Guest VLANs over the network on ASUS AC5300


fusionstream

Occasional Visitor
This is my network layout:
Network Layout.png


The DIR865L is running Tomato and the AC5300 is running the Christmas release of ASUSWrt by Merlin.

How would I go about vlanning guest wireless traffic from the Asus to the DIR865L?

Doing it on Tomato and the 2 managed switches should be trivial but not so much on the Asus.

I currently have physical ports 3 and 4 on the asus unused but I'd like to try trunking it over the existing LACPed physical ports 1 and 2.

I saw a few threads (specifically this one http://www.snbforums.com/threads/ssid-to-vlan.24791/) that seem to have this working but the internal port mappings don't match up and I can't find a port mapping list. Is there a way to get this?

Based on "robocfg show vlan" it would seem that Port 8 is my 2.4GHz wireless (based on MAC address) and it shows that port 8 is in 2 vlans (I have 2 guest networks on 2.4GHz and only one of them can access my "intranet"). I assume vlan2 is the wan vlan and port 0 is my WAN port.

I can only assume internal Ports 5 and 7 are for my 2x 5GHz radios. They both have guest networks WITH access to Intranet. However when I added a guest network WITHOUT access to Intranet, nothing was added to vlan2. In fact, under "brctl show" this new guest network gets added to br0.

RT-AC5300-1DE0#:/tmp/home/root# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.2c56dc5d1de0 yes vlan1
wl0.1
wl0.2
wl1.1
wl1.2
wl2.1

RT-AC5300-1DE0#:/tmp/home/root# robocfg show vlan
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 00:00:0c:9f:f4:ef
Port 1: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 00:24:1d:d1:f1:6c
Port 3: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 2c:56:dc:5d:1d:e0
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4 5 7 8t
2: vlan2: 0 8u


Can anyone help? A pointer would be great too as I'd like to understand what is happening.
 
Anyone? I've got the following so far but still no joy. I am connecting directly to the AC5300's guest network but I get no DHCP now.

@RT-AC5300-1DE0:/tmp/home/root# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 00:00:0c:9f:f3:34
Port 1: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 00:24:1d:d1:f1:6c
Port 3: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 2c:56:dc:5d:1d:e0
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4 5 7 8t
2: vlan2: 0 8u
5: vlan5: 2t 5t 7t 8t

@RT-AC5300-1DE0:/tmp/home/root# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.2c56dc5d1de0 yes vlan1
br1 8000.000000000001 yes wl0.1
vlan5

@RT-AC5300-1DE0:/tmp/home/root# nvram show | grep lan1
lan1_ipaddr=192.168.2.1
lan1_route=
lan1_ifname=br1
lan1_hwnames=
lan1_wins=
lan1_lease=86400
lan1_stp=1
lan1_gateway=192.168.2.1
lan_ifnames=vlan1 eth1 eth2 eth3
lan1_netmask=255.255.255.0
vlan1hwname=et2
lan1_proto=0
vlan1ports=1 2 3 4 5 7 8*
lan1_domain=
lan1_wps_oob=enabled
lan1_wps_reg=enabled
landevs=vlan1 wl0 wl1 wl2
lan1_ifnames=vlan5 wl0.1
lacpdev=vlan1
lan1_hwaddr=

@RT-AC5300-1DE0:/tmp/home/root# nvram show | grep lan_
lan_state_t=2
lan_dns_fwd_local=0
lan_dnsenable_x=0
lan_auxstate_t=0
lan_gateway=0.0.0.0
lan_domain=
lan_unit=-1
lan_netmask_rt=255.255.255.0
lan_route=
lan_netmask=255.255.255.0
lan_dns2_x=
lan_lease=86400
wl0_vlan_prio_mode=off
lan_stp=1
lan_port=80
lan_ipaddr_rt=192.168.1.1
lan_hwaddr=2C:56:DC:5D:1D:E0
lan_wps_oob=disabled
lan_wps_reg=enabled
size: 72928 bytes (58144 left)
wl_vlan_prio_mode=off
lan_dns=
lan_ifnames=vlan1 eth1 eth2 eth3
lan_dns1_x=
lan_proto=static
lan_ipaddr=192.168.1.1
led_lan_gpio=4117
lan_sbstate_t=0
wl2_vlan_prio_mode=off
dpsta_lan_uif=1
lan_ifname=br0
lan_wins=
lan_hwnames=
wl1_vlan_prio_mode=off

@RT-AC5300-1DE0:/tmp/home/root# nvram get lan_ifnames
vlan1 eth1 eth2 eth3

@RT-AC5300-1DE0:/tmp/home/root# nvram get lan1_ifname
br1

@RT-AC5300-1DE0:/tmp/home/root# nvram get lan1_ifnames
vlan5 wl0.1

@RT-AC5300-1DE0:/tmp/home/root# nvram get vlan5hwname
et2
 
Yeah, so I managed to somehow assign vlan 5 to my interfaces according to robocfg, but it only took that vlan, which meant it was no longer a trunk, and try as I might I couldn't unset it. Had to reset everything to factory defaults and reload from a saved backup.

So the lack of support here leads me to believe that this is not viable at this time. Hopefully someone else will ask the same question and it will get answered.
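A small parser for the robocfg VLAN table, added here as an example and not part of any post in this thread. It reads the port-list notation quoted above ("8t" = tagged, "5u" = untagged) and answers the port-mapping question for any port; it also goes one step beyond the quoted outputs and flags a port left untagged in more than one VLAN, the state in which a port stops behaving as a trunk. The sample table is constructed from the tables quoted in this thread (vlan1/vlan2 as printed, vlan9 as the later working script configures it).

```shell
#!/bin/sh
# Added example (not from the thread): parse the VLAN table printed by
# "robocfg show" and report which switch ports carry which VLANs, tagged
# (trunk) or untagged (access). Sample constructed from the thread's output.
ROBOCFG_SAMPLE='VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 5u 7 8t
2: vlan2: 0 8u
9: vlan9: 4 8t'

# vlans_of_port PORT [TEXT]: one line "VID:tagged" or "VID:untagged" per
# VLAN that contains PORT, in the order robocfg lists them.
vlans_of_port() {
    port=$1
    text=${2:-$ROBOCFG_SAMPLE}
    printf '%s\n' "$text" | awk -v p="$port" '
        /^[0-9]+: vlan[0-9]+:/ {
            vid = $1; sub(/:$/, "", vid)
            for (i = 3; i <= NF; i++) {
                m = $i; tag = "untagged"
                if (m ~ /t$/) { tag = "tagged"; sub(/t$/, "", m) }
                else sub(/[u*]$/, "", m)   # "u" untagged; "*" marks the PVID port in nvram vlanXports
                if (m == p) print vid ":" tag
            }
        }'
}

# untagged_conflicts [TEXT]: ports untagged in more than one VLAN. A port has
# a single PVID, so untagged frames it receives land in only one of those
# VLANs while it still emits untagged frames from all of them: the VLANs
# mix on that port instead of staying separated.
untagged_conflicts() {
    text=${1:-$ROBOCFG_SAMPLE}
    printf '%s\n' "$text" | awk '
        /^[0-9]+: vlan[0-9]+:/ {
            for (i = 3; i <= NF; i++) {
                m = $i
                if (m ~ /t$/) continue
                sub(/[u*]$/, "", m)
                seen[m]++
            }
        }
        END { for (m in seen) if (seen[m] > 1) print m }' | sort -n
}

vlans_of_port 8        # port 8 (MAC = lan_hwaddr) sits in all three VLANs
untagged_conflicts     # prints nothing for the sample: no port untagged twice
```

Pass a second argument (or a first one to untagged_conflicts) to analyse a table pasted from another router instead of the built-in sample.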
 
I had a separate bridge, br1, working on my AC-3200. But then I bought an AC-5300 and tried to copy the configuration over. I found that didn't work. The AC-3200 and AC-5300 aren't configured the same, and don't behave the same.

The way to unset a vlan is "robocfg vlan 5 ports ''".

The main difference between the two is that the AC-5300 "ports" are a little different. I had to say 5u instead of 5 for vlan1, "robocfg vlan 1 ports '1 2 3 5u 7 8t'". Otherwise it will say 5t not 5 in "robocfg show" on boot. Ports 5 and 7 don't seem to be required for a working 2.4 GHz on another bridge, br1.

I want the 2.4 GHz guest network on another bridge so I can tie port 4 to it. I put my Hue bridge on port 4 to add it to the guest network. I put all my IoT devices on the guest network. I don't trust their security.

I set up the 1:1 NAT so certain internet machines can have external public static IP addresses.

I changed the DHCP range for br1 from 192.168.80.x to 192.168.2.x, because the AC-3200 seemed to have that as the default for br1. 192.168.80.x would probably also work, but I haven't tested it on the AC-3200.

Another difference is the WANIP. I use eth0 as the interface for the AC-5300, but vlan2 for the interface for the AC-3200.

I am now using the AC-3200 as an access point on the other side of the house. It is connected into the network via ethernet. I had to remove the guest network from it, because of the br1 setup. Otherwise half the devices would connect to the AC-3200 and get 192.168.9.x access, while the other half would get 192.168.2.x access.

Here is my working AC-5300 configuration:
/jffs/scripts/firewall-start:
#!/bin/sh
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
WANIP=$(/sbin/ifconfig eth0 | grep 'inet addr' | cut -f2 -d':' | awk '{print $1}')

# Move port 4 to vlan9
robocfg vlan 1 ports '1 2 3 5u 7 8t'
robocfg vlan 9 ports '4 8t'

# remove guest1 2.4Ghz from br0
brctl delif br0 wl0.1

# create br1
brctl addbr br1
brctl addif br1 wl0.1

ifconfig br1 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255

# Setup vlan9
vconfig add eth0 9
ifconfig vlan9 up
brctl addif br1 vlan9

# Fix WPA2 on guest wifi
nvram set lan_ifnames="vlan1 eth1 eth2 eth3"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd

# Allow vlan9 and wl0.1 to access each other
ebtables -t filter -I FORWARD -i vlan9 -o wl0.1 -j ACCEPT
ebtables -t filter -I FORWARD -i wl0.1 -o vlan9 -j ACCEPT

# fix dnsmasq not listen to br1 -D prevent duplicate rules if previously already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT

# br1 WAN access
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# block br1 access br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Keep br1 from accessing the router
iptables -I FORWARD -i br1 -d 192.168.9.0/24 -m state --state NEW -j DROP

# Keep br1 from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Setup 1:1 NAT
ifconfig eth0:0 56.10.200.57 netmask 255.255.255.248
iptables -t nat -I PREROUTING 1 -d 56.10.200.57 -j DNAT --to 192.168.9.90
iptables -t nat -I POSTROUTING 1 -s 192.168.9.90 -j SNAT --to 56.10.200.57

ifconfig eth0:1 56.10.200.59 netmask 255.255.255.248
iptables -t nat -I PREROUTING 2 -d 56.10.200.59 -j DNAT --to 192.168.9.95
iptables -t nat -I POSTROUTING 2 -s 192.168.9.95 -j SNAT --to 56.10.200.59


/jffs/configs/dnsmasq.conf.add:
# Logging
log-facility=/tmp/dnsmasq.log
log-dhcp
interface=br1
dhcp-range=br1,192.168.2.100,192.168.2.199,255.255.255.0,86400s
dhcp-option=br1,3,192.168.2.1
dhcp-option=br1,6,192.168.2.1
dhcp-option=br1,15,foobar.com


Here is my working AC-3200 configuration:
/jffs/scripts/firewall-start:
#!/bin/sh
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
WANIP=$(/sbin/ifconfig vlan2 | grep 'inet addr' | cut -f2 -d':' | awk '{print $1}')

# Move port 4 to vlan9
robocfg vlan 1 ports '1 2 3 5t'
robocfg vlan 9 ports '4 5t'

# remove guest1 2.4Ghz from br0
brctl delif br0 wl0.1

# create br1
brctl addbr br1
brctl addif br1 wl0.1

ifconfig br1 192.168.80.1 netmask 255.255.255.0 broadcast 192.168.80.255

# Setup vlan9
vconfig add eth0 9
ifconfig vlan9 up
brctl addif br1 vlan9

# Fix WPA2 on guest wifi
nvram set lan_ifnames="vlan1 eth1 eth2 eth3"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan9 wl0.1"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd

# Allow vlan9 and wl0.1 to access each other
ebtables -t filter -I FORWARD -i vlan9 -o wl0.1 -j ACCEPT
ebtables -t filter -I FORWARD -i wl0.1 -o vlan9 -j ACCEPT

# fix dnsmasq not listen to br1 -D prevent duplicate rules if previously already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT

# br1 WAN access
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# block br1 access br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Keep br1 from accessing the router
iptables -I FORWARD -i br1 -d 192.168.9.0/24 -m state --state NEW -j DROP

# Keep br1 from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Setup 1:1 NAT
ifconfig eth0:0 56.10.200.57 netmask 255.255.255.248
iptables -t nat -I PREROUTING 1 -d 56.10.200.57 -j DNAT --to 192.168.9.90
iptables -t nat -I POSTROUTING 1 -s 192.168.9.90 -j SNAT --to 56.10.200.57

ifconfig eth0:1 56.10.200.59 netmask 255.255.255.248
iptables -t nat -I PREROUTING 2 -d 56.10.200.59 -j DNAT --to 192.168.9.95
iptables -t nat -I POSTROUTING 2 -s 192.168.9.95 -j SNAT --to 56.10.200.59


/jffs/configs/dnsmasq.conf.add:
# Logging
log-facility=/tmp/dnsmasq.log
log-dhcp
interface=br1
dhcp-range=br1,192.168.80.100,192.168.80.199,255.255.255.0,86400s
dhcp-option=br1,3,192.168.80.1
dhcp-option=br1,6,192.168.80.1
dhcp-option=br1,15,foobar.com
 