Menu
What's new
By:
Filters Better Search

Help setting up VLAN on ASUS RT-AC68U

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I am operating my Asus 1900P (same F/W as AC68) as an AP only. I use pfSense as my router, and I was wondering if it is possible using this script to place the webgui interface in a separate VLAN from the LAN side?

Ideally in AP mode:
vlan 10: webgui
vlan 20: wifi and switch ports
vlan 30: guest wifi
 
IsaacFL said:
I am operating my Asus 1900P (same F/W as AC68) as an AP only. I use pfSense as my router, and I was wondering if it is possible using this script to place the webgui interface in a separate VLAN from the LAN side?

Ideally in AP mode:
vlan 10: webgui
vlan 20: wifi and switch ports
vlan 30: guest wifi
Click to expand...

Unfortunately AP mode is not supported - sorry.
 
Hi @Martineau,
sorry for the late reply but has been a busy week.

Launching your script returns:
Code: 
# ./VLANSwitch.sh 200 4 vlanfw

(VLANSwitch.sh): 3202 v1.27 Non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: SIOCSIFFLAGS: Cannot assign requested address

        (VLANSwitch.sh): 3202 VLAN 'vlan200' alias 'None200' (192.168.200.0/24) via Switch Port 4 created for downstream VLAN switch(s)

even after a router full reset.
It seems there's something wrong in how it tries to bring up the interface, but I'm still unable to pinpoint where's the problem.
At this point I cannot turn up the interface even by hand using the ifconfig ... up command, I always receive the same address error, I have to use the 200 del command to be able to configure the vlan by hand.

It seems to me that even the diag command shows no interesting points:

Code: 
# ./VLANSwitch.sh 200 diag

        VLAN Switch Port 4 Configuration Diagnostics:


        'None200' vlan200 Robocfg Status
        ================================
   1: vlan1: 1 2 3 4t 5t
 200: vlan200: 4t 5t


        'None200' vlan200 Bridge Status
        ===============================



        'None200' vlan200 Status
        ========================
vlan200   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.200.1  P-t-P:192.168.200.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          alias None200


        'None200' vlan200 Statistics
        ============================
vlan200  VID: 200        REORDER_HDR: 1  dev->priv_flags: 1
         total frames received            0
          total bytes received            0
      Broadcast/Multicast Rcvd            0

      total frames transmitted            0
       total bytes transmitted            0
            total headroom inc            0
           total encap on xmit            0
Device: ppp0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

                Firewall rules
                ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 DROP       all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW
4        1   328 ACCEPT     udp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
5        0     0 ACCEPT     tcp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6        0     0 DROP       all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW
7       28  8186 ACCEPT     udp  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
8        0     0 DROP       all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
3        0     0 DROP       all  --  br0    vlan200  0.0.0.0/0            0.0.0.0/0            state NEW
4        0     0 DROP       all  --  vlan200 br0     0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 ACCEPT     all  --  vlan200 *       0.0.0.0/0            0.0.0.0/0            state NEW

                DNS VPN rules
                =============


        NVRAM LAN interface configuration
        =================================



        RT-AC68U NVRAM Switch Port interface configuration
        ==================================================
vlan1ports=1 2 3 4 5*
lanports=1 2 3 4


        'None200' vlan200 ACTIVE devices (ARP only accurate within 60secs?)
        ===================================================================

The interesting point is that running
Code: 
# ip link show
[...]
15: vlan200@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
    alias None200

seems to suggest that the interface is actually down, as suggested by the ifconfig failure.

As expected, running
Code: 
# ifconfig
doesn't show any vlan200 interface.

Running what I believe are the same commands run by the script (robocfg, vconfig, ifconfig) by hand works and I can bring up the interface.
I'm not really into shell scripting but I'm trying to understand the differences to spot where's the error, I hope I can help.

If you have any question/test you want me to perform please ask.

(regarding my dhcp issues, it seems your firewall rules work better than the ones that I tried, but I still have no definitive answer to this since I'm still working on the setup)
 
nonno said:
Hi @Martineau,
sorry for the late reply but has been a busy week.

Launching your script returns:
Code: 
# ./VLANSwitch.sh 200 4 vlanfw

(VLANSwitch.sh): 3202 v1.27 Non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: SIOCSIFFLAGS: Cannot assign requested address

        (VLANSwitch.sh): 3202 VLAN 'vlan200' alias 'None200' (192.168.200.0/24) via Switch Port 4 created for downstream VLAN switch(s)

even after a router full reset.
Click to expand...

Can you try to create a different VLAN using most basic invocation command request
(NOTE: You should be prompted for the 'autodnsmasq' directive)
Code: 
./VLANSwitch.sh   99 

./VLANSwitch.sh   99   diag
 
I'm sorry but the error persisted:
Code: 
# ./VLANSwitch.sh 99 autodnsmasq

(VLANSwitch.sh): 2720 v1.27 Non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: SIOCSIFFLAGS: Cannot assign requested address

        (VLANSwitch.sh): 2720 VLAN 'vlan99' alias 'None99' (192.168.99.0/24) via Switch Port 4 created for downstream VLAN switch(s)


# ./VLANSwitch.sh 99 diag

        VLAN Switch Port 4 Configuration Diagnostics:


        'None99' vlan99 Robocfg Status
        ==============================
   1: vlan1: 1 2 3 4t 5t
  99: vlan99: 4t 5t


        'None99' vlan99 Bridge Status
        =============================



        'None99' vlan99 Status
        ======================
vlan99    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.99.1  P-t-P:192.168.99.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          alias None99


        'None99' vlan99 Statistics
        ==========================
vlan99  VID: 99  REORDER_HDR: 1  dev->priv_flags: 1
         total frames received            0
          total bytes received            0
      Broadcast/Multicast Rcvd            0

      total frames transmitted            0
       total bytes transmitted            0
            total headroom inc            0
           total encap on xmit            0
Device: ppp0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

                Firewall rules
                ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 DROP       all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
3        0     0 DROP       all  --  br0    vlan99  0.0.0.0/0            0.0.0.0/0            state NEW
4        0     0 DROP       all  --  vlan99 br0     0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 ACCEPT     all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            state NEW

                DNS VPN rules
                =============


        NVRAM LAN interface configuration
        =================================



        RT-AC68U NVRAM Switch Port interface configuration
        ==================================================
vlan1ports=1 2 3 4 5*
lanports=1 2 3 4


        'None99' vlan99 ACTIVE devices (ARP only accurate within 60secs?)
        =================================================================
 
nonno said:
I'm sorry but the error persisted:
Code: 
# ./VLANSwitch.sh 99 autodnsmasq

(VLANSwitch.sh): 2720 v1.27 Non-Public Beta © 2016-2018 Martineau. VLAN configuration utility.


ifconfig: SIOCSIFFLAGS: Cannot assign requested address

        (VLANSwitch.sh): 2720 VLAN 'vlan99' alias 'None99' (192.168.99.0/24) via Switch Port 4 created for downstream VLAN switch(s)


# ./VLANSwitch.sh 99 diag

        VLAN Switch Port 4 Configuration Diagnostics:


        'None99' vlan99 Robocfg Status
        ==============================
   1: vlan1: 1 2 3 4t 5t
  99: vlan99: 4t 5t


        'None99' vlan99 Bridge Status
        =============================



        'None99' vlan99 Status
        ======================
vlan99    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.99.1  P-t-P:192.168.99.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          alias None99


        'None99' vlan99 Statistics
        ==========================
vlan99  VID: 99  REORDER_HDR: 1  dev->priv_flags: 1
         total frames received            0
          total bytes received            0
      Broadcast/Multicast Rcvd            0

      total frames transmitted            0
       total bytes transmitted            0
            total headroom inc            0
           total encap on xmit            0
Device: ppp0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

                Firewall rules
                ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 DROP       all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
3        0     0 DROP       all  --  br0    vlan99  0.0.0.0/0            0.0.0.0/0            state NEW
4        0     0 DROP       all  --  vlan99 br0     0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 ACCEPT     all  --  vlan99 *       0.0.0.0/0            0.0.0.0/0            state NEW

                DNS VPN rules
                =============


        NVRAM LAN interface configuration
        =================================



        RT-AC68U NVRAM Switch Port interface configuration
        ==================================================
vlan1ports=1 2 3 4 5*
lanports=1 2 3 4


        'None99' vlan99 ACTIVE devices (ARP only accurate within 60secs?)
        =================================================================
Click to expand...

I suspect your WAN interface isn't 'eth0/vlan2/vlan3'... i.e. probably 'ppp0'?

Can you provide the output of the three commands:
Code: 
nvram get wan0_ifname
nvram get wan0_gw_ifname
nvram get wan0_pppoe_ifname

as it appears the script attempted to create VLAN99 on 'pppX'
Code: 
        'None99' vlan99 Status
        ======================
vlan99    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.99.1  P-t-P:192.168.99.1  Mask:255.255.255.255
          POINTOPOINT MULTICAST  MTU:1492  Metric:1
 
I assume this is due to the fact that I'm connected via PPPoE: the router is connected to my isp (terrible) modem/router configured in bridge mode (used to connect the old phones rj11). My connection is a FTTH type and the fiber is connected to my isp modem using an ethernet adapter.
The router is configured to tag the wan connection using the vlan835 tag (using the IPTV router ui menu).

This is the commands output:
Code: 
# nvram get wan0_ifname
vlan835
# nvram get wan0_gw_ifname
ppp0
# nvram get wan0_pppoe_ifname
ppp0

EDIT: add full "robocfg show" output from clean power on:
Code: 
# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: yy:yy:yy:yy:yy:yy
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: zz:zz:zz:zz:zz:zz
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: tt:tt:tt:tt:tt:tt
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4t 5t
   2: vlan2: 0 5
  56: vlan56: 0t 2t 4t 5t 8t
  57: vlan57: 0t 2 3 5
  58: vlan58: 3t 5t 7t
  59: vlan59: 0t 3t 8u
  60: vlan60: 0 1 2t 3t 4t 5
  61: vlan61: 1 2 3t 4 7t 8t
  62: vlan62: 1 3t 7 8u
  99: vlan99: 4t 5t
 835: vlan835: 0t 5t
 
nonno said:
I assume this is due to the fact that I'm connected via PPPoE: the router is connected to my isp (terrible) modem/router configured in bridge mode (used to connect the old phones rj11). My connection is a FTTH type and the fiber is connected to my isp modem using an ethernet adapter.
The router is configured to tag the wan connection using the vlan835 tag (using the IPTV router ui menu).

This is the commands output:
Code: 
# nvram get wan0_ifname
vlan835
# nvram get wan0_gw_ifname
ppp0
# nvram get wan0_pppoe_ifname
ppp0
Click to expand...

The script will attempt to identify your WAN interface using the three NVRAM variables shown above, and if the derived WAN interface choice is incorrect then the script will fail.

So the script (rightly or wrongly) assumed (due to the 2-to-1 vote) 'ppp0' is the WAN interface to use.
Confusingly, your OP rt-ac68u VLAN indicates you successfully used in your script

vlan-config.sh
Code: 
vconfig add eth0 200
So of the following - 'eth0', 'ppp0' or 'vlan835' - which is the correct WAN interface to use?
NOTE: The script still uses the deprecated 'vconfig' rather than the more verbose iproute2 command 'ip link add link ....'

If you try the following, what are the results?
Code: 
vconfig add eth0 10
or
vconfig add ppp0 20
or
vconfig add vlan835 30
 
So now this is embarrassing, I have no answer to your questions and honestly I didn't consider that at all, I just saw the things working using eth0. I am at the point where I know enough to be dangerous but still do things without fully understanding the details.
Running the commands I have no errors:
Code: 
# vconfig add eth0 10
# vconfig add ppp0 20
# vconfig add lan835 30
but I think the error came from the ifconfig up not the vconfig.

Also (vlan200 is currently configured manually on eth0):
Code: 
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff

And running
Code: 
# ifconfig vlan10 up
# ifconfig vlan20 up
ifconfig: SIOCSIFFLAGS: Cannot assign requested address
# ifconfig vlan30 up
gives error only for the vlan on ppp0.

Code: 
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff

I think I have some other things to understand!!!
 
nonno said:
So now this is embarrassing, I have no answer to your questions and honestly I didn't consider that at all, I just saw the things working using eth0. I am at the point where I know enough to be dangerous but still do things without fully understanding the details.
Running the commands I have no errors:
Code: 
# vconfig add eth0 10
# vconfig add ppp0 20
# vconfig add lan835 30
but I think the error came from the ifconfig up not the vconfig.

Also (vlan200 is currently configured manually on eth0):
Code: 
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff

And running
Code: 
# ifconfig vlan10 up
# ifconfig vlan20 up
ifconfig: SIOCSIFFLAGS: Cannot assign requested address
# ifconfig vlan30 up
gives error only for the vlan on ppp0.

Code: 
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
    link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff

I think I have some other things to understand!!!
Click to expand...
OK, so clearly auto-detecting the WAN interface in your environment fails.

I have never used the VLAN tagging profiles such as IPTV/UniFi Home etc, but I believe they can/do create a separate bridge 'br1' depending on the profile and will create unique VLANs for their own use.

So the best I can do is to allow you to manually override the auto-WAN interface detection that incorrectly chooses 'ppp0'
Code: 
#           VLANSwitch  123 wanif=vlan3
#                       Switch port 4 will have vlan123 tagged to it, but the script will skip the auto WAN interface detection
#                       and explicitly use 'vlan3'
So you should be able to experiment with the modified script - Please Download v1.28b
Code: 
./VLANSwitch.sh   99   del

./VLANSwitch.sh   99   wanif=vlan835

./VLANSwitch.sh   200   del

./VLANSwitch.sh   200   wanif=vlan835
 
Martineau said:
I have never used the VLAN tagging profiles such as IPTV/UniFi Home etc, but I believe they can/do create a separate bridge 'br1' depending on the profile and will create unique VLANs for their own use.
Click to expand...
I'm not sure that's the case, I see only br0:
Code: 
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.08626694ceb0       no              vlan1
                                                        eth1
                                                        eth2
but for sure it creates vlan835 on eth0.
I just discovered this:
Code: 
# cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan1          | 1  | eth0
vlan835        | 835  | eth0
vlan200        | 200  | eth0

As you can see from the previous command output I managed to build the vlan using your script, but had to specify wanif=eth0, using wanif=vlan835 apparently didn't work: my vlan200 devices (server + VM) didn't show up in dhcp leases.

vlan835 configuration is set in menu LAN->IPTV->LAN port, selecting ISP profile as "manual setting" and Internet VID to 835 PRIO 0. I just saw that my ISP modem was configured with that vlan and searched on the internet how to apply the same setting to the ac68u. At the time I didn't really care about that, I just wanted to bypass the terrible ISP modem. Now I'm really curious to understand how this works.

Back to the script, for the moment it seems to work using this command:
Code: 
# ./vlanswitch.sh 200 4 wanif=eth0 vlanfw [autodnsmasq]
Please let me know if I can perform some other tests or just give you more infos about my configuration.

I'll let you know if I can understand something more about the different interfaces.
Thank you very much for your efforts, patience and kindness.
 
nonno said:
I'm not sure that's the case, I see only br0:
Code: 
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.08626694ceb0       no              vlan1
                                                        eth1
                                                        eth2
but for sure it creates vlan835 on eth0.
Click to expand...

My point was if you opt for one of the IPTV GUI Profiles then it can create a separate bridge.
NOTE: My script will also allow you to create a VLAN bridge interface if it suits your requirements :)
nonno said:
As you can see from the previous command output I managed to build the vlan using your script, but had to specify wanif=eth0, using wanif=vlan835 apparently didn't work: my vlan200 devices (server + VM) didn't show up in dhcp leases.

Back to the script, for the moment it seems to work using this command:
Code: 
# ./vlanswitch.sh 200 4 wanif=eth0 vlanfw [autodnsmasq]
Click to expand...
Hopefully the 'status verbose' command shows relevant traffic statistics etc.?
nonno said:
Please let me know if I can perform some other tests or just give you more infos about my configuration.
Click to expand...
The script has been proven to work on several models, and given you had the RT-AC68U, I only suggested it might be of use to improve the firewall rules and perhaps provide (for novice users) a very quick and easy way to create/delete (multiple) VLANs without worrying about the command syntax used to create a standard VLAN.

Your environment is certainly perplexing, assuming that 'eth0' is the true WAN interface, but seemingly the NVRAM variables 'wan0_*' can no longer be relied upon to provide the interface name.:eek:

However, I think the new 'wanif=' directive should be an apt workaround for those in a similar environment, although I may update the script to report on the failing 'vconfig' command rather than silently ignore it as the script currently does.:oops::rolleyes:

Job done!:)
 
Last edited:
Martineau said:
... although I may update the script to report on the failing 'vconfig' command rather than silently ignore it as the script currently does.:oops::rolleyes:
Click to expand...
Please note that's not the vconfig add that's failing, it's the ifconfig vlanXX ... up that returns error if the vlan is added to the wrong interface (ppp0) because something goes wrong with the ip address. (Maybe due to the 255.255.255.255 netmask of ppp0 itf? I have no ideas)

From what I see, all vlans created by the router are added to the same eth0 interface, being it vlan1 or vlan835 added via gui. It seems to me that the real output itf is the eth0 in any case.

I have some other things that I'm noticing looking for the differences between ppp0, vlan835 and eth0:
in iptables the system adds the same (or very similar) rules for ppp0 and vlan835:
Code: 
*nat
[...]
-A PREROUTING -d 176.207.110.156/32 -j VSERVER
-A PREROUTING -d 169.254.141.254/32 -j VSERVER
[...]
-A POSTROUTING ! -s 176.207.110.156/32 -o ppp0 -j MASQUERADE
-A POSTROUTING ! -s 169.254.141.254/32 -o vlan835 -j MASQUERADE

*filter
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o vlan835 -j logdrop
especially the filter rule seems to imply that the system doesn't want anything other eth0 to forward data to vlan835.
From the router itself I cannot even ping a device on vlan200 when created using wanif=vlan835 (and I'm not sure why).

As a last note, I noticed that the script seems to leave some iptables chains and rules after using the del argument:
  • MyInput and MyVLANS chains are not deleted
  • MyInput rules are not deleted, creating and deleting vlans without rebooting leads to rules multiplication.
Thank you again
 
nonno said:
Please note that's not the vconfig add that's failing, it's the ifconfig vlanXX ... up that returns error if the vlan is added to the wrong interface (ppp0)
I have no ideas
Click to expand...
Clearly, if you read the code, the failure to add the VLAN to an invalid NVAM derived WAN interface e.g. 'ppp0' (which occurs before the ifconfig) is deliberately silenced as I assumed the only way the command request would fail is due to it already existing

e.g. as per the comments
Code: 
# We don't check if the VLAN is already UP etc, as this allows the script to re-apply the Firewall rules regardless!
# NOTE: 'vconfig' is deprecated by 'ip'
vconfig add $WAN_IF $VLAN_ID 2> /dev/null
However, now that the WAN interface can be manually passed to the script, v1.29b will prudently verify that the user hasn't made a typo

e.g. 'etho' rather than 'eth0'

and consequently (with the benefit of hindsight) will now also verify the NVRAM derived WAN interface, and never get to execute the ill-fated 'vconfig/ipconfig' commands.
nonno said:
As a last note, I noticed that the script seems to leave some iptables chains and rules after using the del argument:
MyInput and MyVLANS chains are not deleted
Click to expand...
I have 4 VLANs created during the boot sequence, hence the two chains are static and, as I personally no longer use the 'vlanfw' directive, consequently I have no need to physically delete either of the chains.

However, rather embarrassingly :oops:, I wasn't aware that the following 'vlanfw' sequence does indeed fail for only the 'MyInput' chain
Code: 
./VLANSwitch.sh   123   4     vlanfw

./VLANSwitch.sh   123   del   vlanfw

+ Firewall -D MyInput 1 -i vlan123 -m state --state NEW -j DROP
+ /usr/sbin/iptables -D MyInput 1 -i vlan123 -m state --state NEW -j DROP
+ local RC=2
+ [ 2 -gt 0 ]
+ local FIREWALL_ERROR=2
Thanks for the heads-up, and the 'del vlanfw' issue will be fixed in v1.29b ;)
 
Hi @Martineau,

May i get the copy of your script for my ASUS ac68u please?
I have a default configuration with LAN 192.168.1.0/24 - no changes from original settings.

I'd like just to create 2 vlans on port 4 , let say vlan 100 and vlan 101, and i would like to use subnet 192.168.2.0/24 for vlan 100 and subnet 192.168.3.0/24 for vlan 101, along with exisitng default subnet 192.168.1.0/24. Is it possible?

Between the Clients (PC, NAS) and router will be unmanaged switch with vlan tagging support.

Thanks!
 
alexxel said:
Hi @Martineau,

May i get the copy of your script for my ASUS ac68u please?
I have a default configuration with LAN 192.168.1.0/24 - no changes from original settings.

I'd like just to create 2 vlans on port 4 , let say vlan 100 and vlan 101, and i would like to use subnet 192.168.2.0/24 for vlan 100 and subnet 192.168.3.0/24 for vlan 101, along with exisitng default subnet 192.168.1.0/24. Is it possible?

Between the Clients (PC, NAS) and router will be unmanaged switch with vlan tagging support.

Thanks!
Click to expand...
I'd like to test this as well, if possible.
Thanks
 
Hello @Martineau

I've just joined this forum after reading this thread from top to bottom. You have been very useful here to plenty of people so far, so honestly, you deserve very big applauses (at least) o_O

I'm wondering if you shared this Bash script in GitHub or similar Version Control System already, I believe you'd get a lot of stars and other coders can even contribute to it!

If the above is not the case, I'd be delighted with the latest working copy of it :) - I can provide useful feedback if you want too :)

I have an AC-3200 running the latest stable AsusWRT as of now (384.11) and I want to tag my WAN interface traffic with 802.1Q frames (a.k.a. trunk link) as well as other LAN interfaces (access interfaes) in order to isolate and segregate traffic from other devices and networks.

Awaiting your response, thanks in advance!
 
Last edited:
To the OP, thanks for the PM.

I have a main box (sophos utm) that's used for the home network control. On occasion I need to take it offline for maintenance and updates/upgrades. It would be great to be able to hook up the rt-ac68u in the interm to retain some level of internet.

I've already implemented this - https://github.com/bypassrg/att . The obi boxes reside on their own vlan. Would be nice if I can configure the asus box to provide dhcp/dns/nat/etc services to this vlan. I believe that's what this script enables.

Question, is it possible to define multiple vlans with the above services using this script?
 
@Martineau

I got to play with the script using a rt-ac68u.

My requirement is the following.

1) vlan 1 (default) untagged on all ports except lan port 2
2) vlan 3 tagged on ports 1, 3, 4
3) vlan 3 untagged on port 2
4) dhcp/dns services for vlan 3

The following would establish vlan 3 and set up dhcp/dns services

Code: 
vlanswitch.sh 3 1 autodnsmasq

However, it removes vlan 1 untagged from port 1.

So, I used the following to bring it back.

Code: 
./vlanswitch.sh 3 1 autodnsmasq
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 3 ports "1t 2 3t 4t 5t"

This works, but, devices which get an ip on vlan1 before vlan configures subsequently don't get an ip on vlan3. A work around this was to set the router's main dhcp server to 120s time out. Not the best solution.

Any suggestions for implementing what I want in a more robust way?
 
You must log in or register to reply here.

Similar threads

Siff
Setting dnsmasq on Asuswrt-Merlin
Replies
8
Views
775
Siff
Siff
Phantomski
Questions about VLAN support in 3006
Replies
5
Views
514
Tech9
Tech9
N
ET12 All Guest/IoT Devices go to main router
Replies
1
Views
521
nonnot
N
F
VLANs on AIMesh nodes, is this feasible today?
Replies
4
Views
853
fulvion75
F
R
Solved Help finding workarounds for a WiFi bridge repeater that doesn't support VLANs
Replies
3
Views
858
robca
R
Similar threads
Thread starter Title Forum Replies Date
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
R Need help setting up DLNA server Asuswrt-Merlin 8
A Solved Need help setting up DDNS for cloudflare Asuswrt-Merlin 6
el_pedr0 Please help me diagnose knotty routing problem Asuswrt-Merlin 0
staralfur12 Need help with Namecheap -> Router -> Caddy Asuswrt-Merlin 10
P Asus aimesh node disconnects frequently, corresponding log entries recorded. Need help understanding the log. Asuswrt-Merlin 5
V Asus RT-AX3000 Help Asuswrt-Merlin 5
StrikerXXX Need help configuring NextDNS Asuswrt-Merlin 14
L ASUS RT-AX5400 Help Asuswrt-Merlin 1
Sunny786 Help Needed: Configuring OpenVPN Server and Instant Guard on Asus GT-AX11000 with Technicolor CobraXh Modem Router Asuswrt-Merlin 11

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 823 (members: 21, guests: 802)
Top