
AC86U VLAN Tagging with MerlinWRT

Am I correct in working out the interface assignment?
eth1 - ???
ath0 - lan
ath1 - lan
ath2 - lan
ath001 - 2.4 WiFi
ath101 - 5 WiFi
eth0 - wan


I have:

Dude, you do have the CT8 set up as an AiMesh node. There is an "AP" mode in the "Administration" tab of the router GUI.
Find the interfaces by watching ifconfig while you plug/unplug stuff and enable/disable wireless radios.
Finally got it working on the AC86U so figured I would share in case anyone else is interested.
In my setup my main network is VLAN 1 untagged, and VLAN 200 is tagged on the port with the AC86U in AP mode.

Adapted from https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

This will take Guest Network 1 for 2.4 and 5 GHz and push it into its own VLAN.
Code:
#!/bin/sh
# multi SSID with VLAN script, for ASUS AC86U with merlin
#
# setup before hand:
#       set "router" to "AP Mode"
#               this will put all ports and wireless in br0
#       create 2 guest networks (Guest Network 1 on each radio)
#       enable Administration => System => Enable JFFS custom scripts and configs
#       put this script in /jffs/scripts/, name should be "services-start"
#               remember `chmod a+x services-start`
#       I strongly suggest you use static IP instead of DHCP
#               In my test, the "router" will pick up a DHCP lease from VLAN 1 instead of VLAN 227
#       reboot
# some basic info of the original AP mode:
#       eth0 => WAN port
#       eth1~4 => LAN port 4~1, they're reversed
#       eth5 => WiFi 2.4G
#       eth6 => WiFi 5G
#       wl0.1, wl0.2 => WiFi 2.4G guest networks
#       wl1.1, wl1.2 => WiFi 5G guest networks
# this setup:
#       WAN port (eth0) will be repurposed as a tagged port
#       LAN ports (eth1~4) and primary WiFi (eth5,6) will be on Untagged VLAN (In my case VLAN 1 is untagged on this port)
#       guest network 1 will be on VLAN 200


#echo "============== START 1 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 1 $(date) ==================" >> /jffs/scripts/log
# take down both radios to force all clients to deauth
wl -i eth5 down
wl -i eth6 down

# sleep to allow deauth to finish
sleep 1
# echo $PATH > /tmp/script_debug
# remove the guest interfaces we're going to move to the other bridge
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# create an 802.1Q sub-interface carrying VLAN 200 on the WAN port
ip link add link eth0 name eth0.200 type vlan id 200
ip link set eth0.200 up

# set up br1 (guest LAN): move wl0.1 and wl1.1 plus the tagged sub-interface into br1 for the guest networks
brctl addbr br1
brctl addif br1 eth0.200
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up


# seems like eapd reads config from these
# no need to set lan_ifname since it's already there
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

nvram set lan1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set lan1_ifname="br1"


# doesn't seem to affect anything, just make it align
nvram set br0_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

nvram set br1_ifnames="wl0.1 wl1.1 eth0.200"
nvram set br1_ifname="br1"

# we do NOT issue `nvram commit` here since it won't survive reboot anyway

# is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

#echo "============== START 2 $(date) ==================" >> /jffs/scripts/log
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log
#brctl show >> /jffs/scripts/log
#echo "============== END 2 $(date) ==================" >> /jffs/scripts/log



# sleep for 5 seconds in case a script is still running, before we bring the radios back up
sleep 5

# bring back up the radios
wl -i eth5 up
wl -i eth6 up

Edit:

Added commands to take down the WiFi radios to force all clients to deauthenticate and disassociate, and then at the end bring the radios back up, after which all clients should authenticate again.

Just sharing in case anyone else is interested. I am running a pfSense router and a 24 port managed switch.

Out of curiosity if you remove one of the wired ports (like eth4/port 1) from br0 and put it in your br1 or br2 does it get a guest IP and get guest restrictions? At first I thought you might need to use vlanctl to add and strip tags but I don't think that's the case actually. Probably have to update the nvram variables too. I don't have an HND router to try it on.
 
After much research, endless hours of no sleep, and copying this and several other pieces of code from this forum, I finally got it to work. My main issue was that the virtual wireless interfaces stop authenticating as soon as you remove them from br0. I wish there were a lot more documentation, or that Merlin implemented it in the GUI, but he clearly stated he would not do it. Of note, the "router" is in AP mode. My home router is an OPNsense machine. Below is my solution with comments:


Bash:
#!/bin/sh

# Asus AC68U interface to physical port definitions
# WAN    eth0
# LAN 4  eth1
# LAN 3  eth2
# LAN 2  eth3
# LAN 1  eth4
# WLAN2  eth5
# WLAN5  eth6

# My desired configuration
# WAN      : Trunk port
# LAN 1    : VLAN11 - Home
# LAN 2    : VLAN12 - IoT
# LAN 3    : VLAN13 - Work
# LAN 4    : VLAN14 - Guest untagged LAN

# Guest WiFi:
#         wl0.1 - ASUS [IOT]      : VLAN12
#         wl1.1 - ASUS_5G [Home]  : VLAN11
#         wl1.2 - ASUS_5G [Work]  : VLAN13
#         wl1.3 - ASUS_5G [Guest] : VLAN14

## Delete interfaces from br0 ##

### Physical
#brctl delif br0 eth0 # It does not seem to need deleting
#brctl delif br0 eth1
brctl delif br0 eth2
brctl delif br0 eth3
brctl delif br0 eth4
#brctl delif br0 eth5
#brctl delif br0 eth6

### Virtual
brctl delif br0 wl0.1 # IoT
brctl delif br0 wl1.1 # Home
brctl delif br0 wl1.2 # Work
brctl delif br0 wl1.3 # Guest

# Very important: remove the moved interfaces from lan_ifnames, otherwise the WiFi will never authenticate.
# eth4 is moved into br11 below, so it is listed in lan1_ifnames instead of here.
nvram set lan_ifnames="eth0 eth1"

ethswctl -c hw-switching -o disable # Still questioning this line
vlanctl --if eth0 --set-if-mode-rg # Set the port to be VLAN aware (trunk?)??
#vlanctl --if eth0 --tx --tags 0 --default-miss-drop # Make it strict; I don't use this...

# Create tag 11 on the WAN physical port eth0 (note it's just another LAN port). This will be my Home network.
vlanctl --mcast --if-create eth0 11
vlanctl --if eth0 --rx --tags 1 --filter-vid 11 0 --pop-tag --set-rxif eth0.v11 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v11 --push-tag --set-vid 11 0 --rule-append
ifconfig eth0.v11 up

# Creating VLAN 12 and the input / output rules (IoT network)
vlanctl --mcast --if-create eth0 12
vlanctl --if eth0 --rx --tags 1 --filter-vid 12 0 --pop-tag --set-rxif eth0.v12 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v12 --push-tag --set-vid 12 0 --rule-append
ifconfig eth0.v12 up

# Creating VLAN 13 and the input / output rules (Work network)
vlanctl --mcast --if-create eth0 13
vlanctl --if eth0 --rx --tags 1 --filter-vid 13 0 --pop-tag --set-rxif eth0.v13 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v13 --push-tag --set-vid 13 0 --rule-append
ifconfig eth0.v13 up

# Creating VLAN 14 and the input / output rules (Guest network)
vlanctl --mcast --if-create eth0 14
vlanctl --if eth0 --rx --tags 1 --filter-vid 14 0 --pop-tag --set-rxif eth0.v14 --rule-append
vlanctl --if eth0 --tx --tags 0 --filter-txif eth0.v14 --push-tag --set-vid 14 0 --rule-append
ifconfig eth0.v14 up


# Create Home bridge for VLAN tag number 11
brctl addbr br11 # Create bridge
brctl addif br11 wl1.1 # Add 5G wireless
brctl addif br11 eth4 # LAN1
brctl addif br11 eth0.v11
vconfig add br11 11 # Is it needed?
ifconfig br11 192.168.11.240 netmask 255.255.255.0 up # Set up static IP
brctl setfd br11 0 # Is it needed?
ip link set br11 up # Is this redundant?
# lan1_ifnames lists every member of br11 (eth4 included) so it agrees with the bridge.
nvram set lan1_ifnames="eth0.v11 wl1.1 eth4" # Does LAN need to be a low number? Yes, I think it has to be lower than 10? Or maybe just in order?
nvram set lan1_ifname="br11"

# IoT LAN
brctl addbr br12 # IoT
brctl addif br12 eth0.v12 # VLAN12 TRUNK WAN
brctl addif br12 wl0.1 # IoT 2G WIFI
brctl addif br12 eth3 # LAN2
ifconfig br12 192.168.12.240 netmask 255.255.255.0 up
nvram set lan2_ifnames="eth0.v12 wl0.1 eth3"
nvram set lan2_ifname="br12"

# Work LAN
brctl addbr br13 # Work
brctl addif br13 eth0.v13 # VLAN13 TRUNK WAN
brctl addif br13 wl1.2  # Work 5G WIFI
brctl addif br13 eth2 # LAN3
ifconfig br13 192.168.13.240 netmask 255.255.255.0 up
nvram set lan3_ifnames="eth0.v13 eth2 wl1.2"
nvram set lan3_ifname="br13"

# Guest LAN
brctl addbr br14 # Guest
brctl addif br14 eth0.v14 # VLAN14 TRUNK WAN
brctl addif br14 wl1.3  # Guest 5G WIFI
ifconfig br14 192.168.14.240 netmask 255.255.255.0 up
nvram set lan4_ifnames="eth0.v14 wl1.3" # I tried lan14_ifnames and it did not work
nvram set lan4_ifname="br14"
#nvram set wl1.3_ap_isolate="1"

# Restart the Extensible Authentication Protocol daemon (eapd). Don't ask why, everyone does it
killall eapd
eapd
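An added sanity check for both scripts in this thread (my own code, not from either poster): it parses `brctl show` output, here a constructed sample using the interface and bridge names from the first script, and verifies that the guest SSIDs ended up in the guest bridge rather than br0, and that an nvram lanN_ifnames value agrees with the bridge's real membership, which is the lan_ifnames mismatch the second script warns about.

```shell
#!/bin/sh
# Post-change sanity check for the bridge/VLAN layouts built by the scripts above.
# The brctl output below is a constructed sample so this runs offline;
# on the router, set BRCTL_OUT="$(brctl show)" before calling the checks.
BRCTL_OUT='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth0
                                                        eth1
                                                        eth5
                                                        eth6
br1             8000.000000000002       no              eth0.200
                                                        wl0.1
                                                        wl1.1'
# Emit "<bridge> <interface>" pairs; brctl prints extra members on their own line.
bridge_pairs() {
    printf '%s\n' "$BRCTL_OUT" | awk 'NR == 1 { next }
        NF >= 4 { br = $1; print br, $4; next }
        NF == 1 { print br, $1 }'
}
# Print the bridge holding interface $1 (empty if it is in none).
bridge_of() { bridge_pairs | awk -v i="$1" '$2 == i { print $1 }'; }
# Print the sorted member list of bridge $1, one per line.
members_of() { bridge_pairs | awk -v b="$1" '$1 == b { print $2 }' | sort; }

# check_guest_isolated <guest bridge> <guest iface>...: every guest SSID must sit
# in the guest bridge, so guest clients never share the untagged main LAN (br0).
check_guest_isolated() {
    gbr=$1; shift; rc=0
    for i in "$@"; do
        where=$(bridge_of "$i")
        if [ "$where" != "$gbr" ]; then
            echo "FAIL: $i is in '${where:-no bridge}', expected $gbr" >&2; rc=1
        fi
    done
    return $rc
}
# check_ifnames_match <bridge> <lanN_ifnames value>: eapd learns membership from
# nvram, so a list that disagrees with the bridge is the mismatch the second
# script warns about (WiFi that never authenticates).
check_ifnames_match() {
    want=$(printf '%s\n' $2 | sort)
    have=$(members_of "$1")
    [ "$want" = "$have" ] && return 0
    echo "FAIL: $1 has [$(echo $have)] but nvram lists [$(echo $want)]" >&2
    return 1
}

check_guest_isolated br1 wl0.1 wl1.1
check_ifnames_match br1 "wl0.1 wl1.1 eth0.200"
```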