VLANs, Trunk interface, tagged and untagged traffic RT-AX86U and RT-AX88U

vlanvlan

New Around Here
It took me a while to make this thing work. I could find some configs but nothing worked as provided. After combining information from several different posts I came to the working solution posted below. As it took me a while to get it to work I figured I'd share it here in case anyone else might be looking for similar configs. All credits go to the people originally finding the right commands for these platforms, I just tied them together for my specific case.

This setup uses the WAN port as dot1q trunk interface to an upstream firewall on the RT-AX88U router, and the 2.5Gbit interface on the RT-AX86U router. To prevent any config accidents no networks have been configured in the default (untagged) VLAN. I chose to keep using br0 as management network as I figured the software might perhaps have all sorts of issues if switching the layer 3 config to another bridge. I have not tested this, just assumed it. The IP address doesn't need to be set in the config, it's just a failsafe in case I messed something up. I advise loading your config in a test file and executing it to test if things work as intended. If not, a simple power-cycle of your device will bring it back to its original state. Once you're done figuring out your settings you can add it to /jffs/scripts/services-start. (For testing: nano test -> paste config -> save file. chmod +x test. To execute write ./test - Once working, add your config to /jffs/scripts/services-start and give a chmod +x /jffs/scripts/services-start - your config will be loaded during boot time)

The vlanctl commands are required to add and remove VLAN tags for the dot1q trunk when it passes through the vlan subinterface. The bridge interfaces tie the interfaces together. For some reason the vconfig part was required to make everything communicate.

Code:
# RT-AX88U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> (not tested) hardware bridge LAN5-8
# eth6 -> 2.4Ghz radio (non guest)
# eth7 -> 5Ghz radio (non guest)
# wl0.1 -> First wireless guest 2.4Ghz
# wl1.1 -> First wireless guest 5Ghz
# wl0.2 -> Second wireless guest 2.4Ghz
# wl1.2 -> Second wireless guest 5Ghz


# Remove interfaces from default br0 interface
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
brctl delif br0 eth5
brctl delif br0 eth6
brctl delif br0 eth7
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2


# VLAN 2
vlanctl --mcast --if-create eth0 2
vlanctl --if eth0 --rx --tags 1 --filter-vid 2 0 --pop-tag --set-rxif eth0.v2 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v2 --push-tag --set-vid 2 0 --rule-append
ifconfig eth0.v2 up
brctl addif br0 eth0.v2
ifconfig br0 10.0.0.2 netmask 255.255.255.0
brctl setfd br0 0
ip link set br0 up


# VLAN 3
vlanctl --mcast --if-create eth0 3
vlanctl --if eth0 --rx --tags 1 --filter-vid 3 0 --pop-tag --set-rxif eth0.v3 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v3 --push-tag --set-vid 3 0 --rule-append
ifconfig eth0.v3 up
brctl addbr br3
brctl setfd br3 0
brctl addif br3 eth0.v3
brctl addif br3 eth6
brctl addif br3 eth7
brctl addif br3 eth1
brctl addif br3 eth3
brctl addif br3 eth4
vconfig add br3 3
ip link set br3 up


# VLAN 4
vlanctl --mcast --if-create eth0 4
vlanctl --if eth0 --rx --tags 1 --filter-vid 4 0 --pop-tag --set-rxif eth0.v4 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v4 --push-tag --set-vid 4 0 --rule-append
ifconfig eth0.v4 up
brctl addbr br4
brctl setfd br4 0
brctl addif br4 eth0.v4
brctl addif br4 wl0.1
brctl addif br4 wl1.1
vconfig add br4 4
ip link set br4 up


# VLAN 6
vlanctl --mcast --if-create eth0 6
vlanctl --if eth0 --rx --tags 1 --filter-vid 6 0 --pop-tag --set-rxif eth0.v6 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v6 --push-tag --set-vid 6 0 --rule-append
ifconfig eth0.v6 up
brctl addbr br6
brctl setfd br6 0
brctl addif br6 eth0.v6
brctl addif br6 eth2
vconfig add br6 6
ip link set br6 up


# VLAN 7
vlanctl --mcast --if-create eth0 7
vlanctl --if eth0 --rx --tags 1 --filter-vid 7 0 --pop-tag --set-rxif eth0.v7 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v7 --push-tag --set-vid 7 0 --rule-append
ifconfig eth0.v7 up
brctl addbr br7
brctl setfd br7 0
brctl addif br7 eth0.v7
brctl addif br7 wl0.2
brctl addif br7 wl1.2
vconfig add br7 7
ip link set br7 up


# Deal with DHCP etc, prevent from working in untagged
vlanctl --if eth0 --set-if-mode-rg
vlanctl --if eth0 --tx --tags 0 --default-miss-drop


# Deals with traffic between local interfaces when operating with sub-interfaces
ethswctl -c hw-switching -o disable

Code:
# RT-AX86U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> LAN 2.5Gbit
# eth6 -> WLAN 2.4 GHz (but not used?)
# eth7 -> WLAN 5 GHz (but not used?)
# wl0.1 -> WLAN 2.4 GHz
# wl1.1 -> WLAN 5Ghz
# wl0.2 -> Wireless guest 2.4Ghz
# wl1.2 -> Wireless guest 5Ghz


# Remove interfaces from default br0 interface
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
brctl delif br0 eth5
brctl delif br0 eth6
brctl delif br0 eth7
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2


# VLAN 2
vlanctl --mcast --if-create eth5 2
vlanctl --if eth5 --rx --tags 1 --filter-vid 2 0 --pop-tag --set-rxif eth5.v2 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v2 --push-tag --set-vid 2 0 --rule-append
ifconfig eth5.v2 up
brctl addif br0 eth5.v2
ifconfig br0 10.0.0.3 netmask 255.255.255.0
ip route add 0/0 via 10.0.0.1
brctl setfd br0 0
ip link set br0 up


# VLAN 3
vlanctl --mcast --if-create eth5 3
vlanctl --if eth5 --rx --tags 1 --filter-vid 3 0 --pop-tag --set-rxif eth5.v3 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v3 --push-tag --set-vid 3 0 --rule-append
ifconfig eth5.v3 up
brctl addbr br3
brctl setfd br3 0
brctl addif br3 eth5.v3
brctl addif br3 eth5
brctl addif br3 eth6
brctl addif br3 eth2
vconfig add br3 3
ip link set br3 up


# VLAN 4
vlanctl --mcast --if-create eth5 4
vlanctl --if eth5 --rx --tags 1 --filter-vid 4 0 --pop-tag --set-rxif eth5.v4 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v4 --push-tag --set-vid 4 0 --rule-append
ifconfig eth5.v4 up
brctl addbr br4
brctl setfd br4 0
brctl addif br4 eth5.v4
brctl addif br4 wl0.1
brctl addif br4 wl0.2
vconfig add br4 4
ip link set br4 up


# VLAN 5
vlanctl --mcast --if-create eth5 5
vlanctl --if eth5 --rx --tags 1 --filter-vid 5 0 --pop-tag --set-rxif eth5.v5 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v5 --push-tag --set-vid 5 0 --rule-append
ifconfig eth5.v5 up
brctl addbr br5
brctl setfd br5 0
brctl addif br5 eth5.v5
brctl addif br5 eth3
brctl addif br5 eth1
vconfig add br5 5
ip link set br5 up


# VLAN 7
vlanctl --mcast --if-create eth5 7
vlanctl --if eth5 --rx --tags 1 --filter-vid 7 0 --pop-tag --set-rxif eth5.v7 --rule-append
vlanctl --if eth5 --tx --tags 0 --filter-txif eth5.v7 --push-tag --set-vid 7 0 --rule-append
ifconfig eth5.v7 up
brctl addbr br7
brctl setfd br7 0
brctl addif br7 eth5.v7
brctl addif br7 wl1.1
brctl addif br7 wl1.2
vconfig add br7 7
ip link set br7 up


# Deal with DHCP etc, prevent from working in untagged
vlanctl --if eth5 --set-if-mode-rg
vlanctl --if eth5 --tx --tags 0 --default-miss-drop


# Deals with traffic between local interfaces when operating with sub-interfaces
ethswctl -c hw-switching -o disable

L&LD

Part of the Furniture
Welcome to the forums @vlanvlan.

This looks great!

Will this possibly become an interactive script w/GUI in amtm anytime soon? :)
 

vlanvlan

New Around Here
Thanks!

I only found out about this custom firmware a few days ago as I was redoing my setup. I wouldn't get my hopes up for a script with GUI.

Cheers,
 

L&LD

Part of the Furniture
Never say never! There are many individuals around who can help make this become a reality (time and interest permitting).

@thelonelycoder, @Jack Yaz, @Martineau, and many, many others.
 

Jack Yaz

Part of the Furniture
This does look really promising, nice work @vlanvlan

Unlikely to be me adopting it in the near future, kind of hard to beat this:
[Attached images: 1649666453617.png, 1649666688512.png]

Yota

Senior Member
After 5 years of obscure usage of vlanctl in HND routers, finally figured out the correct way to set VLAN, good job @vlanvlan ;)

Would you like to add a guide to the wiki? So more people can see it.
 

vlanvlan

New Around Here
I really don't know enough about all the Asus devices to be able to tell people which devices, other than my current ax86u and ax88u this will work on. I notice I have an oddity with the ax86u where occasionally the guest network interface jumps back to br0. This must be because the guest network gets disabled/enabled sometimes, but I am not sure (yet) why. I'll have to work out some fix for this later. Once I deem everything stable maybe I can spend some time on writing a bit more detailed guide.
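
An added example, not part of the post above: a check for the drift described there, where a guest interface ends up back on br0 (the management bridge) instead of its VLAN bridge. It reads `brctl show` output on stdin and takes the expected `interface=bridge` pairs as arguments; the pairs follow the RT-AX86U config in the first post, and the sample `brctl show` output and bridge ids are constructed.

```shell
#!/bin/sh
# check_bridges IFACE=BRIDGE ... : read `brctl show` output on stdin, print
# one line per listed interface that sits on another bridge than expected.
# Returns 1 if any interface is misplaced, 0 otherwise.
check_bridges() {
    awk -v map="$*" '
    BEGIN {
        n = split(map, pair, " ")
        for (i = 1; i <= n; i++) { split(pair[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $1 == "bridge" { next }                     # header line of brctl show
    {
        if (NF >= 4)      { br = $1; ifc = $4 } # bridge line with first member
        else if (NF == 1) { ifc = $1 }          # further member of same bridge
        else              { if (NF) br = $1; next }  # bridge without members
        if ((ifc in want) && want[ifc] != br) {
            printf "%s is in %s, expected %s\n", ifc, br, want[ifc]
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample: wl0.2 has jumped back to br0.
demo_brctl_show() {
cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth5.v2
                                                        wl0.2
br4             8000.000000000002       no              eth5.v4
                                                        wl0.1
br7             8000.000000000003       no              eth5.v7
                                                        wl1.1
                                                        wl1.2
EOF
}

# On the router the input would come from: brctl show | check_bridges ...
demo_brctl_show | check_bridges wl0.1=br4 wl0.2=br4 wl1.1=br7 wl1.2=br7 || true
```
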
 

Jack Yaz

Part of the Furniture
The multi model thing is one of the main reasons I haven't implemented vlans in YazFi. There's a lot of configurations and I'd have to rely on users to help me out with port layouts
 

idefix

Occasional Visitor
Thanks a lot for posting this.
I nearly lost hope after following the earlier robocfg examples on my AX88U only to find out that these do not work on the HW ;-)

Will this work also with the AX88U in AP mode and across other mesh nodes?
I currently have the following setup:

ONT/MODEM --> pfSense --> AX88U in AP Mode (LAN1) ----> 2x AX92U (LAN Backhaul)

I'm trying to keep the rest of the network on the default VLAN0 but add VLAN5, which is configured on pfSense, for the first AX88U Guestnetwork only.
Not sure if I understand your code fully but would this achieve what I'm looking for?

Thanks a lot !

Code:
# RT-AX88U interface layout
# eth0 -> WAN
# eth1 -> LAN4
# eth2 -> LAN3
# eth3 -> LAN2
# eth4 -> LAN1
# eth5 -> (not tested) hardware bridge LAN5-8
# eth6 -> 2.4Ghz radio (non guest)
# eth7 -> 5Ghz radio (non guest)
# wl0.1 -> First wireless guest 2.4Ghz
# wl1.1 -> First wireless guest 5Ghz
# wl0.2 -> Second wireless guest 2.4Ghz
# wl1.2 -> Second wireless guest 5Ghz


# Remove interfaces from default br0 interface
brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
brctl delif br0 eth5
brctl delif br0 eth6
brctl delif br0 eth7
brctl delif br0 wl0.1
brctl delif br0 wl1.1


# VLAN 0
vlanctl --mcast --if-create eth4 0
vlanctl --if eth4 --rx --tags 1 --filter-vid 0 0 --pop-tag --set-rxif eth4.v0 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.v0 --push-tag --set-vid 0 0 --rule-append
ifconfig eth4.v0 up
brctl addif br0 eth4.v0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
brctl addif br0 eth3
brctl addif br0 eth5
brctl addif br0 eth6
brctl addif br0 eth7
ifconfig br0 10.0.0.2 netmask 255.255.255.0
brctl setfd br0 0
ip link set br0 up


# VLAN 5
vlanctl --mcast --if-create eth4 5
vlanctl --if eth4 --rx --tags 1 --filter-vid 5 0 --pop-tag --set-rxif eth4.v5 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.v5 --push-tag --set-vid 5 0 --rule-append
ifconfig eth4.v5 up
brctl addbr br1
brctl setfd br1 0
brctl addif br1 eth4.v5
brctl addif br1 wl0.1
brctl addif br1 wl1.1
vconfig add br1 5
ip link set br1 up


# Deal with DHCP etc, prevent from working in untagged - REQUIRED in AP MODE?
# vlanctl --if eth4 --set-if-mode-rg
# vlanctl --if eth4 --tx --tags 0 --default-miss-drop


# Deals with traffic between local interfaces when operating with sub-interfaces
ethswctl -c hw-switching -o disable
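
An added example, not part of the thread: a lint for vlanctl rule lines to run over a config before executing it. It checks that the sub-interface named in `--set-rxif` / `--filter-txif` is `<parent>.v<vid>` for the `--if` parent and VID on the same line, which is the naming every block in this thread uses and is easy to break when a block is copied to a different trunk port. The sample config is constructed, and the check assumes one rule per line.

```shell
#!/bin/sh
# lint_vlanctl [FILE]: check vlanctl rule lines in FILE (or stdin). Prints one
# line per rule whose sub-interface does not match <parent>.v<vid>.
# Returns 1 if any mismatch was found, 0 otherwise. Commented lines are skipped.
lint_vlanctl() {
    awk '
    $1 == "vlanctl" {
        parent = ""; vid = ""; sub_if = ""; is_rule = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "--if")                                parent = $(i + 1)
            if ($i == "--filter-vid" || $i == "--set-vid")   vid = $(i + 1)
            if ($i == "--set-rxif" || $i == "--filter-txif") sub_if = $(i + 1)
            if ($i == "--rule-append")                       is_rule = 1
        }
        if (!is_rule || sub_if == "") next      # not an rx/tx tagging rule
        expected = parent ".v" vid
        if (sub_if != expected) {
            printf "line %d: rule on %s vid %s points at %s, expected %s\n",
                   NR, parent, vid, sub_if, expected
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: a VLAN 5 block moved from an eth0 trunk to eth4, with
# the rx rule still naming the old eth0 sub-interface.
demo_config() {
cat <<'EOF'
vlanctl --mcast --if-create eth4 5
vlanctl --if eth4 --rx --tags 1 --filter-vid 5 0 --pop-tag --set-rxif eth0.v5 --rule-append
vlanctl --if eth4 --tx --tags 0 --filter-txif eth4.v5 --push-tag --set-vid 5 0 --rule-append
ifconfig eth4.v5 up
# vlanctl --if eth4 --tx --tags 0 --default-miss-drop
EOF
}

# With a real file: lint_vlanctl ./test && ./test
demo_config | lint_vlanctl || true
```
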
 

vlanvlan

New Around Here
Hi,

It should work - at least, at my setup it does, as I run it in AP mode with mesh on the two device types mentioned in the original post.

Cheers,
 

idefix

Occasional Visitor
Thanks. This confused me a bit as the AP configuration from ASUS mentioned the main AP to connect via LAN and the 2 mesh APs via their WAN port.
So if I have 1 AP with 2 mesh nodes I would need to configure all 3 for VLAN as described above?
When you mentioned you did not use the default VLAN to avoid accidents, does this mean it will not work with the default VLAN enabled?

Thanks and sorry for the questions, have a hard time understanding the code you posted and how to adjust for my config. Thanks !
 

idefix

Occasional Visitor
Not that straightforward from the looks of it :-(
I can get the different bridges up and running but when connecting to the guest wifi I either get no IP or can't connect at all.
Found another script here but the same issue: https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

Maybe trying to only add a VLAN for the guest network and leave the rest on the default/untagged vlan 0 does not work?
 
