WiFi Vlan on AC3100


mentaluproar

Occasional Visitor
I’m setting the network up with an opnsense firewall and switches. I would like to have certain devices, like guests and IoT devices, on a VLAN. Is it possible to do that on my router, or is guest networking the best I can hope for?
 

L&LD

Part of the Furniture
Search for robocfg VLANs for answers. :)
 

grifo

Senior Member
It isn't supported officially (e.g. through the GUI) but it can be done from the CLI using custom scripts. It's a question that comes up often and there are many threads on the subject; if you run a few searches you'll find how to do it.

As you have an opnsense firewall you could run your AC3100 in AP mode and do the routing, the firewalling and the DHCP on the opnsense, which would make the configuration a lot easier on the AC3100.

Here's a recent thread about configuring VLANs on a different Asus router running in AP mode and connecting to a pfsense firewall. The port numbers are different on your model; you can find the right ones for the AC3100 here.

EDIT: note that you still need to use the guest wifi SSIDs, but they'll be mapped to VLANs of your choice on different subnets that you can manipulate to your liking.
 

mentaluproar

Occasional Visitor
I’m having trouble with this. So if port 1 on the router shows as port 3 in robocfg show, I make the script say robocfg vlan 5 ports "3t 8t", right?

Which radio interface is which? If it’s anything like tomato, wlx.1 is a guest interface. So which wl number is which interface? I also see ports 0-8 listed even though there are only 5 physical ports on this model.
 

grifo

Senior Member
I’m having trouble with this. So if port 1 on the router shows as port 3 in robocfg show, I make the script say robocfg vlan 5 ports "3t 8t", right?
Have you set your AC3100 to AP mode? As that changes how the ports have to be configured. If you aren't familiar with this configuration and you have an opnsense firewall, go with AP mode.

In AP mode the ports that you have to assign to the new VLAN(s) with robocfg are the WAN port (connecting to your opnsense box or switch) and the internal CPU port. Per the second thread I linked to, these are 4 and 8 on the AC3100. So the robocfg line would be:
Code:
 robocfg vlan 5 ports "4t 8t"

You don't need to assign any of the LAN ports unless you want to wire some of the IoT or guest devices directly to the AC3100. If you do, you have to configure these ports as untagged, i.e. without the "t" next to their port number.

Which radio interface is which? If it’s anything like tomato, wlx.1 is a guest interface. So which wl number is which interface?
The wlan interfaces are wl0.1, wl0.2 and wl0.3 for the 2.4GHz radio guest SSIDs and wl1.1, wl1.2 and wl1.3 for the 5GHz radio ones.

I also see ports 0-8 listed even though there are only 5 physical ports on this model.
The other ports are internal ports; of these you only need to care about port 8, which is the CPU port.
 

grifo

Senior Member
Okay. And for tagging, I still need to declare ports, right? Even though it's wireless?
The tagging only happens on the physical link between the opnsense box and the AC3100 WAN port, and on the one between the AC3100's CPU and its built-in switch. It's needed because you're carrying multiple VLANs over one physical link; without tagging the devices couldn't know which VLAN the traffic belongs to. No tagging happens on the wireless interfaces.

Use the configuration in the second thread I linked to and that should work; of course the opnsense box and any managed switch in between have to be configured to match.
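The AP-mode procedure above (trunk and CPU ports tagged, guest SSIDs moved off br0 onto a per-VLAN bridge, nvram updated, eapd restarted) and the later question of whether the script actually took effect can both be scripted. The following is an added example, not code from this thread or from Asuswrt-Merlin: gen_services_start writes a complete /jffs/scripts/services-start from a list of VID:interfaces mappings and refuses VLAN 1, and vlan_members / vlan_ok read `robocfg show` output to confirm a VLAN exists with the trunk and CPU ports tagged. It assumes trunk port 4 (WAN) and CPU port 8 as stated above (set TRUNK_PORT=3 to trunk over LAN port 1 instead), guest interfaces named wl0.x / wl1.x, and a constructed `robocfg show` sample that follows the tool's usual layout rather than a capture from a real AC3100.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
#   gen_services_start   prints a services-start mapping guest SSID interfaces
#                        to tagged VLANs over the trunk port
#   vlan_members/vlan_ok parse `robocfg show` output to confirm a VLAN exists
#                        and carries the trunk and CPU ports tagged
# Assumptions: trunk port 4 (WAN) and CPU port 8 per the thread; guest SSIDs
# are wl0.x / wl1.x; SAMPLE_ROBOCFG_SHOW is constructed, not a real capture.

TRUNK_PORT="${TRUNK_PORT:-4}"   # set TRUNK_PORT=3 to trunk over LAN port 1 instead
CPU_PORT=8

# gen_services_start VID:IFACE[,IFACE...] ...   -> prints the script on stdout
# Refuses VLAN 1 (main LAN/WLAN stays on br0/vlan1), out-of-range and duplicate VIDs.
gen_services_start() {
    printf '#!/bin/sh\n# generated: guest SSIDs -> tagged VLANs over port %s\n' "$TRUNK_PORT"
    n=0
    seen=" "
    for spec in "$@"; do
        case "$spec" in *:*) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
        vid="${spec%%:*}"
        ifaces=$(printf '%s' "${spec#*:}" | tr ',' ' ')
        case "$vid" in ''|*[!0-9]*) echo "bad VLAN id: $spec" >&2; return 1 ;; esac
        if [ "$vid" -le 1 ] || [ "$vid" -gt 4094 ]; then
            echo "refusing VLAN $vid" >&2; return 1
        fi
        case "$seen" in *" $vid "*) echo "duplicate VLAN $vid" >&2; return 1 ;; esac
        seen="$seen$vid "
        n=$((n + 1))
        br="br$n"
        printf '\n# VLAN %s -> %s (%s)\n' "$vid" "$br" "$ifaces"
        # trunk and CPU ports tagged; LAN ports for wired devices would be added untagged (no "t")
        printf 'robocfg vlan %s ports "%st %st"\n' "$vid" "$TRUNK_PORT" "$CPU_PORT"
        printf 'vconfig add eth0 %s\nifconfig vlan%s up\n' "$vid" "$vid"
        printf 'brctl addbr %s\nbrctl addif %s vlan%s\n' "$br" "$br" "$vid"
        for i in $ifaces; do
            # guest SSIDs start out on br0; move each onto the VLAN's bridge
            printf 'brctl delif br0 %s\nbrctl addif %s %s\n' "$i" "$br" "$i"
        done
        printf 'ifconfig %s up\n' "$br"
        printf 'nvram set lan%s_ifnames="vlan%s %s"\nnvram set lan%s_ifname="%s"\n' \
            "$n" "$vid" "$ifaces" "$n" "$br"
    done
    printf '\nnvram commit\nkillall eapd\neapd\n'
}

# vlan_members VID   (stdin: `robocfg show`)  -> prints the VID's port list, e.g. "4t 8t"
vlan_members() {
    awk -v vid="$1" '
        /^VLANs:/ { in_vlans = 1; next }
        in_vlans && $1 == (vid ":") { sub(/^ *[0-9]+: vlan[0-9]+: */, ""); print; exit }
    '
}

# vlan_ok VID   (stdin: `robocfg show`)  -> 0 only if VID has both trunk and CPU ports tagged
vlan_ok() {
    members=$(vlan_members "$1")
    for want in "${TRUNK_PORT}t" "${CPU_PORT}t"; do
        case " $members " in *" $want "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample of `robocfg show` (layout only; not from a real device).
# VLAN 9 here has port 4 untagged, which vlan_ok flags as a mistake.
SAMPLE_ROBOCFG_SHOW='Switch: enabled
Port 0: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 8t
   6: vlan6: 4t 8t
   9: vlan9: 4 8t'

# Usage: sh vlan_tools.sh gen 6:wl0.1,wl1.1 9:wl0.2,wl1.2 > /jffs/scripts/services-start
#        robocfg show | sh vlan_tools.sh check 6
case "${1:-}" in
    gen)   shift; gen_services_start "$@" ;;
    check) shift; vlan_ok "$1" && echo "vlan $1 ok" || { echo "vlan $1 missing or mis-tagged"; exit 1; } ;;
esac
```

The generator deliberately has no option to put the main LAN/WLAN on a VLAN: VLAN 1, br0, eth1 and eth2 are left alone, which is the configuration the rest of the thread settles on. After a reboot, `robocfg show | sh vlan_tools.sh check 6` is a quicker test than chasing DHCP: if the VLAN is missing, services-start did not run (check the shebang and `chmod a+rx /jffs/scripts/*`); if it exists but a port shows without the "t", the trunk is untagged and traffic will leak onto the wrong VLAN.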
 

mentaluproar

Occasional Visitor
So for the main 2.4 and 5 GHz wireless, I'm looking at wl0.0 and wl1.0, or wl1.0 and wl2.0?

I managed to cobble something together for the services-start file based on those links you posted. vlan5 devices are able to get an IP in the appropriate range. vlan6 and vlan9, however, seem to go nowhere. They are properly tagged at the switch I have connected them to, so I'm assuming I did something wrong with the services-start file.

Here is what I have:

robocfg vlan 5 ports "3t 8t"
robocfg vlan 6 ports "3t 8t"
robocfg vlan 9 ports "3t 8t"
vconfig add eth0 5
vconfig add eth0 6
vconfig add eth0 9

ifconfig vlan5 up
ifconfig vlan6 up
ifconfig vlan9 up

brctl addbr br1
brctl addbr br2
brctl addbr br3

brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

brctl addif br1 vlan5
brctl addif br2 vlan6
brctl addif br3 vlan9

brctl addif br1 wl0.0
brctl addif br1 wl1.0
brctl addif br2 wl0.1
brctl addif br3 wl0.2

ifconfig br1 up
ifconfig br2 up
ifconfig br3 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan5 wl0.0 wl1.0"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="vlan6 wl0.1"
nvram set lan2_ifname="br2"
nvram set lan3_ifnames="vlan9 wl0.2"
nvram set lan3_ifname="br3"
nvram commit
killall eapd
eapd
 

grifo

Senior Member
For your main LAN+WLAN you don't need any VLAN or other configuration; we leave it as default. On the opnsense use the parent interface for it, i.e. without any VLAN.

You only need VLANs for your IoT and guest networks so they are kept separated from your main LAN+WLAN. Interfaces wl0.0, wl1.0 and wl2.0 don't exist; the main WLAN interfaces have a different naming scheme, and wlx.x are only for the guest wifi, so change those to the interface names per the other thread.

Also, if you're using the AC3100 WAN port to connect to the opnsense, the right line is robocfg vlan x ports "4t 8t", i.e. not 3t.
 

mentaluproar

Occasional Visitor
I have the main on vlan 5. Each VLAN here I have set to get a different IP range, being 10.0.(vlan number).x. So if something ends up in the wrong place, I will know just by looking at its IP address. Baby's first VLAN.

I have a tomato router I set up for this but it's slow and unstable, whereas my 3100 was lightning quick, so I'm trying to learn this to address that.

I'm not using the WAN port.

Ideally, I will have LAN port 1 (port 3 in robocfg) connected to my switch with the opnsense firewall connected to it. Based on which network someone joins, they can access different things. IoT and guest devices cannot access my server, etc.

Thanks for your patience, but I'm still not getting this to work. According to robocfg show, it isn't even loading services-start. It's in AP mode, so I can't access the webUI either.
 

grifo

Senior Member
You should still be able to access the webUI in AP mode, just like you can access the CLI.

The script is run at boot; have you rebooted the AC3100 to confirm whether it's run? If it still isn't, you may not have made it executable. Just run on the CLI:
Code:
chmod a+rx /jffs/scripts/*
Or you may have forgotten the shebang at the top of the script:
Code:
#!/bin/sh
You should really leave your main LAN+WLAN as default on vlan 1, otherwise things may break; keep in mind these are all unsupported changes on Asus/Merlin firmware. There isn't much benefit in not using vlan 1 for a home network with consumer hardware.
 

mentaluproar

Occasional Visitor
One of the reasons I did that was to prevent roommates and curious guests from accessing the switch, firewall, server and AP webUIs. For some reason they still can, but it's not obvious why, whereas the port I assigned as VLAN 1 doesn't let me access them. At the moment, wifi is the bigger issue as I have totally screwed this network up.

In AP mode, the webUI does not function for me.
 

mentaluproar

Occasional Visitor
Progress. We now have errors!

interface wl0.1 does not exist!
interface wl1.1 does not exist!
interface wl0.2 does not exist!
interface wl1.2 does not exist!
interface wl0.0 does not exist!
interface wl1.0 does not exist!
interface wl0.1 does not exist!
interface wl0.2 does not exist!
 

grifo

Senior Member
One of the reasons I did that was to prevent roommates and curious guests from accessing the switch, firewall, server and AP webUIs. For some reason they still can, but it's not obvious why, whereas the port I assigned as VLAN 1 doesn't let me access them. At the moment, wifi is the bigger issue as I have totally screwed this network up.

In AP mode, the webUI does not function for me.
Remove the script and reboot the AC3100 and see if you're able to access the webUI.

Put back your tomato router to have a wifi network back, then start from scratch. I'd reset the AC3100 to factory settings, put it in AP mode, then do the webUI-side configuration and finally add the script.

Once you have your VLANs set up and working you can allow roommates and guests onto the guest wifi only, and configure the opnsense to prevent them any access to your main LAN.
 

grifo

Senior Member
Progress. We now have errors!

interface wl0.1 does not exist!
interface wl1.1 does not exist!
interface wl0.2 does not exist!
interface wl1.2 does not exist!
interface wl0.0 does not exist!
interface wl1.0 does not exist!
interface wl0.1 does not exist!
interface wl0.2 does not exist!
You have to turn on the guest networks in the webGUI, else the wlx.x interfaces aren't created. Of course, first you need to be able to access the webUI, so follow what I wrote in my last post.

As I wrote earlier wl0.0 and wl1.0 don't exist at all.

EDIT: I'm going out now, try my suggestions and see how far you get.
 

mentaluproar

Occasional Visitor
OOF! You're right. I reset it and forgot to turn back on the guest networks.

The tomato router is still up. I haven't used tomato in years but remember loving it. It's kind of heartbreaking seeing what happened with it. It's possible the router is defective and just rebooting itself frequently, or this release has a new driver that isn't doing as well as people first thought, but I'm going to put forth the effort to go back to my Asus router.
 

mentaluproar

Occasional Visitor
AP mode has a webUI this time. I wonder what I did wrong before. We also have fewer error messages. Getting closer.

interface wl1.1 does not exist!
interface wl1.2 does not exist!
interface wl0.0 does not exist!
interface wl1.0 does not exist!

Poking around, ifconfig looks like it uses eth devices for the normal wifi radios.

br0 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:D8
inet addr:10.0.1.5 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:11018 errors:0 dropped:0 overruns:0 frame:0
TX packets:11713 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:981735 (958.7 KiB) TX bytes:9347556 (8.9 MiB)

eth0 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:D8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11059 errors:0 dropped:0 overruns:0 frame:0
TX packets:11788 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1227642 (1.1 MiB) TX bytes:9461707 (9.0 MiB)
Interrupt:181 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:D8
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:928 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:136205 (133.0 KiB)

eth2 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:DC
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:826 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:119873 (117.0 KiB)

fwd0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:853 errors:0 dropped:0 overruns:0 frame:0
TX packets:262 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:41078 (40.1 KiB)
Interrupt:179 Base address:0x4000

fwd1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:808 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:180 Base address:0x5000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:8440 errors:0 dropped:0 overruns:0 frame:0
TX packets:8440 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1788930 (1.7 MiB) TX bytes:1788930 (1.7 MiB)

lo:0 Link encap:Local Loopback
inet addr:127.0.1.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1

vlan1 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:D8
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:11059 errors:0 dropped:0 overruns:0 frame:0
TX packets:11788 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1028580 (1004.4 KiB) TX bytes:9410337 (8.9 MiB)

wl0.1 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:D9
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:751 errors:0 dropped:55 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:100179 (97.8 KiB)

wl0.2 Link encap:Ethernet HWaddr 70:4D:7B:E4:A0:DA
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:751 errors:0 dropped:55 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:100179 (97.8 KiB)

It looks like eth1 and eth2 are virtual ports 5 and 7 and connect to the wifi radios. If I replace wl0.0 and wl1.0 with those eth1 and eth2 interfaces, I can see the changes show up in robocfg, but I cannot pull an IP address through any of those interfaces.
 

grifo

Senior Member
Yeah, eth1 and eth2 are the non-guest wifi interfaces; as I wrote earlier, it's best to leave these as default on vlan 1, else other things may break. If you still want to try to get it working this way, you'll also have to change the brctl lines to bridge those interfaces with the new VLAN instead of vlan 1, and the nvram set lines. It's also best to leave the main LAN+WLAN on br0, not br1. Bottom line, it's a messier config with potential pitfalls for no real benefit.
 

mentaluproar

Occasional Visitor
Okay, I changed things and got rid of the VLAN for home network traffic, collapsing it all into vlan 1. Nothing worked right for a while. I had to log into the webUI for an uplink switch, screenshot the settings, factory reset it, reapply those settings, and then it worked. I hate that switch.

Now I have a situation where all the VLANs can talk to each other, but I think that's an issue with opnsense settings and not the router. Here is what I have for services-start now. See anything wrong?

#!/bin/sh
# Tag VLANs 6 and 9 on LAN port 1 (robocfg port 3, the uplink to the switch) and the CPU port (8)
robocfg vlan 6 ports "3t 8t"
robocfg vlan 9 ports "3t 8t"
# Create the VLAN sub-interfaces on eth0 (the switch-facing interface) and bring them up
vconfig add eth0 6
vconfig add eth0 9

ifconfig vlan6 up
ifconfig vlan9 up

# One bridge per VLAN
brctl addbr br1
brctl addbr br2

# Take the 2.4 GHz guest SSIDs off the main bridge (br0)...
brctl delif br0 wl0.1
brctl delif br0 wl0.2

# ...and bridge each VLAN with its guest SSID
brctl addif br1 vlan6
brctl addif br2 vlan9

brctl addif br1 wl0.1
brctl addif br2 wl0.2

ifconfig br1 up
ifconfig br2 up

# Tell the firmware about the new bridges; main LAN+WLAN stays on br0 / vlan1
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan2_ifnames="vlan6 wl0.1"
nvram set lan2_ifname="br1"
nvram set lan3_ifnames="vlan9 wl0.2"
nvram set lan3_ifname="br2"
nvram commit
# Restart eapd so it picks up the new bridge membership
killall eapd
eapd
 

grifo

Senior Member
Looks good. Yes, now you have to configure the firewall rules on the opnsense to allow the new VLANs limited access.
 
