ASUS RT-AC68U Access Point with VLAN for IOT/Guest Wifi

[oofer]

Ok, I really thought I was going to figure this out today but massively failed. Here's a preface to what I have and what I'm setting up right now.

I have an EdgeRouter X that's acting as my Router, DHCP, firewall, etc.
I have an ASUS RT-AC68U flashed with Merlin 386.3_2 that's setup in access point mode.

Previously the AC68U had Tomato firmware on it and I'd setup a wifi network for normal use and an IOT/guest SSID that would be on a separate subnet and have firewall restrictions placed on it from the edgerouter. I more or less followed this guide to setup the IOT VLAN and DHCP (switch.20, 10.10.20.1/24). On the AC68U, I'd configured a virtual wifi interface similar to this guide but without DHCP and with the VID of 20. It all worked pretty great, no complaints.

Well...so why did I mess with it? I'm incorporating another AC68U into my setup to do AiMesh, so I have to use the ASUS WRT or Merlin firmwares to do that. As part of that transition, I'm trying to get this VLAN and virtual wifi stuff setup again, and I'm hitting a huge wall now. I'm trying to come up with a services-start script based on a few other threads I've seen. Here's what it currently looks like, but it's not working. I'm able to connect to the virtual ssid, but I'm not getting an IP assigned from the edgerouter's DHCP.

I'm using vlan20 because that's what I have setup on the edgerouter already (switch.20). I have Port 1 of the Edgerouter going to Port 4 of the AC68U. I'm also using the second guest wifi (so 0.2 instead of 0.1). Last, I'm using br3 because when I used br1 or br2, it looks like there's some stuff in the dnsmasq.conf for some reason that enables DHCP for those two bridges even though I'm in AP mode. This is mostly following what I'd seen in this post.

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg vlan 20 ports "4t 5t"
vconfig add eth0 20
ifconfig vlan20 up

brctl addbr br3
brctl delif br0 wl0.2
brctl addif br3 wl0.2
brctl addif br3 vlan20
ifconfig br3 10.10.20.10 netmask 255.255.255.0 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan20 wl0.2"
nvram set lan1_ifname="br3"

nvram commit
killall eapd
eapd

Anyway, no luck there. Spent a ton of time trying some variations of this without avail either. I also tried using port 0 (the WAN port) on the AC68U instead and tagging that instead, but same results. One post said they had luck by tagging the same port on VLAN1. I don't know how it worked for them, doing that just locks up my router (and requires a hard reset if I tried to doing it with the startup script).

I should also mention that I'm able to ping the AP at both IP subnets I'm using from the edge router's CLI. So 192.168.1.10 and 10.10.20.10 both return ping. From the AP I was able to ping the router of course for both cases (I had to disable my IOT firewall to get the 10.10.x.x ping to work). So...something's fishy with the tagging still I guess?

I'm not sure what else to try. Most of what I'm finding on the forums are folks that are using their AC68U as a router with the DHCP server, so I'm curious if that's really the difference here. Otherwise, it's also quite possible I'm missing something very fundamental.

 

[eibgrad]

The problem I'm having w/ that other link is determining the operating mode the ASUS router was using at the time. I can't tell from if the router is in Router or AP mode, and that could make a difference.

Vlans on Merlin (mini howto)

Hello, What i want to do with my Rt-AC68U is the following: 1 have switches that are connected to each other with a uplink , on a switch a have a untagged port in VLAN 100. i want the Asus to receive the tagged vlan on port 1 of the switch (this is the uplink) and i put port 3 untagged in...

www.snbforums.com

The OP just leaves that unanswered and describes making the WAN port (0) the trunk port for both the default VLAN (1) and his new VLAN (6).

If you're using a routed config, port 0 is necessarily assigned to vlan2. But if you reconfigure for AP mode, it moves from vlan2 to vlan1 (which makes sense). I would *think* using AP mode would make the most sense for the other OP, but again, I can't tell from his description whether it's routed or in AP mode.

In your own case, we have the complication of AiMesh, which I assume uses WDS (yet another mode). It's not clear to me you can use VLAN tagging across WDS, at least as ASUS has defined it for the purposes of AiMesh (esp. since WDS is proprietary). That's the problem w/ trying to jury-rig VLANs on a platform that doesn't support it. Too many unknowns. All these various modes (Router, AP, WDS/AiMesh) could have an impact on how to make this work, or whether it will work at all. So I'm NOT convinced you can simply take the results of someone else who's probably NOT using AiMesh and assume the same VLAN configuration will work for you. My gut tells me this is a bridge too far (no pun intended).

 

[oofer]

In your own case, we have the complication of AiMesh, which I assume uses WDS (yet another mode). It's not clear to me you can use VLAN tagging across WDS, at least as ASUS has defined it for the purposes of AiMesh (esp. since WDS is proprietary). That's the problem w/ trying to jury-rig VLANs on a platform that doesn't support it. Too many unknowns. All these various modes (Router, AP, WDS/AiMesh) could have an impact on how to make this work, or whether it will work at all. So I'm NOT convinced you can simply take the results of someone else who's probably NOT using AiMesh and assume the same VLAN configuration will work for you. My gut tells me this is a bridge too far (no pun intended).

Let's forget about AiMesh for a moment. I have it working, but for the issue I'm describing, I've disconnected that access point completely and completely reset the RT-AC68U I'm working on to factory default. I've just removed it from the equation and am interested in tackling this particular issue from an academic standpoint for now. As for AiMesh, I'll cross that bridge D) when I come to it.

The problem I'm having w/ that other link is determining the operating mode the ASUS router was using at the time. I can't tell from if the router is in Router or AP mode, and that could make a difference.

The OP just leaves that unanswered and describes making the WAN port (0) the trunk port for both the default VLAN (1) and his new VLAN (6).

If you're using a routed config, port 0 is necessarily assigned to vlan2. But if you reconfigure for AP mode, it moves from vlan2 to vlan1 (which makes sense). I would *think* using AP mode would make the most sense for the other OP, but again, I can't tell from his description whether it's routed or in AP mode.

I agree here. I get the impression that most are using router mode in a lot of these forum posts. I assumed the OP was using AP mode because they described having a different network device acting as router/DHCP. Seems plausible given that--like you'd said--they're using the WAN port as the trunk on VLAN1 and VLAN6 (instead of VLAN2 and 6). I thought their script would kind of be my holy grail here but like I'd mentioned earlier, if I try to tag port 0 on VLAN1 and VLAN20, the AC68U just locks up on me. I also tried tagging port 4 on VLAN1 and VLAN20 and it locked up. The problem occurs the moment I try to tag the same port on two different VLANs. If I remove the port from VLAN1, and tag on VLAN20 then we don't lock up, but then I'm also still not getting an IP for the guest ssid network from the DHCP on my router.

I'll keep tooling around today. Just need to wait until the family doesn't need to use the wifi.

 

[oofer]

As I'm reading through some more posts, I'm starting to get the idea that this would just be easier if I moved both AC68U's over to FreshTomato and do a wired backhaul to extend the wireless network. Just using stock AiMesh (forgetting about this guest wifi VLAN business for a moment), I have a wired connection between both AC68Us and am using the wired backhaul setting. In this post one of the commenters mentions that using wired backhaul isn't actually considered a mesh. So if I can wire up the two AC68Us, I guess I'm wondering why I'm bothering with AiMesh (unless maybe it offers better client handling, switching between the stronger AP).

Not entirely sure how to do this yet, but I already know I can get one AC68U with FT connected to my edgerouter in this manner (that was my previous configuration). I assume I'll just daisy chain the second AC68U to the first and...I don't know...bridge and VLAN some stuff. Think I'll have to see it first.

Here's how I'm thinking of connecting it off the top of my head.

EdgeRouter X Port 1 -> Port 1 AC68U#1 Port 2 -> Port 1 AC68U#2

On AC68U#1, I'll setup a static IP (i.e. 192.168.1.10) and point the EdgeRouter. Disable DHCP and WAN so it's an access point.
On AC68U#1, I'll create br1 with a static IP for the IOT/guest network (i.e. 10.10.20.10). Again disable DHCP.
On AC68U#1, I'll setup the wifi networks and the virtual wifi interface for IOT/Guest.
On AC68U#1, I'll create a VLAN with VID20 with LAN1 (br1).
On AC68U#1, I'll bridge the virtual wifi interface wl0.1 (IOT/Guest) with LAN1 (br1).

This should get me back to where I was before.

Not sure what to do with the second AC68U yet, but I assume I'll follow the same steps above but assign it different static IPs for br0 and br1 (i.e. 192.168.1.11 and 10.10.20.11). Not clear if I have to bridge the ports I'm using to connect the two AC68Us as well.

 

[eibgrad]

I agree that if you can't justify the need for AiMesh, then it makes sense to dump Merlin completely from the APs and just use FT, where you get all the VLAN and tagging support you need natively.

Also, realize that even VLAN tagging can be overkill if those additional networks (e.g., IOT and guest) don't necessarily need to share the same, logical ethernet segments. IOW, if I have guests located on the primary router, and both APs, they typically have no particular reason to communicate w/ each other. All they need is access to the internet (I probably even have AP isolation enabled). In that case, each guest network can be configured and managed independently on each device. However, let's say you want/need to have all your guests share a service on the primary router (e.g., captive portal), then I could see the value of VLAN tagging. NOW you need all those guest networks to be treated as a single logical ethernet network.

IOW, don't make things more complicated than they need to be. I find there's a tendency for users to assume the need for complexity, then back off once they run into problems, then discover (out of necessity) they didn't need all that complexity anyway.

 

[oofer]

Yeah I just reverted back. Only downside to my current setup is that I need to run the other AP with the same SSID's but on a different channel then the first AP. Not quite as seamless but whatever.

The virtual wireless interface really just gets used for IOT devices (not many guests using our wifi). I have IOT devices and regular devices sharing the same access points and interacting with each other to some degree. So for example, I'll have IOT devices that will need to interact with something like Home Assistant and I'll need to be able to interact with some of the IOT devices (like MQTT) locally instead of commanding them or seeing their status through the internet. At the same time while I'm ok with devices on the LAN interacting with the IOT devices, I don't want the IOT devices to be able to interact with devices on the LAN. So IOT VLAN, setup firewall rules on the EdgeRouter that tell the VLAN what it can and can't access.

I'll be honest, don't really know if the setup is more complicated than it needs to be, but it was easy enough to setup (in the Tomato firmware, Merlin notwithstanding!).