AC86U VLAN Tagging with MerlinWRT

[drinkingbird]

Is there a way to get an AP router (not a mesh-enable satellite router) to utilize the VLANs setup by the main router?

Yes, do what Eric did but use the Asus VLANs (501, 502, etc). It will be a bit different but pretty similar. You can even look at the main router to get some hints on what needs to be configured.

 

[maxbraketorque]

Yes, do what Eric did but use the Asus VLANs (501, 502, etc). It will be a bit different but pretty similar. You can even look at the main router to get some hints on what needs to be configured.

Thanks. I was wondering if that would work. What I didn't (and still don't understand) is how the main router makes VLAN 501/502 available to the AP.

 

[drinkingbird]

Thanks. I was wondering if that would work. What I didn't (and still don't understand) is how the main router makes VLAN 501/502 available to the AP.

It adds tagged vlans to all wired LAN ports as well as the wireless interfaces (for wireless backhaul). Basically every LAN port as well as the wireless interfaces become 802.1Q VLAN trunks.

Normal devices ignore these tagged frames, only devices with those VLANs configured will see them.

If you enable guest wireless 1, disable intranet access, and then reboot, you can do ifconfig and brctl show and you'll several 501 and 502 subinterfaces. It looks different on HND and non-HND routers.

You can tell if your router is HND or not by doing a "robocfg show". If it gives an output, it is non-HND. If it gives an error it is HND.

Edit - I see you have an AC86U which is HND. So the commands you'll use are similar to Eric's but you'll be using VLANs 1, 501, and 502 (assuming you have both 2.4 and 5ghz guest). For example eth0.501 and eth0.502 for the WAN port to tag those VLANs back to the main router.

 

[Eric Lieb]

Yes, do what Eric did but use the Asus VLANs (501, 502, etc). It will be a bit different but pretty similar. You can even look at the main router to get some hints on what needs to be configured.

I figured it had to do some sort of VLAN isolation for the Client Isolation, just dont have a spare router to mess with. Wonder if YazFI uses the same VLAN assignments. I believe YazFI lets you assign Client Isolation to all 3 2.4 and 5ghz guest networks, also it lets you assign new subnets.

 

[Eric Lieb]

Thanks. I was wondering if that would work. What I didn't (and still don't understand) is how the main router makes VLAN 501/502 available to the AP.

Here is my updated script that adds a 3rd VLAN

#!/bin/sh
wl -i eth5 down
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 eth5

ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.200 up
ip link add link eth0 name eth0.100 type vlan id 100
ip link set eth0.100 up


brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up

brctl addbr br2
brctl addif br2 eth0.100
brctl addif br2 eth5
ip link set br2 up

nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth6 eth0"

nvram set lan1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="eth5 eth0.100"
nvram set lan2_ifname="br2"


nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth6 eth0"

nvram set br1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set br1_ifname="br1"

nvram set br2_ifnames="eth5 eth0.100"
nvram set br2_ifname="br2"

killall eapd
eapd
runner disable
fc disable
wl -i eth5 up

 

[Eric Lieb]

RT-AC86U owner, but not an expert. With that, I can offer the following suggestions:

To disable the radios, try properly adding these to init-start (hopefully that's not too early in the boot process):

wl -i eth5 down     # 2.4 GHz radio
wl -i eth6 down     # 5.0 GHz radio

EDIT: If it's indeed too early, you could potentially mitigate that by inserting a few seconds of "sleep" before the "wl -i" commands. Based on my experience, init-start is triggered about 5 or 6 seconds before services-start.

And to re-enable the radios, add these somewhere in your script:

wl -i eth5 up     # 2.4 GHz radio
wl -i eth6 up     # 5.0 GHz radio

I'd appreciate if you could report back. I hope it works!

Thanks that actually helped out a lot. Here is a question, if I set eth5 to down, does wl0.X networks go down with it? Do do I need to set eth5 down and all of my wl0.X down also?

 

[maxbraketorque]

ok, I've got ASUS router main/AP VLAN guest networking operational for 2.4 GHz on the AP, but not for combined 2.4 GHz and 5 GHz on the AP. I suspect that I am incorrectly using one of the nvram commands. If I want to set lan1_ifnames for the 2.4 GHz and 5 GHz guest networks, can I use the following two commands:

nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifnames="wl1.1 eth0.502"

Or is it necessary to define all the interface names with a single command, e.g.,:

nvram set lan1_ifnames="wl0.1 eth0.501 wl1.1 eth0.502"

If its the latter, is there an requirement on ordering of the names?

 

[Eric Lieb]

ok, I've got ASUS router main/AP VLAN guest networking operational for 2.4 GHz on the AP, but not for combined 2.4 GHz and 5 GHz on the AP. I suspect that I am incorrectly using one of the nvram commands. If I want to set lan1_ifnames for the 2.4 GHz and 5 GHz guest networks, can I use the following two commands:

nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifnames="wl1.1 eth0.502"

Or is it necessary to define all the interface names with a single command, e.g.,:

nvram set lan1_ifnames="wl0.1 eth0.501 wl1.1 eth0.502"

If its the latter, is there an requirement on ordering of the names?

You have 2 different VLANs so you will need an additional lan.

nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan2_ifnames="wl1.1 eth0.502"

Can you run brctl show and put the output? You need to name sure you set the ifname (not ifnames) to the bridge.

 

[maxbraketorque]

You have 2 different VLANs so you will need an additional lan.

nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan2_ifnames="wl1.1 eth0.502"

Can you run brctl show and put the output? You need to name sure you set the ifname (not ifnames) to the bridge.

ok, so I do need a lan2 (and br2?). I understand what you mean about ifname vs ifnames. I'll try the lan2 setup in a little while. I've got some work work that I need to get done.

 

[Eric Lieb]

ok, so I do need a lan2 (and br2?). I understand what you mean about ifname vs ifnames. I'll try the lan2 setup in a little while. I've got some work work that I need to get done.

Please run

brctl show

and post

 

[Eric Lieb]

FYI I have added some additional stuff to the first post. Disabling the radios in init-start doesn't work because the radios are brought up after that runs again, so instead I just have it bring down the radios and sleep for 1 seconds to make sure all devices deauth and at the end I bring back up the radios which should force all the devices to reauth.

This has been a real learning experience but I may just buy an Aruba AP-325 because this still seems to be finicky (having issues with devices randomly dropping off that I cant seem to figure out).

 

[drinkingbird]

ok, I've got ASUS router main/AP VLAN guest networking operational for 2.4 GHz on the AP, but not for combined 2.4 GHz and 5 GHz on the AP. I suspect that I am incorrectly using one of the nvram commands. If I want to set lan1_ifnames for the 2.4 GHz and 5 GHz guest networks, can I use the following two commands:

nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifnames="wl1.1 eth0.502"

Or is it necessary to define all the interface names with a single command, e.g.,:

nvram set lan1_ifnames="wl0.1 eth0.501 wl1.1 eth0.502"

If its the latter, is there an requirement on ordering of the names?

If you want both guest frequencies (2.5 and 5) on the same VLAN you can just use vlan 501 and ignore 502. I'm using 501 for wireless guest and 502 assigned to a few physical ports for wired guest (working on PCs that I don't trust, etc).

You have to set the entire variable with one command, the second one overwrites the first.

 

[Eric Lieb]

If you want both guest frequencies (2.5 and 5) on the same VLAN you can just use vlan 501 and ignore 502. I'm using 501 for wireless guest and 502 assigned to a few physical ports for wired guest (working on PCs that I don't trust, etc).

You have to set the entire variable with one command, the second one overwrites the first.

... Not sure it works that way in router mode but I am not familiar enough to say for certain. Are you using the Asus router as the dhcp server?

 

[drinkingbird]

Here is my updated script that adds a 3rd VLAN

#!/bin/sh
wl -i eth5 down
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 eth5

ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.200 up
ip link add link eth0 name eth0.100 type vlan id 100
ip link set eth0.100 up


brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up

brctl addbr br2
brctl addif br2 eth0.100
brctl addif br2 eth5
ip link set br2 up

nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth6 eth0"

nvram set lan1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="eth5 eth0.100"
nvram set lan2_ifname="br2"


nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth6 eth0"

nvram set br1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set br1_ifname="br1"

nvram set br1_ifnames="eth5 eth0.100"
nvram set br1_ifname="br2"

killall eapd
eapd
runner disable
fc disable
wl -i eth5 up

At the end you need to set br2_ifnames not br1 (you're just overwriting your previous statements). Though honestly I don't think that nvram variable (and probably the br1 also) will do anything, the code likely is not calling it. Every variable in NVRAM has to be referenced somewhere in the code of the router to actually do something.

 

[Eric Lieb]

At the end you need to set br2_ifnames not br1 (you're just overwriting your previous statements). Though honestly I don't think that nvram variable (and probably the br1 also) will do anything, the code likely is not calling it. Every variable in NVRAM has to be referenced somewhere in the code of the router to actually do something.

Hahahaha... That is a typo I will fix. It isn't like that in my services-start file BUT copying and pasting from nano isn't exactly easy

 

[drinkingbird]

... Not sure it works that way in router mode but I am not familiar enough to say for certain.

Which part? I've combined both guest frequencies to use VLAN 501 and use 502 for a different purpose. My router is non-HND but no reason it can't be done on HND also. Though the wired ports being in the 501/502 vlan may be a bit more difficult, I think you need to use a command to strip the tag off when it hits that port. The non-HND make this a lot easier.

 

[maxbraketorque]

Please run

brctl show

and post

I'll have time this evening.

 

[Eric Lieb]

Which part? I've combined both guest frequencies to use VLAN 501 and use 502 for a different purpose. My router is non-HND but no reason it can't be done on HND also. Though the wired ports being in the 501/502 vlan may be a bit more difficult, I think you need to use a command to strip the tag off when it hits that port. The non-HND make this a lot easier.

Makes sense but that can be a real pain in HND routers. This is why I gave up originally and went with a PFSense and managed switch, works a lot better (especially for my 100+ active clients).

 

[drinkingbird]

Makes sense but that can be a real pain in HND routers. This is why I gave up originally and went with a PFSense and managed switch, works a lot better (especially for my 100+ active clients).

Here is one with the pop-tag and push-tag commands, would need to be modified a bit to work with the LAN ports. Basically you strip the tag off when traffic leaves the port and add it on when traffic comes into the port.

VLANs, Trunk interface, tagged and untagged traffic RT-AX86U and RT-AX88U

It took me a while to make this thing work. I could find some configs but nothing worked as provided. After combining information from several different posts I came to the working solution posted below. As it took me a while to get it to work I figured I'd share it here in case anyone else...

www.snbforums.com

 

[Eric Lieb]

Last Update because I am done playing with this router. I am probably going to replace it with an Aruba AP-325

I realized I have been having some weird issues with the router (ignoring commands to reboot and logging that it is ignoring the commands, ignoring manual updates, ect.) so I went through a long long LOOOOOOOOOOOOOng process of recovering stock firmware using the asus recovery tool and then manually reflashing merlinwrt over the newest asuswrt firmware. Now everything is working WITH flow cache and runner enabled. I am starting to think my router got corrupted somehow during the flash from 386.9 to 386.10 (or maybe older than that) and I just never noticed because I wasn't looking hard enough until I started this little VLAN project. I haven't noticed some of the quarks I was noticing before so far, so hopefully that fixed it.