AC86U VLAN Tagging with MerlinWRT

[drinkingbird]

Last Update because I am done playing with this router. I am probably going to replace it with an Aruba AP-325

I realized I have been having some weird issues with the router (ignoring commands to reboot and logging that it is ignoring the commands, ignoring manual updates, ect.) so I went through a long long LOOOOOOOOOOOOOng process of recovering stock firmware using the asus recovery tool and then manually reflashing merlinwrt over the newest asuswrt firmware. Now everything is working WITH flow cache and runner enabled. I am starting to think my router got corrupted somehow during the flash from 386.9 to 386.10 (or maybe older than that) and I just never noticed because I wasn't looking hard enough until I started this little VLAN project. I haven't noticed some of the quarks I was noticing before so far, so hopefully that fixed it.

386.9 and 386.10 have some issues with NVRAM space. Not as severe on your router but still a concern. If it becomes unstable again, you may want to stick with 386.7_2. Or maybe like you said it just was in need of a reset anyway, seems to be mandatory with 386.9 and 10.

 

[maxbraketorque]

I've got it working. If I understand how this VLAN stuff works, VLAN 501 and 502 are isolated from each other, and since I'm keeping all my IOT stuff on 2.4G guest and using 5G guest for actual guests, I decided maintain the VLAN 501=2.4G and 502=5G topology on the AP.

Here is the core of the script. I experimented with disabling the nvram entries, Runner, and FC. Runner and FC do not need to be disabled to work on my AP. I found that one of the nvram entries was unneeded, but the others were all needed for the AP guest networks to function. So everything that's listed here is needed.

Considering how simple and logical this code is, I'm amazed that someone hadn't figured this out long ago. I suppose part of the reason is that VLAN implementation of Guest Network #1 on ASUS main routers appears to be a fairly recent change to the firmware. Perhaps another reason is that I suspect that only a few people are using ASUS routers in AP mode (which is unfortunate because AP mode appears to be way more reliable and configurable than Aimesh mode if wired backhaul is available).

Can you folks let me know if you see anything that can be improved? After that, I will create a new thread and post it there.

One question for anyone - I have my main router configured to act as an NTP server and force devices on my network to use it. Will devices on these VLAN guest networks on the AP be able to reach the main router NTP server? Is there a way to test this?

# Remove hash tags from the following lines if setting up 2.4G Guest Network #1 on the AP.

# Create VLAN 501 and link to eth0 (WAN port),
ip link add link eth0 name eth0.501 type vlan id 501
ip link set eth0.501 up

# Remove wl0.1 interface from br0.
brctl delif br0 wl0.1

# Set up br1, and then link VLAN 501 and wl0.1 (2.4G Guest Network #1) to br1.
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
ip link set br1 up

# Create names in nvram.
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"

# End setup of 2.4G Guest Network #1 on the AP.


# Remove hash tags from the following lines if setting up 5G Guest Network #1 on the AP.

# Create VLAN 502 and link to eth0 (WAN port),
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.502 up

# Remove wl1.1 interface from br0.
brctl delif br0 wl1.1

# Create br2, then link VLAN 502 and wl1.1 (5G Guest Network #1) to br2.
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl1.1
ip link set br2 up

# Create names in nvram.
nvram set lan2_ifnames="wl1.1 eth0.502"
nvram set lan2_ifname="br2"

nvram set br2_ifnames="wl1.1 eth0.502"
nvram set br2_ifname="br2"

# End setup of 5G Guest Network #1 on the AP.


# eapd reads config from these.
# No need to set lan_ifname since it's already there.
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

# Do NOT issue `nvram commit` here since it won't survive reboot.  (Is this really true?)

# Restart eapd.
# Is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

 

[drinkingbird]

I've got it working. If I understand how this VLAN stuff works, VLAN 501 and 502 are isolated from each other, and since I'm keeping all my IOT stuff on 2.4G guest and using 5G guest for actual guests, I decided maintain the VLAN 501=2.4G and 502=5G topology on the AP.

Here is the core of the script. I experimented with disabling the nvram entries, Runner, and FC. Runner and FC do not need to be disabled to work on my AP. I found that one of the nvram entries was unneeded, but the others were all needed for the AP guest networks to function. So everything that's listed here is needed.

Considering how simple and logical this code is, I'm amazed that someone hadn't figured this out long ago. I suppose part of the reason is that VLAN implementation of Guest Network #1 on ASUS main routers appears to be a fairly recent change to the firmware. Perhaps another reason is that I suspect that only a few people are using ASUS routers in AP mode (which is unfortunate because AP mode appears to be way more reliable and configurable than Aimesh mode if wired backhaul is available).

Can you folks let me know if you see anything that can be improved? After that, I will create a new thread and post it there.

One question for anyone - I have my main router configured to act as an NTP server and force devices on my network to use it. Will devices on these VLAN guest networks on the AP be able to reach the main router NTP server? Is there a way to test this?

# Remove hash tags from the following lines if setting up 2.4G Guest Network #1 on the AP.

# Create VLAN 501 and link to eth0 (WAN port),
ip link add link eth0 name eth0.501 type vlan id 501
ip link set eth0.501 up

# Remove wl0.1 interface from br0.
brctl delif br0 wl0.1

# Set up br1, and then link VLAN 501 and wl0.1 (2.4G Guest Network #1) to br1.
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
ip link set br1 up

# Create names in nvram.
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"

# End setup of 2.4G Guest Network #1 on the AP.


# Remove hash tags from the following lines if setting up 5G Guest Network #1 on the AP.

# Create VLAN 502 and link to eth0 (WAN port),
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.502 up

# Remove wl1.1 interface from br0.
brctl delif br0 wl1.1

# Create br2, then link VLAN 502 and wl1.1 (5G Guest Network #1) to br2.
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl1.1
ip link set br2 up

# Create names in nvram.
nvram set lan2_ifnames="wl1.1 eth0.502"
nvram set lan2_ifname="br2"

nvram set br2_ifnames="wl1.1 eth0.502"
nvram set br2_ifname="br2"

# End setup of 5G Guest Network #1 on the AP.


# eapd reads config from these.
# No need to set lan_ifname since it's already there.
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

# Do NOT issue `nvram commit` here since it won't survive reboot.  (Is this really true?)

# Restart eapd.
# Is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

Looks ok at quick glance. Not sure if NTP intercept works on the guest wireless. Test it out. Would think it would but they may have overlooked that. Could probably do some iptables and ebtables rules to replicate it.

Various iterations of this setup have been done on AP and router but each person's use case is different, and people have gradually found better/cleaner ways. This seems like the simplest one yet, but partially due to Asus already doing a lot of the hard stuff by creating the VLANs, subnets, and firewall rules for you now. In the past people had to do all that which made it more complex.

It is actually way easier than this on the non HND routers with robocfg.

 

[svh]

I've got it working. If I understand how this VLAN stuff works, VLAN 501 and 502 are isolated from each other, and since I'm keeping all my IOT stuff on 2.4G guest and using 5G guest for actual guests, I decided maintain the VLAN 501=2.4G and 502=5G topology on the AP.

Here is the core of the script. I experimented with disabling the nvram entries, Runner, and FC. Runner and FC do not need to be disabled to work on my AP. I found that one of the nvram entries was unneeded, but the others were all needed for the AP guest networks to function. So everything that's listed here is needed.

Considering how simple and logical this code is, I'm amazed that someone hadn't figured this out long ago. I suppose part of the reason is that VLAN implementation of Guest Network #1 on ASUS main routers appears to be a fairly recent change to the firmware. Perhaps another reason is that I suspect that only a few people are using ASUS routers in AP mode (which is unfortunate because AP mode appears to be way more reliable and configurable than Aimesh mode if wired backhaul is available).

Can you folks let me know if you see anything that can be improved? After that, I will create a new thread and post it there.

One question for anyone - I have my main router configured to act as an NTP server and force devices on my network to use it. Will devices on these VLAN guest networks on the AP be able to reach the main router NTP server? Is there a way to test this?

# Remove hash tags from the following lines if setting up 2.4G Guest Network #1 on the AP.

# Create VLAN 501 and link to eth0 (WAN port),
ip link add link eth0 name eth0.501 type vlan id 501
ip link set eth0.501 up

# Remove wl0.1 interface from br0.
brctl delif br0 wl0.1

# Set up br1, and then link VLAN 501 and wl0.1 (2.4G Guest Network #1) to br1.
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
ip link set br1 up

# Create names in nvram.
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"

# End setup of 2.4G Guest Network #1 on the AP.


# Remove hash tags from the following lines if setting up 5G Guest Network #1 on the AP.

# Create VLAN 502 and link to eth0 (WAN port),
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.502 up

# Remove wl1.1 interface from br0.
brctl delif br0 wl1.1

# Create br2, then link VLAN 502 and wl1.1 (5G Guest Network #1) to br2.
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl1.1
ip link set br2 up

# Create names in nvram.
nvram set lan2_ifnames="wl1.1 eth0.502"
nvram set lan2_ifname="br2"

nvram set br2_ifnames="wl1.1 eth0.502"
nvram set br2_ifname="br2"

# End setup of 5G Guest Network #1 on the AP.


# eapd reads config from these.
# No need to set lan_ifname since it's already there.
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

# Do NOT issue `nvram commit` here since it won't survive reboot.  (Is this really true?)

# Restart eapd.
# Is there a better way to do this like `service restart eapd` ?
killall eapd
eapd

Have you managed to get it working with external DHCP server or you are using static IPs?

 

[maxbraketorque]

Have you managed to get it working with external DHCP server or you are using static IPs?

Its working fine with the main router acting as the DHCP server. Are you wanting to use this script for an ASUS router main/AP combo? If yes, I started a thread in the Merlin Addons forum specifically on that topic.

 

[svh]

Its working fine with the main router acting as the DHCP server. Are you wanting to use this script for an ASUS router main/AP combo? If yes, I started a thread in the Merlin Addons forum specifically on that topic.

I use pfsense as main router. RT-AC86U (main) and CT8 as mesh APs connected by ethernet. I'd like to have 2.4G guest subnet for my iot devices in separate vlan and get IPs (different ip range) from pfsense.

 

[maxbraketorque]

I use pfsense as main router. RT-AC86U (main) and CT8 as mesh APs connected by ethernet. I'd like to have 2.4G guest subnet for my iot devices in separate vlan and get IPs (different ip range) from pfsense.

That's way beyond my knowledge, but there are people on the forum that likely can help. I guess you aren't running both ASUS devices as APs because you want to use aimesh wifi backhaul for the connection between the two routers?

 

[svh]

That's way beyond my knowledge, but there are people on the forum that likely can help. I guess you aren't running both ASUS devices as APs because you want to use aimesh wifi backhaul for the connection between the two routers?

Nope, both asus devices are used as APs and connected with 1Gbit ethernet. Static addresses are used for APs themselves.

 

[drinkingbird]

Nope, both asus devices are used as APs and connected with 1Gbit ethernet. Static addresses are used for APs themselves.

Pretty straighforward, follow @Eric Lieb 's tutorial in another thread or you can find the iterations of the script in this thread too. You need to create your own VLANs like he did, one for the 2.4 guest and one for the 5 guest.

 

[svh]

Pretty straighforward, follow @Eric Lieb 's tutorial in another thread or you can find the iterations of the script in this thread too. You need to create your own VLANs like he did, one for the 2.4 guest and one for the 5 guest.

I don't have/need 5 guest. I want 2.4 guest and 2.4/5 internal networks. But when i tried it few days ago, i was unable to force it for getting IPs from vlan dhcp. Guest didn't work for me or all devices in guest were receiving internal network ips.

 

[drinkingbird]

I don't have/need 5 guest. I want 2.4 guest and 2.4/5 internal networks. But when i tried it few days ago, i was unable to force it for getting IPs from vlan dhcp. Guest didn't work for me or all devices in guest were receiving internal network ips.

You don't have to have 5 guest. Either you got something wrong in the script or your router was not configured correctly to match the VLANs and tagging. You'll need to toy with it and double check everything. Or if unwilling/unable, buy a couple VLAN aware APs.

 

[svh]

You don't have to have 5 guest. Either you got something wrong in the script or your router was not configured correctly to match the VLANs and tagging. You'll need to toy with it and double check everything. Or if unwilling/unable, buy a couple VLAN aware APs.

What's the best way to connet everything together? My config: Ethernet link from pfsense with VLAN 501 and 501 and dhcp servers on them is connected to WAN port of Asus RT-AC86U and then from its LAN port goes to Asus CT8 (gigabit mesh link). How i can bring LAN (without vlan) network to asus devices (to connect all other clients, not belonged to guest networks)? If i add another (pfsense lan) link into asus lan port, all devices in all vlans receive ips from it.

 

[maxbraketorque]

What's the best way to connet everything together? My config: Ethernet link from pfsense with VLAN 501 and 501 and dhcp servers on them is connected to WAN port of Asus RT-AC86U and then from its LAN port goes to Asus CT8 (gigabit mesh link). How i can bring LAN (without vlan) network to asus devices (to connect all other clients, not belonged to guest networks)? If i add another (pfsense lan) link into asus lan port, all devices in all vlans receive ips from it.

If this is your config, I would think that the script in this thread is exactly what you need. My guess is that for the CT8 to work, it needs to be connected directly to pfsense just like the AC86U.

 

[svh]

If this is your config, I would think that the script in this thread is exactly what you need. My guess is that for the CT8 to work, it needs to be connected directly to pfsense just like the AC86U.

Shold i run the script on both routers? Seems my ZenWiFi AC (CT8) doesn't support this config.
brctl show for ZenWiFi AC (CT8) mesh slave and RT-AC86u mesh master:

 

[drinkingbird]

Shold i run the script on both routers? Seems my ZenWiFi AC (CT8) doesn't support this config.
brctl show for ZenWiFi AC (CT8) mesh slave and RT-AC86u mesh master:
View attachment 49761View attachment 49762

The script is not a one-size-fits-all. You have to modify it for your particular hardware, interface names, etc.

The first screenshot does not appear to have Aimesh guest configured on it, have you selected to propagate it to nodes on the master?

 

[maxbraketorque]

Shold i run the script on both routers? Seems my ZenWiFi AC (CT8) doesn't support this config.
brctl show for ZenWiFi AC (CT8) mesh slave and RT-AC86u mesh master:
View attachment 49761View attachment 49762

Sounds like you are less familiar with VLANs than I am. If you are trying to continue to use an AiMesh master/slave config, then you're going to have to do some reading and experimenting with configs to see if its possible. I find it pretty unlikely that your AiMesh master router is going to look to your pfsense for DHCP assignment of devices connected to it, let alone the slave. The AC86U master has no reason to do it because its acting as a router.

If you want to be done with this, put a 4-port switch at the AC86U, plug your pfsense into it, and then run ethernet cables from the switch into the WAN ports on the AC86U and CT8, and then set both routers to AP mode. Then you can uses Eric's script pretty much verbatim for the AC86U and with minor mods for the CT8.

 

[svh]

The script is not a one-size-fits-all. You have to modify it for your particular hardware, interface names, etc.

The first screenshot does not appear to have Aimesh guest configured on it, have you selected to propagate it to nodes on the master?

Yes, and seems this is the problem.

Sounds like you are less familiar with VLANs than I am. If you are trying to continue to use an AiMesh master/slave config, then you're going to have to do some reading and experimenting with configs to see if its possible. I find it pretty unlikely that your AiMesh master router is going to look to your pfsense for DHCP assignment of devices connected to it, let alone the slave. The AC86U master has no reason to do it because its acting as a router.

If you want to be done with this, put a 4-port switch at the AC86U, plug your pfsense into it, and then run ethernet cables from the switch into the WAN ports on the AC86U and CT8, and then set both routers to AP mode. Then you can uses Eric's script pretty much verbatim for the AC86U and with minor mods for the CT8.

Yes, vlans on asus is completely new for me
As i wrote earlier both routers are configured as APs and connected to the switch with vlans support.

 

[drinkingbird]

Yes, and seems this is the problem.

Yes, vlans on asus is completely new for me
As i wrote earlier both routers are configured as APs and connected to the switch with vlans support.

If you don't have AiMesh configured on the second router, it will not have the necessary VLAN 501 and 502 for the "easy" method, so you'll need to configure those VLANs with the script. If you aren't familiar with vlans and Linux scripting, you're going to want to just buy a couple VLAN aware access points (and possibly a VLAN aware switch if you need it).

 

[maxbraketorque]

Yes, and seems this is the problem.

Yes, vlans on asus is completely new for me
As i wrote earlier both routers are configured as APs and connected to the switch with vlans support.

ok. Then you're pretty much there. You just need to select the correct interfaces for some of the commands. Since my script is essentially a cleaned up and reorganized version of Eric's, I think you can use my script. It will work straight-out on your AC86U, and for your CT8, you'll likely need to make the following changes:

• Replace "eth0" (LAN port on the AC86U) in my script with "eth1" (which I expect is the LAN port on the CT8).
• Change <nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"> to something like <nvram set lan_ifnames="eth1 ath0 ath1 ath2 ath001 ath101 eth0">.

 

[svh]

ok. Then you're pretty much there. You just need to select the correct interfaces for some of the commands. Since my script is essentially a cleaned up and reorganized version of Eric's, I think you can use my script. It will work straight-out on your AC86U, and for your CT8, you'll likely need to make the following changes:

• Replace "eth0" (LAN port on the AC86U) in my script with "eth1" (which I expect is the LAN port on the CT8).
• Change <nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"> to something like <nvram set lan_ifnames="eth1 ath0 ath1 ath2 ath001 ath101 eth0">.

Am I correct finding out interfaces assignment?
eth1 - ???
ath0 - lan
ath1 - lan
ath2 - lan
ath001 - 2.4 WiFi
ath101 - 5 WiFi
eth0 - wan

If you don't have AiMesh configured on the second router, it will not have the necessary VLAN 501 and 502 for the "easy" method, so you'll need to configure those VLANs with the script. If you aren't familiar with vlans and Linux scripting, you're going to want to just buy a couple VLAN aware access points (and possibly a VLAN aware switch if you need it).

I have: