Tutorial How to use VLANs on your non-pro Asus router with 386 or 388 code (no scripting required)

Aimesh parent is in AP mode, satellite routers are in Aimesh node mode off the parent.

ok. I don't know if that setup can produce a wifi-wide isolated GN. I've never tried that, and I don't have any insight into how an ASUS router in AP mode will communicate with satellite routers in Aimesh mode. I didn't think it would even work.
 
Ok so apologies beforehand for not being a network wiz, far from it, but would appreciate if someone could shed some light if what I'm trying to achieve is possible as my head is spinning from trying to understand the VLAN topic for my situation. This tutorial, while greatly appreciated and giving me some hope that I wouldn't need to upgrade to the latest gen of Asus routers that have VLAN options embedded, still didn't clear things up for me so please bear with me if I may:

I'm running a RT-AC5300 and RT-AX56 in Ai Mesh mode with the AC5300 being the router. Both are on their respective latest AsusWRT-Merlin FW's.
I understand I can run the Guest network and disable intranet to isolate devices connected to that network.
However, what I'm trying to achieve is for certain devices (my robovacs, broadlink IR/RF devices and some future CCTV cameras) to be isolated from the rest of my network except for my home assistant instance that I have running on the non-guest network. All those devices will connect wirelessly so no physical VLAN is required for my situation.
For the robovacs and Broadlink devices they will need access to the internet but I want to prevent them from accessing the rest of my network. My home assistant instance needs to stay on the main network for integration purposes to a host of other things but will need to be able to have one-directional access to those devices on the VLAN to send commands.
As far as the cameras go, I assume they strictly speaking don't need to be on the VLAN as long as I block internet access for them. Still would feel better to also have them on a separate VLAN however.

So is what I'm describing possible with the HW I currently have? If not, what would be the easiest and cheapest way to achieve this? Many thanks in advance!!
 
my robovacs, broadlink IR/RF devices and some future CCTV cameras

This fear of IoTs will cost you an entire setup replacement and with something better than home routers. It will also require way above average networking knowledge to set up.
 
No. Both models are EOL and you should not be using them as your main router. Your RT-AC5300 appears to run freshtomato and you should flash that ASAP.

vlans with intervlan routing is not newbie friendly and likely won't be for a while.

A) RT-AC5300 flashed with freshtomato and then find another freshtomato router to act as an AP; vlans will be unlocked and will work via GUI.
B) Any Asus filogic model flashed with openwrt will have full vlan support unlocked and accessible via GUI.
C) Merlin 3.0.0.6 with vlans/Guest Networking Pro on router and all nodes + manually scripting firewall changes

I think synology routers may have some kind of support for intervlan routing with default firmware.
Thanks @tiddlywink, not what I wanted to hear but really appreciate your insight :)

A) I'll look into freshtomato to see if I can wrap my head around what is required there. If the AX56 doesn't support freshtomato (which I assume from your response), I'd be more than happy to add a different freshtomato capable AP into the mix if it gets me to where I need to be.

B) By Asus filogic models I assume you mean their latest gen which I've seen called out on their support site as having VLAN capability enabled (through Beta FW if I remember correctly). I do need mesh capability as I have 2 parts to my house which are separated by a 10 meter corridor so having to swap out both my routers would be a bit much, so option A would take preference if setting up freshtomato for VLAN isn't too daunting.

C) Yeah I was seeing a lot of scripting options that were just way too advanced for me which is how I stumbled onto this thread.
 
This fear of IoTs will cost you an entire setup replacement and with something better than home routers. It will also require way above average networking knowledge to set up.
I obviously want to keep costs down as much as possible but if push came to shove I'd probably replace the whole setup if that gave me peace of mind. The problem will be the requirement for above average networking skills :D
I'm always keen to learn, Home Assistant being just one example of where tinkering with yaml etc has become quite a normal thing to do, but I've never really taken to the networking side of the IT puzzle so aside from the basics I quickly feel out of depth and sometimes knowing a little and thinking you know a lot can do more damage than not doing anything at all, which is why I'd rather ask the experts here rather than launch myself into a half arsed attempt at scripting.

But do I get the sense from what you said that my fear of IoT devices is misplaced and I shouldn't go to the lengths of interVLAN to put that fear to rest? I've seen it suggested pretty much everywhere in conversations whether related to CCTV, Robovacs and/or home assistant.
Or is it just that the fear is justified but that it's going to cost me :)
If the latter, I'm open to any additional suggestions on top of what @tiddlywink has already called out.
 
Mediatek filogic SoC. TUF-AX6000, TUF-AX4200 RT-AX59U, RT-AX52, and a few cheaper models not yet released. A 10 second flash with openwrt gives full vlan and intervlan routing.

Run ethernet down those 10 meter corridors to eliminate the need for mesh networking forever. vlans and mesh is going to be beyond your capability. If you absolutely 100% must use mesh, stick with stock asus firmware.


Run ethernet down those 2 corridors, buy 2 TUF-AX4200's, flash openwrt, set basic network settings, create vlans, set firewall zones (i.e. intervlan routing), and that is it. No scripting and everything done with a GUI. There's no reason to spend more money on worse small business devices from say Ubiquiti or tplink.
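
As an added illustration (not written by anyone in the thread), this is roughly what the "set firewall zones" step above looks like in OpenWrt's `/etc/config/firewall` for the isolation goal stated earlier in the thread: IoT clients reach the internet, only the Home Assistant host may open connections to them, and cameras get no WAN access. The `iot` network name and every IP address are assumptions, and the default `lan` and `wan` zones are assumed to exist unchanged.

```uci
# Constructed example: 'iot' is an assumed interface bound to the IoT VLAN.
# Traffic arriving from IoT clients is rejected unless a rule below allows it.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# IoT clients may reach the internet. No iot -> lan forwarding is defined.
config forwarding
	option src 'iot'
	option dest 'wan'

# Only the Home Assistant host (assumed 192.168.1.10) may initiate to IoT.
config rule
	option name 'HA-to-IoT'
	option src 'lan'
	option src_ip '192.168.1.10'
	option dest 'iot'
	option proto 'all'
	option target 'ACCEPT'

# With input REJECT, DHCP and DNS on the router must be opened explicitly.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Camera (assumed 192.168.20.50) gets no internet; rules run before forwardings.
config rule
	option name 'Block-Camera-WAN'
	option src 'iot'
	option src_ip '192.168.20.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Replies from IoT devices to Home Assistant pass because established connections are tracked, while nothing in the `iot` zone can open a new connection into `lan`.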
Thx again @tiddlywink, much appreciated!
I already ran ethernet cable so my AiMesh is with ethernet backhaul. Main reason for going with Asus Aimesh back in the day, aside from convenience and cost (adding the RT-AX56 was the easiest option given that I already had the RT-AC5300), was that I needed a decent wireless connection at the front of the house and seamless roaming when moving between the front of the house and back of the house with mobile phones and laptops. It's worked pretty flawlessly up until now so if I wasn't looking into VLAN, I probably wouldn't even change anything.

I had considered Ubiquiti previously actually as the front of the house is about 20 meters from the beach and it would be great to be able to extend my wifi there. Something like the U7 outdoor for example as an AP could cover the front of the house and the beach rather than using my RT-AX56 as an AiMesh AP that only covers the front of the house. So if I'm doing the whole refresh, may as well consider this option again.
Given that the U7 Outdoor is just an AP, I'm assuming that it'll play nicely with something like the AX4200 and I'd then only need to concern myself with proper setup of VLANs on my router so the Filogic routers are sounding like a good option if they are that convenient to configure via UI. As long as I can keep the roaming intact of course! Haven't looked at OpenWRT yet so that's my next stop.
 
The problem will be the requirement for above average networking skills

This is a problem either way you go. The easiest - double NAT two routers, the first one serves your IoTs, the second one serves your "secured" clients. You'll have access from the second router network to the first router network, but not vice versa. Not ideal, but easy and cheap. Some folks use this method when the ISP provided device is a modem/gateway. IoTs, backup Wi-Fi, guest access, etc. Not much networking skills required.
 
You are adding on outdoor wifi 7 with 2.5G uplinks to serve devices at the beach?

"the easiest and cheapest way to achieve this?"

Just go with Ubiquiti for everything and pretend it was cheap.
Yeah, where I live 3G/4G/5G reception is absolutely dreadful even on the best of days. And when the weather turns nice and the towers get congested forget about even opening a web page ;) I've been out of a job since July so I've now got time to do a lot of improvement projects, the downside being that $$$ are now a direct opposite of time availability 🤣
 
This is a problem either way you go. The easiest - double NAT two routers, the first one serves your IoTs, the second one serves your "secured" clients. You'll have access from the second router network to the first router network, but not vice versa. Not ideal, but easy and cheap. Some folks use this method when the ISP provided device is a modem/gateway. IoTs, backup Wi-Fi, guest access, etc. Not much networking skills required.
Problem with that will be that I'd actually need 3 devices if I understand correctly in that scenario as my IOT devices are spread across both front and back of the house. So 2 routers double NATed in the back building and an access point at the front of the house would suffice? I might look into this, move the AX56 next to the AC5300 and set it up as a second router instead of an AiMesh node and then put an AP at the front of the house. Assuming I can get IoT devices that connect to the AP instead of directly to the IoT router, to be routed by the IoT router in that scenario whilst non-IoT devices that connect to that AP would still be routed by the main router?
 
So 2 routers double NATed in the back building and an access point at the front of the house would suffice?

This is going to be quite a rough solution. Just connect your IoTs to the main network like 99% of the people do and continue your life just like before.
 
This is going to be quite a rough solution. Just connect your IoTs to the main network like 99% of the people do and continue your life just like before.
I'm starting to think that I could do without this headache indeed :D Maybe I'll look into switching to something like a full Ubiquiti solution as suggested to make life easier on myself once I land a new gig ;)
 
Hi guys,

I have my rt-ac5300 on 386.13 merlin / ap mode connected to a linksys 28 managed port (VLAN tagged 20) connected to my dhcp/router on opnsense.

Which works fine and all wireless devices connected on vlan 20 with 192.168.2.x subnet.

What I want to do is to have the Guest wireless connect on a different VLAN, is that done out of the box for guest vlan tagged on 501?

When I set this up, devices connected to guest wifi don't take the subnet on vlan 501.

Are there any required scripts or configurations that I need to do on the asus rt-ac5300?
 
I have a Zenwifi XD6 and am wondering if anyone with this has been able to set up the VPN. Currently I have the guest network operating successfully for my IOT wifi connected devices and these items have a .102.x address vs the standard .1.x address. Reading the post, it sounds like the .102.x address is the VLAN.

I have several wired devices I want to put on the same guest network/VLAN however they are connected to different ethernet ports. If I set up 2 smart switches for those 2 locations, would they both connect to the same VLAN? Also is it possible to have other devices on the same switch connect to the main network?

Thanks
 
I found these configurations in the NVRAM of my RT-AX86U router, and I'm wondering if it's possible to modify these settings to enable VLAN support without activating the guest network, and to allow support for an external DHCP server and custom subnets.
Bash:
RangerCD@RT-AX86U:/tmp/home/root# nvram show | grep vlan
gvlan_rulelist=
size: 76878 bytes (54194 left)
vlan_enable=0
vlan_pvid_list=
vlan_rulelist=
wgn_vlan_flag=1
wl0_vlan_prio_mode=off
wl1_vlan_prio_mode=off
wl_vlan_prio_mode=off
gvlan_rulelist=
vlan_pvid_list=
vlan_rulelist=<1>501>0>0>FFFF>0002>0000>192.168.101.1/24>1>0>1><1>502>0>0>FFFF>0000>0002>192.168.102.1/24>1>0>1>
 
