Router Used as Smart (managed) Switch

[gpz1100]

Hello,

I'd like to implement some vlans in my home network to isolate a few IoT type devices from the rest of the network. Sticking with the asusmerlin firmware should yield the best wifi experience because of the native drivers.

One key difference from most of the posts I've read on the topic is that the ac68u router will not be used for any dhcp, dns, nat, or any other packet/firewall processing. A separate piece of hardware running sophos utm will handle all the traffic control functions. The routers (there will be 2 or 3) will just be used for vlan and wifi purposes only.

I flashed tomato to an another 68u to get an idea of what's involved. It appears there's several definitions that are made.

On the basic settings page, several bridges are defined.

http://i.imgur.com/YO6bTtC.png

The default gateway and some dns servers are defined. I don't believe this is really necessary. Mainly I defined these so the device could set its time from an ntp server running on the UTM box. As a smart switch, the 68u really shouldn't have any need to go online. It's only purpose is to mimic a managed switch.

The Vlans are set up as follow:

http://i.imgur.com/hDdhLrz.png

vlan2 = untagged, bound to wan port on router
vlan3 = bound to ports 3 and 4, both untagged
vlan5 = bound to port 1, tagged
vlan6 = bound to port 1 and 2, only port 1 tagged, set as default vlan*

* Considering this is the default vlan, it's my understanding that should port 2 be connected to a dumb switch, all connected clients will be associated with vlan6 ?

Output from robocfg show

root@unknown:/tmp/home/root# robocfg show
Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
Port 1:   DOWN enabled stp: none vlan: 6 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 6 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 3 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 3 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 6 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   2: vlan2: 0 5t
   3: vlan3: 3 4 5t
   5: vlan5: 1t 5t
   6: vlan6: 1t 2 5t
  56: vlan56: 0t 4t 8t
  57: vlan57: 1 2 4 5 7 8t
  58: vlan58: 1t 2t 3 5t 7
  59: vlan59: 0t 1t 3t
  60: vlan60: 1t 2 3
  61: vlan61: 1t 3t 5 7
  62: vlan62: 0 3t 4t

Questions:

1) How do I duplicate the above on the asuswrt merlin firmware?

I have some understanding of how to use the robocfg command. How is a the default vlan assigned?

2) How do I make the bridge/subnet assignments?

3) How do I bind #2 to the vlans defined in 1?

I believe that's all there's needed to have the 68u function as a smart switch?

Thanks for your help!

 

[gpz1100]

Anyone? 1400+ view and no replies?

 

[gpz1100]

Made some progress with this. Spent days and hours jumping between asusmerlin, tomato and ddwrt. Ultimately settled on ddwrt but ran into issues with trying to set up an isolated guest network. Also, arp wasn't working right. It wasn't detecting all the hosts on the untagged bridged vlan. Eventually gave up and returned back to asusmerlin. This time however I had a better understanding of what I'm doing.

I'm still running sophos utm and that handles all dhcp, dns, ntp, firewall and routing functions. I strictly use the RT as a managed switch/ap (as managed as it gets anyway).

For now new config is relatively simple.

All I really had to do was add this into services-start

/jffs/services-start

#!/bin/sh
/usr/sbin/robocfg vlan 3 ports "0t 2 8t"
/usr/sbin/robocfg vlan 1 ports "0 1 3 4 8t"
/usr/sbin/robocfg vlan 4 ports "0t 1t 2t 3t 4t 8t"
/sbin/vconfig add eth0 3
/sbin/vconfig add eth0 4
/sbin/ifconfig vlan3 up
/sbin/ifconfig vlan4 up

Wan - connects to UTM - carries both tagged and untagged traffic for vlan 1, tagged for vlan 3 & 4
Ports 1, 3, 4 - carries tagged/untagged traffic for vlan 1, 3 & 4
Port 1 will connect to downstream rt's (configured similarly) to provide tagged/untagged vlans, ports 3/4 will either drive an unmanaged switch or directly connected hosts.

This whole vlan business is quite confusing. Having it in the GUI would be nice, but the above works relatively well and was simple to configure once the basics were understood.

In total there will be 3 RT's in series driven by the utm. I'd prefer a star topology but physical layout of the premises don't allow that.

Next piece of the puzzle is to add isolated guest wifi where each client is isolated from the lan and each other. Not sure how this will actually work because the RT is not acting as the firewall in any way, just the conduit.

PS. the above config is actually for the rt-ac66u. For the 68u, replace 8t with 5t.

 

[heedfulCrayon]

All I really had to do was add this into services-start

/jffs/services-start

#!/bin/sh
/usr/sbin/robocfg vlan 3 ports "0t 2 8t"
/usr/sbin/robocfg vlan 1 ports "0 1 3 4 8t"
/usr/sbin/robocfg vlan 4 ports "0t 1t 2t 3t 4t 8t"
/sbin/vconfig add eth0 3
/sbin/vconfig add eth0 4
/sbin/ifconfig vlan3 up
/sbin/ifconfig vlan4 up

Wan - connects to UTM - carries both tagged and untagged traffic for vlan 1, tagged for vlan 3 & 4
Ports 1, 3, 4 - carries tagged/untagged traffic for vlan 1, 3 & 4
Port 1 will connect to downstream rt's (configured similarly) to provide tagged/untagged vlans, ports 3/4 will either drive an unmanaged switch or directly connected hosts.
.

Wow dude, thank you for this. It really helped me figure out how to set up my ac88u to basically be a managed switch behind my UDM

 

[CaptainSTX]

I set up an old N66 running Tomato with three VLANs and three virtual APs (guest networks). The virtual APs could be associated any of the VLANs.

This all could be done using the GUI. Not entirely intuitive but with careful reading of several Wikis it worked fine.

One thing I prefer about the setup using Tomato vs VLANs on my smart switches is that each VLAN had its own subnet. For tracking down certain issues this made diagnosing thinks easier.

Glad you were able to get your setup working.

 

[Lord Lovaduck]

I set up an old N66 running Tomato with three VLANs and three virtual APs (guest networks). The virtual APs could be associated any of the VLANs.

This all could be done using the GUI. Not entirely intuitive but with careful reading of several Wikis it worked fine.

One thing I prefer about the setup using Tomato vs VLANs on my smart switches is that each VLAN had its own subnet. For tracking down certain issues this made diagnosing thinks easier.

Glad you were able to get your setup working.

I am trying to do something similar! Do you mind sharing some screenshots of your config so I get a starting point? Been looking into many wikis for DD-WRT vlan config, but Tomato seems like a better choice. What version are you using, Fresh Tomato? I am trying to repurpose an RT N16 for this job...

 

[CaptainSTX]

I am trying to do something similar! Do you mind sharing some screenshots of your config so I get a starting point? Been looking into many wikis for DD-WRT vlan config, but Tomato seems like a better choice. What version are you using, Fresh Tomato? I am trying to repurpose an RT N16 for this job...

Attached are screen shots from the various settings pages. I don't use this router anymore as while the VLANs were usesful I needed to implement an 802.1Q VLAN setup using smart switches so in places where I have only one Ethernet cable I still can have multiple VLANs. Hope this helps.

 

[Lord Lovaduck]

Thank you very much! I need to go through all of it, for some reason the long screen capture you have has a very low resolution and cannot be read, probably when uploaded it lost quality. Maybe it's not that relevant looks like the wireless vlan definitions? If you can PM the file to me directly that would be helpful, I can also look into how to post at the appropriate resolution here for posterity

Attached are screen shots from the various settings pages. I don't use this router anymore as while the VLANs were usesful I needed to implement an 802.1Q VLAN setup using smart switches so in places where I have only one Ethernet cable I still can have multiple VLANs. Hope this helps