wanted: vlan for AC56U in AP-Mode


Bob.Dig

Regular Contributor
So first, I have almost no clue about VLANs, but I just hope that what I want is so easy that someone will help me with it.

My AC56U is in AP-Mode connected to a pfSense, which is doing the routing, DHCP, vlan etc.

I want everything connected to the LAN ports and to the Wi-Fi to be in the same VLAN, and everything connected to the guest Wi-Fi to be in another VLAN.

Who could help me with that, and is it an easy task to begin with or rather complicated?

Greetings
Bob
Code:
br0       Link encap:Ethernet  HWaddr BC:EE:7B:90:00:D0
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13333 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1494246 (1.4 MiB)  TX bytes:15156582 (14.4 MiB)

eth0      Link encap:Ethernet  HWaddr BC:EE:7B:90:00:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15219 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23524 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2786108 (2.6 MiB)  TX bytes:15911218 (15.1 MiB)
          Interrupt:179 Base address:0x4000

eth1      Link encap:Ethernet  HWaddr BC:EE:7B:90:00:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:19200
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:163

eth2      Link encap:Ethernet  HWaddr BC:EE:7B:90:00:D4
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2965 errors:0 dropped:0 overruns:0 frame:62214
          TX packets:3674 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:624375 (609.7 KiB)  TX bytes:1316915 (1.2 MiB)
          Interrupt:169

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:1248 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1248 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:126101 (123.1 KiB)  TX bytes:126101 (123.1 KiB)

vlan1     Link encap:Ethernet  HWaddr BC:EE:7B:90:00:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15219 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23524 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2546340 (2.4 MiB)  TX bytes:15899338 (15.1 MiB)

wl0.1     Link encap:Ethernet  HWaddr BC:EE:7B:90:00:D1
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:624 errors:0 dropped:0 overruns:0 frame:19200
          TX packets:1685 errors:5 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:81145 (79.2 KiB)  TX bytes:284251 (277.5 KiB)
Code:
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:19:99:e3:1b:e3
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:17:88:a2:92:56
Port 3:  100FD enabled stp: none vlan: 1 jumbo: off mac: 00:17:88:a2:92:56
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:17:88:a2:92:56
Port 8:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5
  56: vlan56: 2t 7t 8t
  57: vlan57: 2 4
  58: vlan58: 0 2 4 5t 8t
  59: vlan59: 1t 2t 3 7 8u
  60: vlan60: 0 1 7
  61: vlan61: 2 8u
  62: vlan62: 1t 5
 

grifo

Senior Member
It isn't difficult; you just need to create a services-start script in /jffs/scripts/.

Try the example below with tagged VLANs 201 and 202 for IoT and guests, and VLAN 1 for the main LAN left at its default, e.g. untagged.

Each VLAN has 2 guest wifi interfaces bridged to it: wl0.1, wl0.2 are on the 2.4 GHz radio and wl1.1, wl1.2 are on the 5 GHz.

Note that I've never used an RTAC56U; I've adapted the below from my RT-AC68U running in AP mode by looking up the RTAC56U robocfg port mappings from a previous post. The WAN port should be 4, the LAN ports 0 to 3 and the CPU port 5.

Code:
#!/bin/sh
# AC56U robocfg numbering: LAN1-4 = ports 0-3, WAN = port 4, CPU = port 5.
# Carry VLANs 201 and 202 tagged on the WAN (trunk) port and on the CPU port.
robocfg vlan 201 ports "4t 5t"
robocfg vlan 202 ports "4t 5t"
# Create the 802.1Q sub-interfaces vlan201/vlan202 on the switch-facing eth0.
vconfig add eth0 201
vconfig add eth0 202
ifconfig vlan201 up
ifconfig vlan202 up

# One bridge per VLAN; move the guest SSIDs out of br0 (the main LAN bridge).
brctl addbr br1
brctl addbr br2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl addif br1 vlan201
brctl addif br2 vlan202
brctl addif br1 wl0.1   # guest 1, 2.4 GHz
brctl addif br1 wl1.1   # guest 1, 5 GHz
brctl addif br2 wl0.2   # guest 2, 2.4 GHz
brctl addif br2 wl1.2   # guest 2, 5 GHz
ifconfig br1 up
ifconfig br2 up

# Record the bridge membership in nvram so the firmware knows which
# interfaces belong to br0, br1 and br2.
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan201 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan202 wl0.2 wl1.2"
nvram set lan2_ifname="br2"

nvram commit
# Restart eapd so it picks up the new bridge layout.
killall eapd
eapd
 
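As an added example (not grifo's script and not part of the original thread), the same recipe written as a parameterised shell function with a dry-run mode, so the generated robocfg/brctl/nvram commands can be reviewed before they touch the switch, and with a check that rejects VLAN ids outside the 802.1Q range or the reserved VLAN 1. It assumes the AC56U port numbering given above (WAN = 4 as the trunk, CPU = 5), eth0 as the parent interface, and the Asuswrt tools robocfg, vconfig, brctl, ifconfig, nvram and eapd; the variable names DRY_RUN, TRUNK_PORT, CPU_PORT, PARENT_IF and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: grifo's services-start recipe as a
# reusable function. Assumptions: AC56U robocfg numbering (WAN/trunk = 4,
# CPU = 5), eth0 is the switch-facing parent interface, VLAN 1 stays the
# untagged main LAN. DRY_RUN=1 prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"
TRUNK_PORT="${TRUNK_PORT:-4}"      # WAN port in robocfg numbering on the AC56U
CPU_PORT="${CPU_PORT:-5}"
PARENT_IF="${PARENT_IF:-eth0}"

# run CMD ARGS...: execute, or just echo the command line in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_vid VID: accept only 2..4094 (1 is the main LAN, 4095 is reserved).
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# add_vlan_bridge VID BRIDGE LANIDX "WIFI_IFS":
#   - puts VID tagged on the trunk and CPU ports,
#   - creates vlan<VID> on the parent interface and bridge BRIDGE,
#   - moves the listed guest-SSID interfaces out of br0 into BRIDGE,
#   - records the layout as lan<LANIDX>_ifnames / lan<LANIDX>_ifname.
add_vlan_bridge() {
    vid="$1"; br="$2"; idx="$3"; wifi="$4"
    valid_vid "$vid" || { echo "refusing VLAN id '$vid' (need 2..4094)" >&2; return 1; }
    run robocfg vlan "$vid" ports "${TRUNK_PORT}t ${CPU_PORT}t"
    run vconfig add "$PARENT_IF" "$vid"
    run ifconfig "vlan$vid" up
    run brctl addbr "$br"
    run brctl addif "$br" "vlan$vid"
    for w in $wifi; do
        run brctl delif br0 "$w"     # guest SSID must leave the main LAN bridge
        run brctl addif "$br" "$w"
    done
    run ifconfig "$br" up
    run nvram set "lan${idx}_ifnames=vlan$vid $wifi"
    run nvram set "lan${idx}_ifname=$br"
}

# main: the two-VLAN layout from the post (201 = IoT, 202 = guests).
main() {
    add_vlan_bridge 201 br1 1 "wl0.1 wl1.1" || return 1
    add_vlan_bridge 202 br2 2 "wl0.2 wl1.2" || return 1
    run nvram set lan_ifnames="vlan1 eth1 eth2"
    run nvram set lan_ifname=br0
    run nvram commit
    run killall eapd
    run eapd
}

# Only apply on a box that actually has robocfg (i.e. the AP itself).
command -v robocfg >/dev/null 2>&1 && main
```

On the AP, copy this to /jffs/scripts/services-start and run it once with DRY_RUN=1 sh /jffs/scripts/services-start to read the command list before rebooting; the dry run is also what the checks below exercise.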

Bob.Dig

Regular Contributor
@grifo Thank you. So I "copied" the script unaltered to services-start and rebooted.
It seems to work according to the log.
Code:
Jan  1 01:00:17 avahi-daemon[599]: Alias name "RT-AC56U" successfully established.
Jan  1 01:00:22 Samba_Server: start deferred by lan state
Jan  1 01:00:22 custom_script: Running /jffs/scripts/services-start
Jan  1 01:00:22 disk_monitor: be idle
Jan  1 01:00:22 kernel: device wl0.1 left promiscuous mode
Jan  1 01:00:22 kernel: br0: port 4(wl0.1) entering forwarding state
Jan  1 01:00:22 kernel: device vlan201 entered promiscuous mode
Jan  1 01:00:22 kernel: device vlan202 entered promiscuous mode
Jan  1 01:00:22 kernel: device wl0.1 entered promiscuous mode
Jan  1 01:00:22 kernel: br1: port 2(wl0.1) entering learning state
Jan  1 01:00:22 kernel: br1: port 2(wl0.1) entering learning state
Jan  1 01:00:22 kernel: br1: port 1(vlan201) entering learning state
Jan  1 01:00:22 kernel: br1: port 1(vlan201) entering learning state
Jan  1 01:00:22 kernel: br2: port 1(vlan202) entering learning state
Jan  1 01:00:22 kernel: br2: port 1(vlan202) entering learning state
Jan  1 01:00:23 ntp: start NTP update
Jan  1 01:00:23 rc_service: udhcpc_lan 550:notify_rc restart_httpd
Jan  1 01:00:23 rc_service: udhcpc_lan 550:notify_rc restart_samba
Jan  1 01:00:23 rc_service: waiting "restart_httpd" via udhcpc_lan ...
Jan  1 01:00:23 httpd: start httpd
Jan  1 01:00:24 Samba_Server: smb daemon is stopped
Jan  1 01:00:24 kernel: gro disabled
Aug  9 16:00:16 rc_service: ntp 695:notify_rc restart_diskmon
Aug  9 16:00:16 ntp: NTP update successful after 1 attempt(s)
Aug  9 16:00:16 disk_monitor: be idle
Aug  9 16:00:27 kernel: br1: port 2(wl0.1) entering forwarding state
Aug  9 16:00:27 kernel: br1: port 1(vlan201) entering forwarding state
Aug  9 16:00:27 kernel: br2: port 1(vlan202) entering forwarding state
Aug  9 16:00:44 HTTP_login: login 'admin' successful from 192.168.1.10:80
Aug  9 16:00:50 crond[589]: time disparity of 5052360 minutes detected
Aug  9 16:01:45 dropbear[711]: Child connection from 192.168.1.10:49387
Aug  9 16:01:46 dropbear[711]: Password auth succeeded for 'admin' from 192.168.1.10:49387
Aug  9 16:01:54 dropbear[711]: Exit (admin): Exited normally
But to me, everything looks identical to before and everything is still working like before.
What to do next?
 

grifo

Senior Member
I've never tried John's fork, as it doesn't support my main router (RT-AC87U), but I did a quick search in its thread and it should support this config.

Could you post:
Code:
cat /jffs/scripts/services-start
robocfg show
brctl show
 

Bob.Dig

Regular Contributor
So it seems to do something, although I might not be able to cope with it. I had hoped I could just create these VLANs in pfSense and be good to go, but...
My Asus still looks exactly the same, without any VLAN, but my light bulb connected to the guest Wi-Fi has no internet anymore, so I can't switch it on or off; that has definitely changed compared to before. So I am probably just not ready to deal with it.
Code:
admin@RT-AC56U:/tmp/home/root# cat /jffs/scripts/services-start
#!/bin/sh
robocfg vlan 201 ports "4t 5t"
robocfg vlan 202 ports "4t 5t"
vconfig add eth0 201
vconfig add eth0 202
ifconfig vlan201 up
ifconfig vlan202 up

brctl addbr br1
brctl addbr br2
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl addif br1 vlan201
brctl addif br2 vlan202
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br2 wl0.2
brctl addif br2 wl1.2
ifconfig br1 up
ifconfig br2 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan201 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan202 wl0.2 wl1.2"
nvram set lan2_ifname="br2"

nvram commit
killall eapd
admin@RT-AC56U:/tmp/home/root# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:19:99:e3:1b:e3
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:  100FD enabled stp: none vlan: 1 jumbo: off mac: 00:17:88:a2:92:56
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5
  56: vlan56: 2t 7t 8t
  57: vlan57: 0 2 5t
  58: vlan58: 0 2 4 5t 7t 8t
  59: vlan59: 1t 2t 3t 7 8u
  60: vlan60: 0 1 7
  61: vlan61: 2 8u
  62: vlan62: 5 7
201: vlan201: 4t 5t
202: vlan202: 4t 5t
admin@RT-AC56U:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.bcee7b9000d0       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.bcee7b9000d0       no              vlan201
                                                        wl0.1
br2             8000.bcee7b9000d0       no              vlan202
I made VLAN 1 in pfSense but couldn't reach the Asus anymore; it will only work without a VLAN...
[attached screenshot: Capture.JPG]
 

grifo

Senior Member
The AP config looks good, now you need to configure the pfSense with corresponding VLANs under the parent LAN interface, assign them IP addresses, configure DHCP and firewall rules.

It's not difficult and you're on the right track, but it will take a bit of time if you haven't done it before, and I guess you'll need your light bulb before it gets dark :) So to revert, just delete the services-start script and reboot; you can come back to it at a later time.

BTW, if you just need one VLAN for your IoT devices on the 2.4 GHz radio you can take several lines off my script; this is all you would need:

Code:
#!/bin/sh
robocfg vlan 201 ports "4t 5t"
vconfig add eth0 201
ifconfig vlan201 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 vlan201
brctl addif br1 wl0.1
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan201 wl0.1"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd
 

Bob.Dig

Regular Contributor
The AP config looks good, now you need to configure the pfSense with corresponding VLANs under the parent LAN interface, assign them IP addresses, configure DHCP and firewall rules.
I did this but it is not working. Can't even reach the Asus on vlan 1 in my browser.
 

grifo

Senior Member
Do you have your main LAN subnet configured on the LAN parent interface of the pfSense?
 

grifo

Senior Member
So do you use the Asus only for the IoT devices? E.g. not as an AP for your main LAN as well? What is connected to your main LAN interface?

It'd be best to connect the Asus to your main LAN interface, configure the main subnet on the parent interface and give the Asus an IP from it, then create the VLAN(s) under it, which will become its sub-interface(s).

EDIT: maybe you meant a different logical interface.

Try this: connect the Asus to the pfSense LAN, reconfigure the LAN parent interface as it was before you started this if you have changed it and reestablish connectivity with the Asus then we'll do the next step.
 

Bob.Dig

Regular Contributor
@grifo The Asus is not only for IoT but for everything Wi-Fi. And with pfSense, everything is connected with everything anyway.
What you described I had before, so no VLAN 1, but my IoT had no internet, although the VLAN was set up in pfSense as a "child interface". But I will do this again, so that at least my Asus is reachable again. Done!
 

Bob.Dig

Regular Contributor
Now it seems to work! There is really no difference to before... but now the Yeelight got an address from pfSense (VLAN 201) and has internet. :D
 

grifo

Senior Member
OK, good news. Do some tests and let us know how it goes.

BTW do you now have your main LAN on the pfSense parent interface or on VLAN 1?
 

Bob.Dig

Regular Contributor
@grifo So there is one difference, I think: I am now using another port on my Asus to connect to pfSense. Before it was connected on the port labeled 1 (Port 0); now it is connected via the WAN port (Port 4) (Asus still in AP mode). I thought that all ports would be the same.... So I guess (Port 4) is the trunk port. :p So eventually I will get it. ;)

"Main LAN" is on the parent interface.
 

grifo

Senior Member
Ah, I see. Yes, you had to use the WAN port, as that's the one we configured in the script. In AP mode all ports are the same, but for VLANs we need to choose one trunk port, and by convention it's straightforward to use the WAN port; yep, port 4 for robocfg on the AC56U.
 

Bob.Dig

Regular Contributor
@grifo Thank you!
Too bad; if I look at the configs you provided, I still don't get it, and I wouldn't be able to come up with it myself.

But now I am kinda "thirsty". ;)
How would I define another VLAN on one of the ports, or put one of the ports together with the VLANs on Wi-Fi? :p
 

grifo

Senior Member
I didn't come up with it either, I got it from older posts.

All you'd have to do is adapt the robocfg line of the script adding the ports you want to assign to the VLAN, keeping in mind how they are mapped on your model:

Code:
Robocfg port mapping
Model { WAN L1 L2 L3 L4 CPU }
RTAC56U: { 4, 0, 1, 2, 3, 5 }
If you want to connect an end device to a port, you have to send the traffic out untagged by not using a "t" next to the port number. In that case you would also have to remove (or tag) VLAN 1 from the port, as you can't have two untagged VLANs on the same port. So, for example, to connect a security camera on LAN port 4 under VLAN 201 you would do:

Code:
robocfg vlan 1 ports "0 1 2 4 5t"
robocfg vlan 201 ports "3 4t 5t"
Some models don't like VLAN 1 being taken off ports, namely my RT-AC87U, so not sure if that'll work on yours.

To define more VLANs just follow my original script example; you can create as many as you like, but then you'll need lots of firewall rules. Best to keep them to a minimum; I use two of them, one for IoT and another for guests.

BTW, run some extended tests, as some models have issues with VLANs in AP mode and you may need to turn off HW acceleration. Connect your laptop to the guest SSID and run a few speed tests.
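The two rules grifo states above (a port can be an untagged member of only one VLAN, and a VLAN the AP is meant to carry has to be present on the trunk port) can be checked mechanically instead of by eye. The following is an added example, not from the thread: a small POSIX shell/awk linter for the "VLANs:" table that robocfg show prints. It assumes the AC56U numbering (WAN/trunk = 4, CPU = 5); the function names are this example's own, and the sample input embedded in it is Bob's robocfg show output copied from this thread. Run on that sample it reports port 0 and port 2 as untagged members of four VLANs each (vlan1 plus the vlan57/58/60/61 entries). The thread never discusses those vlan56-62 entries, so treat such a report as something to verify on the device, not as a confirmed misconfiguration.

```shell
#!/bin/sh
# Added example, not from the thread: lint the VLAN table of `robocfg show`.
# untagged_conflicts  - ports that are untagged members of more than one VLAN
# port_memberships N  - which VLANs port N carries, tagged ones suffixed "t"
# Assumes AC56U numbering (trunk/WAN = 4, CPU = 5). Input is robocfg output
# on stdin; the Port/Switch header lines are ignored, only "NN: vlanNN: ..."
# lines are parsed. Port tokens: "3" untagged, "3t" tagged, "8u" untagged.

TRUNK_PORT="${TRUNK_PORT:-4}"

# Prints "port P: vidA vidB ..." for every port with >1 untagged VLAN,
# nothing when the table is clean.
untagged_conflicts() {
    awk '
        /^ *[0-9]+: vlan[0-9]+:/ {
            vid = $1; sub(":", "", vid)
            for (i = 3; i <= NF; i++) {
                p = $i
                if (p ~ /t$/) continue        # tagged membership never conflicts
                sub(/u$/, "", p)              # "8u" is just an explicit untagged
                cnt[p]++
                list[p] = list[p] " " vid
            }
        }
        END {
            for (p in cnt) if (cnt[p] > 1) printf "port %s:%s\n", p, list[p]
        }' | sort
}

# Prints the VLANs a port belongs to, in table order, e.g. "1 58 201t 202t".
port_memberships() {
    awk -v port="$1" '
        /^ *[0-9]+: vlan[0-9]+:/ {
            vid = $1; sub(":", "", vid)
            for (i = 3; i <= NF; i++) {
                p = $i; tag = ""
                if (p ~ /t$/) { tag = "t"; sub(/t$/, "", p) }
                sub(/u$/, "", p)
                if (p == port) out = out (out == "" ? "" : " ") vid tag
            }
        }
        END { print out }'
}

# Sample input: the robocfg show output posted earlier in this thread.
SAMPLE=$(cat <<'EOF'
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:19:99:e3:1b:e3
Port 4:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5
  56: vlan56: 2t 7t 8t
  57: vlan57: 0 2 5t
  58: vlan58: 0 2 4 5t 7t 8t
  59: vlan59: 1t 2t 3t 7 8u
  60: vlan60: 0 1 7
  61: vlan61: 2 8u
  62: vlan62: 5 7
201: vlan201: 4t 5t
202: vlan202: 4t 5t
EOF
)

# Stand-alone use: lint the live switch on the AP, the sample elsewhere.
if command -v robocfg >/dev/null 2>&1; then
    robocfg show | untagged_conflicts
    echo "trunk port $TRUNK_PORT carries: $(robocfg show | port_memberships "$TRUNK_PORT")"
else
    printf '%s\n' "$SAMPLE" | untagged_conflicts
    echo "trunk port $TRUNK_PORT carries: $(printf '%s\n' "$SAMPLE" | port_memberships "$TRUNK_PORT")"
fi
```

After applying a robocfg vlan change, re-run it: the intended end state for the layout in this thread is that only VLAN 1 is untagged on any physical port and that the trunk port lists every guest VLAN with a "t".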
 

Bob.Dig

Regular Contributor
Dear @grifo, is the following doable with VLANs, and if it is, what would the config look like:

Let's say I have the config from post #6.
Now I want to plug in my PC with no VLAN (or VLAN 1, if it has to have one, I guess) on Port 0. Then I want to run a VM on my PC, and for that I gave it VLAN (number) 199, for example.

I am still missing some basics about vlan, please excuse.
 

grifo

Senior Member
It depends on how you want it to work. Is VLAN 199 wired only and just extending between the virtual machine and your pfSense box? Or do you also need it to be bridged to a guest wifi SSID on the AP?

In the first case it's very easy: you just need to create a VLAN 199 and assign it to ports 0 (LAN1) and 4 (WAN). It doesn't need to be assigned to the CPU port (5), as the AP doesn't need to get the traffic; it just gets switched within the built-in switch. So you would add the lines below to your existing script:
Code:
robocfg vlan 199 ports "0t 4t"
vconfig add eth0 199
ifconfig vlan199 up
In the second case you can reuse the script in post #2, changing the 202 on the lines that have it to 199, or reuse it as it is and assign your VM a VLAN ID of 202; in both cases add 0t to the corresponding "robocfg vlan x ports" line.
 

Bob.Dig

Regular Contributor
It is the first; I will try that and hope the VM part (VM-WS on Windows) is not sabotaging my attempt. Also, I have to switch switches now to make it work. It is about time. :)
 
