AC86 VLAN issue


Eric Lieb

Senior Member
So I have set up my PFSense and switch and am now working on my AC86U, which I want to use for both my main network and a guest network.

Vlan 1 - Main Network
Vlan 200 - Guest network


I ran this
#!/bin/sh

# multi SSID with VLAN script, for ASUS AC86U with merlin


#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log

# echo $PATH > /tmp/script_debug

# remove eth0 which will be reconfigured as a tagged port
brctl delif br0 eth0
# remove interfaces we're gonna move to other bridges
brctl delif br0 wl1.1

# add vlans
# interestingly, depending on the time passed since system boot,
# vlan interfaces will be named eth0.1 or vlan1, I guess some udev rules got loaded.
# so we use ip link instead of vconfig to specify a name explicitly.
ip link add link eth0 name eth0.01 type vlan id 1
ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.01 up
ip link set eth0.200 up

# reconfigure br0, private LAN
brctl addif br0 eth0.01

# set up br1, guest LAN
brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl1.1
ip link set br1 up


# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.01"

nvram set lan1_ifnames="wl1.1 eth0.200"
nvram set lan1_ifname="br1"

# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0.01"

nvram set br1_ifnames="wl1.1 eth0.200"
nvram set br1_ifname="br1"

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd
Which works great for the guest network (it gets tagged as VLAN 200 and everything), but the main network on VLAN 1 doesn't seem to be working. Any ideas?
 

You should not be tagging VLAN1. Also not sure why you're doing eth0.01 and not eth0.1. Never seen that before, not sure if it will cause problems or not.
 
So is there any way I can keep the main traffic on VLAN 1 and only move the guest network to VLAN 200?
 

You may find it easier to avoid VLAN 1 completely and just use two tagged VLANs for your purpose. I believe in order to be untagged you need to assign it to the parent interface like "eth0" not a subinterface, but there are other ways, I think you can do "pop tag" or something like that to remove the tag. Have also seen mention of using "VLAN ID 0" to tell it to be untagged. Don't have a lot of experience with vlans in linux, luckily my router supports robocfg etc which makes it easy.
 

Yeah come to think of it from when I was messing around with it, if you want to use VLAN1 for your main LAN, just leave eth0 and br0 alone, remove the guest wireless from br0, and put it in a new bridge along with eth0.200.

Do not create eth0.1 (or eth0.01) or vlan 1 at all, those are already there, vlan 1 is the default when untagged.

Technically from a security perspective, it is better to leave VLAN 1 unused and use two other VLANs, like 100 and 200, for your LAN stuff. But not sure if that would interfere with the management of the AP; may have to toy with that a bit, but I think if you had eth0 and eth0.100 in the same bridge it would probably work. Not critical in a home environment anyway, using 1 is fine.
 

I went the even easier route and just removed a port from VLAN 1 on my switch, untagged it on VLAN 200 and plugged another router in AP mode into that port. Both radios on that router (2.4 and 5 GHz) now go to the guest VLAN 200. I had the spare router lying around, so decided just to get my network working and maybe I will play around with VLANs in Asus at a later date. But in all honesty this entire process of trying to get it to work made me just want to go with actual AP hardware with VLAN support already baked in. Tried FreshTomato and DD-WRT on an AC68R and even those didn't work compared to my friends who just have Ubiquiti equipment.
 
But in all honesty this entire process of trying to get it work made me just want to go with an actual AP hardware with VLAN support

The better way. Omada and UniFi APs start from as low as $60 on sale.
 

The Asus has VLAN support, just not intended to be user configurable. Obviously it will be a bit more work than just buying something that is intended to have VLANs configured by the user (through the GUI).

I have a Ubiquiti access point connected to my AC68U with VLANs and tagging, works well.

FT should work on the AC68, again may have been something to do with trying to tag VLAN 1 or similar.
 
When you guys find a working solution help @eleVator here:

 
I think the other person is probably going to have to take on the experimenting, but this should be a good place to start.

brctl delif br0 wl1.1

ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.200 up

brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl1.1
ip link set br1 up

nvram set lan1_ifnames="wl1.1 eth0.200"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl1.1 eth0.200"
nvram set br1_ifname="br1"

killall eapd
eapd
 
Wanted to give this another try to set up

brctl delif br0 wl0.1
brctl delif br0 wl1.1

ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.200 up

brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up

nvram set lan1_ifnames="wl0.1 eth0.200"
nvram set lan1_ifnames="wl1.1 eth0.200"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl0.1 eth0.200"
nvram set br1_ifnames="wl1.1 eth0.200"
nvram set br1_ifname="br1"

killall eapd
eapd

ethswctl -c hw-switching -o disable
runner disable

bridge name     bridge id               STP enabled     interfaces
br0             8000.04d4c41aa5b8       no              eth0
                                                        eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
br1             8000.04d4c41aa5b8       no              eth0.200
                                                        wl0.1
                                                        wl1.1


So it looks like it set up correctly. I made sure VLAN 1 was untagged and VLAN 200 is tagged on that port.

But when I try to connect to the guest Wi-Fi on my laptop all I get is "can't connect to this network".

Edit: The problem appears to be WPA2 authentication. When I switch the guest network to "open" it works fine. So not sure why WPA2 is messing it up.
 

Seems like you're close, my guess is some link between the new VLAN 200 and the CPU is needed, or maybe an iptables rule, to allow authentication to happen.

You're setting lan1_ifnames twice; the second is overwriting the first. Maybe it uses that NVRAM variable for a firewall rule or authentication. Does it work on 5 GHz but not 2.4 GHz? In the current state you're removing the 2.4 GHz interface when you add the 5 GHz one. Same for br1_ifnames. It needs to be all in a single command.
 
https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508/ - Finally got it working


Had to run FC Disable and also change the ifnames to be proper



Yup you were right, I was setting ifnames improperly and forgot to assign lan (0) ifnames...
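The script below is an added example, not the thread's own script and not Asus or Merlin code. It puts together the guest-bridge commands suggested earlier in the thread and the diagnosis that a second `nvram set lan1_ifnames=` overwrites the first: both guest radios and the tagged sub-interface are listed in one assignment per variable, VLAN 1 is left untagged and untouched, and two offline checks are included that a practitioner would run before and after applying it. The interface names, VLAN id 200 and NVRAM variable names come from the thread; the helper function names, the constructed sample inputs, and the idea of stripping the guest radios out of lan_ifnames before the apply step are this example's own assumptions. Only apply_guest_vlan touches the router; everything else runs anywhere.

```shell
#!/bin/sh
# Added example (not the thread's or Merlin's code). Interface names, VLAN id and NVRAM
# variables are from the thread; helper names and samples are constructed here.

GUEST_VID=200
TRUNK_IF=eth0
GUEST_WIFI="wl0.1 wl1.1"   # 2.4 GHz and 5 GHz guest SSID interfaces

# Every member of the guest bridge: both guest radios plus the tagged sub-interface.
guest_ifnames() {
    echo "$GUEST_WIFI $TRUNK_IF.$GUEST_VID"
}

# Drop the guest radios from an existing interface list (lan_ifnames / br0_ifnames)
# so no interface is claimed by two bridges. Assumption: lan_ifnames may list them.
strip_guest_from() {
    out=""
    for ifc in $1; do
        case " $GUEST_WIFI " in
            *" $ifc "*) ;;            # guest interface: leave it out
            *) out="$out $ifc" ;;
        esac
    done
    echo "${out# }"
}

# The NVRAM assignments for the guest bridge, ONE per variable, printed for review.
guest_nvram_commands() {
    cat <<EOF
nvram set lan1_ifnames="$(guest_ifnames)"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="$(guest_ifnames)"
nvram set br1_ifname="br1"
EOF
}

# Lint a script body: print (sorted, space-separated) every NVRAM variable assigned
# more than once. A later `nvram set X=` silently replaces the earlier value, which is
# how the 2.4 GHz guest interface dropped out of lan1_ifnames in the thread.
duplicate_nvram_sets() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*nvram set \([A-Za-z0-9_]*\)=.*/\1/p' \
      | sort | uniq -d | tr '\n' ' ' | sed 's/ $//'
}

# bridge_of <brctl-show-output> <iface>: print the bridge owning <iface>, or nothing.
# `brctl show` puts the first port on the bridge's own line and further ports on
# indented continuation lines; the awk program tracks that layout.
bridge_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                                   # column header
        /^[^ \t]/ { br = $1; port = (NF >= 4) ? $4 : "" }  # bridge line, maybe with a port
        /^[ \t]/  { port = $1 }                            # continuation line: one port
        port == want { print br; exit }'
}

# verify_guest_bridge <brctl-show-output>: every guest member must sit in br1 and the
# untagged trunk must still be in br0 (VLAN 1 stays the untagged default).
verify_guest_bridge() {
    for ifc in $(guest_ifnames); do
        [ "$(bridge_of "$1" "$ifc")" = "br1" ] || { echo "$ifc is not in br1" >&2; return 1; }
    done
    [ "$(bridge_of "$1" "$TRUNK_IF")" = "br0" ] || { echo "$TRUNK_IF is not in br0" >&2; return 1; }
    return 0
}

# Router-side steps (Merlin shell on the AC86U); never run by the offline checks.
apply_guest_vlan() {
    for ifc in $GUEST_WIFI; do brctl delif br0 "$ifc"; done
    ip link add link "$TRUNK_IF" name "$TRUNK_IF.$GUEST_VID" type vlan id "$GUEST_VID"
    ip link set "$TRUNK_IF.$GUEST_VID" up
    brctl addbr br1
    for ifc in $(guest_ifnames); do brctl addif br1 "$ifc"; done
    ip link set br1 up
    nvram set lan_ifnames="$(strip_guest_from "$(nvram get lan_ifnames)")"  # main LAN: eth0 untagged
    eval "$(guest_nvram_commands)"
    killall eapd
    eapd
}

# Constructed sample of the thread's second attempt (two assignments per variable).
BUGGY_SCRIPT='nvram set lan1_ifnames="wl0.1 eth0.200"
nvram set lan1_ifnames="wl1.1 eth0.200"
nvram set lan1_ifname="br1"
nvram set br1_ifnames="wl0.1 eth0.200"
nvram set br1_ifnames="wl1.1 eth0.200"
nvram set br1_ifname="br1"'

# Constructed `brctl show` output in the layout the thread pasted.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.04d4c41aa5b8       no              eth0
                                                        eth1
br1             8000.04d4c41aa5b8       no              eth0.200
                                                        wl0.1
                                                        wl1.1'

case "${1:-check}" in
    apply) apply_guest_vlan ;;
    check) echo "duplicated nvram variables: $(duplicate_nvram_sets "$BUGGY_SCRIPT")"
           verify_guest_bridge "$SAMPLE_BRCTL" && echo "bridge layout OK" ;;
esac
```

Run it without arguments on any machine to see the lint flag both lan1_ifnames and br1_ifnames in the buggy sample and to check the sample bridge layout; `sh guest_vlan.sh apply` is the form meant for the router shell. After applying, feed the real `brctl show` output to verify_guest_bridge instead of the sample to confirm that wl0.1 and wl1.1 really left br0.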
 
