Help setting up VLAN on ASUS RT-AC68U

[joe scian]

Glad it works on your RT-AC5300 , and many thanks for the feedback.

Many thanks to you and your brilliant coding skills

 

[joe scian]

Hi Martineau

I ran WIFIVPN with commands wifivpn.sh wl0.1 novpn vlan1 autodnsmasq and this is what it produced:-

(wifivpn.sh): 32267 v1.05 © 2016-2018 Martineau, Guest WiFi Bridge request.....[wl0.1 novpn vlan1 autodnsmasq]
(wifivpn.sh): 32267 ***Warning Bridge 'br1' not defined in '/etc/dnsmasq.conf' - auto updating '/jffs/configs/dnsmasq.conf.add' with 'br1' statements.....
ifconfig: SIOCSIFFLAGS: Network is down
ifconfig: bad address '.1'
Sorry, rule does not exist.
Sorry, rule does not exist.
iptables v1.4.15: Invalid rule number `3
4'
Try `iptables -h' or 'iptables --help' for more information.
(wifivpn.sh): 32267 WiFi (wl0.1) 2.4GHz Guest 1 ASUS_Guest1 (.0/24) via bridge:br1

The contents of /etc/dnsmasq.conf are as follows:- ( the dns entry is incorrect? )
# Bridge br1 uses DHCP pool 192.168.101.2 - 192.168.101.20
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.20,255.255.255.0,14400s
dhcp-option=br1,3,192.168.101.1
dhcp-option=br1,6,192.168.101.1
dhcp-option=br1,252,"\n"

joescian@RT-AC5300-0680:/jffs/scripts# brctl show

bridge name bridge id STP enabled interfaces
br0 8000.d017c2ec0680 yes vlan1
wl1.1
wl2.1
br1 8000.d017c2ec0681 no wl0.1
vlan10

joescian@RT-AC5300-0680:/jffs/scripts# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: fc:5b:39:27:de:50
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: 10HD enabled stp: none vlan: 1 jumbo: off mac: 00:25:9b:9c:36:68
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: 00:05:fe:85:23:55
Port 4: 100FD enabled stp: none vlan: 1 jumbo: off mac: 7c:2f:80:b5:b8:ed
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 18:74:2e:9a:d2:bd
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 50:1a:c5:f6:9a:85
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: d0:17:c2:ec:06:80
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 2 3 4 5t 7 8t
2: vlan2: 0 8u
10: vlan10: 1t 8t

PS - I cant join ASUS_Guest1 - keeps coming up with wrong password even though its correct

 

[58chev]

However, I suggest you create a separate script such as my 'GS108E.sh' ... perhaps you could call it 'Cisco2960X.sh' as it makes it more convenient to manually manage ALL of the VLANs i.e. check the status/stats in one command:

Thank you SIR. You have been a tremendous help.

Another stupid question.
Do I call this script from firewall-start?

 

[Martineau]

Thank you SIR. You have been a tremendous help.

Another stupid question.
Do I call this script from firewall-start?

"Never stupid questions...only stupid answers"

In an ideal world, you would only need to create the VLANs once during the boot process, so init-start or services-start would be preferred.
However, depending on the environment, firewall-start and nat-start can fire more than once during the boot process

I personally use nat-start (I posted a template that includes code to ensure the nat-start script only runs once during the boot process) to call my GS108E.sh VLAN management script.

 

[Martineau]

Many thanks to you and your brilliant coding skills

I bet you now regret posting that!

I ran WIFIVPN with commands wifivpn.sh wl0.1 novpn vlan1 autodnsmasq and this is what it produced:-

(wifivpn.sh): 32267 v1.05 © 2016-2018 Martineau, Guest WiFi Bridge request.....[wl0.1 novpn vlan1 autodnsmasq]
(wifivpn.sh): 32267 ***Warning Bridge 'br1' not defined in '/etc/dnsmasq.conf' - auto updating '/jffs/configs/dnsmasq.conf.add' with 'br1' statements.....
ifconfig: SIOCSIFFLAGS: Network is down
ifconfig: bad address '.1'
Sorry, rule does not exist.
Sorry, rule does not exist.
iptables v1.4.15: Invalid rule number `3
4'
Try `iptables -h' or 'iptables --help' for more information.
(wifivpn.sh): 32267 WiFi (wl0.1) 2.4GHz Guest 1 ASUS_Guest1 (.0/24) via bridge:br1

<snip>

PS - I cant join ASUS_Guest1 - keeps coming up with wrong password even though its correct

Always the way with lazy programming, in this case trying to make (VPN specific) code address a non-VPN problem it wasn't originally designed for.

So if you remove the invalid dross from '/jffs/configs/dnsmasq.conf.add', and run

wifivpn.sh   wl0.1   novpn   autodnsmasq

Hopefully the script should now work - albeit without the additional Port 1 VLAN10 mapped to to WiFi 2.4Ghz Guest #1.

The error

iptables v1.4.15: Invalid rule number 3'   4'

implies that there are duplicate conflicting rules so the script fails to insert its rule in the appropriate place and fails.

I suspect perhaps you didn't delete VLAN10 having already used:

./VLANSwitch.sh 10 bridge notag

and WiFIVPN.sh didn't expect it? ,so I may decide to revert back to my original design and modify VLANSwitch.sh to bind to either a WiFi VPN bridge (as originally designed) , or add a new option (say 'bind=br10') to allow binding to the non-VPN bridge.

EDIT: Just tested on RT-AC56U (no previous VLANs) and script didn't fail with any errors....​

./WiFiVPN.sh wl0.1 novpn vlan1 notag autodnsmasq

(WiFiVPN.sh): 678 v1.05 © 2016-2018 Martineau, Guest WiFi Bridge request.....[wl0.1 novpn vlan1 autodnsmasq]

(WiFiVPN.sh): 678 WiFi (wl0.1) 2.4GHz Guest 1 G241 (192.168.101.0/24) via bridge:br1

robocfg show

Switch: enabled
<snip>
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 2 3 5t
   2: vlan2: 4 5
  10: vlan10: 1 5t
  56: vlan56: 0 1t 4t 5 7
  57: vlan57: 1 2t 3 4t 5t
  58: vlan58: 4 5 7t
  59: vlan59: 3 4t 7 8t
  60: vlan60: 1 2 3t 5t 8u
  61: vlan61: 3 5t
  62: vlan62: 0 3 7t 8u

brctl show

bridge name bridge id  STP enabled interfaces
br0  8000.acxxxxxxx yes  vlan1
                         eth1
                         eth2
br1  8000.aczzzzzzzz no  wl0.1
                         vlan10

 

[joe scian]

I bet you now regret posting that!

Always the way with lazy programming, in this case trying to make (VPN specific) code address a non-VPN problem it wasn't originally designed for.

So if you remove the invalid dross from '/jffs/configs/dnsmasq.conf.add', and run

wifivpn.sh   wl0.1   novpn   autodnsmasq

Hopefully the script should now work - albeit without the additional Port 1 VLAN10 mapped to to WiFi 2.4Ghz Guest #1.

The error

iptables v1.4.15: Invalid rule number 3'   4'

implies that there are duplicate conflicting rules so the script fails to insert its rule in the appropriate place and fails.

I suspect perhaps you didn't delete VLAN10 having already used:

./VLANSwitch.sh 10 bridge notag

and WiFIVPN.sh didn't expect it? ,so I may decide to revert back to my original design and modify VLANSwitch.sh to bind to either a WiFi VPN bridge (as originally designed) , or add a new option (say 'bind=br10') to allow binding to the non-VPN bridge.

EDIT: Just tested on RT-AC56U (no previous VLANs) and script didn't fail with any errors....​

./WiFiVPN.sh wl0.1 novpn vlan1 notag autodnsmasq

(WiFiVPN.sh): 678 v1.05 © 2016-2018 Martineau, Guest WiFi Bridge request.....[wl0.1 novpn vlan1 autodnsmasq]

(WiFiVPN.sh): 678 WiFi (wl0.1) 2.4GHz Guest 1 G241 (192.168.101.0/24) via bridge:br1

robocfg show

Switch: enabled
<snip>
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 2 3 5t
   2: vlan2: 4 5
  10: vlan10: 1 5t
  56: vlan56: 0 1t 4t 5 7
  57: vlan57: 1 2t 3 4t 5t
  58: vlan58: 4 5 7t
  59: vlan59: 3 4t 7 8t
  60: vlan60: 1 2 3t 5t 8u
  61: vlan61: 3 5t
  62: vlan62: 0 3 7t 8u

brctl show

bridge name bridge id  STP enabled interfaces
br0  8000.acxxxxxxx yes  vlan1
                         eth1
                         eth2
br1  8000.aczzzzzzzz no  wl0.1
                         vlan10

Thanks Martineau

BTW no regrets whatsoever on my statement - you are a brilliant coder - period.

 

[FalconB]

So, I'm back again, alive and kicking! And I'm happy to say that my router seems to be back in its full glory after a factory reset . Don't know what happened to it, but it's performing as expected for now .

So, back to business!

First of all, a big thanks to @Martineau for supporting me through my struggles with my router and the script! Hopefully the future won't be as troubelsome. Going back to where it all started, I'm interested in creating a spearate subnet connected through an unmanaged switch to my router's LAN port 4. I don't want this IoT-net to have access to my personal LAN. However I would like to be able to reach the IoT-devices from my personal LAN (to be able to configure them) and I would also like the IoT-devices to be able to use DNSCrypt (running on the router). What command (if any) should I run to acheive this (I realize that this script only is a part of the complete solution).

(Oh, and by now it's probably obvious that my knowledge in dnsmasq and such things are limited, to say the least ).

 

[Martineau]

So, I'm back again, alive and kicking! And I'm happy to say that my router seems to be back in its full glory after a factory reset

Good to hear...yet again proof (if proof were needed) that a 'factory reset' works wonders

I'm interested in creating a spearate subnet connected through an unmanaged switch to my router's LAN port 4.

What command (if any) should I run to acheive this

Unfortunately the command remains the same...the one that apparently causes your router to crash

./VLANSwitch.sh   40   bridge   notag

but @joe scian has used the 'bridge notag' method successfully.

P.S. I suggest you download the latest version, although the latest release just adds additional routers to be supported.

 

[FalconB]

@Martineau: Well, at least my router didn't hang (yay!), but the command gave the following error:

(VLANSwitch.sh): 20747 ***ERROR Bridge brbridge0 (vlan144) via Switch Port 4 not defined in '/etc/dnsmasq.conf' - (see 'VLANSwitch.sh' help)

Using version 1.21.

I wonder if it has to do with the other stuff I'm running on my router? Currently I'm running:

• Merlin 384.7
• Diversion with Pixelserv-tls
• DNSCrypt

Contents of my '/etc/dnsmasq.conf':

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
no-poll
no-negcache
cache-size=1500
min-port=4096
bogus-priv
domain-needed
dhcp-range=lan,192.168.1.230,192.168.1.250,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
interface=tun21
interface=tun22
trust-anchor=.,19036,8,2,XXXXXXX
trust-anchor=.,20326,8,2,XXXXXX
dnssec
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
server=127.0.0.1#65053
# start of Diversion directives #
addn-hosts=/opt/share/diversion/list/blacklist
addn-hosts=/opt/share/diversion/list/blockinglist
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# end of Diversion directives #

The directory '/jffs/configs' does not contain any files.

'robocfg show' returns:

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: XXX
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XXX
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: XXX
Port 3:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: XXX
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 5t
   2: vlan2: 0 5

'brctl show' returns:

bridge name     bridge id               STP enabled     interfaces
br0             8000.XXX                yes             vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1

It's almost like this was not meant to be !

EDIT: Spelling and formatting

 

[FalconB]

@Martineau: Restarting my router and running the command again yields:

 (VLANSwitch.sh): 1608 ***ERROR Invalid Switch Port 'brdige' - range 1-4 ONLY! RT-AC68U (RT-AC87U range 2-4!!!)

(By the way, is it a typo in the error message, 'brdige' instead of 'bridge'?)

'robocfg show', 'brctl show' give the same result as before. Still no files in '/jffs/configs' and the '/etc/dnsmasq.conf' is the same as before.

 

[Martineau]

 (VLANSwitch.sh): 1608 ***ERROR Invalid Switch Port 'brdige' - range 1-4 ONLY! RT-AC68U (RT-AC87U range 2-4!!!)

(By the way, is it a typo in the error message, 'brdige' instead of 'bridge'?)

No, the script simply echoes back what you typed and as it isn't a recognised keyword, it assumes it is the (optional) Port physical number.

One final attempt, I suggest (as per the PM), you ensure that you copy'n'paste the command from post #48 and run it in debug mode and please PM the debug trace output back to me.

 

[FalconB]

OMG ! So embarrassing and I'm really sorry for that! Will do a proper copy-paste to avoid any more basic mistakes. Once again, sorry for messing up (1000 x )! I have PM'd the output...

 

[FalconB]

OK folks,I finally got the script working. Basically, I had two issues:

1. My router had ended up in a confused state. The reason for that is unknown at the moment. It could have been my own trial'n'error, the script or something else that caused it to behave strange.
2. I can't type a simple command without a typo

So, this what I did to get it to work:

1. Did a factory reset on my router
2. Got feeback on my typing and thus entered the command correctly (through copy-paste)

So, since the script now works I would say that the script itself is/was NOT the cause of my initial problems. They were probably related to me doing stuff on the router that I didn't understood what they were doing. So, if you got the impression from my earlier posts/problems that script might cause your router to crash, it won't unless there's somethings already messed up.

I have learned my lesson: Don't try stuff that you don't know what it's doing without taking in to consideration that a factory reset may be necessary to make all things good again. As for the typo, I won't comment it further , just use copy-paste.



So the command I entered was:

./VLANSwitch.sh   40   bridge   notag    autodnsmasq

• This created a VLAN 144 on my router port 4. To that port I am now able to connect an unmanaged switch where I have a laptop connected which is now getting an ip-address through DHCP for the 192.168.144.x-net.
• The .144-net is isolated from the .1-net (private-net)
• I'm able to reach the .144-net from the .1-net

One issue that occured was that I got a DNS-leak on the .144-net. I'm using DNSCrypt on my router and its address were sent as DNS through the DHCP, but a openDNS and google-DNS address were also sent. This, I learned (from the guru himself, aka @Martineau), can be changed by editing the file '/jffs/configs/dnsmasq.conf.add'. Haven't tried it yet, but it should easily be fixed. (EDIT: I can now confirmed that it works!)

So that's where I stand now. I still need to read up on a few things (iptables and more) to complete my desired configuration, but I think I'll just pause for a while and enjoy the moment for now .

A big thanks to @Martineau for the script itself and the support and guidance through my VLAN-journey. Great work and thanks a million!

 

[Martineau]

OK folks,I finally got the script working. Basically, I had two issues:

1. My router had ended up in a confused state. The reason for that is unknown at the moment. It could have been my own trial'n'error, the script or something else that caused it to behave strange.
2. I can't type a simple command without a typo

So, this what I did to get it to work:

1. Did a factory reset on my router
2. Got feeback on my typing and thus entered the command correctly (through copy-paste)

So, since the script now works I would say that the script itself is/was NOT the cause of my initial problems. They were probably related to me doing stuff on the router that I didn't understood what they were doing. So, if you got the impression from my earlier posts/problems that script might cause your router to crash, it won't unless there's somethings already messed up.

I have learned my lesson: Don't try stuff that you don't know what it's doing without taking in to consideration that a factory reset may be necessary to make all things good again. As for the typo, I won't comment it further , just use copy-paste.



So the command I entered was:

./VLANSwitch.sh   40   bridge   notag    autodnsmasq

• This created a VLAN 144 on my router port 4. To that port I am now able to connect an unmanaged switch where I have a laptop connected which is now getting an ip-address through DHCP for the 192.168.144.x-net.
• The .144-net is isolated from the .1-net (private-net)
• I'm able to reach the .144-net from the .1-net

One issue that occured was that I got a DNS-leak on the .144-net. I'm using DNSCrypt on my router and its address were sent as DNS through the DHCP, but a openDNS and google-DNS address were also sent. This, I learned (from the guru himself, aka @Martineau), can be changed by editing the file '/jffs/configs/dnsmasq.conf.add'. Haven't tried it yet, but it should easily be fixed. (EDIT: I can now confirmed that it works!)

So that's where I stand now. I still need to read up on a few things (iptables and more) to complete my desired configuration, but I think I'll just pause for a while and enjoy the moment for now .

A big thanks to @Martineau for the script itself and the support and guidance through my VLAN-journey. Great work and thanks a million!

Many thanks for your comprehensive (and admirably honest 'confessional' ) feedback - it puts to shame those that can't be bothered to provide any at all.

Without your testing, I would have still remained ignorant of the timing issue. The weird thing is that apart from the now enforced 2-second delay (and added support for the non-RT-AC68U routers) the script has remained unchanged and working in my environments for at least a year but since DNS leaks/DNSSEC was not a concern/available when I originally wrote the script, restarting dnsmasq apparently now takes longer. Clearly the 2-second delay is dumb overkill, so I will probably try and reduce the enforced wait....or as you suggested, issue a 'please wait/be patient/the router isn't crashing' message!

Given your future 'advanced' design/topology requirements (once you have 'relaxed!)), then you may be better served by using a VLAN tagging capable downstream switch where additional ACL restriction may be applied to enforce client isolation within the new VLAN.

Good luck.

 

[octopus]

Many thanks for your comprehensive (and admirably honest 'confessional' ) feedback - it puts to shame those that can't be bothered to provide any at all.

Sorry I havent provide any feedback. I have familj issue to take care of at then moment. Sorry

 

[FalconB]

Many thanks for your comprehensive (and admirably honest 'confessional' ) feedback - it puts to shame those that can't be bothered to provide any at all.

Without your testing, I would have still remained ignorant of the timing issue. The weird thing is that apart from the now enforced 2-second delay (and added support for the non-RT-AC68U routers) the script has remained unchanged and working in my environments for at least a year but since DNS leaks/DNSSEC was not a concern/available when I originally wrote the script, restarting dnsmasq apparently now takes longer. Clearly the 2-second delay is dumb overkill, so I will probably try and reduce the enforced wait....or as you suggested, issue a 'please wait/be patient/the router isn't crashing' message!

Given your future 'advanced' design/topology requirements (once you have 'relaxed!)), then you may be better served by using a VLAN tagging capable downstream switch where additional ACL restriction may be applied to enforce client isolation within the new VLAN.

Good luck.

Thank you! I have a feeling I might need it .

 

[Martineau]

Sorry I havent provide any feedback. I have familj issue to take care of at then moment. Sorry

@octopus - apologies, I wasn't including you as you have always previously provided useful feedback.

NOTE: Family should always take priority.

 

[58chev]

@Martineau
I have tried to use your GS108e.sh to auto run the VLANSwitch.sh but not having any luck.

********@RT-AC66U_B1:/jffs/scripts# ./nat-start

        ***ERROR Cannot display status; VLAN 20 (or Bridge br20) not found

********@RT-AC66U_B1:/jffs/scripts# ./Cisco2960X.sh

        ***ERROR Cannot display status; VLAN 20 (or Bridge br20) not found

this is my nat-start

#!/bin/sh
/jffs/scripts/Cisco2960X.sh

This is Cisco2960X.sh - Only change I made was to initially run one VLAN on port 4 and change the switch name from yours to my Cisco.

#!/bin/sh
VER="v1.01"
#======================================================================================================= © 2016-2018 Martineau, v1.01
#
# Manage the VLANs (call this script from appropriate system script e.g. init-start/nat-start/services-start)
#

#  Validate the request
OPTION=
if [ "$1" == "del" ]; then
    OPTION="del"
fi
# Allow use of abbreviated 'status verbose'
if [ "$1" == "verbose" ]; then
    OPTION="status verbose"
fi
# Allow use of abbreviated 'status diag'
if [ "$1" == "diag" ]; then
    OPTION="status diag"
fi
# Set 'status' as the Default action if no args
if [ -z "$1" ] || [ "$(echo $@ | grep -cw "status")" -gt 0 ];then
    OPTION="status"
    if [ "$2" == "verbose" ];then
        OPTION=$OPTION" "$2
    fi
fi

# Multiple VLANs on Port 4 (Tagged Trunk) for downstream VLAN capable switches
#
#    Cisco 2960X
#
/jffs/scripts/VLANSwitch.sh  20  autodnsmasq $OPTION "alias=Guest"               # VLAN20
#/jffs/scripts/VLANSwitch.sh 30  $OPTION "alias=IoT"                 # VLAN30
#/jffs/scripts/VLANSwitch.sh 40  $OPTION "alias=Internet"            # VLAN40
#/jffs/scripts/VLANSwitch.sh 50  $OPTION "vpn1" "vlanfw" "alias=VPN" # VLAN50  force via VPN Client bridge (br1) and use explicit vlan50 Firewall rules
#/jffs/scripts/VLANSwitch.sh 200 $OPTION                             # VLAN200 for testing

# VLAN on Port 1 (UnTagged)
#/jffs/scripts/VLANSwitch.sh 70  $OPTION "1 bridge notag alias=CCTV" # VLAN70 (Artificially exclude 60!)

if [ "$1" == "del" ] || [ "$1" == "status" ];then
    # Perform any additional post-deletion or status activities here
    exit 0
fi

# Perform any additional post-creation activities here

exit 0

For now I run ./VLANSwitch.sh 20 4 autodnsmasq alias=GUEST manually after a reboot

BTW, your script runs flawlessly with wired clients connected to my 2960 (ports configured for VLAN20) and WIFI clients that connect to a Cisco 3602i that I have with several SSID's and GUEST in VLAN20.

 

[Martineau]

@Martineau
I have tried to use your GS108e.sh to auto run the VLANSwitch.sh but not having any luck.

********@RT-AC66U_B1:/jffs/scripts# ./nat-start

        ***ERROR Cannot display status; VLAN 20 (or Bridge br20) not found

********@RT-AC66U_B1:/jffs/scripts# ./Cisco2960X.sh

        ***ERROR Cannot display status; VLAN 20 (or Bridge br20) not found

this is my nat-start

#!/bin/sh
/jffs/scripts/Cisco2960X.sh

Try changing nat-start to

#!bin/sh
/jffs/scripts/Cisco2960X.sh   init

Also it might be best if you keep the order of the positional args
e.g. Change

/jffs/scripts/VLANSwitch.sh  20  autodnsmasq $OPTION "alias=Guest"               # VLAN20
to
/jffs/scripts/VLANSwitch.sh  20  $OPTION  autodnsmasq "alias=Guest"               # VLAN20

 

[58chev]

Try changing nat-start to

#!bin/sh
/jffs/scripts/Cisco2960X.sh init

Also it might be best if you keep the order of the positional args
e.g. Change

/jffs/scripts/VLANSwitch.sh 20 autodnsmasq $OPTION "alias=Guest" # VLAN20
to
/jffs/scripts/VLANSwitch.sh 20 $OPTION autodnsmasq "alias=Guest" # VLAN20

That did the trick.

ThanX