Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP

[PaulA]

As a newby I have been trying to configure my RT-AX88U-Pro router to isolate a camera system connected to LAN poort 2 from the rest on the LAN, so basically to setup a guestnet which only has access to internet.

Funny enough with Asus stock firmware I can setup a VLAN and configure LAN poort 2 as Access port (untagged), then configure the guestnet with DHCP, etc... but I had to flash my router with Merlin (RT-AX88U_PRO_3004_388.6_2) to be able to configure routed IPTV. After following the manual (https://gathering.tweakers.net/forum/list_messages/1772709/0) this all works nicely, but now I need to use cli (jffs scripts) to setup port isolation myself, this is ok for me but lack of knowledge on this topic (and lack of manuals) got me stuck on this point...

Setup:
- RT-AX88U-Pro running Merlin 3004_388.6_2
- My ISP (KPN) requires 3 VLAN's to be tagged (trunk port); 4=IPTV, 6=Internet, 7=VOIP.
- For now I want to isolate using a seperate bridge; later by adding a VLAN.

So far I have setup a new bridge, attach the eth2 port to it, configure dhcp and enable traffic (iptables), but I think the traffic isn't on VLAN6 so the server gives no response (webpages are not loading properly).

brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.c87f54e4f218    no        eth1
                            eth2
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7

brctl delif br0 eth2
brctl addbr br77
brctl stp br77 on
brctl stp br0 on
brctl addif br77 eth2

# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.c87f54e4f218    yes        eth1
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7
br77        8000.c87f54e4f218    yes        eth2

# Set up the IPv4 address for the bridge and bring it up
ifconfig br77 192.168.77.1 netmask 255.255.255.240
ifconfig br77 allmulti up

# dnsmasq
interface=br77
dhcp-range=br77,192.168.77.2,192.168.77.14,255.255.255.240,86400s
dhcp-option=br77,3,192.168.77.1
dhcp-option=br77,28,192.168.77.15
service restart_dnsmasq

# iptables
iptables -I INPUT -i br77 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i br77 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i br77 -p udp -m udp --dport 68 -j ACCEPT
iptables -I FORWARD -i br77 -o vlan6 -j ACCEPT
iptables -I FORWARD -i br77 -o ppp0 -j ACCEPT

Questions that I have:
1) The IPTV manual requires to set Internet VID to 6 under LAN - IPTV; I believe this is the default VLAN. But where can I see / configure this using cli? Is this per network interface?
2) My router doesn't have robocfg, only ip tool which I can use to link a VLAN, but I believe this is trunk configuration only? How do I configure physical eth ports to become trunk and/or access ports on the cli?
3) More complicated; how can I terminate a VLAN in the router and forward to another VLAN (6)? I.e. without another switch or using 2 physical eth ports? I believe this is possible since Asus guestnet does something similar (501)?

Many thanks for hints/tips in the right direction.

Paul

 

[PaulA]

I finally managed to get a working solution; although technically it's not entirely clear to me yet, at least I got it working.

First of all I configured a guestnet in the GUI (2.4GHz only, no intranet access)

Then I got following bridges (configured by Merlin):

# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.c87f54e4f218    no        eth1
                            eth2
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7
br1        8000.c87f54e4f219    yes        eth1.501
                            eth2.501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            eth7.501
                            wl0.1

Then I configured the eth2 lan port as untagged (on existing vlan 501 used by the guestnet) and add it to the bridge.

vlanctl --mcast --if-create eth2 501
vlanctl --if eth2 --rx --tags 0 --set-rxif eth2.v501 --rule-append
ifconfig eth2.v501 up
brctl addif br1 eth2.v501
brctl delif br0 eth2

This gives following bridges:

# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.c87f54e4f218    no        eth1
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7
br1        8000.c87f54e4f219    yes        eth1.501
                            eth2.501
                            eth2.v501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            eth7.501
                            wl0.1

Big thanks to following post: https://forums.hardwarezone.com.sg/threads/need-expert-on-vlanctl-commands.6832725/#post-144842415 which was actually the only info I could find that shows how to configure a physical lan port as access port (untagged) for an RT-AX88U-Pro.

Paul

 

[dacotmeister]

Great Paul that despite no one answered or could assist you on this matter, you shared your results and solution here!