I am operating my Asus 1900P (same F/W as AC68) as an AP only. I use pfSense as my router, and I was wondering if it is possible using this script to place the webgui interface in a separate VLAN from the LAN side?
Ideally in AP mode:
vlan 10: webgui
vlan 20: wifi and switch ports
vlan 30: guest wifi
even after a full router reset.
It seems there's something wrong in how it tries to bring up the interface, but I'm still unable to pinpoint where the problem is.
At this point I cannot bring up the interface even by hand using the ifconfig ... up command; I always receive the same address error, and I have to use the 200 del command to be able to configure the VLAN by hand.
It seems to me that even the diag command shows no interesting points:
Code:
# ./VLANSwitch.sh 200 diag
VLAN Switch Port 4 Configuration Diagnostics:
'None200' vlan200 Robocfg Status
================================
1: vlan1: 1 2 3 4t 5t
200: vlan200: 4t 5t
'None200' vlan200 Bridge Status
===============================
'None200' vlan200 Status
========================
vlan200 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.200.1 P-t-P:192.168.200.1 Mask:255.255.255.255
POINTOPOINT MULTICAST MTU:1492 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
alias None200
'None200' vlan200 Statistics
============================
vlan200 VID: 200 REORDER_HDR: 1 dev->priv_flags: 1
total frames received 0
total bytes received 0
Broadcast/Multicast Rcvd 0
total frames transmitted 0
total bytes transmitted 0
total headroom inc 0
total encap on xmit 0
Device: ppp0
INGRESS priority mappings: 0:0 1:0 2:0 3:0 4:0 5:0 6:0 7:0
EGRESS priority mappings:
Firewall rules
==============
Chain MyInput (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- vlan200 * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,67
2 0 0 ACCEPT tcp -- vlan200 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 0 0 DROP all -- vlan200 * 0.0.0.0/0 0.0.0.0/0 state NEW
4 1 328 ACCEPT udp -- vlan200 * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,67
5 0 0 ACCEPT tcp -- vlan200 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
6 0 0 DROP all -- vlan200 * 0.0.0.0/0 0.0.0.0/0 state NEW
7 28 8186 ACCEPT udp -- vlan200 * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,67
8 0 0 DROP all -- vlan200 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain MyVLANs (1 references)
num pkts bytes target prot opt in out source destination
3 0 0 DROP all -- br0 vlan200 0.0.0.0/0 0.0.0.0/0 state NEW
4 0 0 DROP all -- vlan200 br0 0.0.0.0/0 0.0.0.0/0 state NEW
5 0 0 ACCEPT all -- vlan200 * 0.0.0.0/0 0.0.0.0/0 state NEW
DNS VPN rules
=============
NVRAM LAN interface configuration
=================================
RT-AC68U NVRAM Switch Port interface configuration
==================================================
vlan1ports=1 2 3 4 5*
lanports=1 2 3 4
'None200' vlan200 ACTIVE devices (ARP only accurate within 60secs?)
===================================================================
The interesting point is that running
Code:
# ip link show
[...]
15: vlan200@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
alias None200
seems to suggest that the interface is actually down, as suggested by the ifconfig failure.
As expected, running
Code:
# ifconfig
doesn't show any vlan200 interface.
Running what I believe are the same commands run by the script (robocfg, vconfig, ifconfig) by hand works and I can bring up the interface.
I'm not really into shell scripting, but I'm trying to understand the differences to spot where the error is; I hope I can help.
If you have any question/test you want me to perform please ask.
(regarding my dhcp issues, it seems your firewall rules work better than the ones that I tried, but I still have no definitive answer to this since I'm still working on the setup)
I assume this is due to the fact that I'm connected via PPPoE: the router is connected to my ISP's (terrible) modem/router configured in bridge mode (used to connect the old RJ11 phones). My connection is FTTH and the fiber is connected to my ISP modem using an ethernet adapter.
The router is configured to tag the WAN connection with the vlan835 tag (using the IPTV router UI menu).
This is the commands output:
Code:
# nvram get wan0_ifname
vlan835
# nvram get wan0_gw_ifname
ppp0
# nvram get wan0_pppoe_ifname
ppp0
EDIT: add full "robocfg show" output from clean power on:
Code:
# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xx:xx:xx:xx:xx:xx
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: yy:yy:yy:yy:yy:yy
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: zz:zz:zz:zz:zz:zz
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: tt:tt:tt:tt:tt:tt
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4t 5t
2: vlan2: 0 5
56: vlan56: 0t 2t 4t 5t 8t
57: vlan57: 0t 2 3 5
58: vlan58: 3t 5t 7t
59: vlan59: 0t 3t 8u
60: vlan60: 0 1 2t 3t 4t 5
61: vlan61: 1 2 3t 4 7t 8t
62: vlan62: 1 3t 7 8u
99: vlan99: 4t 5t
835: vlan835: 0t 5t
The script will attempt to identify your WAN interface using the three NVRAM variables shown above, and if the derived WAN interface choice is incorrect then the script will fail.
So the script (rightly or wrongly) assumed (due to the 2-to-1 vote) 'ppp0' is the WAN interface to use.
Confusingly, your OP rt-ac68u VLAN indicates you successfully used in your script
vlan-config.sh
Code:
vconfig add eth0 200
So of the following - 'eth0', 'ppp0' or 'vlan835' - which is the correct WAN interface to use?
NOTE: The script still uses the deprecated 'vconfig' rather than the more verbose iproute2 command 'ip link add link ....'
If you try the following, what are the results?
Code:
vconfig add eth0 10
or
vconfig add ppp0 20
or
vconfig add vlan835 30
So now this is embarrassing, I have no answer to your questions and honestly I didn't consider that at all, I just saw the things working using eth0. I am at the point where I know enough to be dangerous but still do things without fully understanding the details.
Running the commands I have no errors:
but I think the error came from the ifconfig up not the vconfig.
Also (vlan200 is currently configured manually on eth0):
Code:
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
And running
Code:
# ifconfig vlan10 up
# ifconfig vlan20 up
ifconfig: SIOCSIFFLAGS: Cannot assign requested address
# ifconfig vlan30 up
gives error only for the vlan on ppp0.
Code:
# ip link show
[...]
14: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
15: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
16: vlan20@ppp0: <POINTOPOINT,MULTICAST> mtu 1492 qdisc noop state DOWN mode DEFAULT
link/ether 00:00:00:00:00:00 peer 00:00:00:00:00:00
17: vlan30@vlan835: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 08:62:66:94:ce:b0 brd ff:ff:ff:ff:ff:ff
OK, so clearly auto-detecting the WAN interface in your environment fails.
I have never used the VLAN tagging profiles such as IPTV/UniFi Home etc, but I believe they can/do create a separate bridge 'br1' depending on the profile and will create unique VLANs for their own use.
So the best I can do is to allow you to manually override the auto-WAN interface detection that incorrectly chooses 'ppp0'
Code:
# VLANSwitch 123 wanif=vlan3
# Switch port 4 will have vlan123 tagged to it, but the script will skip the auto WAN interface detection
# and explicitly use 'vlan3'
So you should be able to experiment with the modified script - Please Download v1.28b
Code:
./VLANSwitch.sh 99 del
./VLANSwitch.sh 99 wanif=vlan835
./VLANSwitch.sh 200 del
./VLANSwitch.sh 200 wanif=vlan835
I have never used the VLAN tagging profiles such as IPTV/UniFi Home etc, but I believe they can/do create a separate bridge 'br1' depending on the profile and will create unique VLANs for their own use.
Code:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.08626694ceb0       no              vlan1
                                                        eth1
                                                        eth2
but for sure it creates vlan835 on eth0.
I just discovered this:
Code:
# cat /proc/net/vlan/config
VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan1 | 1 | eth0
vlan835 | 835 | eth0
vlan200 | 200 | eth0
As you can see from the previous command output I managed to build the VLAN using your script, but had to specify wanif=eth0; using wanif=vlan835 apparently didn't work: my vlan200 devices (server + VM) didn't show up in the DHCP leases.
vlan835 configuration is set in menu LAN->IPTV->LAN port, selecting ISP profile as "manual setting" and Internet VID to 835 PRIO 0. I just saw that my ISP modem was configured with that vlan and searched on the internet how to apply the same setting to the ac68u. At the time I didn't really care about that, I just wanted to bypass the terrible ISP modem. Now I'm really curious to understand how this works.
Back to the script, for the moment it seems to work using this command:
My point was if you opt for one of the IPTV GUI Profiles then it can create a separate bridge.
NOTE: My script will also allow you to create a VLAN bridge interface if it suits your requirements
The script has been proven to work on several models, and given you had the RT-AC68U, I only suggested it might be of use to improve the firewall rules and perhaps provide (for novice users) a very quick and easy way to create/delete (multiple) VLANs without worrying about the command syntax used to create a standard VLAN.
Your environment is certainly perplexing, assuming that 'eth0' is the true WAN interface, but seemingly the NVRAM variables 'wan0_*' can no longer be relied upon to provide the interface name.
However, I think the new 'wanif=' directive should be an apt workaround for those in a similar environment, although I may update the script to report on the failing 'vconfig' command rather than silently ignore it as the script currently does.
Please note that it's not the vconfig add that's failing, it's the ifconfig vlanXX ... up that returns an error if the VLAN is added to the wrong interface (ppp0) because something goes wrong with the IP address. (Maybe due to the 255.255.255.255 netmask of the ppp0 itf? I have no idea)
From what I see, all VLANs created by the router are added to the same eth0 interface, be it vlan1 or vlan835 added via the GUI. It seems to me that the real output itf is eth0 in any case.
I have some other things that I'm noticing while looking for the differences between ppp0, vlan835 and eth0:
In iptables the system adds the same (or very similar) rules for ppp0 and vlan835:
Code:
*nat
[...]
-A PREROUTING -d 176.207.110.156/32 -j VSERVER
-A PREROUTING -d 169.254.141.254/32 -j VSERVER
[...]
-A POSTROUTING ! -s 176.207.110.156/32 -o ppp0 -j MASQUERADE
-A POSTROUTING ! -s 169.254.141.254/32 -o vlan835 -j MASQUERADE
*filter
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o vlan835 -j logdrop
Especially the filter rule seems to imply that the system doesn't want anything other than eth0 to forward data to vlan835.
From the router itself I cannot even ping a device on vlan200 when created using wanif=vlan835 (and I'm not sure why).
As a last note, I noticed that the script seems to leave some iptables chains and rules after using the del argument:
MyInput and MyVLANS chains are not deleted
MyInput rules are not deleted, creating and deleting vlans without rebooting leads to rules multiplication.
Please note that it's not the vconfig add that's failing, it's the ifconfig vlanXX ... up that returns an error if the VLAN is added to the wrong interface (ppp0)
I have no idea
Clearly, if you read the code, the failure to add the VLAN to an invalid NVRAM derived WAN interface e.g. 'ppp0' (which occurs before the ifconfig) is deliberately silenced as I assumed the only way the command request would fail is due to it already existing
e.g. as per the comments
Code:
# We don't check if the VLAN is already UP etc, as this allows the script to re-apply the Firewall rules regardless!
# NOTE: 'vconfig' is deprecated by 'ip'
vconfig add $WAN_IF $VLAN_ID 2> /dev/null
However, now that the WAN interface can be manually passed to the script, v1.29b will prudently verify that the user hasn't made a typo
e.g. 'etho' rather than 'eth0'
and consequently (with the benefit of hindsight) will now also verify the NVRAM derived WAN interface, and never get to execute the ill-fated 'vconfig/ipconfig' commands.
As a last note, I noticed that the script seems to leave some iptables chains and rules after using the del argument:
MyInput and MyVLANS chains are not deleted
I have 4 VLANs created during the boot sequence, hence the two chains are static and, as I personally no longer use the 'vlanfw' directive, I have no need to physically delete either of the chains.
However, rather embarrassingly, I wasn't aware that the following 'vlanfw' sequence does indeed fail for only the 'MyInput' chain
Code:
./VLANSwitch.sh 123 4 vlanfw
./VLANSwitch.sh 123 del vlanfw
+ Firewall -D MyInput 1 -i vlan123 -m state --state NEW -j DROP
+ /usr/sbin/iptables -D MyInput 1 -i vlan123 -m state --state NEW -j DROP
+ local RC=2
+ [ 2 -gt 0 ]
+ local FIREWALL_ERROR=2
Thanks for the heads-up, and the 'del vlanfw' issue will be fixed in v1.29b
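One way to do the WAN-interface pick and the v1.29b check described in the two posts above (the 2-to-1 vote over the three wan0_* NVRAM values, and the verification that the chosen or user-supplied name exists and is not 'ppp0' before vconfig/ifconfig run), as an added shell example that is not the script author's code; the tie-break order, the function names and the sample interface list are assumptions modelled on the outputs posted in this thread:

```shell
#!/bin/sh
# Added example, not VLANSwitch.sh code. It models the thread's WAN-interface
# pick (a 2-to-1 vote over the three wan0_* NVRAM values) and a v1.29b-style
# check that the chosen or user-supplied name exists and is not a PPP device,
# before any vconfig/ip link call. Vote order and helper names are assumptions.

# pick_wan_if IFNAME GW_IFNAME PPPOE_IFNAME: majority vote; ties keep wan0_ifname.
pick_wan_if() {
    if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then echo "$1"
    elif [ "$2" = "$3" ]; then echo "$2"
    else echo "$1"
    fi
}

# validate_wan_if NAME "known interfaces": 0 ok, 1 unknown name (e.g. 'etho'),
# 2 point-to-point device (ppp*), which cannot carry an 802.1Q sub-interface.
validate_wan_if() {
    found=0
    for i in $2; do
        if [ "$i" = "$1" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then return 1; fi
    case "$1" in ppp*) return 2 ;; esac
    return 0
}

# vlan_parent NAME CONFIG_TEXT: parent device of an 802.1Q interface, read from
# text in /proc/net/vlan/config format ("vlan835 | 835 | eth0").
vlan_parent() {
    printf '%s\n' "$2" | awk -v n="$1" -F'|' \
        '$1 ~ ("^" n " *$") { gsub(/ /, "", $3); print $3 }'
}

# vlan_add_cmd PARENT VID "known interfaces": print the iproute2 equivalent of
# 'vconfig add PARENT VID' only if PARENT validates; otherwise report why and
# return non-zero rather than silently discarding the error.
vlan_add_cmd() {
    rc=0
    validate_wan_if "$1" "$3" || rc=$?
    case "$rc" in
        1) echo "'$1' is not an interface on this router (typo?)" >&2; return 1 ;;
        2) echo "'$1' is point-to-point; 802.1Q needs the Ethernet parent" >&2; return 2 ;;
    esac
    echo "ip link add link $1 name vlan$2 type vlan id $2"
}

# Constructed sample data modelled on the outputs posted in the thread.
KNOWN_IFS="eth0 eth1 eth2 br0 vlan1 vlan835 ppp0"
SAMPLE_VLAN_CONFIG='VLAN Dev name | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan1 | 1 | eth0
vlan835 | 835 | eth0
vlan200 | 200 | eth0'

# With wan0_ifname=vlan835 and the two ppp0 values, the vote picks ppp0 and the
# check refuses it; the parent of vlan835 (eth0) is the name to pass as wanif=.
WAN=$(pick_wan_if vlan835 ppp0 ppp0)
vlan_add_cmd "$WAN" 200 "$KNOWN_IFS" || \
    vlan_add_cmd "$(vlan_parent vlan835 "$SAMPLE_VLAN_CONFIG")" 200 "$KNOWN_IFS"
```

On the router itself the known-interface list would come from `ls /sys/class/net` and the VLAN table from `cat /proc/net/vlan/config`; here both are embedded so the script runs offline.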
May I get a copy of your script for my ASUS AC68U please?
I have a default configuration with LAN 192.168.1.0/24, no changes from the original settings.
I'd just like to create 2 VLANs on port 4, let's say vlan 100 and vlan 101, and I would like to use subnet 192.168.2.0/24 for vlan 100 and subnet 192.168.3.0/24 for vlan 101, along with the existing default subnet 192.168.1.0/24. Is it possible?
Between the clients (PC, NAS) and the router there will be an unmanaged switch with VLAN tagging support.
I've just joined this forum after reading this thread from top to bottom. You have been very useful here to plenty of people so far, so honestly, you deserve very big applause (at least).
I'm wondering if you have shared this Bash script on GitHub or a similar version control system already; I believe you'd get a lot of stars, and other coders could even contribute to it!
If that's not the case, I'd be delighted with the latest working copy of it. I can provide useful feedback if you want, too.
I have an AC-3200 running the latest stable AsusWRT as of now (384.11) and I want to tag my WAN interface traffic with 802.1Q frames (a.k.a. a trunk link) as well as other LAN interfaces (access interfaces) in order to isolate and segregate traffic from other devices and networks.
I have a main box (Sophos UTM) that's used for the home network control. On occasion I need to take it offline for maintenance and updates/upgrades. It would be great to be able to hook up the RT-AC68U in the interim to retain some level of internet.
I've already implemented this - https://github.com/bypassrg/att . The obi boxes reside on their own vlan. Would be nice if I can configure the asus box to provide dhcp/dns/nat/etc services to this vlan. I believe that's what this script enables.
Question, is it possible to define multiple vlans with the above services using this script?
1) vlan 1 (default) untagged on all ports except lan port 2
2) vlan 3 tagged on ports 1, 3, 4
3) vlan 3 untagged on port 2
4) dhcp/dns services for vlan 3
The following would establish vlan 3 and set up dhcp/dns services
This works, but devices which get an IP on vlan1 before vlan3 is configured subsequently don't get an IP on vlan3. A workaround for this was to set the router's main DHCP server to a 120s timeout. Not the best solution.
Any suggestions for implementing what I want in a more robust way?