config flag, which seems to have been introduced in the code base when merging GPL code 380_2345 (https://github.com/RMerl/asuswrt-merlin/commit/c19e98a5072455965867004b3f07fb78d7b3bffe).
From what I understand, when the config is enabled, 3 new pages are available (Advanced_VLAN_Content.asp, Advanced_VLAN_DHCP_Content.asp and Advanced_VLAN_Group_Content.asp), and a bunch of nvram settings control the VLAN operations:
- vlan_rulelist to list the different vlans, their state, which ports and wireless interfaces are included.
- lan%d_* to control the parameters of each lan, derived from vlan_ruleset it seems.
- vlan_index to indicate the last lan index in use.
- Some other related to filters, etc.

It would seem that the vlans created are automatically numbered starting at vlan4, which is a bit of a bummer. I'm not sure if ports carry the vlans tagged or not.

Has anyone tried to build a version of the firmware with this feature enabled to see how it works in real life?
It would seem some limitations could be vlan ids and ipv6 prefix delegation subnets.

At the very least, it should be a good source of inspiration for how to setup VLANs, especially everything in the following file: https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/vlan.c
Hi,

have you managed to show the hidden pages of vlan on your routers?
Thanks
 
