Help setting up VLAN on ASUS RT-AC68U

I am operating my Asus 1900P (same F/W as AC68) as an AP only. I use pfSense as my router, and I was wondering if it is possible using this script to place the webgui interface in a separate VLAN from the LAN side?

Ideally in AP mode:
vlan 10: webgui
vlan 20: wifi and switch ports
vlan 30: guest wifi
 
Unfortunately AP mode is not supported - sorry.
 
Hi @Martineau,
Sorry for the late reply, but it has been a busy week.

Launching your script returns:
Code:
# ./VLANSwitch.sh 200 4 vlanfw

(VLANSwitch.sh): 3202 v1.27 Non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: SIOCSIFFLAGS: Cannot assign requested address

        (VLANSwitch.sh): 3202 VLAN 'vlan200' alias 'None200' (192.168.200.0/24) via Switch Port 4 created for downstream VLAN switch(s)

even after a router full reset.
It seems there's something wrong in how it tries to bring up the interface, but I'm still unable to pinpoint where the problem is.
At this point I cannot bring up the interface even by hand using the ifconfig ... up command; I always receive the same address error, and I have to use the 200 del command to be able to configure the VLAN by hand.

It seems to me that even the diag command shows no interesting points:

Code:
# ./VLANSwitch.sh 200 diag

        VLAN Switch Port 4 Configuration Diagnostics:


        'None200' vlan200 Robocfg Status
        ================================
   1: vlan1: 1 2 3 4t 5t
 200: vlan200: 4t 5t


        'None200' vlan200 Bridge Status
        ===============================



        'None200' vlan200 Status
        ========================
vlan200   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.200.1  P-t-P:192.168.200.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          alias None200


        'None200' vlan200 Statistics
        ============================
vlan200  VID: 200        REORDER_HDR: 1  dev->priv_flags: 1
         total frames received            0
          total bytes received            0
      Broadcast/Multicast Rcvd            0

      total frames transmitted            0
       total bytes transmitted            0
            total headroom inc            0
           total encap on xmit            0
Device: ppp0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

                Firewall rules
                ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 DROP       all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW
4        1   328 ACCEPT     udp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
5        0     0 ACCEPT     tcp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6        0     0 DROP       all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW
7       28  8186 ACCEPT     udp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
8        0     0 DROP       all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
3        0     0 DROP       all  --  br0    vlan200  0.0.0.0/0            0.0.0.0/0            state NEW
4        0     0 DROP       all  --  vlan200 br0     0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 ACCEPT     all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW

                DNS VPN rules
                =============


        NVRAM LAN interface configuration
        =================================



        RT-AC68U NVRAM Switch Port interface configuration
        ==================================================
vlan1ports=1 2 3 4 5*
lanports=1 2 3 4


        'None200' vlan200 ACTIVE devices (ARP only accurate within 60secs?)
        ===================================================================

The interesting point is that running
Code:
# ip link show
[...]
15: vlan200@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
    alias None200

seems to suggest that the interface is actually down, as suggested by the ifconfig failure.

As expected, running
Code:
# ifconfig
doesn't show any vlan200 interface.

Running what I believe are the same commands run by the script (robocfg, vconfig, ifconfig) by hand works and I can bring up the interface.
I'm not really into shell scripting, but I'm trying to understand the differences to spot where the error is. I hope I can help.

If you have any question/test you want me to perform please ask.

(regarding my dhcp issues, it seems your firewall rules work better than the ones that I tried, but I still have no definitive answer to this since I'm still working on the setup)
 
Can you try to create a different VLAN using the most basic invocation command request
(NOTE: You should be prompted for the 'autodnsmasq' directive)
Code:
./VLANSwitch.sh   99 

./VLANSwitch.sh   99   diag
 
I'm sorry but the error persisted:
Code:
# ./VLANSwitch.sh 99 autodnsmasq

(VLANSwitch.sh): 2720 v1.27 Non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: SIOCSIFFLAGS: Cannot assign requested address

        (VLANSwitch.sh): 2720 VLAN 'vlan99' alias 'None99' (192.168.99.0/24) via Switch Port 4 created for downstream VLAN switch(s)


# ./VLANSwitch.sh 99 diag

        VLAN Switch Port 4 Configuration Diagnostics:


        'None99' vlan99 Robocfg Status
        ==============================
   1: vlan1: 1 2 3 4t 5t
  99: vlan99: 4t 5t


        'None99' vlan99 Bridge Status
        =============================



        'None99' vlan99 Status
        ======================
vlan99    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.99.1  P-t-P:192.168.99.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          alias None99


        'None99' vlan99 Statistics
        ==========================
vlan99  VID: 99  REORDER_HDR: 1  dev->priv_flags: 1
         total frames received            0
          total bytes received            0
      Broadcast/Multicast Rcvd            0

      total frames transmitted            0
       total bytes transmitted            0
            total headroom inc            0
           total encap on xmit            0
Device: ppp0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

                Firewall rules
                ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 DROP       all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
3        0     0 DROP       all  --  br0    vlan99  0.0.0.0/0            0.0.0.0/0            state NEW
4        0     0 DROP       all  --  vlan99 br0     0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 ACCEPT     all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            state NEW

                DNS VPN rules
                =============


        NVRAM LAN interface configuration
        =================================



        RT-AC68U NVRAM Switch Port interface configuration
        ==================================================
vlan1ports=1 2 3 4 5*
lanports=1 2 3 4


        'None99' vlan99 ACTIVE devices (ARP only accurate within 60secs?)
        =================================================================
 
I suspect your WAN interface isn't 'eth0/vlan2/vlan3'... i.e. probably 'ppp0'?

Can you provide the output of the three commands:
Code:
nvram get wan0_ifname
nvram get wan0_gw_ifname
nvram get wan0_pppoe_ifname

as it appears the script attempted to create VLAN99 on 'pppX'
Code:
        'None99' vlan99 Status
        ======================
vlan99    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.99.1  P-t-P:192.168.99.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
 
I assume this is due to the fact that I'm connected via PPPoE: the router is connected to my (terrible) ISP modem/router configured in bridge mode (used to connect the old RJ11 phones). My connection is an FTTH type and the fiber is connected to my ISP modem using an Ethernet adapter.
The router is configured to tag the WAN connection using the vlan835 tag (using the IPTV router UI menu).

This is the commands output:
Code:
# nvram get wan0_ifname
vlan835
# nvram get wan0_gw_ifname
ppp0
# nvram get wan0_pppoe_ifname
ppp0

EDIT: add full "robocfg show" output from clean power on:
Code:
# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: yy:yy:yy:yy:yy:yy
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: zz:zz:zz:zz:zz:zz
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: tt:tt:tt:tt:tt:tt
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4t 5t
   2: vlan2: 0 5
  56: vlan56: 0t 2t 4t 5t 8t
  57: vlan57: 0t 2 3 5
  58: vlan58: 3t 5t 7t
  59: vlan59: 0t 3t 8u
  60: vlan60: 0 1 2t 3t 4t 5
  61: vlan61: 1 2 3t 4 7t 8t
  62: vlan62: 1 3t 7 8u
  99: vlan99: 4t 5t
 835: vlan835: 0t 5t
 
The script will attempt to identify your WAN interface using the three NVRAM variables shown above, and if the derived WAN interface choice is incorrect then the script will fail.

So the script (rightly or wrongly) assumed (due to the 2-to-1 vote) 'ppp0' is the WAN interface to use.
Confusingly, your OP 'rt-ac68u VLAN' indicates you successfully used the following in your script vlan-config.sh:
Code:
vconfig add eth0 200
So of the following - 'eth0', 'ppp0' or 'vlan835' - which is the correct WAN interface to use?
NOTE: The script still uses the deprecated 'vconfig' rather than the more verbose iproute2 command 'ip link add link ....'

If you try the following, what are the results?
Code:
vconfig add eth0 10
or
vconfig add ppp0 20
or
vconfig add vlan835 30
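
As an added example that is not part of VLANSwitch.sh or of this thread: a small POSIX shell sketch of the WAN-interface derivation described above (the majority vote over the three wan0_* NVRAM values), followed by the check a cautious script would make before calling vconfig/ifconfig at all: the chosen name must exist in the ip link output and carry the BROADCAST flag, so a point-to-point device such as ppp0 is rejected up front instead of producing the "Cannot assign requested address" failure seen earlier in the thread. The NVRAM values and the ip link excerpt are constructed inline (the eth0 and ppp0 lines are assumed, shaped like the thread's own output) so the sketch runs offline; on a router the real nvram get and ip link show calls would replace them.

```shell
#!/bin/sh
# Added example (not part of VLANSwitch.sh): reproduce the WAN-interface vote the
# thread describes, then validate the result before any vconfig/ifconfig call.
# Constructed stand-ins replace 'nvram get' and 'ip link show' so this runs offline.

# Constructed stand-in for the three 'nvram get wan0_*' values posted in the thread.
NVRAM_WAN0_IFNAME="vlan835"
NVRAM_WAN0_GW_IFNAME="ppp0"
NVRAM_WAN0_PPPOE_IFNAME="ppp0"

# Constructed excerpt shaped like 'ip link show'; the eth0 and ppp0 lines are
# assumed (the thread only shows the vlanNN@ppp0 child, which is POINTOPOINT).
IP_LINK_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
5: vlan835@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN mode DEFAULT'

# derive_wan_if A B C: the name occurring most often wins (the "2-to-1 vote");
# with three different names the choice is arbitrary, which is itself a reason
# to validate the result rather than trust it.
derive_wan_if() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$3" | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# validate_wan_if NAME: 0 if NAME exists in the link list and carries the
# BROADCAST flag. An 802.1Q child of a POINTOPOINT device (ppp0) ends up
# POINTOPOINT with a /32 mask, as the diagnostics in the thread show, and
# cannot be brought up ("SIOCSIFFLAGS: Cannot assign requested address").
validate_wan_if() {
    cand="$1"
    line=$(printf '%s\n' "$IP_LINK_SAMPLE" | awk -v n="$cand" '
        BEGIN { exact = n ":"; pref = "^" n "@" }
        $2 == exact || $2 ~ pref { print; exit }')
    [ -n "$line" ] || { echo "no such interface: $cand" >&2; return 1; }
    case "$line" in
        *'<'*BROADCAST*'>'*) return 0 ;;
        *) echo "$cand is not a broadcast (Ethernet-type) device" >&2; return 1 ;;
    esac
}

# choose_wan_if [OVERRIDE]: honour an explicit name (an override such as the
# thread's wanif= directive) or fall back to the NVRAM vote; in both cases
# refuse to go on with an unusable interface instead of letting
# vconfig/ifconfig fail later with a silenced error.
choose_wan_if() {
    if [ -n "$1" ]; then
        cand="$1"
    else
        cand=$(derive_wan_if "$NVRAM_WAN0_IFNAME" "$NVRAM_WAN0_GW_IFNAME" "$NVRAM_WAN0_PPPOE_IFNAME")
    fi
    validate_wan_if "$cand" || return 1
    printf '%s\n' "$cand"
}
```

With the sample data, choose_wan_if with no argument fails because the vote picks ppp0, while choose_wan_if eth0 (or vlan835) succeeds; a typo such as etho is caught by the existence check rather than surfacing later as an ifconfig error.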
 
So now this is embarrassing, I have no answer to your questions and honestly I didn't consider that at all, I just saw the things working using eth0. I am at the point where I know enough to be dangerous but still do things without fully understanding the details.
Running the commands, I get no errors:
Code:
# vconfig add eth0 10
# vconfig add ppp0 20
# vconfig add vlan835 30
but I think the error came from the ifconfig up, not the vconfig.

Also (vlan200 is currently configured manually on eth0):
Code:
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff

And running
Code:
# ifconfig vlan10 up
# ifconfig vlan20 up
ifconfig: SIOCSIFFLAGS: Cannot assign requested address
# ifconfig vlan30 up
gives an error only for the VLAN on ppp0.

Code:
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff

I think I have some other things to understand!!!
 
OK, so clearly auto-detecting the WAN interface in your environment fails.

I have never used the VLAN tagging profiles such as IPTV/UniFi Home etc, but I believe they can/do create a separate bridge 'br1' depending on the profile and will create unique VLANs for their own use.

So the best I can do is to allow you to manually override the auto-WAN interface detection that incorrectly chooses 'ppp0'
Code:
#           VLANSwitch  123 wanif=vlan3
#                       Switch port 4 will have vlan123 tagged to it, but the script will skip the auto WAN interface detection
#                       and explicitly use 'vlan3'
So you should be able to experiment with the modified script - Please Download v1.28b
Code:
./VLANSwitch.sh   99   del

./VLANSwitch.sh   99   wanif=vlan835

./VLANSwitch.sh   200   del

./VLANSwitch.sh   200   wanif=vlan835
 
I have never used the VLAN tagging profiles such as IPTV/UniFi Home etc, but I believe they can/do create a separate bridge 'br1' depending on the profile and will create unique VLANs for their own use.
I'm not sure that's the case, I see only br0:
Code:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.08626694ceb0       no              vlan1
                                                        eth1
                                                        eth2
but for sure it creates vlan835 on eth0.
I just discovered this:
Code:
# cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan1          | 1  | eth0
vlan835        | 835  | eth0
vlan200        | 200  | eth0

As you can see from the previous command output, I managed to build the VLAN using your script, but I had to specify wanif=eth0; using wanif=vlan835 apparently didn't work: my vlan200 devices (server + VM) didn't show up in the DHCP leases.

vlan835 configuration is set in menu LAN->IPTV->LAN port, selecting ISP profile as "manual setting" and Internet VID to 835 PRIO 0. I just saw that my ISP modem was configured with that vlan and searched on the internet how to apply the same setting to the ac68u. At the time I didn't really care about that, I just wanted to bypass the terrible ISP modem. Now I'm really curious to understand how this works.

Back to the script, for the moment it seems to work using this command:
Code:
# ./vlanswitch.sh 200 4 wanif=eth0 vlanfw [autodnsmasq]
Please let me know if I can perform some other tests or just give you more info about my configuration.

I'll let you know if I can understand something more about the different interfaces.
Thank you very much for your efforts, patience and kindness.
 
I'm not sure that's the case, I see only br0:
Code:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.08626694ceb0       no              vlan1
                                                        eth1
                                                        eth2
but for sure it creates vlan835 on eth0.

My point was if you opt for one of the IPTV GUI Profiles then it can create a separate bridge.
NOTE: My script will also allow you to create a VLAN bridge interface if it suits your requirements :)
As you can see from the previous command output, I managed to build the VLAN using your script, but I had to specify wanif=eth0; using wanif=vlan835 apparently didn't work: my vlan200 devices (server + VM) didn't show up in the DHCP leases.

Back to the script, for the moment it seems to work using this command:
Code:
# ./vlanswitch.sh 200 4 wanif=eth0 vlanfw [autodnsmasq]
Hopefully the 'status verbose' command shows relevant traffic statistics etc.?
Please let me know if I can perform some other tests or just give you more info about my configuration.
The script has been proven to work on several models, and given you had the RT-AC68U, I only suggested it might be of use to improve the firewall rules and perhaps provide (for novice users) a very quick and easy way to create/delete (multiple) VLANs without worrying about the command syntax used to create a standard VLAN.

Your environment is certainly perplexing, assuming that 'eth0' is the true WAN interface, but seemingly the NVRAM variables 'wan0_*' can no longer be relied upon to provide the interface name.:eek:

However, I think the new 'wanif=' directive should be an apt workaround for those in a similar environment, although I may update the script to report on the failing 'vconfig' command rather than silently ignore it as the script currently does.:oops::rolleyes:

Job done!:)
 
... although I may update the script to report on the failing 'vconfig' command rather than silently ignore it as the script currently does.:oops::rolleyes:
Please note it's not the vconfig add that's failing; it's the ifconfig vlanXX ... up that returns an error if the VLAN is added to the wrong interface (ppp0), because something goes wrong with the IP address. (Maybe due to the 255.255.255.255 netmask of the ppp0 interface? I have no idea.)

From what I see, all VLANs created by the router are added to the same eth0 interface, be it vlan1 or vlan835 added via the GUI. It seems to me that the real output interface is eth0 in any case.

I have some other things that I'm noticing looking for the differences between ppp0, vlan835 and eth0:
In iptables the system adds the same (or very similar) rules for ppp0 and vlan835:
Code:
*nat
[...]
-A PREROUTING -d 176.207.110.156/32 -j VSERVER
-A PREROUTING -d 169.254.141.254/32 -j VSERVER
[...]
-A POSTROUTING ! -s 176.207.110.156/32 -o ppp0 -j MASQUERADE
-A POSTROUTING ! -s 169.254.141.254/32 -o vlan835 -j MASQUERADE

*filter
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o vlan835 -j logdrop
The filter rule in particular seems to imply that the system doesn't want anything other than eth0 to forward data to vlan835.
From the router itself I cannot even ping a device on vlan200 when created using wanif=vlan835 (and I'm not sure why).

As a last note, I noticed that the script seems to leave some iptables chains and rules after using the del argument:
  • MyInput and MyVLANS chains are not deleted
  • MyInput rules are not deleted; creating and deleting VLANs without rebooting leads to rule multiplication.
Thank you again
 
Please note that's not the vconfig add that's failing, it's the ifconfig vlanXX ... up that returns error if the vlan is added to the wrong interface (ppp0)
I have no ideas
Clearly, if you read the code, the failure to add the VLAN to an invalid NVRAM-derived WAN interface, e.g. 'ppp0' (which occurs before the ifconfig), is deliberately silenced, as I assumed the only way the command request would fail is due to it already existing,

e.g. as per the comments
Code:
# We don't check if the VLAN is already UP etc, as this allows the script to re-apply the Firewall rules regardless!
# NOTE: 'vconfig' is deprecated by 'ip'
vconfig add $WAN_IF $VLAN_ID 2> /dev/null
However, now that the WAN interface can be manually passed to the script, v1.29b will prudently verify that the user hasn't made a typo

e.g. 'etho' rather than 'eth0'

and consequently (with the benefit of hindsight) will now also verify the NVRAM-derived WAN interface, and never get to execute the ill-fated 'vconfig/ifconfig' commands.
As a last note, I noticed that the script seems to leave some iptables chains and rules after using the del argument:
MyInput and MyVLANS chains are not deleted
I have 4 VLANs created during the boot sequence, hence the two chains are static and, as I personally no longer use the 'vlanfw' directive, consequently I have no need to physically delete either of the chains.

However, rather embarrassingly :oops:, I wasn't aware that the following 'vlanfw' sequence does indeed fail for only the 'MyInput' chain
Code:
./VLANSwitch.sh   123   4     vlanfw

./VLANSwitch.sh   123   del   vlanfw

+ Firewall -D MyInput 1 -i vlan123 -m state --state NEW -j DROP
+ /usr/sbin/iptables -D MyInput 1 -i vlan123 -m state --state NEW -j DROP
+ local RC=2
+ [ 2 -gt 0 ]
+ local FIREWALL_ERROR=2
Thanks for the heads-up, and the 'del vlanfw' issue will be fixed in v1.29b ;)
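
As an added example (not code from VLANSwitch.sh or from this thread), the pattern that addresses both the rule multiplication reported a few posts above and the RC=2 shown in the 'del vlanfw' trace: add a rule only after an iptables -C check says it is absent, and delete by rule specification in a loop until nothing matches. iptables -D accepts either a rule number or a specification, and supplying both ("-D MyInput 1 -i vlan123 ...") is rejected as a parameter error, which iptables signals with exit code 2. A constructed in-memory stub stands in for iptables so the logic runs offline; on a router, setting IPT=/usr/sbin/iptables selects the real binary (this assumes an iptables build that supports -C/--check).

```shell
#!/bin/sh
# Added example (not VLANSwitch.sh code): idempotent firewall-rule handling so
# repeated create/del runs neither multiply rules nor trip over an invalid -D.
# IPT defaults to a constructed in-memory stub so the logic runs offline;
# on a router, IPT=/usr/sbin/iptables selects the real binary.

RULEDB=${RULEDB:-${TMPDIR:-/tmp}/ipt_stub_rules.$$}
: > "$RULEDB"

# Constructed stub for the subset of iptables used below (-A, -C, -D with a
# rule specification). Rules are stored one per line as "CHAIN spec...";
# -C/-D return 1 when no identical rule exists, as iptables does.
ipt_stub() {
    op="$1"; chain="$2"; shift 2
    spec="$chain $*"
    case "$op" in
        -A) echo "$spec" >> "$RULEDB" ;;
        -C) grep -qxF "$spec" "$RULEDB" ;;
        -D) grep -qxF "$spec" "$RULEDB" || return 1
            awk -v s="$spec" '!done && $0 == s { done = 1; next } { print }' "$RULEDB" > "$RULEDB.tmp"
            mv "$RULEDB.tmp" "$RULEDB" ;;
        *)  echo "ipt_stub: unsupported option $op" >&2; return 2 ;;
    esac
}
IPT=${IPT:-ipt_stub}

# fw_add_once CHAIN SPEC...: append only if an identical rule is absent (-C),
# so re-running the 'create' path cannot multiply rules.
fw_add_once() { "$IPT" -C "$@" 2>/dev/null || "$IPT" -A "$@"; }

# fw_del_all CHAIN SPEC...: delete by specification until none is left.
# iptables -D takes EITHER a rule number OR a specification; passing both
# ("-D MyInput 1 -i vlan123 ...") is a parameter error (exit code 2), which
# matches the RC=2 in the thread's 'del vlanfw' trace.
fw_del_all() { while "$IPT" -D "$@" 2>/dev/null; do :; done; }

# fw_count_for IFACE: number of stored rules matching "-i IFACE" (stub-only
# helper for checking results; with real iptables use 'iptables -S CHAIN').
fw_count_for() { grep -c -- "-i $1 " "$RULEDB"; }

# The three per-VLAN rules the thread's 'vlanfw' directive installs in MyInput.
vlan_fw_up() {
    fw_add_once MyInput -i "$1" -p udp -m multiport --dports 53,67 -j ACCEPT
    fw_add_once MyInput -i "$1" -p tcp --dport 53 -j ACCEPT
    fw_add_once MyInput -i "$1" -m state --state NEW -j DROP
}
vlan_fw_down() {
    fw_del_all MyInput -i "$1" -p udp -m multiport --dports 53,67 -j ACCEPT
    fw_del_all MyInput -i "$1" -p tcp --dport 53 -j ACCEPT
    fw_del_all MyInput -i "$1" -m state --state NEW -j DROP
}
```

Calling vlan_fw_up vlan123 twice leaves exactly three rules for vlan123, and vlan_fw_down vlan123 removes them without touching rules for other VLAN interfaces; running the teardown again on an already-clean chain is a no-op rather than an error.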
 
Hi @Martineau,

May I get a copy of your script for my ASUS AC68U please?
I have a default configuration with LAN 192.168.1.0/24 - no changes from original settings.

I'd like just to create 2 VLANs on port 4, let's say vlan 100 and vlan 101, and I would like to use subnet 192.168.2.0/24 for vlan 100 and subnet 192.168.3.0/24 for vlan 101, along with the existing default subnet 192.168.1.0/24. Is it possible?

Between the clients (PC, NAS) and the router will be an unmanaged switch with VLAN tagging support.

Thanks!
 
I'd like to test this as well, if possible.
Thanks
 
Hello @Martineau

I've just joined this forum after reading this thread from top to bottom. You have been very useful here to plenty of people so far, so honestly, you deserve very big applause (at least) o_O

I'm wondering if you have shared this Bash script on GitHub or a similar version control system already; I believe you'd get a lot of stars, and other coders could even contribute to it!

If the above is not the case, I'd be delighted with the latest working copy of it :) - I can provide useful feedback if you want too :)

I have an AC-3200 running the latest stable AsusWRT as of now (384.11) and I want to tag my WAN interface traffic with 802.1Q frames (a.k.a. a trunk link) as well as other LAN interfaces (access interfaces) in order to isolate and segregate traffic from other devices and networks.

Awaiting your response, thanks in advance!
 
To the OP, thanks for the PM.

I have a main box (Sophos UTM) that's used for the home network control. On occasion I need to take it offline for maintenance and updates/upgrades. It would be great to be able to hook up the RT-AC68U in the interim to retain some level of internet.

I've already implemented this - https://github.com/bypassrg/att . The obi boxes reside on their own vlan. Would be nice if I can configure the asus box to provide dhcp/dns/nat/etc services to this vlan. I believe that's what this script enables.

Question, is it possible to define multiple vlans with the above services using this script?
 
@Martineau

I got to play with the script using a rt-ac68u.

My requirement is the following.

1) vlan 1 (default) untagged on all ports except lan port 2
2) vlan 3 tagged on ports 1, 3, 4
3) vlan 3 untagged on port 2
4) dhcp/dns services for vlan 3

The following would establish vlan 3 and set up dhcp/dns services

Code:
vlanswitch.sh 3 1 autodnsmasq

However, it removes vlan 1 untagged from port 1.

So, I used the following to bring it back.

Code:
./vlanswitch.sh 3 1 autodnsmasq
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 3 ports "1t 2 3t 4t 5t"

This works, but devices which get an IP on vlan1 before the VLAN is configured subsequently don't get an IP on vlan3. A workaround for this was to set the router's main DHCP server to a 120s timeout. Not the best solution.

Any suggestions for implementing what I want in a more robust way?
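
As an added example, not from this thread or from VLANSwitch.sh: when several VLANs share ports, as in the layout requested above, it is worth checking the switch table rather than assuming it. The functions below parse the VLAN section of robocfg show (the same format posted earlier in the thread) and report, per switch port, which VLANs it belongs to and whether tagged or untagged, so an access port can be verified to carry exactly one untagged VLAN. The table is constructed inline to match the intended end state of the post above (vlan1 untagged on 1, 3, 4; vlan3 tagged on 1, 3, 4 and untagged on 2; port 5 as the CPU trunk); on a router you would pipe the real robocfg show output in instead.

```shell
#!/bin/sh
# Added example (not from the thread or VLANSwitch.sh): parse the VLAN table
# printed by 'robocfg show' and report how each switch port is a member of each
# VLAN. The table is constructed in the thread's output format and reflects
# the requested layout (vlan1 untagged on 1,3,4; vlan3 tagged on 1,3,4 and
# untagged on 2; port 5 is the CPU trunk, vlan2/vlan835 the WAN side).
ROBOCFG_SAMPLE='VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 3 4 5t
   2: vlan2: 0 5
   3: vlan3: 1t 2 3t 4t 5t
 835: vlan835: 0t 5t'

# port_vlans PORT: one line "VID tagged|untagged" per VLAN containing PORT.
# robocfg marks tagged membership with a trailing 't'; a bare port number or
# a trailing 'u' means untagged.
port_vlans() {
    printf '%s\n' "$ROBOCFG_SAMPLE" | awk -v p="$1" '
        BEGIN { pt = p "t"; pu = p "u" }
        /^ *[0-9]+: vlan[0-9]+:/ {
            vid = $1; sub(":", "", vid)
            for (i = 3; i <= NF; i++) {
                if ($i == p || $i == pu) print vid, "untagged"
                else if ($i == pt)       print vid, "tagged"
            }
        }'
}

# is_access_port PORT VID: true when PORT carries VID untagged and nothing
# else, i.e. a client on that port sees exactly one network and no tags.
is_access_port() { [ "$(port_vlans "$1")" = "$2 untagged" ]; }

# untagged_count PORT: a port with more than one untagged VLAN has an
# ambiguous PVID and should be flagged as a configuration error.
untagged_count() { port_vlans "$1" | awk '$2 == "untagged"' | wc -l | tr -d ' '; }
```

With the sample table, port_vlans 2 reports only "3 untagged" (a clean access port for vlan3), port_vlans 1 reports vlan1 untagged plus vlan3 tagged, and port 5 appears in all four VLANs, untagged in exactly one of them.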
 
