Guest Network on 386 builds doesn't play nice with Chromecast, and a potential workaround

As far as I know, this is not fixed in code and if you don't want AP isolation on your guest network you need to turn it off by setting the variable to 0. @john9527 is in the best position to comment on the way forward on the solution for the GUI.
 
There seems to be some confusion in this thread about some terminology.

1. Asus doesn't use VLANs to create guest WiFi networks.

2. "Access Intranet - enable/disable" is achieved by using packet filtering rules. (And now has the added complication of using a separate subnet for the first guest network per band.)

3. ap_isolate is a WiFi driver setting which only affects client to client communication between devices connected to the same BSSID. This value is usually set per band in Wireless > Professional.


John added this to his firmware some time ago.

I know this post is a few months old and is probably old news, but just to be clear, ASUS is setting up VLANs for guest network #1 (at least on the AC68U). I know early on there was some contention about AP isolation, VLAN isolation, and iptables isolation. In any case, guest network #1 is set up by ASUS using VLAN 501 for the 2.4GHz interface and VLAN 502 for the 5GHz interface.

These WLAN interfaces are configured on the AiMesh router node bridges br1 and br2 respectively (this configuration shows one main 2.4/5GHz network (eth1/eth2), guest network #1 (wl0.1/wl1.1), and guest network #2 (wl0.2/wl1.2)):
Code:
# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.88d7f6xxxxxx    yes        vlan1
                            eth1
                            eth2
                            wl0.2
                            wl1.2
br1        8000.88d7f6xxxxxx    yes        wl0.1
                            eth0.501
                            eth1.501
                            eth2.501
br2        8000.88d7f6xxxxxx    yes        wl1.1
                            eth0.502
                            eth1.502
                            eth2.502

# robocfg show
...
501: vlan501: 0t 1t 2t 3t 4t 5t
502: vlan502: 0t 1t 2t 3t 4t 5t

When in an AiMesh configuration, this VLAN configuration is propagated to the AiMesh node (confusingly, on the AiMesh node, the main SSID is wl0.1/wl1.1, which is guest network #1 on the AiMesh router; guest network #2 is not automatically propagated to the AiMesh nodes):
Code:
# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.40167exxxxxx    no        vlan1
                            wl0.1
                            wl1.1
                            vlan2
br1        8000.40167exxxxxx    yes        wl0.2
                            eth0.501
                            wl0.1.501
                            wl1.1.501
br2        8000.40167exxxxxx    yes        wl1.2
                            eth0.502
                            wl0.1.502
                            wl1.1.502

# robocfg show
...
501: vlan501: 0t 1t 2t 3t 4t 5t
502: vlan502: 0t 1t 2t 3t 4t 5t


I've tested with my managed switches and it properly isolates LAN/WLAN clients from the LAN/WLAN clients on my other VLANs (previously, only wireless clients were isolated with ap_isolation). Notice that my guest network #2 is set up on br0 on the router.

+1 to get a GUI update for enabling / disabling the ap_isolation field for guest network 1. I use this network as my IoT network and I want these devices to be able to communicate with each other and the internet, but not the intranet LAN clients. This works on VLANs 501 and separately for VLAN 502 LAN clients, but the ap_isolation breaks guest wifi client <-> guest wifi client and guest wifi client <-> lan client on the same AP switch. Thanks to @JWoo for the work-around!

As a side note, I have also enabled VLAN 501 and 502 to communicate with each other using iptables FORWARD filter rules on the main router. However, I really wish ASUS would merge the two VLANs for a single guest wifi column. I may end up scripting some bridge re-configuration to move the guest wifi #1 2.4 GHz and 5 GHz networks to VLAN 501 and hijack VLAN 502 for the guest wifi #2 configuration. The AiMesh configuration makes that harder to automate and I just haven't found the time to test the reconfiguration. I was hoping @Jack Yaz might come to a GUI-based solution there before I get to it :)
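The post above mentions allowing VLAN 501 and 502 to talk to each other with iptables FORWARD rules but does not show them. The script below is an added example (mine, not the poster's and not Asus or Merlin code) of how I would do that on the main router. It assumes, as in the brctl output above, that guest network #1 lives on br1 (2.4 GHz, VLAN 501) and br2 (5 GHz, VLAN 502), and that it is sourced from an Asuswrt-Merlin /jffs/scripts/firewall-start hook so it re-runs every time the firmware rebuilds the firewall. The IPT variable is overridable so the logic can be exercised without root or a real netfilter.

```shell
#!/bin/sh
# Added example: allow the two bands of guest network #1 (br1 <-> br2) to
# forward traffic to each other through the router. Everything else (guest to
# LAN, guest to router services) is left to the firmware's own rules.
#
# Assumptions (not from the thread): guest bridges are br1 and br2; the script
# is called from /jffs/scripts/firewall-start on Asuswrt-Merlin.

IPT="${IPT:-iptables}"   # override (e.g. IPT=echo) to dry-run

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN unless it is
# already present. Checking with -C first keeps the script idempotent, which
# matters because firewall-start fires again on WAN and VPN events and each
# run would otherwise stack another copy of the rule.
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I "$chain" 1 "$@"
}

# Inter-band forwarding in both directions. Position 1 puts the rules ahead of
# whatever guest-network filtering the firmware installs in FORWARD, so only
# br1<->br2 traffic is affected; anything else still falls through to those rules.
allow_guest_bands() {
    ensure_rule FORWARD -i br1 -o br2 -j ACCEPT
    ensure_rule FORWARD -i br2 -o br1 -j ACCEPT
}

# On the router: call allow_guest_bands from firewall-start. Running it twice
# must leave exactly two rules in place; that is what the -C check buys.
```

Usage on the router: `IPT=iptables sh -c '. ./guest_bands.sh; allow_guest_bands'`, then confirm with `iptables -L FORWARD -n --line-numbers` that the two ACCEPT rules sit at positions 1 and 2 and appear only once.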
 
Thanks for the additional info @gat0rdave. My original comment regarding the lack of VLANs was regarding the use of 802.1Q over the LAN. The "vlans" shown by robocfg were only used internally to logically group together physical switch ports into a virtual interface. The packets sent over the wire did not have VLAN tags though. Are you saying that's now changed and the guest network traffic does use 802.1Q?
 
Yes, while I haven't set up port mirroring with a network capture to confirm the VLAN tag is on the frames hitting the external managed switch, guest network #1 would not function (couldn't get an IP) until I set up the two ports on my managed switch that my AC68Us are connected to as trunk ports for VLAN 501 and 502 between the AiMesh node port and AiMesh router port (I also left those ports as untagged management VLAN 1).

Additionally, you can see in my managed switch Address Table that my AiMesh node shows up across all 3 VLANs as expected:
[Screenshot: managed switch Address Table, 2021-02-16]

This means the AiMesh node is leaving those tags in place on the frames leaving the switch.

I don't think it is for internal-only configuration??? "robocfg" configures the Broadcom switching layer, while the "brctl addif" commands are what group the physical and virtual interfaces together. If I understand the "robocfg" output correctly, VLAN 1 is set up untagged across LAN ports 1-4 (access ports), but VLAN 501 and 502 are set up as tagged (trunk ports) across all ports including the WAN port. So if traffic comes in untagged, it will be tagged with VLAN 1 by default (I'm not sure if that is the robocfg PVID config?) and if it comes in tagged as 501 or 502, it will be accepted on any of those ports as well. L2 switching will not route between the tagged 501/502 VLAN ports and the untagged VLAN 1 clients (as expected). Then the VLAN tagging is used within the AiMesh router node to select the correct dnsmasq netblock and allow access to the internet (but not the intrAnet).

Interestingly, this configuration works as expected with an unmanaged switch without extra configuration. It's most likely undefined behavior since some unmanaged switches will just pass through VLAN tagged packets, while others will drop the packets. Also, the LAN clients on the unmanaged switch wouldn't need to understand VLAN tagged frames to do anything with them. It worked between the AiMesh node and router because they both understand VLAN tagged frames and my unmanaged TP-Link gigabit switches just happened to pass the VLAN tagged frames without dropping them (luckily?).

If i get some time, I'll run some more experiments with port mirroring to get some network captures.
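To make the brctl/robocfg reading in @gat0rdave's two posts above mechanical, here is an added example (mine, not from the thread or from Asus) of a small POSIX shell parser for the two outputs. It answers the questions asked in the thread: which bridge a given guest SSID interface sits on, which 802.1Q sub-interfaces share that bridge, and on which switch ports a VLAN is tagged versus untagged. The samples are the router's output from the posts above, re-typed here as constructed input (the vlan1 line and the robocfg header are my additions, consistent with the description "VLAN 1 untagged on LAN ports 1-4"); the port numbering (0 = WAN, 1-4 = LAN, 5 = CPU) is an assumption for the AC68U board. On a live router replace the samples with `$(brctl show)` and `$(robocfg show)`.

```shell
#!/bin/sh
# Added example: parse `brctl show` and `robocfg show` text and report how each
# guest SSID interface is isolated. Constructed sample input follows; on a router
# use BRCTL_SAMPLE="$(brctl show)" and ROBOCFG_SAMPLE="$(robocfg show)".

BRCTL_SAMPLE='bridge name    bridge id        STP enabled    interfaces
br0        8000.88d7f6xxxxxx    yes        vlan1
                            eth1
                            eth2
                            wl0.2
                            wl1.2
br1        8000.88d7f6xxxxxx    yes        wl0.1
                            eth0.501
                            eth1.501
                            eth2.501
br2        8000.88d7f6xxxxxx    yes        wl1.1
                            eth0.502
                            eth1.502
                            eth2.502'

# Constructed: header and vlan1 line added by me; 501/502 lines are from the post.
ROBOCFG_SAMPLE='VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 5t
 501: vlan501: 0t 1t 2t 3t 4t 5t
 502: vlan502: 0t 1t 2t 3t 4t 5t'

# bridge_of <brctl-output> <iface>: print the bridge that owns iface, or nothing.
bridge_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                       # column header
        NF >= 4 { br = $1; ifc = $4 }          # first member is on the bridge line
        NF == 3 { br = $1; ifc = "" }          # bridge with no members
        NF == 1 { ifc = $1 }                   # continuation line: one member
        ifc == want { print br; exit }'
}

# bridge_members <brctl-output> <bridge>: space-separated member interfaces.
bridge_members() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }
        NF >= 4 { br = $1; ifc = $4 }
        NF == 3 { br = $1; ifc = "" }
        NF == 1 { ifc = $1 }
        ifc != "" && br == want { out = out (out ? " " : "") ifc }
        END { print out }'
}

# vlan_ports <robocfg-output> <vid> tagged|untagged: switch ports carrying vid
# in that mode. A trailing "t" means 802.1Q-tagged on that port; some builds
# mark a port's default (PVID) VLAN with a trailing "*", which is stripped.
vlan_ports() {
    printf '%s\n' "$1" | awk -v vid="$2" -v mode="$3" '
        $1 == (vid ":") {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/\*$/, "", p)
                if (p ~ /t$/) { sub(/t$/, "", p); tagged = 1 } else { tagged = 0 }
                if ((mode == "tagged") == tagged) out = out (out ? " " : "") p
            }
        }
        END { print out }'
}

# guest_report <brctl-output> <robocfg-output>: one line per SSID interface.
# An ethN.VID member on the same bridge means the SSID is VLAN-isolated and the
# VID must be trunked on the uplink port; otherwise only ap_isolate and the
# firmware's packet filters separate it from br0.
guest_report() {
    for ifc in wl0.1 wl1.1 wl0.2 wl1.2; do
        br=$(bridge_of "$1" "$ifc")
        vid=$(bridge_members "$1" "$br" | tr ' ' '\n' \
              | sed -n 's/^eth[0-9]*\.\([0-9]*\)$/\1/p' | sort -u | head -n 1)
        if [ -n "$vid" ]; then
            printf '%s on %s: VLAN %s tagged on switch ports [%s]\n' \
                "$ifc" "$br" "$vid" "$(vlan_ports "$2" "$vid" tagged)"
        else
            printf '%s on %s: no VLAN; isolation relies on ap_isolate/packet filters\n' \
                "$ifc" "$br"
        fi
    done
}

guest_report "$BRCTL_SAMPLE" "$ROBOCFG_SAMPLE"
```

On the sample this reports wl0.1 on br1 with VLAN 501 and wl1.1 on br2 with VLAN 502, both tagged on ports 0 through 5 (so the WAN-side port used for the AiMesh backhaul must be a trunk on the external switch), and wl0.2/wl1.2 on br0 with no VLAN, which matches the thread's observation that guest network #2 only gets AP isolation.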
 
Thanks for confirming the VLAN information, it looks pretty conclusive even without any packet captures. Regarding robocfg, I wasn't suggesting that it could only be used internally by the router but that historically that was how Asus chose to use it. There was no need to support VLANs on the network in the pre-AiMesh2.0 era. But as we had seen before there were already some user created scripts that did enable VLAN tagging.
 
Thanks for the information! That makes sense.

I wish ASUS took it a step further and expanded the support to all 3 guest networks and (like I said above), kept each guest network on the same VLAN (both 2.4 and 5G). I guess I may be doing some custom scripts to fix things up in the future.

I have a strong embedded networking background, but I haven't done much customization with my home ASUS devices. My Sonos system was causing STP havoc on my network (unknowingly) and working from home has pushed me to invest some more time in my network configuration.
 
Waiting for Asus to fix VLANs on the HND platform before I work on anything. While I could likely integrate YazFi with AiMesh 2.0 for non-HND routers, I want to be able to support HND routers at the same time. While I have a "working" setup, my AC86U picks up a lot of "protocol is buggy" messages in syslog and does unfortunately seem to produce lost packets. It's possible I could force off h/w acceleration to see if this improves things, but I see that as a non-starter and am waiting to see if Asus develop an approach that doesn't produce these errors. Perhaps if we hit 386.4/a few GPL merges and the issue is still present in Asus' stock code I will bite the bullet and develop anyway
 
Ah makes sense. I'm not seeing any packet loss on my two AC68Us using 2x managed Netgear GS108Tv3s in between. I assume this is just something buggy in the Asus broadcom HND switch driver and doesn't affect the non-HND router configurations?
 
That's what I suspect.
 
You're replying in the forum you're linking to. :D :p ;)
 
Sorry, please help me clarify that:
In AP mode, does ASUS set up VLAN 501 for guest network #1 and VLAN 502 for guest network #2 with Aimesh 2.0 for both aimesh router and aimesh node?
Thanks.
 
386.1 firmware sets up VLAN 501 for guest network #1 2.4Ghz and VLAN 502 for guest network #1 5GHz across both the AiMesh router and AiMesh node. This is when the main router is in Router Mode and has the 2nd “router” as an AiMesh node, which is essentially AP mode.

Guest network #2 and #3 (as of right now) do not use VLANs and they are not sync’d to the AiMesh node (only show up on the main router). The only isolation you get is AP isolation (the whole topic of this thread). With VLAN isolation on guest network #1, the AP isolation isn’t absolutely necessary if you want those clients to be able to communicate (e.g. IoT devices).
 
Thanks for your explanation.
I'm clear that 386.1 firmware will have VLAN 501 and VLAN 502 for the first guest network on 2.4GHz/5GHz in Router mode only, not AP mode. Is that right?
 
I'm not sure how the VLANs are setup in AP Mode. You can enable SSH, login, and run "robocfg show" and "brctl show" to see how things are configured in that mode.

I doubt it would set up the VLANs, since it also sets up separate DHCP netblocks for each of the VLANs, and in AP mode you wouldn't be running a DHCP server.
 
I tested some firmware and figured out that merlin 361.1, 361.1_2, and asuswrt have no VLAN 501 & VLAN 502 in AP mode, except for some ASUSWRT 386 RC2 public betas such as rc2-5, rc2-6, rc2-7.
When I run "brctl show" on each AP (not mesh) with ASUSWRT rc2-5 firmware, there are br1 (vlan1,...), br2 (vlan501, wl0.1,...) and br3 (vlan502, wl1.1,...), but if the APs were using AiMesh, br2 and br3 would convert to wl0.2 and wl1.2 as in post #122 of @gat0rdave.
 
Can anybody help me?
I have the managed switch "TPlink T1700G-28TQ".

The router Asus AX88U is on port 1 of the switch. The node AC88U is on port 2 of the switch. (Mesh setup)
All is working fine.
But: if I connect to the guest network via the node, I don't get an IP. (failed)
If I connect the node directly to the main router (AX88U) I do get an IP via the guest network (192.168.102.xxx 5GHz).

I doubt it has something to do with the VLAN 501 & 502 explained by gat0rdave. I have tried to set it up in the switch (802.1Q VLAN), but I wouldn't get an IP in the guest network.
 
+1 for me too. I'm not sure if @john9527 ever got @JWoo's manual AP Isolation solution working but I'm in the same boat: Guest Wi-Fi for which I do not want Intranet Access enabled, but I would very much like AP Isolation disabled so guests can use a Chromecast attached to the same Wi-Fi.

I don’t mind if the Guests can see each other, it would be a very small group and they are all known to each other.
 