Handling Tagged VLAN on a AC86U

[rumi409]

Hi All,

Hoping to get some clarification and solution to my network setup. I currently have a Edgerouter X and a UniFi AP. My network consists of three VLANs (Main, IoT, and Guest). The main Lan can access IoT but the IoT can't access the main Lan. The guest VLAN is isolated but has access to the WAN. The Edgerouter handles this well.

I want to replace the Edgerouter with the Asus AC86U running Merlin to take advantage of the AC86U's hardware accelerated VPN features. My research has turned up solutions that use port based VLANs. Since I have one AP that tags devices based on the wifi network it's connected to, I haven't been able to use those solutions. I'm also not using the wifi radios on the AC86U since it will be in the basement and can't provide the necessary coverage to the whole house.

My question is, is it possible for the AC86U to handle tagged VLANs from the UniFi AP? If so, how should I go about setting things up?

If not, is there a way to use the AC86U as a VPN server only?

Thanks in advance.

 

[L&LD]

Welcome to the forums @rumi409.

I don't think HND routers (which the RT-AC86U is) are capable of VLANs. Please use the Better Search option to find more info on that topic on these forums.

If the RT-AC86U isn't in full router mode, I don't believe it can be a VPN server either (if I'm wrong, this bump to your thread will be corrected soon).

 

[eibgrad]

If not, is there a way to use the AC86U as a VPN server only?

Yes. But my understanding is the same as @L&LD. You can't do so in AP mode, which is normally how you would configure such a router that was only serving as your VPN server. IOW, you'd bridge it (LAN to LAN) to the primary network. However, nothing prevents you from using a routed configuration provided its WAN port is patched to a LAN port on the primary router. It's just that access to the primary router's local network (and any other *upstream* IP networks) is only reachable over its WAN rather than the LAN. And the LAN side of the VPN router is functionally useless (wired and wireless), unless you decide to use it for other purposes.

So it can be done.

 

[rumi409]

Thanks for the replies @L&LD and @eibgrad.
If I put the AC86U ahead of the Edgerouter would I be able to configure the VPN server on the AC86U so I have access to the full network downstream?

 

[L&LD]

Yes.

 

[Jeffrey Young]

Posting this thread as you mentioned you had done some research on VLANS with the AC86U. You have probably seen the thread already, but i case you have not, here it is. I am watching this thread with interest as I am considering switching to a RasPi Router with external APs to handle both my main network and IoT network should the current ASUS GPL issue can not be resolved. In which case, I may be looking into VLANs to sperate my network.

RT-86U - vlanctl & ethctl usage puzzle

All, While the search revealed several hits on the vlanctl and ethctl commands used in the new Broadcom chips, as in the RT-86U, there is not yet a definitive guide or howto on to properly use them to control the VLANs on these routers. Obviously in contrast to the more we’ll known robocfg...

www.snbforums.com

 

[rumi409]

@L&LD,
Will I be able to use the Edgerouter to do the DHCP assignments and have the AC86U handle the routing and firewall? If so, what do I need to setup on the AC86U to make aware of the different networks?


@Jeffrey Young,
Thanks for the thread link. I did see it and am monitoring it as you are.

 

[L&LD]

That may not be possible? Because of VPN Director. May be worth a try though.

 

[PDinDetroit]

I ran into roadblocks trying to use VLANS on RT-AC86U/RT-AX88U/RT-AX86U. I wanted the separation similar to yours, especially IOT. I instead went with AiMesh Router/AiMesh Nodes configuration and using the 1st Guest for IOT 2.4/5 GHz (which works across Router & Nodes). It just works and made things for house set-up easy (Ring Doorbells, Ring Spotlight Cams, Lennox Smart Thermostat, etc). I am just starting in some further home automation and will see if I run into roadblocks, but nothing so far. I have yet to configure VPN through VPN Director, but will soon as time permits. Just another option to consider, hope you find a solution that works for you.

 

[rumi409]

@PDinDetroit,
I tried the AIMesh route with a AC68U but the performance and range was lacking. That's why I went with the Ubiquiti route. I may look into using three Unifi APs for the three networks, setup under three bridges and not use VLANs. Even though its such a waste of resources. Hopefully the geniuses on this forum can figure out a way to get VLANs working on the HND routers.

 

[PDinDetroit]

I didn't have an AC68U, I started with AC86Us but moved to AX88U AiMesh Router (in basement), AX86U AiMesh Node (1st Level, far end of house), and AX88U AiMesh Node (2nd level, far other end of house). It's overkill but I got to a point where I just wanted it to work for Main WiFi Networks and AiMesh Guest Networks and cover a long house. I have the WiFi signal strength (Tx power adjustment) turned down from "Performance" to "Good" and Roaming Assistant enabled at -45 dBm on 2.4 GHz/-55 dBm on 5 GHz. I have had one or both AiMesh Nodes not working and still have the Main WiFi Network and IOT devices on Guest Network 1 connected and working successfully with another AiMesh Node or AiMesh Router.

 

[rumi409]

I'm wondering if anyone has done a topology like this with the Asus Router and a managed switch. Would this work if the VLANs were on separate ports on the managed switch? The router ports would be isolated and assigned to separate bridges. I have a Netgear JGS516PE managed switch that I would attach unifi APs to that would tag wireless clients to separate VLANs.

 

[Deleted member 62525]

I have RT-86U as a main router set up in a bridge mode. Since this router does not support VLAN directly I opted to use brctl cmd to create separate network LANS on its ports. This is totally possible and working good. This may give you some ideas.

Tutorial - LAN port isolation on Asus Merlin example

It would be great if Asus supported VLAN on their routers for all of us that want a quick way to configure LAN ports isolation. Until that time this is a quick way to use LAN bridge concepts to provide this functionality. I am using Asus RT-AC86U. I am sharing here my own setup where I have a...

www.snbforums.com

 

[rumi409]

I have RT-86U as a main router set up in a bridge mode. Since this router does not support VLAN directly I opted to use brctl cmd to create separate network LANS on its ports. This is totally possible and working good. This may give you some ideas.

Tutorial - LAN port isolation on Asus Merlin example

It would be great if Asus supported VLAN on their routers for all of us that want a quick way to configure LAN ports isolation. Until that time this is a quick way to use LAN bridge concepts to provide this functionality. I am using Asus RT-AC86U. I am sharing here my own setup where I have a...

www.snbforums.com

Thanks for posting that Mark. I did come across your post and the other one you referenced. My problem with that route is that it will mean I have to have APs for each group of users and the user base has both wired and wireless clients. I may rethink my topology to see if I can consolidate all the devices into two groups.

In reading up on the managed switch to unmanaged router solution, I found that the solution wouldn't work since the traffic coming back isn't tagged so the switch wouldn't know which VLAN to send the packets back to. So back to the drawing board.

 

[Deleted member 62525]

I have a similiar network topology and do not need VLANS. My main router is bridged so I do have public IP on WAN. The router 2 physical ports are on separate br100 network LAN. This br100 LAN is secured and isolated from br0 LAN - IoT devices. My Guest network br1 is on separate LAN and isolated from any local LAN's. I manage main LAN and IoT LAN security/access with iptables rules.

This setup does not remove router hw accelaration and I can run VPN clients or server on my LAN if I want to. Synology DDNS provides me with outside access to any services I run inside my network but only to secured main LAN on br100.

You too can have similar separation without VLAN and I thinks it will be easier to manage and troubleshoot later.

 

[rumi409]

I have a similiar network topology and do not need VLANS. My main router is bridged so I do have public IP on WAN. The router 2 physical ports are on separate br100 network LAN. This br100 LAN is secured and isolated from br0 LAN - IoT devices. My Guest network br1 is on separate LAN and isolated from any local LAN's. I manage main LAN and IoT LAN security/access with iptables rules.

This setup does not remove router hw accelaration and I can run VPN clients or server on my LAN if I want to. Synology DDNS provides me with outside access to any services I run inside my network but only to secured main LAN on br100.

You too can have similar separation without VLAN and I thinks it will be easier to manage and troubleshoot later.

Are you using the built-in wifi or do you have external APs for your wireless clients? How are you separating the main LAN wireless clients from the IoT wireless clients? As I mentioned before, I'm using Unifi APs (3 of them) for all wireless clients and am separating them into different VLANs.

 

[Deleted member 62525]

Main router provides LAN ports (br100) for secured LAN and 3 WIFI AP's. 2 of these AP's are part of br0 and guest AP (br1) is isloated from all and only access internet. None of the br0 connected devices have access to my internal br100 LAN. Its a separate lan segment and few iptables rules to configure that.

Your IoT devices can simply connect to new guest network on separate network bridge. This bridge is created as soon as you configure new guest AP. The rest is only config and if you need some additonal iptables rules you can.

I have a second rt-ac86u working in media bridge mode. All clients must use LAN ports on this router but they connect to br0 LAN.

 

[rumi409]

Main router provides LAN ports (br100) for secured LAN and 3 WIFI AP's. 2 of these AP's are part of br0 and guest AP (br1) is isloated from all and only access internet. None of the br0 connected devices have access to my internal br100 LAN. Its a separate lan segment and few iptables rules to configure that.

Your IoT devices can simply connect to new guest network on separate network bridge. This bridge is created as soon as you configure new guest AP. The rest is only config and if you need some additonal iptables rules you can.

I have a second rt-ac86u working in media bridge mode. All clients must use LAN ports on this router but they connect to br0 LAN.

Thanks. I'll see if that topography will work for me. What APs are you using?

 

[Deleted member 62525]

In this context my AP is my main router. It provides wired secured br100 LAN (port 3,4) and is an AP for IoT devices at home (br0). Separate Guest WIFI (main router) is dedicated to IoT's that cannot access local network, only internet.
Second router acting as Media Bridge has only wired devices and its located in a basement. These devices are part of br0 LAN. Some of the devices on br0 have static IP's assign and this allows me better manage and secure them inside br0 network.

 

[rumi409]

In this context my AP is my main router. It provides wired secured br100 LAN (port 3,4) and is an AP for IoT devices at home (br0). Separate Guest WIFI (main router) is dedicated to IoT's that cannot access local network, only internet.
Second router acting as Media Bridge has only wired devices and its located in a basement. These devices are part of br0 LAN. Some of the devices on br0 have static IP's assign and this allows me better manage and secure them inside br0 network.

Got it. Thanks for the clarification.