WAP/Guest SSID/Port based VLAN


net101

Occasional Visitor
I have two RT-N66U devices running in WAP mode. I run a pfSense device as a firewall/router. I run Merlin firmware over DD-WRT because I get way more throughput using Merlin. However, DD-WRT allows port based VLAN configuration and this helps me configure my network as depicted in the attachment.

I haven’t been able to configure the Merlin firmware to allow me to do so. The GUI doesn’t have the affordance and my attempts to dabble with the scripts have been epic failures. Can I ask anyone willing to help to come up with scripts to achieve this? I have looked at et robowr, vconfig and the like and my head is spinning!

Thanks in advance.
 

Attachments

  • MyHomeNetwork.pdf (127 KB)

net101

Occasional Visitor
I realize that it may be bad form to reply to your own query, but I am excited that I have this working now and wanted to document it and share it with you. Here are the steps to make it happen:
  1. Set up the Guest Wireless network using the GUI
  2. Connect to the WAP using PuTTY or a similar tool
  3. Enter the following commands
Code:
# Switch port membership per VLAN (u = untagged, * = default VLAN for that port, 8 = CPU port)
nvram set vlan2ports=8u
nvram set vlan1ports="0 1 2 3 8*"
nvram set vlan3ports="4 8"
nvram set vlan2hwname=et0
nvram set vlan1hwname=et0
nvram set vlan3hwname=et0

# Startup script: move the guest virtual interfaces out of br0 into a new bridge br1 together with vlan3
nvram set rc_startup='
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan3
ifconfig br1 192.168.235.202 netmask 255.255.255.0
ifconfig br1 up
'
nvram commit
reboot

The configuration is persisted across reboots.
 

net101

Occasional Visitor
Looks like I lied. Even though the commands in rc_startup are persisted across reboots, the bridge configuration gets reset.

Anyone have ideas on what might be going on? Where should I look for clues?

Thanks!
 

RMerlin

Asuswrt-Merlin dev
Looks like I lied. Even though the commands in rc_startup are persisted across reboots, the bridge configuration gets reset.

Anyone have ideas on what might be going on? Where should I look for clues?

Thanks!

See the Wiki documentation on custom scripts.

rc_startup is not officially supported in Asuswrt-Merlin.
 

net101

Occasional Visitor
Thanks for the clue. Can you comment on whether the commands listed (nvram variables etc.) are supported?

Thanks again.
 

RMerlin

Asuswrt-Merlin dev
Thanks for the clue. Can you comment on whether the commands listed (nvram variables etc.) are supported?

Thanks again.

Probably not. At least, I don't remember seeing these names.
 

net101

Occasional Visitor
I have modified my earlier script and now have a /jffs/scripts/services-start script as indicated in the wiki. After setting up guest wlans and rebooting, this script executes.
Code:
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Switch VLAN membership (t = tagged): ports 1-3 stay on LAN VLAN 1,
# port 4 becomes the untagged access port for guest VLAN 3, and the
# CPU port 8 is tagged on every VLAN
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 2 ports "0 8t"
robocfg vlan 3 ports "4 8t"
# Create the 802.1Q sub-interface for VLAN 3 on eth0 and bring it up
vconfig add eth0 3
ifconfig vlan3 up

# Move the guest SSIDs (wl0.1 on 2.4 GHz, wl1.1 on 5 GHz) out of the LAN
# bridge br0 into a new bridge br1 together with vlan3
brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan3
brctl addif br0 vlan2
# Management address for the guest bridge
ifconfig br1 192.168.235.201 netmask 255.255.255.0
ifconfig br1 up

And, all is well! This time I have gone through multiple reboots. Please let me know if I am using any unsupported features.

PS: I want to thank RMerlin for active help and ghost_o for his prior post.
 
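As an added example that is not part of the thread (my own code, not net101's script), a small POSIX sh check that parses a brctl show snapshot in the layout posted in this thread and confirms the guest SSIDs really ended up in their own bridge with the guest VLAN interface; both snapshots are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify from a `brctl show` snapshot that
# the guest SSID interfaces left the LAN bridge br0 and share a bridge with the
# guest VLAN interface. Snapshots are constructed; live use: "$(brctl show)".

BRCTL_OK='bridge name     bridge id               STP enabled     interfaces
br0             8000.10c37bd125e0       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.10c37bd125e0       no              wl0.1
                                                        wl1.1
                                                        vlan3'

# Same AP, but the 5 GHz guest SSID (wl1.1) was never moved out of br0
BRCTL_LEAKY='bridge name     bridge id               STP enabled     interfaces
br0             8000.10c37bd125e0       no              vlan1
                                                        eth1
                                                        eth2
                                                        wl1.1
br1             8000.10c37bd125e0       no              wl0.1
                                                        vlan3'

# bridge_of <brctl-output> <iface>: print the bridge holding <iface>, or nothing.
# A bridge line has 3 or 4 fields (the 4th is its first member); indented
# lines list the remaining members of the most recent bridge.
bridge_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }
        /^[^ \t]/ { br = $1; iface = (NF == 4) ? $4 : "" }
        /^[ \t]/  { iface = $1 }
        iface == want { print br; exit }'
}

# guest_isolated <brctl-output> <guest-vlan-iface> <guest-wl-iface>...
# Succeeds only if the guest VLAN interface sits in a bridge other than br0
# and every guest wireless interface is in that same bridge.
guest_isolated() {
    out=$1; vlan_if=$2; shift 2
    vlan_br=$(bridge_of "$out" "$vlan_if")
    [ -n "$vlan_br" ] && [ "$vlan_br" != "br0" ] || return 1
    for wl in "$@"; do
        [ "$(bridge_of "$out" "$wl")" = "$vlan_br" ] || return 1
    done
    return 0
}

for snap in "$BRCTL_OK" "$BRCTL_LEAKY"; do
    if guest_isolated "$snap" vlan3 wl0.1 wl1.1; then
        echo "OK: guest SSIDs isolated on $(bridge_of "$snap" vlan3)"
    else
        echo "FAIL: a guest SSID is still reachable from the LAN bridge"
    fi
done
```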

jet45

Occasional Visitor
Hi net101,

I want to separate my guest network like you did here; like you, I'm running pfSense as a firewall. I made some modifications to your script to fit my needs. I have my RT-N66U running Asuswrt-Merlin 374.39 as an AP. I want to make a trunk port on port 1 and tag VLANs 1 and 10 on it. I created the guest network via the GUI (just one guest network on the 2.4 GHz channel), made the below modifications to your script and placed it in /jffs/scripts/services-start. Does the script look right to you? I had a similar setup with Tomato but I was able to accomplish everything through the GUI.

Code:
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 1 ports "1t 2 3 4 8"
robocfg vlan 2 ports "0 8"
robocfg vlan 10 ports "1t 8"
vconfig add eth0 10
ifconfig vlan10 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan10
brctl addif br0 vlan2
ifconfig br1 192.168.100.1 netmask 255.255.255.0
ifconfig br1 up
 

nahun

New Around Here
Sorry if I shouldn't resurrect an old thread, but I've got pretty much the same setup: a pfSense router with an RT-AC66U in AP mode running 374.43.

I just want one port and a guest network isolated on a different network. Everything seems to set up correctly, but traffic doesn't seem to flow from the wireless network through the bridge. I can't get DHCP from the router. When I plug directly into the pfSense router I get DHCP fine.

I can ping br1 from the router. Anything I'm missing?

My services-start:
Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 2 ports "0 8t"
robocfg vlan 3 ports "4 8t"
vconfig add eth0 3
ifconfig vlan3 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan3
brctl addif br0 vlan2
ifconfig br1 192.168.2.2 netmask 255.255.255.0
ifconfig br1 up
 

nahun

New Around Here
Sorry if I shouldn't resurrect an old thread, but I've got pretty much the same setup: a pfSense router with an RT-AC66U in AP mode running 374.43.

I just want one port and a guest network isolated on a different network. Everything seems to set up correctly, but traffic doesn't seem to flow from the wireless network through the bridge. I can't get DHCP from the router. When I plug directly into the pfSense router I get DHCP fine.

I can ping br1 from the router. Anything I'm missing?

My services-start:
Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 2 ports "0 8t"
robocfg vlan 3 ports "4 8t"
vconfig add eth0 3
ifconfig vlan3 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan3
brctl addif br0 vlan2
ifconfig br1 192.168.2.2 netmask 255.255.255.0
ifconfig br1 up

Quick update: I actually got it to work when I make the guest network open, so no WPA2/security at all, on either the 2.4 or 5 GHz networks. With WPA2 Personal though, I can't associate to the guest network. I made the key very simple (12345678), so I'm definitely typing it right.

I'm still working on it, but can anyone think why this would happen? thanks.
 

wiz561

Occasional Visitor
I have modified my earlier script and now have a /jffs/scripts/services-start script as indicated in the wiki. After setting up guest wlans and rebooting, this script executes.
Code:
#!/bin/ash
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 2 ports "0 8t"
robocfg vlan 3 ports "4 8t"
vconfig add eth0 3
ifconfig vlan3 up

brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan3
brctl addif br0 vlan2
ifconfig br1 192.168.235.201 netmask 255.255.255.0
ifconfig br1 up

And, all is well! This time I have gone through multiple reboots. Please let me know if I am using any unsupported features.

PS: I want to thank RMerlin for active help and ghost_o for his prior post.

Sorry to resurrect an old thread, but can you explain what the above does? I think I'm trying to accomplish the same thing. I have a pfSense box that has two NICs that are on separate LANs: an internal and a guest. I want 'port 1' on the AC66U to be on the internal LAN wireless and 'port 2' on the guest SSID.

Thanks!
 

Potato Sack

New Around Here
Quick update: I actually got it to work when I make the guest network open, so no WPA2/security at all, on either the 2.4 or 5 GHz networks. With WPA2 Personal though, I can't associate to the guest network. I made the key very simple (12345678), so I'm definitely typing it right.

I'm still working on it, but can anyone think why this would happen? thanks.

Hey there, did you ever figure this out? I seem to be running into the same issue -- I can't associate with "guest" SSIDs with WPA2 encryption.

However, the commonality seems to be I can't associate to those SSIDs only after I've moved them out of the default bridge interface on the router (br0) and placed them into another bridge interface that I have bridged with a vlan interface. However, if I change encryption to Open, it works. However, open encryption on this particular network isn't a solution for me, unfortunately.

Example that breaks WPA2 association:

Code:
[email protected]:/sbin# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.10c37bd125e0       no              vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1
br1             8000.000000000000       no
br2             8000.000000000000       no
br3             8000.000000000000       no
br4             8000.000000000000       no
br5             8000.10c37bd125e0       no              wl0.3
                                                        vlan50

...so if I try to associate to the corresponding SSID of the wl0.3 virtual interface, and it has WPA2 encryption enabled, it doesn't work. Open encryption, no problem.

It's confusing since this seems like it wouldn't have anything to do with a bridged interface -- AP association is layer 1 and 2, not layer 3...

Any solutions? Do I need to associate my vlan interfaces with something other than eth0?

EDIT: yes, the br5 interface has an IP address on it, in the same subnet that the vlan50 interface corresponds to. I can ping the VLAN 50 interface on my firewall, and other hosts on VLAN 50 from the Asus router, so I believe my VLAN trunking to be working appropriately. It seems to be limited to SSID association.
 

Naito

New Around Here
Followed the examples here to make my own script; it should be a little more generalizable. Seems to work well on the latest Merlin (378.51) with my RT-N66U.

My default VLAN is 3, and my Guest VLAN is 4.

Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

#TrunkPort=0
MainVLAN=3

GuestVLAN=4
GuestIP="192.168.100.3"
GuestNetmask="255.255.255.0"
GuestIFs="wl0.1 wl1.1"

#Switch default vlan
if [ ! -z "$MainVLAN" -a "$MainVLAN" != "1" ]; then
    robocfg vlan 1 ports ""
    robocfg port 0 state disabled vlan ${MainVLAN} ports "0t 1 2 3 4 8t" port 0 state enabled
    vconfig rem vlan1
    vconfig add eth0 ${MainVLAN}
    ifconfig vlan${MainVLAN} up
#    brctl delif br0 vlan1
    brctl addif br0 vlan${MainVLAN}
fi

#Check the GuestIFs have been set up in the GUI
for wlIF in ${GuestIFs}; do
    ifconfig | grep -cq $wlIF
    if [ $? -ne 0 ]; then
        echo Guest Interface not found
        echo Set up in GUI first
        exit 1
    fi
done

robocfg vlan ${GuestVLAN} ports "0t 8t"
vconfig add eth0 ${GuestVLAN}
ifconfig vlan${GuestVLAN} up
brctl addbr br1
for wlIF in ${GuestIFs}; do
    brctl delif br0 ${wlIF}
    brctl addif br1 ${wlIF}
done
brctl addif br1 vlan${GuestVLAN}
ifconfig br1 ${GuestIP} netmask ${GuestNetmask}
ifconfig br1 up

exit 0
 

Potato Sack

New Around Here
I ended up moving to Tomato.

Really it was just out of desperation to see if it would let me create tagged VLANs, add a wireless interface to it, and set WPA2 encryption on that interface. It turns out it does -- the GUI is a little bit broken as it won't let you assign both a tagged and an untagged value to a single port -- but the problem is easily worked around with a shell script (similar to above) to set the switch ports, define the VLAN, attach it to eth0, and add it to a bridged interface.

The best part is that WPA2 works fine on these virtual wireless interfaces.

If Merlin can provide a fix on this -- I'd probably move back as I really like his firmware and community participation. But, for now, I've got to stick with a slightly kludged Tomato (but, it works).
 

Naito

New Around Here
I had this set up working on Tomato before, I thought I'd try it on Merlin to see if there are any performance benefits. You're right though, WPA2 doesn't appear to be working on the guest networks.

There is definitely a performance benefit however. On Tomato I found that connecting to my main router through the WAN port limited my throughput to only approx. 100 Mbps, but if the uplink was on the switched ports then my throughput shot up to just above 300 Mbps. On Merlin, the performance between the WAN port and switched ports was identical. Also, it seems I'm getting a slightly stronger signal from the radio on Merlin.

I hadn't tested it on a wired connection yet, but there was definitely an impressive improvement for the WAN port. Haven't decided if I'll keep it yet.
 

Maurizio

Occasional Visitor
Hi.
Can this method be used for PPTP VPNs?

I tried the script in the wiki, changed the parameters for the IF and it runs... but then ALL interfaces are in the VPN, including the cabled ones...

Is there something I am doing wrong?

Script attached, so as not to clog the post...

thx

M
 

Attachments

  • wifivpn.txt (3.9 KB)

net101

Occasional Visitor
Potato Sack, I can confirm your findings. This works for RT-N66U but not for RT-N68U. Bummer! Would love to see a fix for this.

BTW, port on 66, 0-4, 8. On 68, 0-5.
 

starfall

Occasional Visitor
Potato Sack, I can confirm your findings. This works for RT-N66U but not for RT-N68U. Bummer! Would love to see a fix for this.

BTW, port on 66, 0-4, 8. On 68, 0-5.

This is also working for me now on the AC68U after tweaking the nvram settings and restarting eapd. Check it out here - SSID to VLAN
 

net101

Occasional Visitor
It hasn't been working for me. Any help root-causing the issue is appreciated. I am using AP mode.

Here is my script:
Code:
#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# Marker file: removed here and recreated at the end so a completed run can be checked for
rm /tmp/000services-start

# Switch VLAN membership (t = tagged): ports 0 and 5 carry every VLAN tagged,
# port 1 is untagged on VLAN 1 and ports 2-4 are untagged on VLAN 26
robocfg vlan 1 ports "0t 1 5t"
robocfg vlan 26 ports "0t 2 3 4 5t"
robocfg vlan 27 ports "0t 5t"

# 802.1Q sub-interfaces for the two guest VLANs
vconfig add eth0 26
ifconfig vlan26 up

vconfig add eth0 27
ifconfig vlan27 up

# Recreate br1 and br2 from scratch so a re-run starts clean
ifconfig br1 down
brctl delbr br1
brctl addbr br1

ifconfig br2 down
brctl delbr br2
brctl addbr br2

# Take both guest SSIDs on each band out of the LAN bridge br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

brctl delif br0 wl0.2
brctl delif br0 wl1.2

# First guest SSID pair goes with vlan26, second pair with vlan27
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan26

brctl addif br2 wl0.2
brctl addif br2 wl1.2
brctl addif br2 vlan27

ifconfig br1 192.168.26.3 netmask 255.255.255.0
ifconfig br1 up

ifconfig br2 192.168.27.3 netmask 255.255.255.0
ifconfig br2 up

# Record the new bridge membership in nvram and restart eapd so it
# handles WPA2 authentication on the moved SSIDs (as in starfall's post)
nvram set lan26_ifnames="vlan26 wl0.1 wl1.1"
nvram set lan26_ifname="br1"

nvram set lan27_ifnames="vlan27 wl0.2 wl1.2"
nvram set lan27_ifname="br2"

nvram commit

killall eapd
eapd

touch /tmp/000services-start

Here's the output from various commands:
Code:
[email protected]:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.10c37bXXXXXX       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.10c37bXXXXXX       no              wl0.1
                                                        wl1.1
                                                        vlan26
br2             8000.10c37bXXXXXX       no              wl0.2
                                                        wl1.2
                                                        vlan27

[email protected]:/tmp/home/root# robocfg show vlan
Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: f0:de:f1:f5:c0:d2
Port 2:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 26 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0t 1 5t
   2: vlan2: 5t
  26: vlan26: 0t 2 3 4 5t
  27: vlan27: 0t 5t
  56: vlan56: 1t 2 4 5
  57: vlan57: 1t 2t 3t 4 7
  58: vlan58: 0t 8u
  59: vlan59: 0t 2t 4 8t
  60: vlan60: 0t 1t 2t 3
  61: vlan61: 1 2t 3t 4 7t 8u
  62: vlan62: 2t 7t

[email protected]:/tmp/home/root# nvram show | grep ifnames
size: 42544 bytes (22992 left)
wl0_vifnames=wl0.1 wl0.2 wl0.3
wl1_vifnames=wl1.1 wl1.2 wl1.3
lan26_ifnames=vlan26 wl0.1 wl1.1
dpsta_ifnames=
lan_ifnames=vlan1 eth1 eth2 wl0.1 wl0.2 wl1.1 wl1.2
lan27_ifnames=vlan27 wl0.2 wl1.2
wan_ifnames=vlan2
wl_ifnames=eth1 eth2
wl_vifnames=wl0.1 wl0.2 wl0.3
acs_ifnames=eth1 eth2
 
