Help setting up VLAN on ASUS RT-AC68U

@Martineau

I got to play with the script using a rt-ac68u.

My requirement is the following.

1) vlan 1 (default) untagged on all ports except lan port 2
2) vlan 3 tagged on ports 1, 3, 4
3) vlan 3 untagged on port 2
4) dhcp/dns services for vlan 3

The following would establish vlan 3 and set up dhcp/dns services

Code:
vlanswitch.sh 3 1 autodnsmasq

However, it removes vlan 1 untagged from port 1.

So, I used the following to bring it back.

Code:
./vlanswitch.sh 3 1 autodnsmasq
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 3 ports "1t 2 3t 4t 5t"

This works, but devices which get an IP on VLAN 1 before the VLAN is configured subsequently don't get an IP on VLAN 3. A workaround for this was to set the router's main DHCP server to a 120s timeout. Not the best solution.

Any suggestions for implementing what I want in a more robust way?

The script was originally written to assign multiple VLANs to a single switch port to support multiple downstream VLAN-aware switches.

I never needed/considered mapping a VLAN across several switch ports. :oops:

Clearly there are three options:

1. Don't use my script! - it's rubbish anyway! :p
2. Hack my script to statically define the VLANs for your environment.
3. Wait until v1.30 if I decide to allow the script to include this (complex) optional feature.

For Option 2, you can try and hack the section of code in the script where the new VLAN is created and VLAN1 is modified:

LINES 1348-1384
Code:
ROBO_PORT=$SWITCH_PORT

#if [ "$HARDWARE_MODEL" == "RT-AC56U" ];then
    #ROBO_PORT=$((SWITCH_PORT-1))
#fi
# The physical Switch port may be mapped to a different robocfg port
# e.g. RT-AC56U uses robocfg ports '0 1 2 3 5t' so physical Switch port '3' is robocfg port '2'
I=1

<snip>

else
    if [ "$(echo $@ | grep -cw 'utag')" -eq 0 ];then
        Edit_VLAN1 "Delete" $ROBO_PORT                      # set robocfg vlan 1 ports "1 2 3 4 5t" -> "1 3 4 5t"
        robocfg vlan $VLAN_ID ports "${ROBO_PORT} ${WAN_ROBOCFG_PORT}"
    else
        Edit_VLAN1 "Tag" $ROBO_PORT "u"                     # set robocfg vlan 1 ports "1 2 3 4 5t" -> "1 2 3 4u 5t"
        robocfg vlan $VLAN_ID ports "${ROBO_PORT}u ${WAN_ROBOCFG_PORT}"
    fi
 
fi
So you may replace Lines 1348 to 1384 with hard-coded robocfg commands for your specific VLANs
e.g.
Code:
case $VLAN in
    vlan3) robocfg vlan 1 ports "1 3 4 5t"
           robocfg vlan 3 ports "1t 2 3t 4t 5t"
           ;;
esac

EDIT: @gpz1100 Updated v1.30 script, so please see the PM download link if you wish to test it.

I decided to simply allow you to manually specify the switch ports you wish to use for VLAN1 and the new VLAN. (No user input validation is performed on the syntax!)

NOTE: It is recommended you stay away from single digit VLANs as some are reserved by Asus.

e.g. Using VLAN 80 rather than VLAN 3, I supplied your desired VLAN ports
NOTE: Because I'm lazy, you must specify a valid port number as a 'dummy' place-holder when using the 'robocfg=' directive :-(
Code:
./VLANSwitch.sh 80 4 autodnsmasq robocfg="1 3 4 5t,1t 2 3t 4t 5t"

(VLANSwitch.sh): 7255 v1.30 © 2016-2019 Martineau. VLAN configuration utility.

 (VLANSwitch.sh): 7255 VLAN 'vlan80' alias 'None80' (10.88.80.0/24) via Switch Ports ( 1t 2 3t 4t ) created

robocfg show

Switch: enabled
<snip>
VLANs: BCM5301x enabled mac_check mac_hash
   0: vlan0: 1 3 4 5t
   1: vlan1: 1 3 4 5t
   2: vlan2: 0 5
  20: vlan20: 4t 5t
  30: vlan30: 4t 5t
  40: vlan40: 4t 5t
  56: vlan56: 0 3 7t 8t
  57: vlan57: 0t 1 2t 4t 5t 8u
  58: vlan58: 1t 3t 5 7
  59: vlan59: 0 3t 5 8u
  60: vlan60: 0t 2 7t
  61: vlan61: 0 1 2t 5t 7t
  62: vlan62: 0 2
  80: vlan80: 1t 2 3t 4t 5t
 200: vlan200: 4t 5t
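Because the 'robocfg=' directive is passed through with no validation, here is an added sanity check (example code, not part of VLANSwitch.sh) that parses the "VLAN1PORTS,NEWVLANPORTS" string before it reaches robocfg. It assumes RT-AC68U-style port numbering (ports 0-8, 't'/'u' suffixes, CPU trunk port 5); the CPU port is an assumption you can override.

```shell
#!/bin/sh
# Added example, not part of VLANSwitch.sh: sanity-check the robocfg="VLAN1PORTS,NEWVLANPORTS"
# directive before handing it to robocfg, since the script itself performs no validation.
# Assumptions (constructed for this example, RT-AC68U-style numbering): valid robocfg ports are
# 0-8, a port may carry a 't' (tagged) or 'u' (untagged) suffix, and the CPU trunk port is 5
# (override with CPU_PORT=8 for models such as the RT-AC66U).
CPU_PORT="${CPU_PORT:-5}"

# Return 0 if every token in "$1" is a port number 0-8 with an optional t/u suffix.
valid_ports() {
    [ -n "$1" ] || return 1
    for tok in $1; do
        case "$tok" in
            [0-8]|[0-8]t|[0-8]u) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the port numbers in "$1" that are untagged (no suffix, or a 'u' suffix).
untagged_ports() {
    for tok in $1; do
        case "$tok" in
            *t) ;;
            *u) printf '%s ' "${tok%u}" ;;
            *)  printf '%s ' "$tok" ;;
        esac
    done
}

# check_robocfg_directive "1 3 4 5t,1t 2 3t 4t 5t"
# Returns 0 when both port lists are well-formed, no port is untagged in both VLANs (such a
# port gets DHCP from whichever VLAN answers first, the symptom described in this thread),
# and the CPU trunk port is tagged in both lists so the router itself can reach the VLAN.
check_robocfg_directive() {
    spec="$1"
    case "$spec" in
        *,*) ;;
        *) echo "expected two comma-separated port lists" >&2; return 1 ;;
    esac
    vlan1="${spec%%,*}"
    newvlan="${spec#*,}"
    valid_ports "$vlan1"   || { echo "bad VLAN1 port list: '$vlan1'" >&2; return 1; }
    valid_ports "$newvlan" || { echo "bad new VLAN port list: '$newvlan'" >&2; return 1; }
    for p in $(untagged_ports "$vlan1"); do
        case " $(untagged_ports "$newvlan") " in
            *" $p "*) echo "port $p is untagged in both VLANs" >&2; return 1 ;;
        esac
    done
    for list in "$vlan1" "$newvlan"; do
        case " $list " in
            *" ${CPU_PORT}t "*) ;;
            *) echo "port list '$list' lacks tagged CPU port ${CPU_PORT}t" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed usage: the directive from this thread passes; leaving port 2 untagged in VLAN1 fails.
check_robocfg_directive "1 3 4 5t,1t 2 3t 4t 5t" && echo "OK: directive is consistent"
check_robocfg_directive "1 2 3 4 5t,1t 2 3t 4t 5t" || echo "rejected as expected"
```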

For the VLAN 80 delete, optionally, you only need to supply the VLAN 1 ports that you wish to restore; if not supplied, then they remain as-is.

e.g. in my case, port 4 is my main VLAN trunk port
Code:
./VLANSwitch.sh 80 del robocfg="1 2 3 4t 5t"

(VLANSwitch.sh): 8146 v1.30 © 2016-2019 Martineau. VLAN configuration utility.

 (VLANSwitch.sh): 8146 VLAN 'vlan80' (alias 'None80') 10.88.80.0/24 via Switch Ports ( 1t 2 3t 4t ) DELETED.

robocfg show

Switch: enabled
<snip>
VLANs: BCM5301x enabled mac_check mac_hash
   0: vlan0: 1 3 4 5t
   1: vlan1: 1 2 3 4t 5t
   2: vlan2: 0 5
  20: vlan20: 4t 5t
  30: vlan30: 4t 5t
  40: vlan40: 4t 5t
  56: vlan56: 0 3 7t 8t
  57: vlan57: 0t 1 2t 4t 5t 8u
  58: vlan58: 1t 3t 5 7
  59: vlan59: 0 3t 5 8u
  60: vlan60: 0t 2 7t
  61: vlan61: 0 1 2t 5t 7t
  62: vlan62: 0 2
 200: vlan200: 4t 5t
 
Thanks for your reply.

I prefer to stick with vlan3. There are 2 other downstream boxes (also rt-ac68u's) with that vlan already defined. Not to mention the main UTM box is also making use of vlan3. Sure it can all be changed, but why reinvent the wheel. Damn IoT devices to hell!!

I'll give 1.30 a try later today.

Any thoughts, however, on dealing with the DHCP issue? That is, initially upon router reboot, devices on the different ports are assigned an address from vlan1's subnet, rather than the VLAN assignments made after your script runs.
 
Any thoughts, however, on dealing with the DHCP issue? That is, initially upon router reboot, devices on the different ports are assigned an address from vlan1's subnet, rather than the VLAN assignments made after your script runs.

1. Ensure VLANs are created as soon as possible during the boot.
2. Modify dnsmasq to assign reserved VLAN3 IPs to devices (perhaps I should helpfully explicitly add
'tag:' directives to the 'autodnsmasq' function :rolleyes:)

Not sure I've ever noticed/experienced the issue, but I would ensure that Option 1 is fully investigated/reviewed before tediously exploring Option 2.

For Option 2, I'm not sure if you can easily block a subset of devices (say by MAC address) from obtaining an IP address from VLAN1, so you will need to either manually assign VLAN3 IPs to the MAC address, or force them to only retrieve an IP from the VLAN3 IP address pool.
 
I haven't had time to try your suggestions but did try adding a static DHCP entry. It refused to add it, complaining of the IP being on a different subnet than the LAN. However, when added as a bogus entry, it did show up in nvram. I was able to edit it through the console to reflect the correct IP. The web UI has validation code apparently.

So option #1 above, how does one do that - services-start script?

On my UTM setup, the IP assignment is based on mac so regardless which vlan id the device is on, it'll still get the correct IP.

Forcing vlan3 on the obi device is possible via tagging (there's a vlan setting in the local webui). However, that can open up challenges if the device ever needs troubleshooting. I may effectively shoot myself in the foot.
 
I haven't had time to try your suggestions but did try adding a static DHCP entry. It refused to add it, complaining of the IP being on a different subnet than the LAN. However, when added as a bogus entry, it did show up in nvram. I was able to edit it through the console to reflect the correct IP.
You should read Wiki/documentation for Asuswrt-merlin given VLANSwitch.sh creates /jffs/configs/dnsmasq.conf.add see Replacing or appending content to config files

The web UI has validation code apparently.
Not surprising really as the firmware doesn't officially support VLAN subnets.

So option #1 above, how does one do that - services-start script?
Ideally you want the VLANs to be defined before dnsmasq starts.

So one-off events such as init-start or service-start should work, as I don't recall ever seeing the firmware arbitrarily flush any custom VLANs, although that's not to say this couldn't happen.

However, depending on your environment, if you are on firmware >v384.11, you could exploit the service event trigger script (see e.g. Run VLANSwitch.sh in Service Event script(s)) to check/define VLANs before dnsmasq (re)starts
Code:
custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
 
@Martineau

I tried inserting the proper vlanswitch.sh command line into a number of different scripts including the ones you suggest above. No go. No luck with static dhcp assignments on a different subnet either (via nvram).

Perhaps the service-event method (to prevent dnsmasq from starting in the first place) is the way to go but I couldn't find any samples of proper format/syntax. Maybe you can help with this.

In the mean time I came up with the following.

init-start
Code:
#!/bin/sh
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 3 ports "1t 2 3t 4t 5t"

This sets up the vlan definitions as early as possible and prevents the device on the untagged port from grabbing a vlan1 subnet ip.

Then, services-start has the following at the end of the existing script
Code:
/jffs/vlanswitch.sh 3 2 autodnsmasq robocfg="1 3 4 5t,1t 2 3t 4t 5t"
 
I came up with the following.
init-start
Code:
#!/bin/sh
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 3 ports "1t 2 3t 4t 5t"
This sets up the vlan definitions as early as possible and prevents the device on the untagged port from grabbing a vlan1 subnet ip.
Then, services-start has the following at the end of the existing script
Code:
/jffs/vlanswitch.sh 3 2 autodnsmasq robocfg="1 3 4 5t,1t 2 3t 4t 5t"
If your solution works, then I suggest you move on. :)
Perhaps the service-event method (to prevent dnsmasq from starting in the first place) is the way to go but I couldn't find any samples of proper format/syntax.
Maybe you can help with this.
service-event can either be based on the openvpn-event script (RMerlin Wiki, e.g. openvpn-event), where @john9527 kindly provided an
openvpn-event trigger script and you can choose which trigger script is executed, i.e. a separate discrete script for each unique event,
e.g. start-dnsmasq, stop-dnsmasq, restart-dnsmasq etc.

or you could retain the monolithic service-event style, where every service event is defined in-line.....

e.g.
Code:
#!/bin/sh

case $1 in
    *start)   # For both start and restart events
              case $2 in
                dnsmasq) /jffs/scripts/VLANSwitch.sh 3 2 autodnsmasq robocfg="1 3 4 5t,1t 2 3t 4t 5t";;
              esac
              ;;
    stop) :;;
    *)    :;;
esac
 
Hi, thanks for the VLANSwitch script.
It seems to work well on an RT-AC66U router, with "john9527's fork 374.43_39E3j9527", using "100 4 notag autodnsmasq wanif=eth0" as parameters.

Line "ip link set dev $VLAN alias $VLAN_ALIAS" is not supported (alias parameter); it gives "Error: either "dev" is duplicate, or "alias" is a garbage."
 
Hi, thanks for the VLANSwitch script.
It seems to work well on an RT-AC66U router, with "john9527's fork 374.43_39E3j9527", using "100 4 notag autodnsmasq wanif=eth0" as parameters.

Line "ip link set dev $VLAN alias $VLAN_ALIAS" is not supported (alias parameter); it gives "Error: either "dev" is duplicate, or "alias" is a garbage."

Many thanks for the feedback.

Whilst iproute2 is the Linux networking toolkit that replaced net-tools (ifconfig, vconfig, route, arp etc.), I tried to maintain backward compatibility with older models.

Could you post the output of
Code:
ip -V
NOTE: The alias directive (which assigns a human-readable descriptive tag to an interface) is only used to help identify the VLAN in reports, and is purely cosmetic:

e.g. I run multiple VLANs
Code:
ip -o link show

17: vlan20@eth0:  <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT \    link/ether ac:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff\    alias Media
18: vlan30@eth0:  <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT \    link/ether ac:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff\    alias IoT
21: vlan40@eth0:  <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT \    link/ether ac:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff\    alias Internet
24: vlan200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT \    link/ether ac:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff\    alias None200
 
Thanks for the clarification.
Output of ip -V is:
ip utility, iproute2-ss060323

By the way, robocfg in the default configuration for RT-AC66U shows:
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u
 
I'm not sure what issues you faced with the various other scripts/commands posted on the forum, but if you have the time and want to beta-test my script I can send you a link?

Hi, can you send the link to me please? I need some VLAN configuration for the internal LAN in my router.
 
Hello, could anyone please help and forward me a copy of "vlanswitch.sh" ? I'm trying to create vlan's on my ac68u and following this thread, but feeling a little confused right now :-(

Thanks :)
 
I just tried the VLANSwitch.sh but I get the error below. I have the RT-AC1900P which uses the same firmware as the RT-AC68U on the Asus-Merlin firmware site, which I installed and is working fine. The only difference is the CPU is a 1.4 GHz processor compared to the 800 MHz processor on the AC68U. I'm guessing if I add RT-AC1900P to this line it should work?

Code:
Line 1011:     RT-N66U|RT-AC56U|RT-AC68U|RT-AC5300|RT-AC66U|RT-AC66U_B1|RT-AC3200|)

Code:
-sh: ./vlanswitch.sh: not found
/jffs/scripts$ ./VLANSwitch.sh 30
(VLANSwitch.sh): 16824 ***ERROR Unsupported Router Model: RT-AC1900P

Ok I got it to work by adding in my router model.

I have a 10 port managed switch and I tagged port 1 to connect to the Asus router port 4.

Code:
./VLANSwitch.sh 30 autodnsmasq

Code:
/jffs/scripts$ ./VLANSwitch.sh 30 status verbose

    VLAN Switch Port 4 Configuration Status:

    'None30' vlan30 Robocfg Status
    ==============================
   1: vlan1: 1 2 3 4t 5t
  30: vlan30: 4t 5t

    'None30' vlan30 Bridge Status
    =============================

    'None30' vlan30 Status
    ======================
vlan30    Link encap:Ethernet  HWaddr 4C:ED:FB:XX:XX:F0
          inet addr:192.168.30.1  Bcast:192.168.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:966953 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1046590 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1072484374 (1022.8 MiB)  TX bytes:1070053953 (1020.4 MiB)

          alias None30

    'None30' vlan30 Statistics
    ==========================
vlan30  VID: 30     REORDER_HDR: 1  dev->priv_flags: 1
         total frames received       966954
          total bytes received   1072484536
      Broadcast/Multicast Rcvd         3619

      total frames transmitted      1046590
       total bytes transmitted   1070053953
            total headroom inc            0
           total encap on xmit         1360
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:

        Firewall rules
        ==============
Chain MyInput (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       19  3198 ACCEPT     udp  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        0     0 ACCEPT     tcp  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3      211 18427 DROP       all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain MyVLANs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        4   240 ACCEPT     all  --  vlan+  *       0.0.0.0/0            192.168.2.58         state NEW
4        2   104 DROP       all  --  br0    vlan+   0.0.0.0/0            0.0.0.0/0            state NEW
5        0     0 DROP       all  --  vlan+  br0     0.0.0.0/0            0.0.0.0/0            state NEW
6       17  1839 ACCEPT     all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW

        DNS VPN rules
        =============


    'None30' vlan30 ACTIVE devices (ARP only accurate within 60secs?)
    =================================================================
192.168.30.3    2c:fd:a1:XX:XX:e8    N/A        (?)

Code:
/jffs/scripts$ robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 44:07:0b:XX:XX:84
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 2c:fd:a1:XX:XX:e8
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 30:f9:ed:XX:XX:cc
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 30:f9:ed:XX:XX:cc
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 2c:fd:a1:XX:XX:e8
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 4c:ed:fb:XX:XX:f0
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4t 5t
   2: vlan2: 0 5
  30: vlan30: 4t 5t

I tested by plugging a computer into ports 2-10 on the switch and am able to get an IP on the 192.168.30.x subnet and can access the internet. If I plug into port 1 on the switch (the port I set to tagged) I get the 192.168.2.x IP subnet, same if I plug my computer directly into port 4 on the Asus router.

Is this working like it should according to the above? My VLAN1 was not able to ping the VLAN30 but maybe I have to set the route? I checked the help file many times and studied the code but I think the VLANSwitch 200 lanip=192.168.1.100,192.168.1.200 is only to get the VLAN30 to talk to VLAN1.



@Martineau Thanks for this awesome script! I'm close to getting my router the way I want it to.
 
I'm guessing if I add RT-AC1900P to Line 1011: it should work?
Code:
RT-N66U|RT-AC56U|RT-AC68U|RT-AC5300|RT-AC66U|RT-AC66U_B1|RT-AC3200)
change to
RT-N66U|RT-AC56U|RT-AC68U|RT-AC5300|RT-AC66U|RT-AC66U_B1|RT-AC3200|RT-AC1900P)
Yes, if the hardware is truly identical (apart from the increase in CPU speed) the correct firmware hardware model description should be appended to the line in the script.

Check the NVRAM variables
Code:
nvram get odmpid
nvram get productid
to identify the actual hardware model.

i.e. if the 'odmpid' NVRAM variable is not blank then its value should be used, otherwise use the NVRAM 'productid' value.
 
Code:
/jffs/scripts$ nvram get odmpid
RT-AC1900P

/jffs/scripts$ nvram get productid
RT-AC68U

I entered in RT-AC1900P and got it working. Does the status output look correct? I edited my post above thanks!
 
My VLAN1 was not able to ping the VLAN30 but maybe I have to set the route?

I checked the help file many times and studied the code but I think the VLANSwitch 200 lanip=192.168.1.100,192.168.1.200 is only to get the VLAN30 to talk to VLAN1.

The raison d'être for using VLANs is similar to the Guest networks i.e. keep devices (e.g. IoT ) on the new VLAN(s) isolated by default from the main LAN whilst still allowing internet access.

However, the 'lanip=' option is indeed a concession to be used to create an inbound firewall pin-hole from the new VLAN(s)

The script isn't very sophisticated (it's really only 5 commands with a bit of cosmetic diagnostic debugging added); consequently if you are able to 'study' and understand the code :D then you should be able to manually configure additional firewall rules.:p
 
Code:
/jffs/scripts$ nvram get odmpid
RT-AC1900P

/jffs/scripts$ nvram get productid
RT-AC68U

I entered in RT-AC1900P and got it working.
Thanks, I've added the RT-AC1900P model to my master-copy of the script.
 
Hi. I am wondering the same. How can I get the script? Thanks
I am trying to tag my guest WiFi and have it get DHCP from another router if possible.
The other router will be a MikroTik router without WiFi. Thanks
I have an ac68u
 